Disabled keys in AKV should not be used for Cosign signature verification
What happened in your environment?
I created a key in AKV and used the latest version (version-1) to sign container images. Later on, I found there were some issues with version-1, so I rotated the key and got a new version (version-2) of the key. I disabled version-1 in AKV. However, I can still configure keymanagementprovider to use version-1, and the signature verification still passes.
What did you expect to happen?
The disabled version (version-1) should not be used for signature verification.
What version of Kubernetes are you running?
AKS
What version of Ratify are you running?
0-dev (dev.20240505.6163b7e)
Anything else you would like to add?
Currently, Ratify does not automatically reconcile keys on a regular basis unless there is a failure during the initial setup of keys in the keymanagementprovider. When this enhancement is supported, Ratify will be able to retrieve all versions of a key from Azure Key Vault (AKV), excluding any disabled or expired keys.
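As an added illustration (not Ratify's code and not the Azure SDK's types), the check a key management provider would apply so that a disabled or expired AKV key version, even one pinned explicitly in the provider configuration, is never handed to the verifier; the `KeyVersion` struct is a hypothetical stand-in for the attributes AKV returns per version.

```go
package main

import (
	"fmt"
	"time"
)

// KeyVersion mirrors the attributes AKV reports for each key version
// (hypothetical struct, not Ratify's or the Azure SDK's type).
type KeyVersion struct {
	Version   string
	Enabled   bool
	NotBefore *time.Time // nil: no activation date
	Expires   *time.Time // nil: no expiry
}

// Usable reports whether the version may verify signatures at time now:
// it must be enabled and inside its activation/expiry window.
func (k KeyVersion) Usable(now time.Time) bool {
	active := k.NotBefore == nil || !now.Before(*k.NotBefore)
	unexpired := k.Expires == nil || now.Before(*k.Expires)
	return k.Enabled && active && unexpired
}

// UsableVersions keeps only the versions a verifier should trust.
func UsableVersions(versions []KeyVersion, now time.Time) []KeyVersion {
	var out []KeyVersion
	for _, v := range versions {
		if v.Usable(now) {
			out = append(out, v)
		}
	}
	return out
}

// SelectPinnedVersion resolves a version pinned in the provider config and
// refuses it when AKV has disabled it or it is outside its validity window.
func SelectPinnedVersion(versions []KeyVersion, want string, now time.Time) (KeyVersion, error) {
	for _, v := range versions {
		if v.Version == want {
			if !v.Usable(now) {
				return KeyVersion{}, fmt.Errorf("key version %q is disabled or not valid at %s", want, now.Format(time.RFC3339))
			}
			return v, nil
		}
	}
	return KeyVersion{}, fmt.Errorf("key version %q not found", want)
}
```

With the scenario from this report (version-1 disabled after rotation, version-2 current), `SelectPinnedVersion(versions, "version-1", now)` returns an error instead of the key, so verification with the pinned version fails closed.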
Are you willing to submit PRs to contribute to this bug fix?
- [ ] Yes, I am willing to implement it.