This repository was archived by the owner on Jan 19, 2026. It is now read-only.
fix!: sigstore handle multiple rekor keys #1396
Merged: flavio merged 3 commits into kubewarden:main on Oct 17, 2025
Conversation
…tory This commit updates to the latest sigstore-rs crate, which allows us to handle some changes done inside of Sigstore's TUF repository. This commit is part of a series of commits required to address the issue. Signed-off-by: Flavio Castelli <[email protected]>
The contents of the Sigstore TUF repository changed, causing verification to not work properly. This commit fixes verification, both for the `.wasm` files containing our policies and for the policies that make use of our verification capabilities (like the `verify-image-signatures` policy). However, now the Sigstore TUF repository no longer ships with individual certificate/public keys. Issue kubewarden#1245 was already tracking that. Moreover, the latest version of sigstore-rs requires knowing Rekor's key IDs in addition to the actual keys, which makes all the individual CLI flags (`--rekor-public-key-path`, `--fulcio-cert-path`) useless. Because of that, this commit removes these flags. We will add support for bring your own PKI in a future PR (see kubewarden#1245 (comment) for more details). Signed-off-by: Flavio Castelli <[email protected]>
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Coverage diff (main vs. #1396):

| | main | #1396 | +/- |
|---|---|---|---|
| Coverage | 82.45% | 86.74% | +4.28% |
| Files | 34 | 34 | |
| Lines | 4577 | 4495 | -82 |
| Hits | 3774 | 3899 | +125 |
| Misses | 803 | 596 | -207 |
Keep track of the removal of the rekor and fulcio related flags Signed-off-by: Flavio Castelli <[email protected]>
The contents of the Sigstore TUF repository changed, causing verification to not work properly.

This commit fixes verification, both for the `.wasm` files containing our policies and for the policies that make use of our verification capabilities (like the `verify-image-signatures` policy). However, now the Sigstore TUF repository no longer ships with individual certificate/public keys. Issue #1245 was already tracking that.

Moreover, the latest version of sigstore-rs requires knowing Rekor's key IDs in addition to the actual keys, which makes all the individual CLI flags (`--rekor-public-key-path`, `--fulcio-cert-path`) useless. Because of that, this commit removes these flags.

We will add support for bring your own PKI in a future PR (see #1245 (comment) for more details).
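The PR description above explains that a verifier can no longer assume a single Rekor key: it has to know each key's ID and pick the right key for the log entry it is checking. The following is an added illustration of that selection logic, not code from this PR or from sigstore-rs; it assumes the Sigstore convention that a log's key ID is the hex SHA-256 of the DER-encoded public key, and the PEM bodies it uses are constructed bytes rather than real Rekor keys.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode the body (the DER SubjectPublicKeyInfo)."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("not a PEM public key")
    return base64.b64decode("".join(match.group(1).split()))


def rekor_key_id(der: bytes) -> str:
    """Key ID as Sigstore derives it (assumption): hex SHA-256 over the DER-encoded key."""
    return hashlib.sha256(der).hexdigest()


class RekorKeyring:
    """Several trusted Rekor keys indexed by key ID, so an entry is matched to the key
    that actually signed it instead of being checked against one hard-coded key."""

    def __init__(self, pems):
        self.keys = {}
        for pem in pems:
            der = pem_to_der(pem)
            self.keys[rekor_key_id(der)] = der

    def key_for_entry(self, entry: dict) -> bytes:
        """Select the verification key by the entry's logID; an unknown ID is rejected,
        which is the failure mode a single-key verifier would silently get wrong."""
        log_id = entry["logID"]
        try:
            return self.keys[log_id]
        except KeyError:
            raise LookupError(f"no trusted Rekor key with ID {log_id}") from None


def _constructed_pem(body: bytes) -> str:
    """Wrap constructed bytes in PEM armor. These are NOT real keys, only sample input."""
    b64 = base64.encodebytes(body).decode()
    return f"-----BEGIN PUBLIC KEY-----\n{b64}-----END PUBLIC KEY-----\n"


# Constructed sample: two generations of Rekor keys, as a rotated TUF root would ship.
SAMPLE_PEMS = [_constructed_pem(b"constructed-rekor-key-1"),
               _constructed_pem(b"constructed-rekor-key-2")]
KEYRING = RekorKeyring(SAMPLE_PEMS)
```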