
Add OCI 1.1 referrers API support for attestation discovery

Open falcorocks opened this issue 2 months ago • 2 comments

Closes #1895

Summary

Some provenance attestation implementations, for instance Google Cloud Build, store attestations using the OCI 1.1 referrers API rather than the traditional <subject digest>.att naming scheme. As is, the policy controller is thus unable to verify valid in-toto provenance attestations generated by Google Cloud Build. This is demonstrated in #1895.

This PR implements the OCI 1.1 referrers API for discovering attestations, with automatic fallback to legacy tag-based discovery. This enables policy-controller to work with modern OCI 1.1 registries while maintaining backward compatibility, regardless of whether the new sigstore bundle format is used or not.

Technical implementation:

  • Uses ociremote.Referrers() to discover attestation artifacts
  • Filters by artifact types: in-toto, slsa, provenance, attestation, dsse
  • Processes DSSE envelopes and creates compatible oci.Signature objects
  • Maintains proper payload format for AttestationToPayloadJSON compatibility

BEFORE

[image]

AFTER

[screenshot, 2025-10-13]

Release Note

  • Add 'enable-oci11' configuration option
  • Implement custom OCI 1.1 referrers API discovery in validAttestations()
  • Add CLI flag '--enable-oci11' to policy-tester for testing
  • Automatic fallback to legacy cosign discovery when OCI 1.1 fails

Documentation

falcorocks avatar Oct 13 '25 13:10 falcorocks
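The discovery flow the description outlines (query the referrers API, keep only attestation-like artifact types, unwrap the DSSE envelope, fall back to the legacy tag when the referrers path yields nothing) as an added, self-contained model in Go. This is example code written for this page, not code from the PR or from policy-controller: the registry calls are replaced by injected fetcher functions standing in for `ociremote.Referrers()` and the legacy tag lookup, the names `Descriptor`, `FilterReferrers`, `DiscoverAttestations`, `ParseDSSEPayload`, `SampleReferrersIndex` and `BuildSampleEnvelope` are this example's own, the keyword list is the one given in the description, the `sha256-<hex>.att` tag form is cosign's legacy convention, and all sample data is constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Descriptor holds the part of an OCI descriptor discovery needs; in the OCI 1.1
// referrers API each index entry carries the referrer's artifactType.
type Descriptor struct {
	MediaType    string `json:"mediaType"`
	Digest       string `json:"digest"`
	ArtifactType string `json:"artifactType,omitempty"`
}

// Artifact-type substrings listed in the PR description.
var attestationKeywords = []string{"in-toto", "slsa", "provenance", "attestation", "dsse"}

// IsAttestationArtifact reports whether an artifactType looks like an attestation.
func IsAttestationArtifact(artifactType string) bool {
	t := strings.ToLower(artifactType)
	for _, k := range attestationKeywords {
		if strings.Contains(t, k) {
			return true
		}
	}
	return false
}

// FilterReferrers parses a referrers index (an OCI image index) and keeps only
// the attestation-like entries; SBOMs and other referrers are dropped.
func FilterReferrers(indexJSON []byte) ([]Descriptor, error) {
	var idx struct {
		Manifests []Descriptor `json:"manifests"`
	}
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return nil, fmt.Errorf("parse referrers index: %w", err)
	}
	var out []Descriptor
	for _, d := range idx.Manifests {
		if IsAttestationArtifact(d.ArtifactType) {
			out = append(out, d)
		}
	}
	return out, nil
}

// DiscoverAttestations tries the referrers API first and falls back to cosign's
// legacy "<digest with ':' as '-'>.att" tag when the call fails or returns nothing
// attestation-like. The fetchers are injected stand-ins for the registry calls
// (the PR itself uses ociremote.Referrers()); the second return value names the path.
func DiscoverAttestations(digest string, fetchReferrers func(string) ([]byte, error),
	fetchLegacy func(string) ([]Descriptor, error)) ([]Descriptor, string, error) {
	if idxJSON, err := fetchReferrers(digest); err == nil {
		if ds, perr := FilterReferrers(idxJSON); perr == nil && len(ds) > 0 {
			return ds, "oci11", nil
		}
	}
	ds, err := fetchLegacy(strings.Replace(digest, ":", "-", 1) + ".att")
	if err != nil {
		return nil, "", fmt.Errorf("legacy discovery: %w", err)
	}
	return ds, "legacy", nil
}

// ParseDSSEPayload checks a DSSE envelope is in-toto and carries at least one
// signature, then returns the statement's predicateType and raw bytes. Signature
// verification is left to the caller's existing verification path.
func ParseDSSEPayload(envelopeJSON []byte) (string, []byte, error) {
	var env struct {
		PayloadType string            `json:"payloadType"`
		Payload     string            `json:"payload"` // base64 of the in-toto statement
		Signatures  []json.RawMessage `json:"signatures"`
	}
	if err := json.Unmarshal(envelopeJSON, &env); err != nil {
		return "", nil, err
	}
	if env.PayloadType != "application/vnd.in-toto+json" {
		return "", nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	if len(env.Signatures) == 0 {
		return "", nil, errors.New("envelope carries no signatures")
	}
	stmt, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return "", nil, err
	}
	var s struct{ PredicateType string `json:"predicateType"` }
	if err := json.Unmarshal(stmt, &s); err != nil {
		return "", nil, err
	}
	return s.PredicateType, stmt, nil
}

// Constructed sample data, not taken from a real registry.
var SampleReferrersIndex = []byte(`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[
 {"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:1111","artifactType":"application/spdx+json"},
 {"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:2222","artifactType":"application/vnd.dsse.envelope.v1+json"}]}`)

// BuildSampleEnvelope wraps a constructed SLSA v1 statement in a DSSE envelope
// with a placeholder (not real) signature.
func BuildSampleEnvelope() []byte {
	stmt := `{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://slsa.dev/provenance/v1","subject":[{"name":"example","digest":{"sha256":"2222"}}],"predicate":{}}`
	return []byte(fmt.Sprintf(`{"payloadType":"application/vnd.in-toto+json","payload":%q,"signatures":[{"keyid":"","sig":"placeholder"}]}`,
		base64.StdEncoding.EncodeToString([]byte(stmt))))
}

func main() {
	legacy := func(string) ([]Descriptor, error) { return []Descriptor{{Digest: "sha256:3333"}}, nil }
	_, src, _ := DiscoverAttestations("sha256:2222", func(string) ([]byte, error) { return SampleReferrersIndex, nil }, legacy)
	fmt.Println("referrers present:", src)
	_, src, _ = DiscoverAttestations("sha256:2222", func(string) ([]byte, error) { return nil, errors.New("404") }, legacy)
	fmt.Println("referrers unsupported:", src)
	pt, _, err := ParseDSSEPayload(BuildSampleEnvelope())
	fmt.Println("predicateType:", pt, "err:", err)
}
```

Two points worth keeping in mind when reviewing the real change: the fallback is silent by design, so a registry that answers the referrers query with an index that simply omits the attestations degrades to the legacy path without any error, which is why the example returns which path was used (log it in the admission decision for auditability); and filtering on artifactType only narrows what is fetched, it does not authenticate anything, so every candidate still has to pass the existing signature and policy verification exactly as a tag-discovered attestation would.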

Codecov Report

Patch coverage is 7.24638% with 64 lines in your changes missing coverage. Please review. Project coverage is 29.28%. Comparing base (ea54b96) to head (b99f840). Warning: report is 32 commits behind head on main.

Files with missing lines      Patch %   Lines
pkg/webhook/validation.go     1.96%     49 missing and 1 partial
cmd/tester/main.go            0.00%     7 missing
pkg/config/store.go           12.50%    5 missing and 2 partials
Additional details and impacted files
@@             Coverage Diff             @@
##             main    #1894       +/-   ##
===========================================
- Coverage   42.78%   29.28%   -13.50%     
===========================================
  Files         121      122        +1     
  Lines        8994     7320     -1674     
===========================================
- Hits         3848     2144     -1704     
- Misses       4791     4944      +153     
+ Partials      355      232      -123     


codecov[bot] avatar Nov 04 '25 14:11 codecov[bot]

@falcorocks There are some lint issues here. Could you fix those?

hectorj2f avatar Nov 04 '25 17:11 hectorj2f

@hectorj2f I still want to do this, just hard to find the time lately. Please bear with me

falcorocks avatar Nov 18 '25 13:11 falcorocks