feat: regexp support for sigstore bundle (kyverno#10901)

Signed-off-by: Vishal Choudhary <[email protected]>
TnGadaria · Aug 21, 2024 · 4287f8c · 4287f8c
1 parent 39e5808
commit 4287f8c
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 12 deletions.
diff --git a/pkg/cosign/sigstore.go b/pkg/cosign/sigstore.go
@@ -185,17 +185,7 @@ func buildPolicy(desc *v1.Descriptor, opts images.Options) (verify.PolicyBuilder
 	}
 	artifactDigestVerificationOption := verify.WithArtifactDigest(desc.Digest.Algorithm, digest)
 
-	// TODO: Add full regexp support to sigstore and cosign
-	// Verify images only has subject field, and no subject regexp, subject cannot be passed to subject regexp
-	// because then string containing the subjects will also work. We should just add an issuer regexp
-	// Solve this in a separate PR,
-	// See: https://github.com/sigstore/cosign/blob/7c20052077a81d667526af879ec40168899dde1f/pkg/cosign/verify.go#L339-L356
-	subjectRegexp := ""
-	if strings.Contains(opts.Subject, "*") {
-		subjectRegexp = opts.Subject
-		opts.Subject = ""
-	}
-	id, err := verify.NewShortCertificateIdentity(opts.Issuer, opts.Subject, "", subjectRegexp)
+	id, err := verify.NewShortCertificateIdentity(opts.Issuer, opts.Subject, "", opts.SubjectRegExp)
 	if err != nil {
 		return verify.PolicyBuilder{}, err
 	}

diff --git a/.../verifyImages/clusterpolicy/standard/sigstore-attestation-verification-regexp/policy.yaml b/.../verifyImages/clusterpolicy/standard/sigstore-attestation-verification-regexp/policy.yaml
@@ -24,7 +24,7 @@ spec:
         - entries:
           - keyless:
               issuer: https://token.actions.githubusercontent.com
-              subject: https://github.com/vishal-chdhry/artifact-attestation-example/.github/workflows/*
+              subjectRegExp: https://github.com/vishal-chdhry/artifact-attestation-example/.github/workflows/.+
               rekor:
                   url: https://rekor.sigstore.dev
         conditions: