This issue was automatically created by Allstar.

Security Policy Violation Dismiss stale reviews not configured for branch main

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

Description

Hi again! Thanks for the really awesome job you are doing!

I'm looking into using this together with Azure Key Vault and Azure Container Registry. In my case, each namespace will have a separate key in Key Vault and the identity used by the provider will have verify access to each key.

My idea is to add some config parameters to the provider to be able to configure how the verification is done and configured, but before starting anything I'd like to understand what plans you already have to make sure I align with them in the best possible way.

Would you like some kind of formal proposal from me or something like that? Or maybe you don't want to provide those kinds of features with the provider and only use it as an example?

Keep up the great work! 🚀👍🥇

Summary

• fix go module name
• add initial goreleaser (will add the sign and docker files)
• setup mage to run the build/test commands
• setup golangci-lint

Ticket Link

Fixes

Release Note

add mage to run the build/test jobs and setup initial gh actions 

Summary

Link was missing protocol, which led it to use this repo as base path for the link, rendering it invalid. kubectl command formatting to make it looks nicer.

Ticket Link

Fixes https://github.com/sigstore/cosign-gatekeeper-provider/issues/12

Release Note

NONE

Description The first cosign link in the README.md leads to: https://github.com/sigstore/cosign-gatekeeper-provider/blob/main/github.com/sigstore/cosign, however this is a 404.

I assume the link should go to: https://github.com/sigstore/cosign ?

Question Dear community, could somebody guide me how to provide the cosign public key for image verification for cosign-gatekeeper-provider? My public key is available with http schema. (http url file)

As I can see from the source code, the only available method is keyless: https://github.com/sigstore/cosign-gatekeeper-provider/blob/main/provider.go#L85

But I might miss something, that's why gentle requesting for help.

Thank you, Pasha.

Description

Hi!

We'd like to have an opportunity to pass our own Cosign public key generated with cosign generate-key-pair to the provider. To use it the same way as 'cosign verify --key ...’

Expectations:

1. Generate a key pair using cosign generate-key-pair
2. Sign an image
3. Create a k8s secret/configmap for cosign.pub
4. Pass the secret/configmap to cosign-gatekeeper-provider deployment
5. Verify the images using the public key

Signed-off-by: Furkan [email protected]

Related issue: https://github.com/sigstore/cosign-gatekeeper-provider/issues/16 (This is not a fix PR)

Bump cosign to use panic free fulcio during getting root certs: https://github.com/sigstore/cosign/pull/1965

PTAL @developer-guy

Summary

Ticket Link

Fixes

Release Note

* Bump cosign to v1.9.1
* Use panic-free logic
* Get root certs during initialization

Hi Team

I would like to verify my container images before deploying to pod in my k8s cluster. I am trying to achieve this with cosign-gatekeeper-provider i.e https://github.com/sigstore/cosign-gatekeeper-provider I have signed the image using cosign but I am not able to verify images when I try to deploy pod using manifest in my cluster.

I am getting following error:- error when creating “policy/examples/valid.yaml”: admission webhook “validation.gatekeeper.sh” denied the request: [cosign-gatekeeper-provider] invalid response: {“errors”: [], “responses”: [], “status_code”: 200, “system_error”: “VerifyImageSignatures: one of verifier or root certs is required”}

I am able to verify container images using commands on my local command line i.e cosign verify .(But not inside k8s cluster). Looks like keys/cert information are not propagated to cluster

Anything else you would like to add: I am not sure whether I should put this issue here or on cosign.

Environment:

Gatekeeper version:3.8.1

Looking at the examples, there is not imagePullSecret support currently? This is needed for things such as gitlab repo's where each project is protected.

Description

Right now, if I'm not mistaken, new credentials will be configured for each time we reach out to the KMS or registry.

To make sure that we don't get rate limited, these credentials should be cached.