
Support more wildcards in trust policy

Open jeremyrickard opened this issue 1 year ago • 3 comments

What are the areas you would like to add the new feature to?

Notation CLI

Is your feature request related to a problem?

Currently, when defining a Trust Policy it seems like you are constrained to either fully specifying a repository or specifying a wildcard for any, such as:

{
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "upstream",
            "registryScopes": [ "*" ],
            "signatureVerification": {
                "level" : "strict"
            },
            "trustStores": [ "ca:mcguffin" ],
            "trustedIdentities": [
                "*"
            ]
        }
    ]
}

or

{
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "upstream",
            "registryScopes": [ "myacr.azurecr.io/oss/widget/mcguffin" ],
            "signatureVerification": {
                "level" : "strict"
            },
            "trustStores": [ "ca:mcguffin" ],
            "trustedIdentities": [
                "*"
            ]
        }
    ]
}

I cannot specify a wildcard within the repo path:

{
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "upstream",
            "registryScopes": [ "myacr.azurecr.io/oss/widget/*" ],
            "signatureVerification": {
                "level" : "strict"
            },
            "trustStores": [ "ca:mcguffin" ],
            "trustedIdentities": [
                "*"
            ]
        }
    ]
}

Doing so results in a failure to validate signatures:

notation verify myacr.azurecr.io/oss/widget/flux@sha256:535bff4439d9fe727e72911e6a929548d9d256ac5f8f1c4c9f7cf5b6a82e3c18
Error: registry scope "myacr.azurecr.io/oss/widget/*" is not valid, make sure it is the fully qualified registry URL without the scheme/protocol. e.g domain.com/my/repository

I am currently producing several hundred images in several repository paths that all share "oss/widget". In the current state, I either need to build a trust policy that explicitly enumerates all of them, or I need to trust any repository.

What solution do you propose?

Support path based wildcards.

What alternatives have you considered?

None

Any additional context?

No response

jeremyrickard avatar Dec 08 '22 23:12 jeremyrickard
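The matching and validation behaviour described in the issue above, as an added illustration written for this thread; it is not Notation's own code and assumes nothing about Notation's internal API. It reproduces the shape of the quoted validation rule (only `*` or a fully qualified repository without a scheme is accepted) and, behind a flag, the proposed `domain/path/*` form. The reference and scope strings are the ones from the issue; the function and type names are made up for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Illustrative code written for this issue thread, not Notation's implementation.
// registryScopes forms discussed in the issue:
//   "*"                         -> any repository
//   "registry.example/ns/repo"  -> exactly that repository
//   "registry.example/ns/*"     -> (proposed) any repository below that path

var errInvalidScope = errors.New("registry scope is not valid")

// repoOf strips a digest ("@sha256:...") or tag (":v1") from an OCI reference.
// A ':' only denotes a tag when it comes after the last '/', so a registry
// port such as "host:5000/repo" is preserved.
func repoOf(ref string) string {
	if i := strings.IndexByte(ref, '@'); i >= 0 {
		ref = ref[:i]
	}
	if i := strings.LastIndexByte(ref, ':'); i >= 0 && i > strings.LastIndexByte(ref, '/') {
		ref = ref[:i]
	}
	return ref
}

// validateScope mirrors the rule behind the error quoted in the issue: "*" or a
// fully qualified repository (no scheme, no embedded wildcard). With
// allowPathWildcard it also accepts a single trailing "/*" (the proposal).
func validateScope(scope string, allowPathWildcard bool) error {
	if scope == "*" {
		return nil
	}
	if strings.Contains(scope, "://") {
		return fmt.Errorf("%w: %q must not include a scheme/protocol", errInvalidScope, scope)
	}
	if !strings.Contains(scope, "/") {
		return fmt.Errorf("%w: %q must be domain.com/my/repository", errInvalidScope, scope)
	}
	if strings.Contains(scope, "*") {
		if allowPathWildcard && strings.HasSuffix(scope, "/*") && strings.Count(scope, "*") == 1 {
			return nil
		}
		return fmt.Errorf("%w: %q contains a wildcard", errInvalidScope, scope)
	}
	return nil
}

// scopeMatches reports whether repo falls under scope. The prefix match keeps
// the trailing '/', so "a/widget/*" covers "a/widget/flux" but not "a/widgets"
// or "a/widget" itself; a wildcard must never widen trust across a path segment.
func scopeMatches(scope, repo string) bool {
	switch {
	case scope == "*":
		return true
	case strings.HasSuffix(scope, "/*"):
		prefix := strings.TrimSuffix(scope, "*")
		return strings.HasPrefix(repo, prefix) && len(repo) > len(prefix)
	default:
		return repo == scope
	}
}

type trustPolicy struct {
	Name           string
	RegistryScopes []string
}

// policyFor returns the first policy whose registryScopes cover ref, after
// validating each scope the way the CLI would before matching.
func policyFor(policies []trustPolicy, ref string, allowPathWildcard bool) (string, error) {
	repo := repoOf(ref)
	for _, p := range policies {
		for _, s := range p.RegistryScopes {
			if err := validateScope(s, allowPathWildcard); err != nil {
				return "", err
			}
			if scopeMatches(s, repo) {
				return p.Name, nil
			}
		}
	}
	return "", fmt.Errorf("no trust policy covers %q", repo)
}

func main() {
	policies := []trustPolicy{{Name: "upstream", RegistryScopes: []string{"myacr.azurecr.io/oss/widget/*"}}}
	ref := "myacr.azurecr.io/oss/widget/flux@sha256:535bff4439d9fe727e72911e6a929548d9d256ac5f8f1c4c9f7cf5b6a82e3c18"
	_, err := policyFor(policies, ref, false) // current rule: wildcard scope rejected
	fmt.Println("current:", err)
	name, err := policyFor(policies, ref, true) // proposed rule: scope covers oss/widget/*
	fmt.Println("proposed:", name, err)
}
```

Two points a reviewer of the proposal would want pinned down are visible here: the wildcard is only honoured as a whole trailing path segment (`oss/widget/*`, not `oss/wid*` or `oss/*/mcguffin`), and the prefix comparison includes the separating `/`, so a scope for `oss/widget` cannot silently cover a sibling repository such as `oss/widgets`.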

+1. Should we prioritize this? Having so many scopes is quite challenging.

sajayantony avatar Dec 09 '22 01:12 sajayantony

@priteshbandi Could you take a look at this issue? /cc @vaninrao10

yizha1 avatar Dec 13 '22 05:12 yizha1

@priteshbandi I updated the milestone to 1.2.0, could you take a look?

yizha1 avatar Jul 25 '23 07:07 yizha1