Feature Request: Update policy verify-image-signatures to support certificates
Is your feature request related to a problem?
Support for policies based on single public keys will be difficult to manage, especially in larger deployments where there may be many code signing keys/certificates.
Solution you'd like
Enhance the verify-image-signatures plugin to support both certificates and certificate chains.
An example policy could be:

```yaml
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: verify-image-signatures-policy
spec:
  module: registry://ghcr.io/kubewarden/policies/verify-image-signatures:v0.1.7
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations:
        - CREATE
        - UPDATE
  mutating: true
  settings:
    signatures:
      - image: "*" # match all tags
        cert:
          - "-----BEGIN CERTIFICATE-----..."
```
This could also be extended to support a policy where you specify a CA chain, and any code signing certificates trusted by that chain could be used to validate the policy.
Alternatives you've considered
No response
Anything else?
No response
Linked issues:
- #40
- kubewarden/policy-evaluator#200
- kubewarden/policy-evaluator#207
- sigstore/sigstore-rs#157
- kubewarden/policy-server#366
- kubewarden/kwctl#350
- #44
- #45
- Tag new release of Policy Server
- Update helm charts to consume new Policy Server
- Tag new release of kwctl
- kubewarden/kubewarden.io#152
- kubewarden/docs#155
Wrongly closed by GH issue automation, there's still a check to perform.
Everything is out. Starting from kubewarden 1.4.0 and verify-image-signatures v0.2.0 it's possible to perform certificate-based verification.
@zosocanuck: thanks for having submitted this feature request. Let us know if there's anything we need to improve.
@flavio Thanks.
I'm getting this error now after deploying an updated certificate chain policy:
```text
2022-12-05T17:55:25.694219Z ERROR policy_server::worker_pool: cannot validate policy settings error=[clusterwide-verify-image-signatures-policy] settings are not valid: Some("Error invoking settings validation callback: GuestCallFailure(\"Error decoding validation payload {\\\"signatures\\\":[{\\\"certificateChain\\\":[\\\"-----BEGIN CERTIFICATE-----\\\\nMIIDjTCCAnWgAwIBAgIQb8yUrbw3aYZAubIjOJkFBjANBgkqhkiG9w0BAQsFADBZ\\\\nMRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKdmVuYWZpZGVt\\\\nbzEmMCQGA1UEAxMddmVuYWZpZGVtby1FQzJBTUFaLVFOSVI4OUktQ0EwHhcNMjAx\\\\nMjE0MjEzNzAzWhcNMjUxMjE0MjE0NzAzWjBZMRMwEQYKCZImiZPyLGQBGRYDY29t\\\\nMRowGAYKCZImiZPyLGQBGRYKdmVuYWZpZGVtbzEmMCQGA1UEAxMddmVuYWZpZGVt\\\\nby1FQzJBTUFaLVFOSVI4OUktQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\\\\nAoIBAQC5CTVQczGnh77yNxq+BGh5ff0qNcRTkFll+y8lJbMPHevebF7JLWBQTGS7\\\\n9aHIqUQLjy9sPOkdMrDh/vOZNVhVrHon9uwepF81dUMJ9lMbfQSI/tytp78f0z6b\\\\nDVRHYZr/taYSkqNPT2FuHOijc7Y+oB3Q1DzPSoBc3a6I5DM6ET6O2GZWo3mqpImG\\\\nJ8+dNllYgjVKEuxuPqQjT7VD4fB2GqJbwwL0E8bSyfsgMV9Y+qHdznkm8v+TbYoc\\\\n9uS83f1fjjp98D7VtWpSC4O/27JWgEED/BB58sOipUQHiECr6dD5VWGJ9fnVOV2i\\\\nvHqj9cKS6BGMkAh99ss0Bu/3DEBxAgMBAAGjUTBPMAsGA1UdDwQEAwIBhjAPBgNV\\\\nHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTuZecNgrj3Gdv9XpekFZuIkYtu9jAQBgkr\\\\nBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQsFAAOCAQEADPNrGypaKliXJ+H7gt6b\\\\nNJSBdWB9EV63CdvxjLOuqvp3IUu8KIV2mMsulEjxjAb5kya0SURJVFvr9rrLVxvR\\\\ne6B2SJUGUKJkX1Cq4nIthwGfJTEnypYhqMKkfUYjqfszU+1CerRD2ZTJHeKZsc7M\\\\nGdxLXeocztZ220idf6uDYeNLnGLBfkodEgFV0RmrlnHQYQdRqj3hjClLAkNqKVrz\\\\nrxNyyQvgaswK+4kHAPQhv+ipx4Q0eeROpp3prJ+dD0hhk8niQSKWQWZHyElhzIKv\\\\nFlDw3fzPhtberBblY4Y9u525ev999SogMBTXoSkfajRR2ol10xUxY60kVbqoEUln\\\\nkA==\\\\n-----END CERTIFICATE-----\\\\n\\\"],\\\"certificates\\\":[\\\"-----BEGIN CERTIFICATE-----\\\\nMIIFHzCCBAegAwIBAgITKAAABTyFoQHCB5qI1gAAAAAFPDANBgkqhkiG9w0BAQsF\\\\nADBZMRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKdmVuYWZp\\\\nZGVtbzEmMCQGA1UEAxMddmVuYWZpZGVtby1FQzJBTUFaLVFOSVI4OUktQ0EwHhcN\\\\nMjEwODE3MTc0MjUwWhcNMjMwODE3MTc0MjUwWjB/MQswCQYDVQQGEwJVUzELMAkG\\\\nA1UECBMCQ0ExETAPBgNVBAcTCFNhbiBKb3NlMRUwEwYDVQQKEwxWZW5hZmksIElu\\\\nYy4xHDAaBgNVBAsTE1NvbHV0aW9uIEFyY2hpdGVjdHMxGzAZBgNVBAMTEmRldi52\\\\nZW5hZmlkZW1vLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMslgJPVmgPT\\\\npHmXxlJ71uDW/D4X+Oad69SI3QSyJG2Mau2Uso/WA4obJg76w3OGwIo4AMf0QMpd\\\\nLtxJQbq1y32jggKDMIICfzAdBgNVHQ4EFgQU4LcP3TFSH62zjZ65tsQEB0Ihc44w\\\\nHwYDVR0jBBgwFoAU7mXnDYK49xnb/V6XpBWbiJGLbvYwgeYGA1UdHwSB3jCB2zCB\\\\n2KCB1aCB0oaBz2xkYXA6Ly8vQ049dmVuYWZpZGVtby1FQzJBTUFaLVFOSVI4OUkt\\\\nQ0EsQ049RUMyQU1BWi1RTklSODlJLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBT\\\\nZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXZlbmFmaWRl\\\\nbW8sREM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RD\\\\nbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCB0gYIKwYBBQUHAQEEgcUwgcIwgb8G\\\\nCCsGAQUFBzAChoGybGRhcDovLy9DTj12ZW5hZmlkZW1vLUVDMkFNQVotUU5JUjg5\\\\nSS1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2Vydmlj\\\\nZXMsQ049Q29uZmlndXJhdGlvbixEQz12ZW5hZmlkZW1vLERDPWNvbT9jQUNlcnRp\\\\nZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTAO\\\\nBgNVHQ8BAf8EBAMCB4AwPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGCNxUIh6eGAIOy\\\\n4l6HwZszgr7vKoOll2o9gYmLFISoj2UCAWQCAQUwEwYDVR0lBAwwCgYIKwYBBQUH\\\\nAwMwGwYJKwYBBAGCNxUKBA4wDDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOC\\\\nAQEAQyiVNlQXXMHD3ioA7XpLvjZqVPRWZhWm3cJFF5mrTSNeIOH0RYOODH1xZGoH\\\\nAWBDH05ijjdZwXVNBcOooyx5iTCDaN7HyCPgWhfBUaBduOmcolm51SF0SRR9GInn\\\\n5LNVgba/zGTWNfE+qyfFbKD4sk6Fx2MV+EJEzSfAuPKrMRdMFUUoz0dqUBuazpIg\\\\nBWQnWymu+T4sf/45EEgcoI2S+62q4n4IXxrJ1C7L8XilSTfHMsAxDeOIKACCiT3J\\\\nQS/ByXiWKjW38XZTw/zdT9J4YNksdY0iasEtXAYh1QiJ/3JYTghd8suAxAZW7ERB\\\\n/Dh0ED3NV1wzYgERbM5239WMhQ==\\\\n-----END CERTIFICATE-----\\\\n\\\"],\\\"image\\\":\\\"ghcr.io/zosocanuck/*\\\"}]}: Error(\\\"data did not match any variant of untagged enum Signature\\\", line: 1, column: 3276)\")")
2022-12-05T17:55:25.694297Z ERROR policy_server: [clusterwide-verify-image-signatures-policy] settings are not valid: Some("Error invoking settings validation callback: GuestCallFailure(\"Error decoding validation payload {\\\"signatures\\\":[{\\\"certificateChain\\\":[\\\"-----BEGIN CERTIFICATE-----\\\\nMIIDjTCCAnWgAwIBAgIQb8yUrbw3aYZAubIjOJkFBjANBgkqhkiG9w0BAQsFADBZ\\\\nMRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKdmVuYWZpZGVt\\\\nbzEmMCQGA1UEAxMddmVuYWZpZGVtby1FQzJBTUFaLVFOSVI4OUktQ0EwHhcNMjAx\\\\nMjE0MjEzNzAzWhcNMjUxMjE0MjE0NzAzWjBZMRMwEQYKCZImiZPyLGQBGRYDY29t\\\\nMRowGAYKCZImiZPyLGQBGRYKdmVuYWZpZGVtbzEmMCQGA1UEAxMddmVuYWZpZGVt\\\\nby1FQzJBTUFaLVFOSVI4OUktQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\\\\nAoIBAQC5CTVQczGnh77yNxq+BGh5ff0qNcRTkFll+y8lJbMPHevebF7JLWBQTGS7\\\\n9aHIqUQLjy9sPOkdMrDh/vOZNVhVrHon9uwepF81dUMJ9lMbfQSI/tytp78f0z6b\\\\nDVRHYZr/taYSkqNPT2FuHOijc7Y+oB3Q1DzPSoBc3a6I5DM6ET6O2GZWo3mqpImG\\\\nJ8+dNllYgjVKEuxuPqQjT7VD4fB2GqJbwwL0E8bSyfsgMV9Y+qHdznkm8v+TbYoc\\\\n9uS83f1fjjp98D7VtWpSC4O/27JWgEED/BB58sOipUQHiECr6dD5VWGJ9fnVOV2i\\\\nvHqj9cKS6BGMkAh99ss0Bu/3DEBxAgMBAAGjUTBPMAsGA1UdDwQEAwIBhjAPBgNV\\\\nHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTuZecNgrj3Gdv9XpekFZuIkYtu9jAQBgkr\\\\nBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQsFAAOCAQEADPNrGypaKliXJ+H7gt6b\\\\nNJSBdWB9EV63CdvxjLOuqvp3IUu8KIV2mMsulEjxjAb5kya0SURJVFvr9rrLVxvR\\\\ne6B2SJUGUKJkX1Cq4nIthwGfJTEnypYhqMKkfUYjqfszU+1CerRD2ZTJHeKZsc7M\\\\nGdxLXeocztZ220idf6uDYeNLnGLBfkodEgFV0RmrlnHQYQdRqj3hjClLAkNqKVrz\\\\nrxNyyQvgaswK+4kHAPQhv+ipx4Q0eeROpp3prJ+dD0hhk8niQSKWQWZHyElhzIKv\\\\nFlDw3fzPhtberBblY4Y9u525ev999SogMBTXoSkfajRR2ol10xUxY60kVbqoEUln\\\\nkA==\\\\n-----END CERTIFICATE-----\\\\n\\\"],\\\"certificates\\\":[\\\"-----BEGIN CERTIFICATE-----\\\\nMIIFHzCCBAegAwIBAgITKAAABTyFoQHCB5qI1gAAAAAFPDANBgkqhkiG9w0BAQsF\\\\nADBZMRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKdmVuYWZp\\\\nZGVtbzEmMCQGA1UEAxMddmVuYWZpZGVtby1FQzJBTUFaLVFOSVI4OUktQ0EwHhcN\\\\nMjEwODE3MTc0MjUwWhcNMjMwODE3MTc0MjUwWjB/MQswCQYDVQQGEwJVUzELMAkG\\\\nA1UECBMCQ0ExETAPBgNVBAcTCFNhbiBKb3NlMRUwEwYDVQQKEwxWZW5hZmksIElu\\\\nYy4xHDAaBgNVBAsTE1NvbHV0aW9uIEFyY2hpdGVjdHMxGzAZBgNVBAMTEmRldi52\\\\nZW5hZmlkZW1vLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMslgJPVmgPT\\\\npHmXxlJ71uDW/D4X+Oad69SI3QSyJG2Mau2Uso/WA4obJg76w3OGwIo4AMf0QMpd\\\\nLtxJQbq1y32jggKDMIICfzAdBgNVHQ4EFgQU4LcP3TFSH62zjZ65tsQEB0Ihc44w\\\\nHwYDVR0jBBgwFoAU7mXnDYK49xnb/V6XpBWbiJGLbvYwgeYGA1UdHwSB3jCB2zCB\\\\n2KCB1aCB0oaBz2xkYXA6Ly8vQ049dmVuYWZpZGVtby1FQzJBTUFaLVFOSVI4OUkt\\\\nQ0EsQ049RUMyQU1BWi1RTklSODlJLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBT\\\\nZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPXZlbmFmaWRl\\\\nbW8sREM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RD\\\\nbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCB0gYIKwYBBQUHAQEEgcUwgcIwgb8G\\\\nCCsGAQUFBzAChoGybGRhcDovLy9DTj12ZW5hZmlkZW1vLUVDMkFNQVotUU5JUjg5\\\\nSS1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2Vydmlj\\\\nZXMsQ049Q29uZmlndXJhdGlvbixEQz12ZW5hZmlkZW1vLERDPWNvbT9jQUNlcnRp\\\\nZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTAO\\\\nBgNVHQ8BAf8EBAMCB4AwPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGCNxUIh6eGAIOy\\\\n4l6HwZszgr7vKoOll2o9gYmLFISoj2UCAWQCAQUwEwYDVR0lBAwwCgYIKwYBBQUH\\\\nAwMwGwYJKwYBBAGCNxUKBA4wDDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOC\\\\nAQEAQyiVNlQXXMHD3ioA7XpLvjZqVPRWZhWm3cJFF5mrTSNeIOH0RYOODH1xZGoH\\\\nAWBDH05ijjdZwXVNBcOooyx5iTCDaN7HyCPgWhfBUaBduOmcolm51SF0SRR9GInn\\\\n5LNVgba/zGTWNfE+qyfFbKD4sk6Fx2MV+EJEzSfAuPKrMRdMFUUoz0dqUBuazpIg\\\\nBWQnWymu+T4sf/45EEgcoI2S+62q4n4IXxrJ1C7L8XilSTfHMsAxDeOIKACCiT3J\\\\nQS/ByXiWKjW38XZTw/zdT9J4YNksdY0iasEtXAYh1QiJ/3JYTghd8suAxAZW7ERB\\\\n/Dh0ED3NV1wzYgERbM5239WMhQ==\\\\n-----END CERTIFICATE-----\\\\n\\\"],\\\"image\\\":\\\"ghcr.io/zosocanuck/*\\\"}]}: Error(\\\"data did not match any variant of untagged enum Signature\\\", line: 1, column: 3276)\")")
```
```yaml
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: verify-image-signatures-policy
spec:
  module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.0
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations:
        - CREATE
        - UPDATE
  mutating: true
  settings:
    signatures:
      - image: "ghcr.io/zosocanuck/*" # match all tags
        certificates:
          - |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
        certificateChain:
          - |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
```
On further troubleshooting it turns out the policy was failing due to the following missing policy:

```yaml
requireRekorBundle: false
```
We could make `requireRekorBundle` optional, and set it to either `true` or `false` by default. However, I think this is a security-sensitive detail the user must provide. Hence the decision to not make it optional.
We can talk more about that if you think this should be made optional.
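To show why the settings above were rejected with "data did not match any variant of untagged enum Signature" and why adding `requireRekorBundle` fixes it, here is an added Python model of serde's untagged-enum matching; it is an illustration, not the policy's own Rust code. The Certificate variant's fields (`image`, `certificates`, `certificateChain`, `requireRekorBundle`) come from this thread; the PubKeys variant (`image` + `pubKeys`) and the assumption that unknown extra fields are ignored (serde's default) are mine.

```python
from typing import Any, Dict, List, Optional, Set, Tuple

# Variants of the Signature enum and the fields each one requires.
# Certificate comes from this thread; PubKeys is assumed for contrast.
# Extra fields are ignored, as serde does unless deny_unknown_fields is set
# (assumption about the policy's struct).
SIGNATURE_VARIANTS: List[Tuple[str, Set[str]]] = [
    ("PubKeys", {"image", "pubKeys"}),
    ("Certificate", {"image", "certificates", "requireRekorBundle"}),
]


def match_variant(entry: Dict[str, Any]) -> Optional[str]:
    """Untagged matching: the first variant whose required fields are all present wins."""
    present = set(entry)
    for name, required in SIGNATURE_VARIANTS:
        if required <= present:
            return name
    return None


def missing_fields(entry: Dict[str, Any]) -> Dict[str, List[str]]:
    """Explain a non-match: which required field(s) each variant lacks.

    The serde error names no field, so this is the check an operator wants."""
    present = set(entry)
    return {name: sorted(required - present) for name, required in SIGNATURE_VARIANTS}


def settings_error(settings: Dict[str, Any]) -> Optional[str]:
    """Return the error the policy would report for these settings, or None if they decode."""
    for i, entry in enumerate(settings.get("signatures", [])):
        if match_variant(entry) is None:
            return f"signatures[{i}]: data did not match any variant of untagged enum Signature"
    return None


# Constructed stand-in for the settings posted above (PEM bodies elided).
BROKEN = {"signatures": [{
    "image": "ghcr.io/zosocanuck/*",
    "certificates": ["-----BEGIN CERTIFICATE-----..."],
    "certificateChain": ["-----BEGIN CERTIFICATE-----..."],
}]}
# Same entry with the setting that was missing.
FIXED = {"signatures": [dict(BROKEN["signatures"][0], requireRekorBundle=False)]}

if __name__ == "__main__":
    print("broken:", settings_error(BROKEN), missing_fields(BROKEN["signatures"][0]))
    print("fixed:", settings_error(FIXED), "->", match_variant(FIXED["signatures"][0]))
```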