
Support more wildcards in trust policy #476

Open
jeremyrickard opened this issue Dec 8, 2022 · 3 comments
Labels
enhancement New feature or request v2 Things belongs to version 2.x
Comments

@jeremyrickard (Contributor) commented Dec 8, 2022

What are the areas you would like to add the new feature to?

Notation CLI

Is your feature request related to a problem?

Currently, when defining a Trust Policy it seems like you are constrained to either fully specifying a repository or specifying a wildcard for any, such as:

```json
{
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "upstream",
            "registryScopes": [ "*" ],
            "signatureVerification": {
                "level" : "strict"
            },
            "trustStores": [ "ca:mcguffin" ],
            "trustedIdentities": [
                "*"
            ]
        }
    ]
}
```

or

```json
{
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "upstream",
            "registryScopes": [ "myacr.azurecr.io/oss/widget/mcguffin" ],
            "signatureVerification": {
                "level" : "strict"
            },
            "trustStores": [ "ca:mcguffin" ],
            "trustedIdentities": [
                "*"
            ]
        }
    ]
}
```

I cannot specify a wildcard within the repo path:

```json
{
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "upstream",
            "registryScopes": [ "myacr.azurecr.io/oss/widget/*" ],
            "signatureVerification": {
                "level" : "strict"
            },
            "trustStores": [ "ca:mcguffin" ],
            "trustedIdentities": [
                "*"
            ]
        }
    ]
}
```

Doing so results in a failure to validate signatures:

```console
notation verify myacr.azurecr.io/oss/widget/flux@sha256:535bff4439d9fe727e72911e6a929548d9d256ac5f8f1c4c9f7cf5b6a82e3c18
Error: registry scope "myacr.azurecr.io/oss/widget/*" is not valid, make sure it is the fully qualified registry URL without the scheme/protocol. e.g domain.com/my/repository
```

I am currently producing several hundred images in several repository paths that all share "oss/widget". In the current state, I either need to build a trust policy that explicitly enumerates all of them, or I need to trust any repository.

What solution do you propose?

Support path based wildcards.

What alternatives have you considered?

None

Any additional context?

No response
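To make the requested behaviour concrete, here is an added Go example (not code from the notation project) that models the part of trust policy evaluation this issue is about: validating `registryScopes` entries and choosing which policy applies to a repository. The `TrustPolicy` struct, the trailing `/*` path-wildcard semantics, the specificity ranking (exact repository beats a `/*` prefix, which beats the global `*`) and the "equal specificity is an error" rule are all assumptions made for the example; only the `*` and fully-qualified-repository forms, and the error text, come from the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// TrustPolicy keeps only the fields this example needs (assumed shape, not notation's own type).
type TrustPolicy struct {
	Name           string
	RegistryScopes []string
}

const exactMatch = 1 << 30 // ranking: exact repository > "/*" prefix (by segment count) > "*"

// validateScope accepts "*", a fully qualified repository, or (the extension requested in
// the issue) a repository prefix followed by "/*". A scheme or a "*" anywhere else is rejected.
func validateScope(scope string) error {
	if scope == "*" {
		return nil
	}
	if strings.Contains(scope, "://") {
		return fmt.Errorf("registry scope %q must not contain a scheme/protocol", scope)
	}
	body := strings.TrimSuffix(scope, "/*")
	if strings.Contains(body, "*") {
		return fmt.Errorf("registry scope %q: only a trailing \"/*\" wildcard is supported", scope)
	}
	if parts := strings.Split(body, "/"); len(parts) < 2 || parts[0] == "" || parts[len(parts)-1] == "" {
		return fmt.Errorf("registry scope %q is not a fully qualified repository, e.g. domain.com/my/repository", scope)
	}
	return nil
}

// matchScope reports whether repo falls under scope and how specific the match is.
func matchScope(scope, repo string) (int, bool) {
	if scope == "*" {
		return 0, true
	}
	if strings.HasSuffix(scope, "/*") {
		prefix := strings.TrimSuffix(scope, "/*")
		// Segment boundary only: "oss/widget/*" must not cover "oss/widgets/foo".
		if strings.HasPrefix(repo, prefix+"/") {
			return strings.Count(prefix, "/") + 1, true
		}
		return 0, false
	}
	if scope == repo {
		return exactMatch, true
	}
	return 0, false
}

// repositoryOf strips the "@digest" or ":tag" suffix from an artifact reference.
func repositoryOf(ref string) string {
	repo, _, _ := strings.Cut(ref, "@")
	start := strings.LastIndex(repo, "/") + 1 // 0 when the reference has no "/"
	if j := strings.Index(repo[start:], ":"); j >= 0 {
		repo = repo[:start+j]
	}
	return repo
}

// selectPolicy validates every scope and returns the single most specific policy covering
// ref. Equal-specificity matches are an error, not a silent first-wins choice, so an
// overlapping misconfiguration cannot quietly widen trust.
func selectPolicy(policies []TrustPolicy, ref string) (*TrustPolicy, error) {
	repo := repositoryOf(ref)
	bestIdx, bestSpec, ambiguous := -1, -1, false
	for i := range policies {
		for _, scope := range policies[i].RegistryScopes {
			if err := validateScope(scope); err != nil {
				return nil, fmt.Errorf("policy %q: %w", policies[i].Name, err)
			}
			spec, ok := matchScope(scope, repo)
			if !ok {
				continue
			}
			if spec > bestSpec {
				bestIdx, bestSpec, ambiguous = i, spec, false
			} else if spec == bestSpec && i != bestIdx {
				ambiguous = true
			}
		}
	}
	if bestIdx < 0 {
		return nil, fmt.Errorf("no trust policy applies to repository %q", repo)
	}
	if ambiguous {
		return nil, fmt.Errorf("repository %q matches more than one policy with equal specificity", repo)
	}
	return &policies[bestIdx], nil
}

func main() {
	policies := []TrustPolicy{
		{Name: "any", RegistryScopes: []string{"*"}},
		{Name: "widget", RegistryScopes: []string{"myacr.azurecr.io/oss/widget/*"}},
	}
	if p, err := selectPolicy(policies, "myacr.azurecr.io/oss/widget/flux@sha256:535bff4439d9fe727e72911e6a929548d9d256ac5f8f1c4c9f7cf5b6a82e3c18"); err == nil {
		fmt.Println("policy:", p.Name) // prints "policy: widget"
	}
}
```

Two details matter if a path wildcard is implemented. The prefix comparison has to stop on a `/` boundary, otherwise `oss/widget/*` silently also covers `oss/widgets/...` and any repository whose name merely starts with the same string. And once scopes can overlap, the resolution order becomes part of the security model: ranking by specificity and refusing ties keeps a broad `*` policy from being selected where a narrower one was intended.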

@sajayantony (Contributor) commented:

+1. Should we prioritize this? Having so many scopes is quite challenging.

@yizha1 (Contributor) commented Dec 13, 2022

@priteshbandi Could you take a look at this issue? /cc @vaninrao10

@yizha1 yizha1 removed the triage Need to triage label Jul 25, 2023
@yizha1 yizha1 added this to the 1.2.0 milestone Jul 25, 2023
@yizha1 (Contributor) commented Jul 25, 2023

@priteshbandi I updated the milestone to 1.2.0, could you take a look?

@yizha1 yizha1 modified the milestones: 1.2.0, 1.3.0 Mar 19, 2024
@yizha1 yizha1 added the v2 Things belongs to version 2.x label Oct 15, 2024
@yizha1 yizha1 modified the milestones: 1.3.0, 2.1.0 Oct 15, 2024