Skip to content

Commit 962e50a

Browse files
flixmanCopilot
andauthored
feat(notation): Add TSA truststore support to notation policy (#4168)
* feat(notation): Add TSA truststore support to notation policy Signed-off-by: Felix Rubio <felix@kngnt.org> * fix(notation): Fixed readme to reflect implementation for TSA config. Signed-off-by: Felix Rubio <felix@kngnt.org> * fix(notation): Restored verityTimestamp value to prevent failing for non-timestamped but valid certificates. Signed-off-by: Felix Rubio <felix@kngnt.org> * fix(notation): Fixed indentation. Signed-off-by: Felix Rubio <felix@kngnt.org> * fix(notation): Rebased and actioned review comments. Signed-off-by: Felix Rubio <felix@kngnt.org> --------- Signed-off-by: Felix Rubio <felix@kngnt.org> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
1 parent 6c0618a commit 962e50a

3 files changed

Lines changed: 45 additions & 19 deletions

File tree

pkg/extensions/README_imagetrust.md

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -149,13 +149,16 @@ The information above will be included in the ManifestSummary objects returned b
149149
"name": "default-config",
150150
"registryScopes": [ "*" ],
151151
"signatureVerification": {
152-
"level" : "strict"
152+
"level": "strict",
153+
"verifyTimestamp": "afterCertExpiry"
153154
},
154-
"trustStores": ["ca:default","signingAuthority:default"],
155+
"trustStores": ["ca:default","signingAuthority:default","tsa:default"],
155156
"trustedIdentities": [
156157
"*"
157158
]
158159
}
159160
]
160161
}
161162
```
163+
164+
The default trust policy includes all supported notation truststore types, including CA, signing authority, and TSA stores.

pkg/extensions/imagetrust/image_trust_test.go

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -102,6 +102,39 @@ func TestInitCosignAndNotationDirs(t *testing.T) {
102102
So(err, ShouldEqual, zerr.ErrSignConfigDirNotSet)
103103
})
104104

105+
Convey("InitTrustpolicy includes TSA store", t, func() {
106+
dir := t.TempDir()
107+
108+
certStorage, err := imagetrust.NewCertificateLocalStorage(dir)
109+
So(err, ShouldBeNil)
110+
111+
notationDir, err := certStorage.GetNotationDirPath()
112+
So(err, ShouldBeNil)
113+
114+
_, err = os.Stat(path.Join(notationDir, "truststore/x509/tsa/default"))
115+
So(err, ShouldBeNil)
116+
117+
trustPolicyBytes, err := os.ReadFile(path.Join(notationDir, "trustpolicy.json"))
118+
So(err, ShouldBeNil)
119+
120+
trustPolicyDoc := struct {
121+
TrustPolicies []struct {
122+
TrustStores []string `json:"trustStores"`
123+
SignatureVerification struct {
124+
VerifyTimestamp string `json:"verifyTimestamp"`
125+
} `json:"signatureVerification"`
126+
} `json:"trustPolicies"`
127+
}{}
128+
129+
err = json.Unmarshal(trustPolicyBytes, &trustPolicyDoc)
130+
So(err, ShouldBeNil)
131+
So(trustPolicyDoc.TrustPolicies, ShouldNotBeEmpty)
132+
So(trustPolicyDoc.TrustPolicies[0].TrustStores, ShouldContain, "ca:default")
133+
So(trustPolicyDoc.TrustPolicies[0].TrustStores, ShouldContain, "signingAuthority:default")
134+
So(trustPolicyDoc.TrustPolicies[0].TrustStores, ShouldContain, "tsa:default")
135+
So(trustPolicyDoc.TrustPolicies[0].SignatureVerification.VerifyTimestamp, ShouldEqual, "afterCertExpiry")
136+
})
137+
105138
Convey("UploadCertificate - notationDir is not set", t, func() {
106139
rootDir := t.TempDir()
107140

pkg/extensions/imagetrust/notation.go

Lines changed: 7 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -78,20 +78,11 @@ func NewCertificateLocalStorage(rootDir string) (*CertificateLocalStorage, error
7878
}
7979

8080
for _, truststoreType := range truststore.Types {
81-
if truststoreType != truststore.TypeTSA {
82-
defaultTruststore := path.Join(dir, "truststore", "x509", string(truststoreType), truststoreName)
83-
84-
_, err = os.Stat(defaultTruststore)
85-
if os.IsNotExist(err) {
86-
err = os.MkdirAll(defaultTruststore, defaultDirPerms)
87-
if err != nil {
88-
return nil, err
89-
}
90-
}
81+
defaultTruststore := path.Join(dir, "truststore", "x509", string(truststoreType), truststoreName)
9182

92-
if err != nil {
93-
return nil, err
94-
}
83+
err = os.MkdirAll(defaultTruststore, defaultDirPerms)
84+
if err != nil {
85+
return nil, err
9586
}
9687
}
9788

@@ -118,9 +109,7 @@ func InitTrustpolicyFile(notationStorage certificateStorage) error {
118109
truststores := []string{}
119110

120111
for _, truststoreType := range truststore.Types {
121-
if truststoreType != truststore.TypeTSA {
122-
truststores = append(truststores, fmt.Sprintf("\"%s:%s\"", string(truststoreType), truststoreName))
123-
}
112+
truststores = append(truststores, fmt.Sprintf("\"%s:%s\"", string(truststoreType), truststoreName))
124113
}
125114

126115
defaultTruststores := strings.Join(truststores, ",")
@@ -140,7 +129,8 @@ func InitTrustpolicyFile(notationStorage certificateStorage) error {
140129
"name": "default-config",
141130
"registryScopes": [ "*" ],
142131
"signatureVerification": {
143-
"level" : "strict"
132+
"level": "strict",
133+
"verifyTimestamp": "afterCertExpiry"
144134
},
145135
"trustStores": [` + defaultTruststores + `],
146136
"trustedIdentities": [

0 commit comments

Comments
 (0)