docs: Create proposal for verifying 'last-n' artifacts only. #1797
Conversation
asafalgawi
requested review from
akashsinghal,
binbin-li,
jimmyraywv,
luisdlp,
susanshi and
toddysm
as code owners
asafalgawi
changed the title
| spec: | ||
| name: # REQUIRED: [string], the unique type of the verifier (notation, cosign) | ||
| artifactType: # REQUIRED: [string], comma seperated list, artifact type this verifier handles | ||
| artifactAgeFilter: # Optional: [string], one of the following 'latest' to verify only the last artifact, or all to verify all artifacts. defaults to all. |
There was a problem hiding this comment.
if artifactAgeFilter may contain different values based on verifier, should this be moved to "parameters"
There was a problem hiding this comment.
I've added it here because each verifier/namespaced verifier configuration is evaluated as a different "verifier" by ratify.
Since the properties part is parsed by the verifier code itself, and as you said, we wish to filter in the executor, then it would be better to place those fields outside the scope of parameters.
There was a problem hiding this comment.
Basically, age-based filtering is just one special case of annotation-based filtering. It would be better to have a uniform param for the overall filtering feature.
|
Hi @asafalgawi , thank you for the proposal. We have discussed this during the community meeting. We agree with the "latest" vulnerability report user scenario, however we need to understand the feasibility and scope of change. @binbin-li brought up good point today, the individual verifier might not have filtering abilities. Major refactoring might be required in executor code path. We still require more time to understand the notary scenarios a bit more, thankyou for your patience. |
|
Hi @susanshi, thanks for the reviewing the proposal and for the update :) |
| ## Problem/Motivation | ||
|
|
||
| When configuring a verifier in Ratify, we set the artifact type the verifier should work on. In such case, Ratify will verify all referrers of a given subject that have a matching artifact type using the verifier. | ||
| In some cases, this could lead to a wrong behavior. For instance, Vulnerability Artifacts are outdated once a new artifact is written to the repository, as such there is no use for verifying both the new one and the old one. On the other hand, in performing signature verification using Notary, we may wish to attest more than one signature, because there may be multiple signatures attached to a given artifact, but our "tenant" only trusts a subset of them. |
There was a problem hiding this comment.
| In some cases, this could lead to a wrong behavior. For instance, Vulnerability Artifacts are outdated once a new artifact is written to the repository, as such there is no use for verifying both the new one and the old one. On the other hand, in performing signature verification using Notary, we may wish to attest more than one signature, because there may be multiple signatures attached to a given artifact, but our "tenant" only trusts a subset of them. | |
| In some cases, this could lead to a wrong behavior. For instance, Vulnerability Artifacts are outdated once a new artifact is written to the repository, as such there is no use for verifying both the new one and the old one. On the other hand, in performing Notary Project signature verification, we may wish to attest more than one signature, because there may be multiple signatures attached to a given artifact, but our "tenant" only trusts a subset of them. |
There was a problem hiding this comment.
The current behavior of Notary Project signature verification is:
- if 1 out of N signatures passes verification, then the overall signature verification succeeds.
- If all signatures failed validation, then the overall signature verification fails
There was a problem hiding this comment.
@binbin-li If I remembered correctly, verifying multiple signatures can be achieved through Rego policies?
There was a problem hiding this comment.
Both config policy and rego policy can verify multiple signatures but only rego policy engine supports using multiple Notation verifiers validates the same Notation signature.
| "digest": "sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b864", | ||
| "signatures": [ | ||
| { | ||
| "mediaType": "applicaiton/vnd.cncf.notary.x509-signature.config.v2", |
There was a problem hiding this comment.
Is this media type applicaiton/vnd.cncf.notary.x509-signature.config.v2 correct?
There was a problem hiding this comment.
I copied it from their website, perhaps it is not up to date, i'll check again and update the doc.
|
|
||
| # Filtration Methods | ||
|
|
||
| ## Age Based Filtration |
There was a problem hiding this comment.
This is still annotation-based filtration, and it just uses the annotation org.opencontainers.image.created to achieve the goal. So I think there is only one filtration method, but currently there are two scenarios, one is for filtering out latest artifact, another is for filtering out a subset of artifacts.
There was a problem hiding this comment.
It is, but the verification process of both is different.
Age based verification requires context, you need to be aware of all the referrers, while annotation based in specific to the artifact that is currently being verified.
While age based has to be implemented in the executor, the annotation filtering can be done even in the skel method of the verifier, it could return a new type of response to show that verification was skipped and the artifact won't be included in the final verification response.
Perhaps we should not bundle both features in the same proposal ?
There was a problem hiding this comment.
^^ I think this is a good point. age based filtering vs generic annotation based filtering operate at different levels of Ratify
There was a problem hiding this comment.
It makes sense to have the overall filtering code in both executor and verifiers in terms of the current Ratify design. I just feel if we need to do some sorting, e.g. latest artifact, it should reside in the corresponding verifier instead of executor since not all verifiers require sorted artifacts and verifier's configuration should not affect executor's behavior.
| ``` | ||
|
|
||
| We could define a notation verifier configuration that would require the artifact manifest to contain the annotation `org.opencontainers.image.signature.fingerprint` and that is should have a known fingerprint value. this would enable a scenario where the user configures three notation verifiers, one in each namespace: | ||
| * Namepsace A -> Fingerprint should match [X] |
There was a problem hiding this comment.
Could you elaborate more about the problem that fingerprint filtering is going to be solved? If it is to distinguish different signers, we can configure Notation Verifier with different trusted identities for different namespaces. For example, images pulled in namespace A are signed by Signer-A, then we can configure the trusted identities that Signer-A used for namespace A.
Or is your scenario to distinguish signatures that are generated by the same Signer (trusted identity)? Then what is the difference in signatures generated by the same Signer? If it is about age, maybe we can use aged-filtering to verify only the latest signature?
There was a problem hiding this comment.
Sure. Basically, I referred to a scenario in which I as a namespace owner I require that all certificate chains will contains a specific signer, since the signature chain is part of the artifact annotations, I can verify it before even going through all whole process of verifying the actual signature.
Hi @asafalgawi, reviewing our current executor path below, we want to explore a bit more on the proposed implementation. How will the executor be refactored for filtering? Note we will not be able to change the verifier interfaces to maintain backward compatibility. If the current PR review meeting and community meeting time doesn't work, would you be open to meet and discuss in the once off meeting? |
| When configuring a verifier in Ratify, we set the artifact type the verifier should work on. In such case, Ratify will verify all referrers of a given subject that have a matching artifact type using the verifier. | ||
| In some cases, this could lead to a wrong behavior. For instance, Vulnerability Artifacts are outdated once a new artifact is written to the repository, as such there is no use for verifying both the new one and the old one. On the other hand, in performing signature verification using Notary, we may wish to attest more than one signature, because there may be multiple signatures attached to a given artifact, but our "tenant" only trusts a subset of them. | ||
|
|
||
| The issue with verifying all the matching artifacts could also lead to performance issues, each "verification" process hides within a request to pull the artifcat manifest, and the blobs containing the actual data. |
There was a problem hiding this comment.
The verifier api includes a CanVerify which is invoked by Ratify's executor prior to even invoking the Verify method, although external plugins will need to be considered differently in that the pre-validation filtering will need to exist in the actual plugin implementation. If the verifier defines it's own behavior for annotation filtering here, then there would be no extra registry request overhead nor executor-level logic required. Age baed filtering can also be done at the CanVerify level if only comparing a specific's artifact age in relation to an absolute timestamp. (Must be newer/older than this timestamp). If relative comparison among artifacts is needed then yes, executor level age filtering is needed.
There was a problem hiding this comment.
^^ I think this is a good point.
There was a problem hiding this comment.
@akashsinghal, I agree, having the annotation based filtering in the CanVerify method would offer a clean solution for that part of the proposal. We could also define how to setup the filtering in a descriptive way in the Verifier configuration to enable external plugin to make use of this. Since the CanVerify method is implemented internally in the VerifierPlugin "verifier" in Ratify.
