Skip to content

Support more wildcards in trust policy #476

@jeremyrickard

Description

@jeremyrickard

What is the areas you would like to add the new feature to?

Notation CLI

Is your feature request related to a problem?

Currently, when defining a Trust Policy it seems like you are constrained to either fully specifying a repository or specifying a wildcard for any, such as:

{
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "upstream",
            "registryScopes": [ "*" ],
            "signatureVerification": {
                "level" : "strict"
            },
            "trustStores": [ "ca:mcguffin" ],
            "trustedIdentities": [
                "*"
            ]
        }
    ]
}

or

{
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "upstream",
            "registryScopes": [ "myacr.azurecr.io/oss/widget/mcguffin" ],
            "signatureVerification": {
                "level" : "strict"
            },
            "trustStores": [ "ca:mcguffin" ],
            "trustedIdentities": [
                "*"
            ]
        }
    ]
}

I cannot specify a wildcard within the repo path:

{
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "upstream",
            "registryScopes": [ "myacr.azurecr.io/oss/widget/*" ],
            "signatureVerification": {
                "level" : "strict"
            },
            "trustStores": [ "ca:mcguffin" ],
            "trustedIdentities": [
                "*"
            ]
        }
    ]
}

Doing so results in a failure to validate signatures:

notation verify myacr.azurecr.io/oss/widget/flux@sha256:535bff4439d9fe727e72911e6a929548d9d256ac5f8f1c4c9f7cf5b6a82e3c18
Error: registry scope "myacr.azurecr.io/oss/widget/*" is not valid, make sure it is the fully qualified registry URL without the scheme/protocol. e.g domain.com/my/repository

I am currently producing several hundred images in several repository paths that all share "oss/widget". In the current state, I either need to build a trust policy that explicitly enumerates all of them, or I need to trust any repository.

What solution do you propose?

Support path based wildcards.

What alternatives have you considered?

None

Any additional context?

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestv2Things belongs to version 2.x

    Type

    No type

    Projects

    Status

    Todo

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions