-
Notifications
You must be signed in to change notification settings - Fork 537
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Loosen verification predicate type + better error messages #2737
Loosen verification predicate type + better error messages #2737
Conversation
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Codecov Report
@@ Coverage Diff @@
## main #2737 +/- ##
==========================================
- Coverage 29.62% 29.55% -0.08%
==========================================
Files 151 151
Lines 9641 9648 +7
==========================================
- Hits 2856 2851 -5
- Misses 6348 6358 +10
- Partials 437 439 +2
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm, thanks. I truly believe we need this change in before releasing v2.0.0.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome, I think this will be super helpful for folks.
cc @priyawadhwa @znewman01 for thoughts on v2 |
+1 to this, breaking verification for existing attestations is not ideal. This should go in 2.0 |
Okay. I just talked to @priyawadhwa ✅ . I'm merging this change as it seems everyone approved it. |
…2737) * test policy-controller only. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Better error messages. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> --------- Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Summary
Loosen the policy validation restrictions. With the move to strict RFC3986 and the fact that some of the existing attestations out there are still using the non conformant predicate types, allow validating them with non-conformant predicate types.
Also, to aid folks with the 'guess-the-existing-predicate-type' game :) if attestations are found, but they do not match the predicate type that is being looked for, print out the predicates that were found. Hope is that this will make the migration from non conformant predicate types little easier.
Release Note
Documentation