As for age based, I don't see a way without first pulling all the references and sorting them/placing them in some sort of heap to enable fast access to the latest artifact.
|
|
||
| ## Age Based Filtration | ||
|
|
||
| Assuming artifacts are generated by ORAS, they all have a `org.opencontainers.image.created` annotation, that markes the creation date of the artifact. Based on it, Ratify could filter out stale artifacts and only evaluate the latest image. To achieve this, Ratify would have to read all the referrers, ordering them based on the artifact age, and only pass the latest one to the corresponding verifier. |
There was a problem hiding this comment.
What happens when this annotation does not exist? What would be default behavior here?
What if the user has a custom annotation for time? Will there be a way to specify that?
There was a problem hiding this comment.
I think the default behavior should be regarding the artifact as the oldest.
As for custom annotations, that could be added to the proposal.
But as far as going with custom date time formatting, I think it is best to formally require the date value to be formatted in specific manner.
|
|
||
| ## Age Based Filtration | ||
|
|
||
| Assuming artifacts are generated by ORAS, they all have a `org.opencontainers.image.created` annotation, that markes the creation date of the artifact. Based on it, Ratify could filter out stale artifacts and only evaluate the latest image. To achieve this, Ratify would have to read all the referrers, ordering them based on the artifact age, and only pass the latest one to the corresponding verifier. |
There was a problem hiding this comment.
off topic but do we know if there are plans (in distribution spec) for registries to allow for annotation filtering?
asafalgawi
changed the title
|
@susanshi I've updated the proposal based on our conversation, also added two implementation proposal. a "simple" one which theoretically impacts Ratify's scalability, the second, a bit more complex, which affects Ratify executor design |
thanks for the updates and comparison between the two implementation methods. My understanding option1 is more straight forward, and given a 1k referrer list, there are no perf and memory concerns. Option 2 memory benefits is unclear. Major refactoring in the executor is risky, unless the refactoring improves code readability /allows for easier future maintaince/ aligns with the direction of ratify v2 executor change. @binbin-li , do you see for executor refactoring benefits for ratify v2? |
|
@asafalgawi , just a note, we are not a cncf sandbox project and there is a new requirement on DCO. You might need to squash the current commits and sign a new commit with the -s flag , |
Codecov ReportAll modified and coverable lines are covered by tests ✅ |
For this feature, I'd like to keep executor untouched. For v2 design, I plan to make executor just handle the core coordination among different components(policy, verifier, store). The last-n feature and possibly more filtering options sound more like a verifier feature, therefore executor is not a good place to handle it. |
|
@asafalgawi I agree with Susan and I think Option 1 seems like a better approach for now. If larger than 1k referrers becomes a user ask, we can revisit this. |
|
Great I'll start with a POC for option 1
Get Outlook for Android<https://aka.ms/AAb9ysg>
…________________________________
From: Akash Singhal ***@***.***>
Sent: Wednesday, October 16, 2024 8:36:54 PM
To: ratify-project/ratify ***@***.***>
Cc: Asaf Algawi ***@***.***>; Mention ***@***.***>
Subject: Re: [ratify-project/ratify] docs: Create proposal for verifying 'last-n' artifacts only. (PR #1797)
@asafalgawi<https://github.com/asafalgawi> I agree with Susan and I think Option 1 seems like a better approach for now. If larger than 1k referrers becomes a user ask, we can revisit this.
—
Reply to this email directly, view it on GitHub<#1797 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BCRNDOFRKWSDBXYYW4SNGNTZ32P3NAVCNFSM6AAAAABOC5QPAGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDIMJXGQ4DIOBUG4>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
…-project#1876) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump github.com/prometheus/client_golang from 1.20.4 to 1.20.5 (ratify-project#1877) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump vscode/devcontainers/go from `bdecb4c` to `46f85d1` in /.devcontainer (ratify-project#1879) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> feat: crl cache Signed-off-by: Juncheng Zhu <[email protected]> feat: crl cache 2 Signed-off-by: Juncheng Zhu <[email protected]> feat: crl provider Signed-off-by: Juncheng Zhu <[email protected]> feat: added interfaces Signed-off-by: Juncheng Zhu <[email protected]> feat: crl refactor Signed-off-by: Juncheng Zhu <[email protected]> feat: crl refactor Signed-off-by: Juncheng Zhu <[email protected]> feat: crl refactor Signed-off-by: Juncheng Zhu <[email protected]> feat: crl refactor Signed-off-by: Juncheng Zhu <[email protected]> feat: integrate crl to verifier Signed-off-by: Juncheng Zhu <[email protected]> feat: kmp revocationfactory refactor Signed-off-by: Juncheng Zhu <[email protected]> chore: bump up go version to 1.22.8 (ratify-project#1880) Signed-off-by: Binbin Li <[email protected]> Signed-off-by: Binbin Li <[email protected]> chore: Bump github.com/sigstore/sigstore from 1.8.9 to 1.8.10 (ratify-project#1878) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> docs: design proposal for tag and digest co-existing [ISSUE 1657] (ratify-project#1793) docs: add CRL Design (ratify-project#1789) Signed-off-by: Juncheng Zhu <[email protected]> docs: Create proposal for verifying 'last-n' artifacts only. (ratify-project#1797) Signed-off-by: Susan Shi <[email protected]> docs: nVersionCount support for KMP design doc (ratify-project#1831) Signed-off-by: Joshua Duffney <[email protected]> ci: retry trivy db update upon failure (ratify-project#1881) Signed-off-by: Binbin Li <[email protected]> chore: Bump anchore/sbom-action from 0.17.4 to 0.17.5 (ratify-project#1882) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> ci: fix tagging in publish-ghcr workflow (ratify-project#1884) Signed-off-by: Binbin Li <[email protected]> ci: retry trivy download-db on failure (ratify-project#1883) Signed-off-by: Binbin Li <[email protected]> chore: migrate azure-sdk-for-go/containerregistry to the latest release (ratify-project#1829) Signed-off-by: Shahram Kalantari <[email protected]> chore: Bump github/codeql-action from 3.26.13 to 3.27.0 (ratify-project#1887) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> feat: crl fetcher Signed-off-by: Juncheng Zhu <[email protected]> feat: crl fetcher Signed-off-by: Juncheng Zhu <[email protected]> feat: update bytesFetcher Signed-off-by: Juncheng Zhu <[email protected]> feat: crl provider Signed-off-by: Juncheng Zhu <[email protected]> feat: refactor the interface Signed-off-by: Juncheng Zhu <[email protected]> feat: integrate crl to verifier 2 Signed-off-by: Juncheng Zhu <[email protected]> feat: integrate crl to verifier 2 Signed-off-by: Juncheng Zhu <[email protected]> chore: update charts (ratify-project#1892) Signed-off-by: Juncheng Zhu <[email protected]> chore: Bump actions/checkout from 4.2.1 to 4.2.2 (ratify-project#1893) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump actions/setup-go from 5.0.2 to 5.1.0 (ratify-project#1894) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump k8s.io/apimachinery from 0.28.14 to 0.28.15 (ratify-project#1896) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump distroless/static from `26f9b99` to `3a03fc0` in /httpserver (ratify-project#1899) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump k8s.io/client-go from 0.28.14 to 0.28.15 (ratify-project#1897) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump anchore/sbom-action from 0.17.5 to 0.17.6 (ratify-project#1903) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> feat: allow service account annotations (ratify-project#1907) Signed-off-by: Maneesh Singh <[email protected]> feat: add interface for testing Signed-off-by: Juncheng Zhu <[email protected]> feat: implemented interface Signed-off-by: Juncheng Zhu <[email protected]> feat: implemented interface Signed-off-by: Juncheng Zhu <[email protected]> test: working on