Connaisseur should stop checking trusted roots after meeting threshold of valid answers
shani-e opened this issue · 2 comments
Describe the bug
If an image is signed with a specific public key and the threshold is set to 1, Connaisseur will continue to check all trusted roots even if the answer is already valid in the first trusted root and the threshold is met.
This results in a lot of unnecessary log messages that can make it difficult to understand what's happening.
For instance, suppose you have two trusted roots defined in your validators configuration: key1 and key2, with a threshold of 1 specified in the policy configuration.
If you try to deploy an image that is signed with key1, Connaisseur should only check key1 and stop there, without checking key2 or generating log messages about it.
By only checking the relevant trusted roots that are tied to the image validators specified in the policy configuration, Connaisseur can reduce the number of log messages and improve its performance.
I believe that this feature would greatly improve Connaisseur's usability, and we request that Connaisseur should only check relevant trusted roots when validating images.
Expected behavior
In this configuration:
validators:
- name: default
  type: cosign
  trust_roots:
  - name: key1
    key: awskms:///arn:aws:kms:eu-central-1:11111111:alias/key1
  - name: key2
    key: awskms:///arn:aws:kms:eu-central-1:11111111:alias/key2
policy:
- pattern: "*:*"
  validator: default
  with:
    trust_root: "*"
    threshold: 1
If you try to deploy an image that is signed with key1, Connaisseur should only check key1 and stop there, without checking key2 or generating log messages about it.
But right now the logs show:
[2023-03-28 09:34:19,279] INFO: COSIGN output of trust root 'key2' for image'docker-registry.com:/shani/shani-tests:test': RETURNCODE: 1; STDOUT: ; STDERR: Error: no matching signatures:
invalid signature when validating ASN.1 encoded signature
main.go:62: error during command execution: no matching signatures:
invalid signature when validating ASN.1 encoded signature
[2023-03-28 09:34:19,280] INFO: {'message': 'Failed to verify signature of trust data.', 'context': {'trust_data_type': 'dev.cosignproject.cosign/signature', 'stderr': 'Error: no matching signatures:\ninvalid signature when validating ASN.1 encoded signature\nmain.go:62: error during command execution: no matching signatures:\ninvalid signature when validating ASN.1 encoded signature\n', 'image': 'docker-registry.com:/shani/shani-tests:test', 'trust_root': 'key2', 'detection_mode': False}}
[2023-03-28 09:34:19,297] INFO: COSIGN output of trust root 'key1' for image'docker-registry.com:/shani/shani-tests:test': RETURNCODE: 0; STDOUT: {"critical":{"identity":{"docker-reference":"docker-registry.com:/shani/shani-tests:test"},"image":{"docker-manifest-digest":"sha256:6b7c4a1779437c9815b021fsdfsdfsd2759b0c38842b17aef7f710f66"},"type":"cosign container image signature"},"optional":null}
; STDERR:
Verification for docker-registry.com:/shani/shani-tests:test --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
[2023-03-28 09:34:19,298] INFO: {'message': 'successful verification of image "docker-registry.com:/shani/shani-tests:test"', 'context': {'user': 'kubernetes-admin', 'operation': 'CREATE', 'kind': 'Pod', 'name': 'connisseur-test-shani', 'namespace': 'connaisseur-tests', 'image': 'docker-registry.com:/shani/shani-tests:test'}}
[2023-03-28 09:34:19,299] INFO: 10.156.11.18 - - [28/Mar/2023 09:34:19] "POST /mutate?timeout=30s HTTP/1.1" 200 -
- kubectl version aws:zooz-dev
  Client Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.0", GitCommit:"c2b5237ccd9c0f1d600d3072634ca66cefdf272f", GitTreeState:"clean", BuildDate:"2021-08-04T18:03:20Z", GoVersion:"go1.16.6", Compiler:"gc", Platform:"darwin/arm64"}
- k8s version v1.19.15-eks-9c63c4
- Connaisseur: v2.7.0
- Other: cosign signer
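The short-circuit behaviour the issue asks for, as an added Python example that is not Connaisseur's own code: trust roots are consulted in the configured order and validation returns as soon as `threshold` of them accept the signature, so with the two-root configuration above an image signed only with key1 never produces a key2 log line. `make_verifier` is a constructed stand-in for the cosign call, and the image name and signature sets are constructed sample data.

```python
from typing import Callable, Dict, List, Set, Tuple

# Constructed stand-in for the issue's validator config: trust root name -> key reference.
TRUST_ROOTS: Dict[str, str] = {
    "key1": "awskms:///arn:aws:kms:eu-central-1:11111111:alias/key1",
    "key2": "awskms:///arn:aws:kms:eu-central-1:11111111:alias/key2",
}

def select_trust_roots(configured: Dict[str, str], requested: str) -> List[str]:
    """Resolve the policy's `trust_root` field: "*" selects every configured root,
    any other value must name exactly one configured root."""
    if requested == "*":
        return list(configured)
    if requested not in configured:
        raise KeyError(f"unknown trust root {requested!r}")
    return [requested]

def make_verifier(signed_by: Dict[str, Set[str]]) -> Callable[[str, str, str], bool]:
    """Constructed stand-in for `cosign verify --key <key_ref> <image>`: the check
    passes only if the image carries a signature made with that root's key."""
    def verify(image: str, root_name: str, key_ref: str) -> bool:
        return root_name in signed_by.get(image, set())
    return verify

def validate_with_threshold(
    image: str, configured: Dict[str, str], requested: str, threshold: int,
    verify: Callable[[str, str, str], bool],
) -> Tuple[bool, List[str], List[str]]:
    """Consult trust roots one at a time and stop as soon as `threshold` of them
    accept the signature. Returns (admitted, roots_actually_checked, log_lines)."""
    roots = select_trust_roots(configured, requested)
    if not 1 <= threshold <= len(roots):
        raise ValueError(f"threshold {threshold} not satisfiable by {len(roots)} trust root(s)")
    valid, checked, log = 0, [], []
    for name in roots:
        checked.append(name)
        if verify(image, name, configured[name]):
            valid += 1
            log.append(f"trust root {name!r}: signature valid ({valid}/{threshold})")
            if valid >= threshold:
                return True, checked, log  # remaining roots are never consulted or logged
        else:
            log.append(f"trust root {name!r}: no matching signatures")
    return False, checked, log

if __name__ == "__main__":
    verify = make_verifier({"registry.example/app:test": {"key1"}})  # constructed: signed with key1 only
    admitted, checked, log = validate_with_threshold("registry.example/app:test", TRUST_ROOTS, "*", 1, verify)
    print(admitted, checked, *log, sep="\n")
```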
Any update? :(
I will look into it later this week