test cases Signed-off-by: Juncheng Zhu <[email protected]> test: working on test cases 2 Signed-off-by: Juncheng Zhu <[email protected]> test: working on test cases 3 Signed-off-by: Juncheng Zhu <[email protected]> refactor: add cache constructor into fetcher constructor Signed-off-by: Juncheng Zhu <[email protected]> refactor: add cache constructor into fetcher constructor 2 Signed-off-by: Juncheng Zhu <[email protected]> refactor: add cache constructor into fetcher constructor 3 Signed-off-by: Juncheng Zhu <[email protected]> test: add cache constructor into fetcher constructor Signed-off-by: Juncheng Zhu <[email protected]> test: add cache constructor into fetcher constructor 2 Signed-off-by: Juncheng Zhu <[email protected]>
…-project#1876) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump github.com/prometheus/client_golang from 1.20.4 to 1.20.5 (ratify-project#1877) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump vscode/devcontainers/go from `bdecb4c` to `46f85d1` in /.devcontainer (ratify-project#1879) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> feat: crl cache Signed-off-by: Juncheng Zhu <[email protected]> feat: crl cache 2 Signed-off-by: Juncheng Zhu <[email protected]> feat: crl provider Signed-off-by: Juncheng Zhu <[email protected]> feat: added interfaces Signed-off-by: Juncheng Zhu <[email protected]> feat: crl refactor Signed-off-by: Juncheng Zhu <[email protected]> feat: crl refactor Signed-off-by: Juncheng Zhu <[email protected]> feat: crl refactor Signed-off-by: Juncheng Zhu <[email protected]> feat: crl refactor Signed-off-by: Juncheng Zhu <[email protected]> feat: integrate crl to verifier Signed-off-by: Juncheng Zhu <[email protected]> feat: kmp revocationfactory refactor Signed-off-by: Juncheng Zhu <[email protected]> chore: bump up go version to 1.22.8 (ratify-project#1880) Signed-off-by: Binbin Li <[email protected]> Signed-off-by: Binbin Li <[email protected]> chore: Bump github.com/sigstore/sigstore from 1.8.9 to 1.8.10 (ratify-project#1878) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> docs: design proposal for tag and digest co-existing [ISSUE 1657] (ratify-project#1793) docs: add CRL Design (ratify-project#1789) Signed-off-by: Juncheng Zhu <[email protected]> docs: Create proposal for verifying 'last-n' artifacts only. (ratify-project#1797) Signed-off-by: Susan Shi <[email protected]> docs: nVersionCount support for KMP design doc (ratify-project#1831) Signed-off-by: Joshua Duffney <[email protected]> ci: retry trivy db update upon failure (ratify-project#1881) Signed-off-by: Binbin Li <[email protected]> chore: Bump anchore/sbom-action from 0.17.4 to 0.17.5 (ratify-project#1882) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> ci: fix tagging in publish-ghcr workflow (ratify-project#1884) Signed-off-by: Binbin Li <[email protected]> ci: retry trivy download-db on failure (ratify-project#1883) Signed-off-by: Binbin Li <[email protected]> chore: migrate azure-sdk-for-go/containerregistry to the latest release (ratify-project#1829) Signed-off-by: Shahram Kalantari <[email protected]> chore: Bump github/codeql-action from 3.26.13 to 3.27.0 (ratify-project#1887) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> feat: crl fetcher Signed-off-by: Juncheng Zhu <[email protected]> feat: crl fetcher Signed-off-by: Juncheng Zhu <[email protected]> feat: update bytesFetcher Signed-off-by: Juncheng Zhu <[email protected]> feat: crl provider Signed-off-by: Juncheng Zhu <[email protected]> feat: refactor the interface Signed-off-by: Juncheng Zhu <[email protected]> feat: integrate crl to verifier 2 Signed-off-by: Juncheng Zhu <[email protected]> feat: integrate crl to verifier 2 Signed-off-by: Juncheng Zhu <[email protected]> chore: update charts (ratify-project#1892) Signed-off-by: Juncheng Zhu <[email protected]> chore: Bump actions/checkout from 4.2.1 to 4.2.2 (ratify-project#1893) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump actions/setup-go from 5.0.2 to 5.1.0 (ratify-project#1894) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump k8s.io/apimachinery from 0.28.14 to 0.28.15 (ratify-project#1896) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump distroless/static from `26f9b99` to `3a03fc0` in /httpserver (ratify-project#1899) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump k8s.io/client-go from 0.28.14 to 0.28.15 (ratify-project#1897) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump anchore/sbom-action from 0.17.5 to 0.17.6 (ratify-project#1903) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> feat: allow service account annotations (ratify-project#1907) Signed-off-by: Maneesh Singh <[email protected]> feat: add interface for testing Signed-off-by: Juncheng Zhu <[email protected]> feat: implemented interface Signed-off-by: Juncheng Zhu <[email protected]> feat: implemented interface Signed-off-by: Juncheng Zhu <[email protected]> test: working on test cases Signed-off-by: Juncheng Zhu <[email protected]> test: working on test cases 2 Signed-off-by: Juncheng Zhu <[email protected]> test: working on test cases 3 Signed-off-by: Juncheng Zhu <[email protected]> refactor: add cache constructor into fetcher constructor Signed-off-by: Juncheng Zhu <[email protected]> refactor: add cache constructor into fetcher constructor 2 Signed-off-by: Juncheng Zhu <[email protected]> refactor: add cache constructor into fetcher constructor 3 Signed-off-by: Juncheng Zhu <[email protected]> test: add cache constructor into fetcher constructor Signed-off-by: Juncheng Zhu <[email protected]> test: add cache constructor into fetcher constructor 2 Signed-off-by: Juncheng Zhu <[email protected]> feat: kmprevocationfactory impl 1 Signed-off-by: Juncheng Zhu <[email protected]> chore: Bump github.com/aws/aws-sdk-go-v2 from 1.32.2 to 1.32.3 (ratify-project#1912) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.41 to 1.17.42 (ratify-project#1911) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump github.com/AzureAD/microsoft-authentication-library-for-go from 1.2.2 to 1.2.3 (ratify-project#1910) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump anchore/sbom-action from 0.17.6 to 0.17.7 (ratify-project#1915) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (ratify-project#1916) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> feat: support enabled status for kmp keys/certs (ratify-project#1874) Signed-off-by: Joshua Duffney <[email protected]> ci: add cron job to cache trivy db (ratify-project#1918) Signed-off-by: Binbin Li <[email protected]> fix: fix the conditional check on update-trivy-cache job (ratify-project#1919) Signed-off-by: Binbin Li <[email protected]> feat: add support for crl basic functionality with built-in cache (ratify-project#1890) Signed-off-by: Juncheng Zhu <[email protected]> Co-authored-by: Binbin Li <[email protected]> chore: Bump goreleaser/goreleaser-action from 6.0.0 to 6.1.0 (ratify-project#1920) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump github/codeql-action from 3.27.0 to 3.27.1 (ratify-project#1922) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.42 to 1.17.44 (ratify-project#1923) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump golang from `0ca97f4` to `4cfe4a9` in /httpserver (ratify-project#1925) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump github/codeql-action from 3.27.1 to 3.27.3 (ratify-project#1926) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> feat: support alibaba cloud rrsa store auth provider (ratify-project#1909) Signed-off-by: dahu.kdh <[email protected]> feat: kmprevocationfactory impl 3 Signed-off-by: Juncheng Zhu <[email protected]> feat: kmprevocationfactory impl Signed-off-by: Juncheng Zhu <[email protected]> feat: kmprevocationfactory impl 2 Signed-off-by: Juncheng Zhu <[email protected]> feat: kmprevocationfactory impl 3 Signed-off-by: Juncheng Zhu <[email protected]> feat: kmprevocationfactory impl 4 Signed-off-by: Juncheng Zhu <[email protected]> feat: kmprevocationfactory impl 5 Signed-off-by: Juncheng Zhu <[email protected]> chore: kmprevocationfactory reform Signed-off-by: Juncheng Zhu <[email protected]> feat: update implementations Signed-off-by: Juncheng Zhu <[email protected]> feat: update implementations 2 Signed-off-by: Juncheng Zhu <[email protected]> feat: update implementations 3 Signed-off-by: Juncheng Zhu <[email protected]> feat: update implementations 4 Signed-off-by: Juncheng Zhu <[email protected]> feat: update implementations 5 Signed-off-by: Juncheng Zhu <[email protected]> feat: update implementations 6 Signed-off-by: Juncheng Zhu <[email protected]> feat: update implementations 7 Signed-off-by: Juncheng Zhu <[email protected]> feat: update implementations 8 Signed-off-by: Juncheng Zhu <[email protected]> chore: Bump github/codeql-action from 3.27.3 to 3.27.4 (ratify-project#1929) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump alpine from `beefdbd` to `1e42bbe` (ratify-project#1937) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump golang from `4cfe4a9` to `147f428` in /httpserver (ratify-project#1936) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump distroless/static from `3a03fc0` to `d71f4b2` in /httpserver (ratify-project#1935) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump github.com/aliyun/credentials-go from 1.3.10 to 1.3.11 (ratify-project#1934) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.44 to 1.17.45 (ratify-project#1933) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump codecov/codecov-action from 4.6.0 to 5.0.2 (ratify-project#1932) Signed-off-by: dependabot[bot] <[email protected]> chore: Replace deprecated autorest SDK with azidentity (ratify-project#1904) Signed-off-by: Shahram Kalantari <[email protected]> chore: Bump step-security/harden-runner from 2.10.1 to 2.10.2 (ratify-project#1938) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump codecov/codecov-action from 5.0.2 to 5.0.4 (ratify-project#1939) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump codecov/codecov-action from 5.0.4 to 5.0.7 (ratify-project#1946) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump github/codeql-action from 3.27.4 to 3.27.5 (ratify-project#1945) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump anchore/sbom-action from 0.17.7 to 0.17.8 (ratify-project#1948) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.45 to 1.17.46 (ratify-project#1953) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> fix: add missing pod annotations and labels to deployment spec (ratify-project#1949) Signed-off-by: akashsinghal <[email protected]> chore: revert changes in AKV KMP provider Signed-off-by: Juncheng Zhu <[email protected]> chore: add more comments Signed-off-by: Juncheng Zhu <[email protected]> chore: add more comments and fix Signed-off-by: Juncheng Zhu <[email protected]> chore: update logging Signed-off-by: Juncheng Zhu <[email protected]> chore: update test Signed-off-by: Juncheng Zhu <[email protected]> chore: update test 2 Signed-off-by: Juncheng Zhu <[email protected]> chore: limited changes 3 Signed-off-by: Juncheng Zhu <[email protected]> chore: more changes applied Signed-off-by: Juncheng Zhu <[email protected]> chore: Bump github.com/sigstore/rekor from 1.3.6 to 1.3.7 (ratify-project#1952) Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Susan Shi <[email protected]> Signed-off-by: Binbin Li <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: bump up golangci-lint version (ratify-project#1961) Signed-off-by: Binbin Li <[email protected]> fix(tls): allowing TLS when crd-manager disabled (ratify-project#1954) Signed-off-by: Jordan Langue <[email protected]> chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.28.3 to 1.28.6 (ratify-project#1957) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: Bump distroless/static from `d71f4b2` to `6cd937e` in /httpserver (ratify-project#1960) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: fix go-lint Signed-off-by: Juncheng Zhu <[email protected]> chore: improve codecov Signed-off-by: Juncheng Zhu <[email protected]> chore: fix golint Signed-off-by: Juncheng Zhu <[email protected]> chore: remove the CRL Cache in truststore Signed-off-by: Juncheng Zhu <[email protected]> chore: renaming func Signed-off-by: Juncheng Zhu <[email protected]> chore: fix 1 Signed-off-by: Juncheng Zhu <[email protected]> chore: fix 2 Signed-off-by: Juncheng Zhu <[email protected]> chore: Bump github/codeql-action from 3.27.5 to 3.27.6 (ratify-project#1963) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> chore: add more test case Signed-off-by: Juncheng Zhu <[email protected]> chore: fix golint Signed-off-by: Juncheng Zhu <[email protected]> chore: fix codecov Signed-off-by: Juncheng Zhu <[email protected]> chore: fix context reference Signed-off-by: Juncheng Zhu <[email protected]> chore: fix golint Signed-off-by: Juncheng Zhu <[email protected]> build: add image signing for all release images (ratify-project#1947) Signed-off-by: Akash Singhal <[email protected]> chore: Bump golang from `73f06be` to `574185e` in /httpserver (ratify-project#1973) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Description
What this PR does / why we need it:
This PR adds a proposal for filtering artifacts based on their annotations before forwarding them to verification by one of the configured verifiers.]
The PR refers to issue #1772
Type of change
Added document to proposal directory.