diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 482140193..887562190 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -36,9 +36,9 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1 + - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1 - - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: './go.mod' check-latest: true @@ -46,10 +46,10 @@ jobs: # will use the latest release available for ko - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9 - - uses: chainguard-dev/actions/goimports@dacf41f3472c33979cfd49bca5b503236be57de0 # main + - uses: chainguard-dev/actions/goimports@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 - name: Set up Cloud SDK - uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8 + uses: google-github-actions/auth@ba79af03959ebeac9769e648f473a284504d9193 # v2.1.10 with: workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-policy-controller' service_account: 'gha-policy-controller@projectsigstore.iam.gserviceaccount.com' diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index fb99651b6..2c2334e51 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -54,14 +54,14 @@ jobs: ${{ runner.os }}-go- - name: Set correct version of Golang to use during CodeQL run - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: './go.mod' check-latest: true # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 + uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2 with: languages: ${{ matrix.language }} @@ -70,4 +70,4 @@ jobs: make policy-controller - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 + uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2 diff --git a/.github/workflows/depsreview.yml b/.github/workflows/depsreview.yml index 16558c078..b6add24cb 100644 --- a/.github/workflows/depsreview.yml +++ b/.github/workflows/depsreview.yml @@ -21,4 +21,4 @@ permissions: jobs: dependency-review: name: dependency-review - uses: sigstore/community/.github/workflows/reusable-dependency-review.yml@9b1b5aca605f92ec5b1bf3681b1e61b3dbc420cc + uses: sigstore/community/.github/workflows/reusable-dependency-review.yml@a38887851a12d604b8441ed09e6ebf6b9fe17cbc # main branch 30/Jun/2025 diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml index 3e8fed026..75bb27fc8 100644 --- a/.github/workflows/donotsubmit.yaml +++ b/.github/workflows/donotsubmit.yaml @@ -17,4 +17,4 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - name: Do Not Submit - uses: chainguard-dev/actions/donotsubmit@29fb6e979a0b3efc79748a17e8cec08d0594cbfd # main + uses: chainguard-dev/actions/donotsubmit@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 
diff --git a/.github/workflows/kind-cluster-image-policy-no-tuf.yaml b/.github/workflows/kind-cluster-image-policy-no-tuf.yaml index 26b84d5ee..e5815c4f4 100644 --- a/.github/workflows/kind-cluster-image-policy-no-tuf.yaml +++ b/.github/workflows/kind-cluster-image-policy-no-tuf.yaml @@ -33,14 +33,14 @@ jobs: fail-fast: false # Keep running if one leg fails. matrix: k8s-version: - - v1.29.x - v1.30.x - v1.31.x - v1.32.x + - v1.33.x env: KO_DOCKER_REPO: "registry.local:5000/policy-controller" - SCAFFOLDING_RELEASE_VERSION: "v0.7.22" + SCAFFOLDING_RELEASE_VERSION: "v0.7.24" GO111MODULE: on GOFLAGS: -ldflags=-s -ldflags=-w KOCACHE: ~/ko @@ -95,7 +95,7 @@ jobs: apt-get autoremove -y >/dev/null 2>&1 || true apt-get autoclean -y >/dev/null 2>&1 || true - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: './go.mod' check-latest: true @@ -106,14 +106,14 @@ jobs: - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 - name: Install yq - uses: mikefarah/yq@8bf425b4d1344db7cd469a8d10a390876e0c77fd # v4.45.1 + uses: mikefarah/yq@b534aa9ee5d38001fba3cd8fe254a037e4847b37 # v4.45.4 - name: Setup mirror - uses: chainguard-dev/actions/setup-mirror@main + uses: chainguard-dev/actions/setup-mirror@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 with: mirror: mirror.gcr.io - - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a + - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac - name: Install cluster + sigstore uses: sigstore/scaffolding/actions/setup@main @@ -143,4 +143,4 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@29fb6e979a0b3efc79748a17e8cec08d0594cbfd # main + uses: chainguard-dev/actions/kind-diag@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 
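Review bot: `uses: sigstore/scaffolding/actions/setup@main`, the context line right after the cosign-installer pin in the `@@ -106,14 +106,14 @@` hunk, is still a mutable branch ref. The job therefore keeps running whatever is at the tip of that branch, even though every neighbouring action is now pinned to a commit. The same unpinned line is visible in the matching hunks of kind-cluster-image-policy-trustroot.yaml, kind-cluster-image-policy-tsa.yaml and kind-cluster-image-policy.yaml. Pin it like the others, e.g. `uses: sigstore/scaffolding/actions/setup@<COMMIT_SHA_PLACEHOLDER> # v0.7.24`, assuming the action should track the release that `SCAFFOLDING_RELEASE_VERSION` names. The step's `with:` block lies outside the hunk.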
diff --git a/.github/workflows/kind-cluster-image-policy-trustroot.yaml b/.github/workflows/kind-cluster-image-policy-trustroot.yaml index 70c99360a..3fa7bb32f 100644 --- a/.github/workflows/kind-cluster-image-policy-trustroot.yaml +++ b/.github/workflows/kind-cluster-image-policy-trustroot.yaml @@ -33,10 +33,10 @@ jobs: fail-fast: false # Keep running if one leg fails. matrix: k8s-version: - - v1.29.x - v1.30.x - v1.31.x - v1.32.x + - v1.33.x script: - repository @@ -45,7 +45,7 @@ jobs: env: KO_DOCKER_REPO: "registry.local:5000/policy-controller" - SCAFFOLDING_RELEASE_VERSION: "v0.7.22" + SCAFFOLDING_RELEASE_VERSION: "v0.7.24" GO111MODULE: on GOFLAGS: -ldflags=-s -ldflags=-w KOCACHE: ~/ko @@ -100,7 +100,7 @@ jobs: apt-get autoremove -y >/dev/null 2>&1 || true apt-get autoclean -y >/dev/null 2>&1 || true - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: './go.mod' check-latest: true @@ -111,14 +111,14 @@ jobs: - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 - name: Install yq - uses: mikefarah/yq@8bf425b4d1344db7cd469a8d10a390876e0c77fd # v4.45.1 + uses: mikefarah/yq@b534aa9ee5d38001fba3cd8fe254a037e4847b37 # v4.45.4 - name: Setup mirror - uses: chainguard-dev/actions/setup-mirror@main + uses: chainguard-dev/actions/setup-mirror@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 with: mirror: mirror.gcr.io - - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a + - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac - name: Install cluster + sigstore uses: sigstore/scaffolding/actions/setup@main 
@@ -150,4 +150,4 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@29fb6e979a0b3efc79748a17e8cec08d0594cbfd # main + uses: chainguard-dev/actions/kind-diag@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 diff --git a/.github/workflows/kind-cluster-image-policy-tsa.yaml b/.github/workflows/kind-cluster-image-policy-tsa.yaml index 96be5f888..d382f50ac 100644 --- a/.github/workflows/kind-cluster-image-policy-tsa.yaml +++ b/.github/workflows/kind-cluster-image-policy-tsa.yaml @@ -33,14 +33,14 @@ jobs: fail-fast: false # Keep running if one leg fails. matrix: k8s-version: - - v1.29.x - v1.30.x - v1.31.x - v1.32.x + - v1.33.x env: KO_DOCKER_REPO: "registry.local:5000/policy-controller" - SCAFFOLDING_RELEASE_VERSION: "v0.7.22" + SCAFFOLDING_RELEASE_VERSION: "v0.7.24" GO111MODULE: on GOFLAGS: -ldflags=-s -ldflags=-w KOCACHE: ~/ko @@ -95,7 +95,7 @@ jobs: apt-get autoremove -y >/dev/null 2>&1 || true apt-get autoclean -y >/dev/null 2>&1 || true - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: './go.mod' check-latest: true @@ -106,14 +106,14 @@ jobs: - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 - name: Install yq - uses: mikefarah/yq@8bf425b4d1344db7cd469a8d10a390876e0c77fd # v4.45.1 + uses: mikefarah/yq@b534aa9ee5d38001fba3cd8fe254a037e4847b37 # v4.45.4 - name: Setup mirror - uses: chainguard-dev/actions/setup-mirror@main + uses: chainguard-dev/actions/setup-mirror@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 with: mirror: mirror.gcr.io - - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v2 + - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v2 - name: Install cluster + sigstore uses: sigstore/scaffolding/actions/setup@main 
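Review bot: The `# v2` comment kept on the new `sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac` line in kind-cluster-image-policy-tsa.yaml is stale; build.yaml and kind-e2e-cosigned.yaml in this same commit label that SHA `# v3.9.1`. Change the trailing comment to `# v3.9.1` so that anyone auditing the pin against its tag is not misled. The same pin carries no version comment at all in the no-tuf, trustroot, kind-cluster-image-policy, kind-e2e-trustroot-crd, policy-tester-examples and release workflows, and would benefit from the same annotation.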
@@ -179,4 +179,4 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@29fb6e979a0b3efc79748a17e8cec08d0594cbfd # main + uses: chainguard-dev/actions/kind-diag@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 diff --git a/.github/workflows/kind-cluster-image-policy.yaml b/.github/workflows/kind-cluster-image-policy.yaml index 3cea9107c..63d55c138 100644 --- a/.github/workflows/kind-cluster-image-policy.yaml +++ b/.github/workflows/kind-cluster-image-policy.yaml @@ -33,10 +33,10 @@ jobs: fail-fast: false # Keep running if one leg fails. matrix: k8s-version: - - v1.29.x - v1.30.x - v1.31.x - v1.32.x + - v1.33.x script: - cluster_image_policy @@ -54,7 +54,7 @@ jobs: env: KO_DOCKER_REPO: "registry.local:5000/policy-controller" - SCAFFOLDING_RELEASE_VERSION: "v0.7.22" + SCAFFOLDING_RELEASE_VERSION: "v0.7.24" GO111MODULE: on GOFLAGS: -ldflags=-s -ldflags=-w KOCACHE: ~/ko @@ -109,7 +109,7 @@ jobs: apt-get autoremove -y >/dev/null 2>&1 || true apt-get autoclean -y >/dev/null 2>&1 || true - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: './go.mod' check-latest: true 
@@ -120,14 +120,14 @@ jobs: - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 - name: Install yq - uses: mikefarah/yq@8bf425b4d1344db7cd469a8d10a390876e0c77fd # v4.45.1 + uses: mikefarah/yq@b534aa9ee5d38001fba3cd8fe254a037e4847b37 # v4.45.4 - name: Setup mirror - uses: chainguard-dev/actions/setup-mirror@main + uses: chainguard-dev/actions/setup-mirror@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 with: mirror: mirror.gcr.io - - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a + - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac - name: Install cluster + sigstore uses: sigstore/scaffolding/actions/setup@main @@ -174,4 +174,4 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@29fb6e979a0b3efc79748a17e8cec08d0594cbfd # main + uses: chainguard-dev/actions/kind-diag@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 diff --git a/.github/workflows/kind-e2e-cosigned.yaml b/.github/workflows/kind-e2e-cosigned.yaml index d69057110..d13e62fc1 100644 --- a/.github/workflows/kind-e2e-cosigned.yaml +++ b/.github/workflows/kind-e2e-cosigned.yaml @@ -16,23 +16,27 @@ name: Policy Controller KinD E2E on: pull_request: - branches: [ 'main', 'release-*' ] + branches: + - 'main' -permissions: read-all +permissions: {} jobs: e2e-tests: name: e2e tests runs-on: ubuntu-latest + permissions: + contents: read # For checking out the code. + strategy: fail-fast: false # Keep running if one leg fails. matrix: k8s-version: - - v1.29.x - v1.30.x - v1.31.x - v1.32.x + - v1.33.x env: # https://github.com/google/go-containerregistry/pull/125 allows insecure registry for 
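Review bot: Removing `'release-*'` from `on.pull_request.branches` in kind-e2e-cosigned.yaml means pull requests that target a release branch no longer trigger this e2e job; kind-e2e-trustroot-crd.yaml gets the same edit. Whether release branches still take backports is not visible here, but if they do, changes to the admission controller would merge there without e2e coverage. In that case keep the second entry in the new block form, `- 'release-*'` under `- 'main'`. The job definition continues outside the hunk.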
@@ -92,8 +96,12 @@ jobs: apt-get remove -y 'php.*' || true apt-get autoremove -y >/dev/null 2>&1 || true apt-get autoclean -y >/dev/null 2>&1 || true + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 + with: + persist-credentials: false + + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: './go.mod' check-latest: true @@ -102,18 +110,15 @@ jobs: - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 - - name: Install yq - uses: mikefarah/yq@8bf425b4d1344db7cd469a8d10a390876e0c77fd # v4.45.1 - - - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a + - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1 - name: Setup mirror - uses: chainguard-dev/actions/setup-mirror@main + uses: chainguard-dev/actions/setup-mirror@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 with: mirror: mirror.gcr.io - name: Setup kind cluster - uses: chainguard-dev/actions/setup-kind@main + uses: chainguard-dev/actions/setup-kind@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 with: k8s-version: ${{ matrix.k8s-version }} cluster-suffix: c${{ github.run_id }}.local @@ -170,4 +175,4 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@29fb6e979a0b3efc79748a17e8cec08d0594cbfd # main + uses: chainguard-dev/actions/kind-diag@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 diff --git a/.github/workflows/kind-e2e-trustroot-crd.yaml b/.github/workflows/kind-e2e-trustroot-crd.yaml index dec2c20c7..222a28687 100644 --- a/.github/workflows/kind-e2e-trustroot-crd.yaml +++ b/.github/workflows/kind-e2e-trustroot-crd.yaml 
@@ -16,23 +16,27 @@ name: TrustRoot CRD KinD E2E on: pull_request: - branches: [ 'main', 'release-*' ] + branches: + - 'main' -permissions: read-all +permissions: {} jobs: e2e-crd-tests: name: e2e CRD tests runs-on: ubuntu-latest + permissions: + contents: read # For checking out the code. + strategy: fail-fast: false # Keep running if one leg fails. matrix: k8s-version: - - v1.29.x - v1.30.x - v1.31.x - v1.32.x + - v1.33.x env: # https://github.com/google/go-containerregistry/pull/125 allows insecure registry for @@ -92,8 +96,12 @@ jobs: apt-get remove -y 'php.*' || true apt-get autoremove -y >/dev/null 2>&1 || true apt-get autoclean -y >/dev/null 2>&1 || true + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 + with: + persist-credentials: false + + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: './go.mod' check-latest: true @@ -102,18 +110,15 @@ jobs: - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 - - name: Install yq - uses: mikefarah/yq@8bf425b4d1344db7cd469a8d10a390876e0c77fd # v4.45.1 - - - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a + - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac - name: Setup mirror - uses: chainguard-dev/actions/setup-mirror@main + uses: chainguard-dev/actions/setup-mirror@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 with: mirror: mirror.gcr.io - name: Setup kind cluster - uses: chainguard-dev/actions/setup-kind@main + uses: chainguard-dev/actions/setup-kind@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 with: k8s-version: ${{ matrix.k8s-version }} cluster-suffix: c${{ github.run_id }}.local 
@@ -141,4 +146,4 @@ jobs: - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@29fb6e979a0b3efc79748a17e8cec08d0594cbfd # main + uses: chainguard-dev/actions/kind-diag@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 3a4e368a5..8b3339e74 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -5,20 +5,27 @@ on: - main pull_request: -permissions: - contents: read - pull-requests: read +permissions: {} jobs: golangci: name: lint runs-on: ubuntu-latest + + permissions: + contents: read + pull-requests: read + steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: './go.mod' + - name: golangci-lint - uses: golangci/golangci-lint-action@v7 + uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0 with: - version: v2.0 + version: v2.1 diff --git a/.github/workflows/policy-tester-examples.yml b/.github/workflows/policy-tester-examples.yml index b5d75160e..fa5cbae04 100644 --- a/.github/workflows/policy-tester-examples.yml +++ b/.github/workflows/policy-tester-examples.yml @@ -39,7 +39,7 @@ jobs: path: ./src/github.com/${{ github.repository }} fetch-depth: 0 - - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: './src/github.com/${{ github.repository }}/go.mod' check-latest: true @@ -49,7 +49,7 @@ jobs: run: | make policy-tester - - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a + - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac - name: Setup local registry run: | 
diff --git a/.github/workflows/release-snapshot.yaml b/.github/workflows/release-snapshot.yaml index 59bd5f02c..f72145d06 100644 --- a/.github/workflows/release-snapshot.yaml +++ b/.github/workflows/release-snapshot.yaml @@ -22,12 +22,12 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: './go.mod' check-latest: true - - uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0 + - uses: anchore/sbom-action/download-syft@9246b90769f852b3a8921f330c59e0b3f439d6e9 # v0.20.1 - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index f54237b22..0127f2b54 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -32,19 +32,19 @@ jobs: with: fetch-depth: 0 - - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: './go.mod' check-latest: true - - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a + - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac - - uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0 + - uses: anchore/sbom-action/download-syft@9246b90769f852b3a8921f330c59e0b3f439d6e9 # v0.20.1 - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9 - name: Set up Cloud SDK - uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8 + uses: google-github-actions/auth@ba79af03959ebeac9769e648f473a284504d9193 # v2.1.10 with: workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-policy-controller' service_account: 'gha-policy-controller@projectsigstore.iam.gserviceaccount.com' diff --git a/.github/workflows/scorecard_action.yml b/.github/workflows/scorecard_action.yml index ccf0a45dc..79b68ecdd 100644 --- a/.github/workflows/scorecard_action.yml +++ b/.github/workflows/scorecard_action.yml @@ -29,7 +29,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 + uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 with: results_file: results.sarif results_format: sarif @@ -53,6 +53,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 + uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2 with: sarif_file: results.sarif 
diff --git a/.github/workflows/style.yaml b/.github/workflows/style.yaml index adfb385d7..1659e16d7 100644 --- a/.github/workflows/style.yaml +++ b/.github/workflows/style.yaml @@ -16,12 +16,12 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Go - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: './go.mod' check-latest: true - - uses: chainguard-dev/actions/gofmt@e6364567e59cb42c49cf69f8e1242f247bc23844 # main + - uses: chainguard-dev/actions/gofmt@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 with: args: -s @@ -34,9 +34,9 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Go - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: './go.mod' check-latest: true - - uses: chainguard-dev/actions/goimports@main # main + - uses: chainguard-dev/actions/goimports@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 2aeb59155..9fcaa46a9 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml 
@@ -50,14 +50,14 @@ jobs: key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: './go.mod' check-latest: true - name: Run Go tests run: go test -covermode atomic -coverprofile coverage.txt $(go list ./... | grep -v third_party/) - name: Upload Coverage Report - uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0 + uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 with: env_vars: OS - name: Run Go tests w/ `-race` @@ -69,7 +69,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: './go.mod' check-latest: true diff --git a/.github/workflows/verify-codegen.yaml b/.github/workflows/verify-codegen.yaml index 82fe1f05e..bde93a09d 100644 --- a/.github/workflows/verify-codegen.yaml +++ b/.github/workflows/verify-codegen.yaml @@ -37,7 +37,7 @@ jobs: path: ./src/github.com/${{ github.repository }} fetch-depth: 0 - - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: './src/github.com/${{ github.repository }}/go.mod' check-latest: true @@ -50,7 +50,7 @@ jobs: # For whatever reason running this makes it not complain... git status - - uses: chainguard-dev/actions/nodiff@4ba8d060251254fc0e65500a8d3a90013a22a8d7 # main + - uses: chainguard-dev/actions/nodiff@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 with: path: ./src/github.com/${{ github.repository }} fixup-command: "./hack/update-codegen.sh" 
diff --git a/.github/workflows/verify-docs.yaml b/.github/workflows/verify-docs.yaml index b9010f306..f9cc9c97b 100644 --- a/.github/workflows/verify-docs.yaml +++ b/.github/workflows/verify-docs.yaml @@ -37,7 +37,7 @@ jobs: path: ./src/github.com/${{ github.repository }} fetch-depth: 0 - - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 + - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: go-version-file: './src/github.com/${{ github.repository }}/go.mod' check-latest: true @@ -50,7 +50,7 @@ jobs: # For whatever reason running this makes it not complain... git status - - uses: chainguard-dev/actions/nodiff@4ba8d060251254fc0e65500a8d3a90013a22a8d7 # main + - uses: chainguard-dev/actions/nodiff@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 with: path: ./src/github.com/${{ github.repository }} fixup-command: "make docs" diff --git a/.github/workflows/whitespace.yaml b/.github/workflows/whitespace.yaml index b462822fd..8d93a55a0 100644 --- a/.github/workflows/whitespace.yaml +++ b/.github/workflows/whitespace.yaml @@ -16,8 +16,8 @@ jobs: - name: Check out code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: chainguard-dev/actions/trailing-space@7071df0659dbd4a79804731f0da2d0f1dba0b356 # main + - uses: chainguard-dev/actions/trailing-space@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 if: ${{ always() }} - - uses: chainguard-dev/actions/eof-newline@7071df0659dbd4a79804731f0da2d0f1dba0b356 # main + - uses: chainguard-dev/actions/eof-newline@16e2fd6603a1c6a1fbc880fdbb922b2e8e2be3e7 # v1.4.3 if: ${{ always() }} diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go index 52f329caa..6f84894fd 100644 --- a/cmd/webhook/main.go +++ b/cmd/webhook/main.go 
@@ -56,6 +56,7 @@ import ( "github.com/sigstore/sigstore/pkg/tuf" "github.com/sigstore/policy-controller/pkg/apis/config" + pctuf "github.com/sigstore/policy-controller/pkg/tuf" cwebhook "github.com/sigstore/policy-controller/pkg/webhook" ) @@ -136,7 +137,7 @@ func main() { // Set the policy and trust root resync periods ctx = clusterimagepolicy.ToContext(ctx, *policyResyncPeriod) - ctx = trustroot.ToContext(ctx, *trustrootResyncPeriod) + ctx = pctuf.ToContext(ctx, *trustrootResyncPeriod) // This must match the set of resources we configure in // cmd/webhook/main.go in the "types" map. diff --git a/config/300-clusterimagepolicy.yaml b/config/300-clusterimagepolicy.yaml index c5c3c28ea..941bd47c4 100644 --- a/config/300-clusterimagepolicy.yaml +++ b/config/300-clusterimagepolicy.yaml @@ -209,6 +209,9 @@ spec: trustRootRef: description: Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities type: string + signatureFormat: + description: SignatureFormat specifies the format the authority expects. Supported formats are "legacy" and "bundle". If not specified, the default is "legacy" (cosign's default). + type: string source: description: Sources sets the configuration to specify the sources from where to consume the signatures. type: array @@ -545,6 +548,9 @@ spec: trustRootRef: description: Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities type: string + signatureFormat: + description: SignatureFormat specifies the format the authority expects. Supported formats are "legacy" and "bundle". If not specified, the default is "legacy" (cosign's default). + type: string source: description: Sources sets the configuration to specify the sources from where to consume the signatures. type: array diff --git a/docs/api-types/index-v1alpha1.md b/docs/api-types/index-v1alpha1.md index a55f68104..0dbc3d4c1 100644 --- a/docs/api-types/index-v1alpha1.md +++ b/docs/api-types/index-v1alpha1.md 
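Review bot: The trust root resync period is now stored with `pctuf.ToContext`, but this hunk does not show the reader side, so confirm that the trust root reconciler retrieves it through the pkg/tuf accessor rather than the old `trustroot` one. If the two packages use different context keys (likely, but not visible here), a reader left on the old accessor would silently fall back to its default and the configured period would be ignored. A small test that sets the period through `pctuf.ToContext` and asserts that the reconciler sees it would catch that kind of drift. `main` starts and ends outside the hunk.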
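Review bot: `signatureFormat` is declared as a bare `type: string` in both hunks of config/300-clusterimagepolicy.yaml, so the schema accepts any value even though the description lists only "legacy" and "bundle". Because this field selects how signatures are verified, a typo should be rejected at admission rather than left to whatever fallback the controller applies. Add `enum: ['legacy', 'bundle']` next to `type: string`, or, if this file is generated, put the equivalent validation on the Go type that produces it. The surrounding `properties` mapping starts and ends outside the hunks.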
@@ -172,6 +172,7 @@ Attestation defines the type of attestation to validate and optionally apply a p | ctlog | CTLog sets the configuration to verify the authority against a Rekor instance. | [TLog](#tlog) | false | | attestations | Attestations is a list of individual attestations for this authority, once the signature for this authority has been verified. | [][Attestation](#attestation) | false | | rfc3161timestamp | RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance. | [RFC3161Timestamp](#rfc3161timestamp) | false | +| signatureFormat | SignatureFormat specifies the format the authority expects. Supported formats are \"legacy\" and \"bundle\". If not specified, the default is \"legacy\" (cosign's default). | string | false | [Back to TOC](#table-of-contents) diff --git a/docs/api-types/index.md b/docs/api-types/index.md index c3cdbb512..56c93cdf0 100644 --- a/docs/api-types/index.md +++ b/docs/api-types/index.md @@ -49,6 +49,7 @@ The authorities block defines the rules for discovering and validating signature | ctlog | CTLog sets the configuration to verify the authority against a Rekor instance. | [TLog](#tlog) | false | | attestations | Attestations is a list of individual attestations for this authority, once the signature for this authority has been verified. | [][Attestation](#attestation) | false | | rfc3161timestamp | RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance. | [RFC3161Timestamp](#rfc3161timestamp) | false | +| signatureFormat | SignatureFormat specifies the format the authority expects. Supported formats are \"legacy\" and \"bundle\". If not specified, the default is \"legacy\" (cosign's default). | string | false | [Back to TOC](#table-of-contents) diff --git a/go.mod b/go.mod index 65af76b97..315e1cc7f 100644 --- a/go.mod +++ b/go.mod 
@@ -1,6 +1,6 @@ module github.com/sigstore/policy-controller -go 1.23.4 +go 1.24 require ( github.com/aws/aws-sdk-go v1.55.6 @@ -28,16 +28,16 @@ require ( github.com/ryanuber/go-glob v1.0.0 github.com/sigstore/cosign/v2 v2.5.0 github.com/sigstore/rekor v1.3.10 - github.com/sigstore/sigstore v1.9.3 + github.com/sigstore/sigstore v1.9.4 github.com/stretchr/testify v1.10.0 github.com/theupdateframework/go-tuf v0.7.0 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 go.uber.org/zap v1.27.0 golang.org/x/crypto v0.37.0 - golang.org/x/net v0.38.0 + golang.org/x/net v0.39.0 golang.org/x/sys v0.32.0 // indirect golang.org/x/time v0.11.0 - google.golang.org/grpc v1.71.0 // indirect + google.golang.org/grpc v1.71.1 // indirect google.golang.org/protobuf v1.36.6 gopkg.in/yaml.v3 v3.0.1 k8s.io/api v0.32.3 
@@ -55,37 +55,38 @@ require github.com/spf13/cobra v1.9.1 require ( github.com/Azure/azure-sdk-for-go v68.0.0+incompatible github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 - github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2 + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.9.1 github.com/cenkalti/backoff/v4 v4.3.0 - github.com/docker/docker v28.0.4+incompatible + github.com/docker/docker v28.1.1+incompatible github.com/docker/docker-credential-helpers v0.9.3 github.com/docker/go-connections v0.5.0 - github.com/go-jose/go-jose/v4 v4.0.5 + github.com/go-jose/go-jose/v4 v4.1.0 github.com/sigstore/protobuf-specs v0.4.1 github.com/sigstore/scaffolding v0.7.22 - github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.3 - github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.3 - github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.3 - github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.9.3 + github.com/sigstore/sigstore-go v0.7.2 + github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.4 + github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.4 + github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.4 + github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.9.4 github.com/spf13/viper v1.20.1 knative.dev/hack/schema v0.0.0-20240607132042-09143140a254 knative.dev/pkg v0.0.0-20230612155445-74c4be5e935e ) require ( - cloud.google.com/go v0.118.3 // indirect - cloud.google.com/go/auth v0.15.0 // indirect + cloud.google.com/go v0.120.0 // indirect + cloud.google.com/go/auth v0.16.0 // indirect cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect cloud.google.com/go/compute/metadata v0.6.0 // indirect - cloud.google.com/go/iam v1.4.1 // indirect - cloud.google.com/go/kms v1.21.1 // indirect - cloud.google.com/go/longrunning v0.6.5 // indirect + cloud.google.com/go/iam v1.5.0 // indirect + cloud.google.com/go/kms v1.21.2 // indirect + cloud.google.com/go/longrunning 
v0.6.6 // indirect contrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d // indirect contrib.go.opencensus.io/exporter/prometheus v0.4.2 // indirect cuelang.org/go v0.12.1 // indirect github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 // indirect - github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect @@ -98,10 +99,9 @@ require ( github.com/Azure/go-autorest/tracing v0.6.0 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect - github.com/OneOfOne/xxhash v1.2.8 // indirect github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect github.com/ThalesIgnite/crypto11 v1.2.5 // indirect - github.com/agnivade/levenshtein v1.2.0 // indirect + github.com/agnivade/levenshtein v1.2.1 // indirect github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect github.com/alibabacloud-go/cr-20160607 v1.0.1 // indirect github.com/alibabacloud-go/cr-20181201 v1.0.10 // indirect 
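Review bot: `github.com/sigstore/sigstore-go v0.7.2` moves into the direct require block in the `@@ -55,37 +55,38 @@` hunk (the `// indirect` v0.7.1 entry is removed in a later hunk), and nothing in go.mod records which feature needs it. It is a pre-1.0 module, so its API and verification behaviour carry no compatibility promise. It presumably backs the new `bundle` signature format, but the calling code is not in this hunk, so that is an inference. I would add a comment above the line, e.g. `// sigstore-go: bundle-format verification (signatureFormat: "bundle")`, and confirm that bundle verification has negative tests so that a routine bump cannot silently loosen admission checks. The `@@ -98,10 +99,9 @@` hunk on the same line only removes and bumps indirect modules.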
@@ -114,8 +114,8 @@ require ( github.com/alibabacloud-go/tea-xml v1.1.3 // indirect github.com/aliyun/credentials-go v1.3.2 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect - github.com/aws/aws-sdk-go-v2/config v1.29.13 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.17.66 // indirect + github.com/aws/aws-sdk-go-v2/config v1.29.14 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.67 // indirect github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect @@ -124,10 +124,10 @@ require ( github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.31.2 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect - github.com/aws/aws-sdk-go-v2/service/kms v1.38.2 // indirect + github.com/aws/aws-sdk-go-v2/service/kms v1.38.3 // indirect github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.33.18 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect github.com/aws/smithy-go v1.22.2 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver v3.5.1+incompatible // indirect @@ -137,7 +137,7 @@ require ( github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect github.com/clbanning/mxj/v2 v2.7.0 // indirect - github.com/cloudflare/circl v1.3.7 // indirect + github.com/cloudflare/circl v1.6.1 // indirect github.com/cockroachdb/apd/v3 v3.2.1 // indirect github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect 
@@ -173,7 +173,7 @@ require ( github.com/go-openapi/strfmt v0.23.0 // indirect github.com/go-openapi/swag v0.23.1 // indirect github.com/go-openapi/validate v0.24.0 // indirect - github.com/go-viper/mapstructure/v2 v2.2.1 // indirect + github.com/go-viper/mapstructure/v2 v2.3.0 // indirect github.com/gobuffalo/flect v1.0.2 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect @@ -190,7 +190,7 @@ require ( github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect github.com/googleapis/gax-go/v2 v2.14.1 // indirect github.com/gorilla/mux v1.8.1 // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 // indirect github.com/hashicorp/vault/api v1.16.0 // indirect github.com/in-toto/attestation v1.1.1 // indirect github.com/in-toto/in-toto-golang v0.9.0 // indirect 
@@ -199,20 +199,21 @@ require ( github.com/jellydator/ttlcache/v3 v3.3.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/klauspost/compress v1.17.11 // indirect + github.com/klauspost/compress v1.18.0 // indirect github.com/kylelemons/godebug v1.1.0 // indirect github.com/mailru/easyjson v0.9.0 // indirect github.com/miekg/pkcs11 v1.1.1 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect + github.com/moby/sys/atomicwriter v0.1.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/mozillazg/docker-credential-acr-helper v0.4.0 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect github.com/oklog/ulid v1.3.1 // indirect - github.com/open-policy-agent/opa v1.1.0 // indirect + github.com/open-policy-agent/opa v1.4.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.1.0 // indirect + github.com/opencontainers/image-spec v1.1.1 // indirect github.com/opentracing/opentracing-go v1.2.0 // indirect github.com/pelletier/go-toml/v2 v2.2.3 // indirect github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect @@ -228,7 +229,6 @@ require ( github.com/sassoftware/relic v7.2.1+incompatible // indirect github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect - github.com/sigstore/sigstore-go v0.7.1 // indirect github.com/sigstore/timestamp-authority v1.2.5 // indirect github.com/sirupsen/logrus v1.9.3 // indirect github.com/sourcegraph/conc v0.3.0 // indirect 
@@ -251,8 +251,8 @@ require ( go.mongodb.org/mongo-driver v1.14.0 // indirect go.opencensus.io v0.24.0 // indirect go.opentelemetry.io/auto/sdk v1.1.0 // indirect - go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect go.opentelemetry.io/otel v1.35.0 // indirect go.opentelemetry.io/otel/metric v1.35.0 // indirect go.opentelemetry.io/otel/sdk v1.35.0 // indirect @@ -268,10 +268,10 @@ require ( golang.org/x/text v0.24.0 // indirect golang.org/x/tools v0.30.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect - google.golang.org/api v0.228.0 // indirect + google.golang.org/api v0.229.0 // indirect google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20250414145226-207652e42e2e // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect diff --git a/go.sum b/go.sum index 8273f7ff6..ebba0732f 100644 --- a/go.sum +++ b/go.sum 
@@ -13,10 +13,10 @@ cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKV cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= -cloud.google.com/go v0.118.3 h1:jsypSnrE/w4mJysioGdMBg4MiW/hHx/sArFpaBWHdME= -cloud.google.com/go v0.118.3/go.mod h1:Lhs3YLnBlwJ4KA6nuObNMZ/fCbOQBPuWKPoE0Wa/9Vc= -cloud.google.com/go/auth v0.15.0 h1:Ly0u4aA5vG/fsSsxu98qCQBemXtAtJf+95z9HK+cxps= -cloud.google.com/go/auth v0.15.0/go.mod h1:WJDGqZ1o9E9wKIL+IwStfyn/+s59zl4Bi+1KQNVXLZ8= +cloud.google.com/go v0.120.0 h1:wc6bgG9DHyKqF5/vQvX1CiZrtHnxJjBlKUyF9nP6meA= +cloud.google.com/go v0.120.0/go.mod h1:/beW32s8/pGRuj4IILWQNd4uuebeT4dkOhKmkfit64Q= +cloud.google.com/go/auth v0.16.0 h1:Pd8P1s9WkcrBE2n/PhAwKsdrR35V3Sg2II9B+ndM3CU= +cloud.google.com/go/auth v0.16.0/go.mod h1:1howDHJ5IETh/LwYs3ZxvlkXF48aSqqJUM+5o02dNOI= cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc= cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= 
@@ -29,12 +29,12 @@ cloud.google.com/go/compute/metadata v0.6.0 h1:A6hENjEsCDtC1k8byVsgwvVcioamEHvZ4 cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= -cloud.google.com/go/iam v1.4.1 h1:cFC25Nv+u5BkTR/BT1tXdoF2daiVbZ1RLx2eqfQ9RMM= -cloud.google.com/go/iam v1.4.1/go.mod h1:2vUEJpUG3Q9p2UdsyksaKpDzlwOrnMzS30isdReIcLM= -cloud.google.com/go/kms v1.21.1 h1:r1Auo+jlfJSf8B7mUnVw5K0fI7jWyoUy65bV53VjKyk= -cloud.google.com/go/kms v1.21.1/go.mod h1:s0wCyByc9LjTdCjG88toVs70U9W+cc6RKFc8zAqX7nE= -cloud.google.com/go/longrunning v0.6.5 h1:sD+t8DO8j4HKW4QfouCklg7ZC1qC4uzVZt8iz3uTW+Q= -cloud.google.com/go/longrunning v0.6.5/go.mod h1:Et04XK+0TTLKa5IPYryKf5DkpwImy6TluQ1QTLwlKmY= +cloud.google.com/go/iam v1.5.0 h1:QlLcVMhbLGOjRcGe6VTGGTyQib8dRLK2B/kYNV0+2xs= +cloud.google.com/go/iam v1.5.0/go.mod h1:U+DOtKQltF/LxPEtcDLoobcsZMilSRwR7mgNL7knOpo= +cloud.google.com/go/kms v1.21.2 h1:c/PRUSMNQ8zXrc1sdAUnsenWWaNXN+PzTXfXOcSFdoE= +cloud.google.com/go/kms v1.21.2/go.mod h1:8wkMtHV/9Z8mLXEXr1GK7xPSBdi6knuLXIhqjuWcI6w= +cloud.google.com/go/longrunning v0.6.6 h1:XJNDo5MUfMM05xK3ewpbSdmt7R2Zw+aQEMbdQR65Rbw= +cloud.google.com/go/longrunning v0.6.6/go.mod h1:hyeGJUrPHcx0u2Uu1UFSoYZLn4lkMrccJig0t4FI7yw= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= 
@@ -63,12 +63,12 @@ github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 h1:Gt0j3wceWMwPmiazCa8MzMA0MfhmPIz0Qp0FJ6qcM0U= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0/go.mod h1:Ot/6aikWnKWi4l9QB7qVSwa8iMphQNqkWALMoNT3rzM= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2 h1:F0gBpfdPLGsw+nsgk6aqqkZS1jiixa5WwFe3fk/T3Ys= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2/go.mod h1:SqINnQ9lVVdRlyC8cd1lCI0SdX4n2paeABd2K8ggfnE= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0 h1:OVoM452qUFBrX+URdH3VpR299ma4kfom0yB0URYky9g= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0/go.mod h1:kUjrAo8bgEwLeZ/CmHqNl3Z/kPm7y6FKfxxK0izYUg4= github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY= github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.0 h1:Bg8m3nq/X1DeePkAbCfb6ml6F3F0IunEhE8TMh+lY48= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.0/go.mod h1:j2chePtV91HrC22tGoRX3sGY42uF13WzmmV80/OdVAA= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 h1:FPKJS1T+clwv+OLGt13a8UjqeRuh0O4SJ3lUriThc+4= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1/go.mod h1:j2chePtV91HrC22tGoRX3sGY42uF13WzmmV80/OdVAA= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1 h1:Wgf5rZba3YZqeTNJPtvqZoBu1sBN/L4sry+u2U3Y75w= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1/go.mod h1:xxCBG/f/4Vbmh2XQJBsOmNdxWUY5j/s27jujKPbQf14= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 h1:bFWuoEKg+gImo7pvkiQEFAc8ocibADgXeiLAxWhWmkI= 
@@ -106,14 +106,12 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= -github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= -github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c h1:kMFnB0vCcX7IL/m9Y5LO+KQYv+t1CQOiFe6+SV2J7bE= github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY+9ef8E= github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE= -github.com/agnivade/levenshtein v1.2.0 h1:U9L4IOT0Y3i0TIlUIDJ7rVUziKi/zPbrJGaFrtYH3SY= -github.com/agnivade/levenshtein v1.2.0/go.mod h1:QVVI16kDrtSuwcpd0p1+xMC6Z/VfhtCyDIjcwga4/DU= +github.com/agnivade/levenshtein v1.2.1 h1:EHBY3UOn1gwdy/VbFwgo4cxecRznFk7fKWN1KOX7eoM= +github.com/agnivade/levenshtein v1.2.1/go.mod h1:QVVI16kDrtSuwcpd0p1+xMC6Z/VfhtCyDIjcwga4/DU= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= 
@@ -173,10 +171,10 @@ github.com/aws/aws-sdk-go v1.55.6 h1:cSg4pvZ3m8dgYcgqB97MrcdjUmZ1BeMYKUxMMB89IPk github.com/aws/aws-sdk-go v1.55.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= github.com/aws/aws-sdk-go-v2 v1.36.3 h1:mJoei2CxPutQVxaATCzDUjcZEjVRdpsiiXi2o38yqWM= github.com/aws/aws-sdk-go-v2 v1.36.3/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg= -github.com/aws/aws-sdk-go-v2/config v1.29.13 h1:RgdPqWoE8nPpIekpVpDJsBckbqT4Liiaq9f35pbTh1Y= -github.com/aws/aws-sdk-go-v2/config v1.29.13/go.mod h1:NI28qs/IOUIRhsR7GQ/JdexoqRN9tDxkIrYZq0SOF44= -github.com/aws/aws-sdk-go-v2/credentials v1.17.66 h1:aKpEKaTy6n4CEJeYI1MNj97oSDLi4xro3UzQfwf5RWE= -github.com/aws/aws-sdk-go-v2/credentials v1.17.66/go.mod h1:xQ5SusDmHb/fy55wU0QqTy0yNfLqxzec59YcsRZB+rI= +github.com/aws/aws-sdk-go-v2/config v1.29.14 h1:f+eEi/2cKCg9pqKBoAIwRGzVb70MRKqWX4dg1BDcSJM= +github.com/aws/aws-sdk-go-v2/config v1.29.14/go.mod h1:wVPHWcIFv3WO89w0rE10gzf17ZYy+UVS1Geq8Iei34g= +github.com/aws/aws-sdk-go-v2/credentials v1.17.67 h1:9KxtdcIA/5xPNQyZRgUSpYOE6j9Bc4+D7nZua0KGYOM= +github.com/aws/aws-sdk-go-v2/credentials v1.17.67/go.mod h1:p3C44m+cfnbv763s52gCqrjaqyPikj9Sg47kUVaNZQQ= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 h1:x793wxmUWVDhshP8WW2mlnXuFrO4cOd3HLBroh1paFw= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30/go.mod h1:Jpne2tDnYiFascUEs2AWHJL9Yp7A5ZVy3TNyxaAjD6M= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+hOgQKlUL5JeC3S6JgLxtQ+Rm0Q= 
@@ -193,14 +191,14 @@ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15/go.mod h1:SwFBy2vjtA0vZbjjaFtfN045boopadnoVPhu4Fv66vY= -github.com/aws/aws-sdk-go-v2/service/kms v1.38.2 h1:945yEU8s1zYwy9s/2JzEJoHKvbAaZEkPqt8TOuO6r/g= -github.com/aws/aws-sdk-go-v2/service/kms v1.38.2/go.mod h1:cQn6tAF77Di6m4huxovNM7NVAozWTZLsDRp9t8Z/WYk= +github.com/aws/aws-sdk-go-v2/service/kms v1.38.3 h1:RivOtUH3eEu6SWnUMFHKAW4MqDOzWn1vGQ3S38Y5QMg= +github.com/aws/aws-sdk-go-v2/service/kms v1.38.3/go.mod h1:cQn6tAF77Di6m4huxovNM7NVAozWTZLsDRp9t8Z/WYk= github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 h1:1Gw+9ajCV1jogloEv1RRnvfRFia2cL6c9cuKV2Ps+G8= github.com/aws/aws-sdk-go-v2/service/sso v1.25.3/go.mod h1:qs4a9T5EMLl/Cajiw2TcbNt2UNo/Hqlyp+GiuG4CFDI= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 h1:hXmVKytPfTy5axZ+fYbR5d0cFmC3JvwLm5kM83luako= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1/go.mod h1:MlYRNmYu/fGPoxBQVvBYr9nyr948aY/WLUvwBMBJubs= -github.com/aws/aws-sdk-go-v2/service/sts v1.33.18 h1:xz7WvTMfSStb9Y8NpCT82FXLNC3QasqBfuAFHY4Pk5g= -github.com/aws/aws-sdk-go-v2/service/sts v1.33.18/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 h1:1XuUZ8mYJw9B6lzAkXhqHlJd/XvaX32evhproijJEZY= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.19/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4= github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ= github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.9.1 h1:50sS0RWhGpW/yZx2KcDNEb1u1MANv5BMEkJgcieEDTA= 
@@ -245,8 +243,8 @@ github.com/clbanning/mxj/v2 v2.7.0 h1:WA/La7UGCanFe5NpHF0Q3DNtnCsVoxbPKuyBNHWRyM github.com/clbanning/mxj/v2 v2.7.0/go.mod h1:hNiWqW14h+kc+MdF9C6/YoRfjEJoR3ou6tn/Qo+ve2s= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA= -github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU= -github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA= +github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0= +github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg= github.com/cockroachdb/apd/v3 v3.2.1/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc= 
@@ -258,8 +256,8 @@ github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8= github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU= -github.com/coreos/go-oidc/v3 v3.13.0 h1:M66zd0pcc5VxvBNM4pB331Wrsanby+QomQYjN8HamW8= -github.com/coreos/go-oidc/v3 v3.13.0/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU= +github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk= +github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU= github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 h1:2Dx4IHfC1yHWI12AxQDJM1QbRCDfk6M+blLzlZCXdrc= github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= 
@@ -269,10 +267,10 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/dgraph-io/badger/v4 v4.5.1 h1:7DCIXrQjo1LKmM96YD+hLVJ2EEsyyoWxJfpdd56HLps= -github.com/dgraph-io/badger/v4 v4.5.1/go.mod h1:qn3Be0j3TfV4kPbVoK0arXCD1/nr1ftth6sbL5jxdoA= -github.com/dgraph-io/ristretto/v2 v2.1.0 h1:59LjpOJLNDULHh8MC4UaegN52lC4JnO2dITsie/Pa8I= -github.com/dgraph-io/ristretto/v2 v2.1.0/go.mod h1:uejeqfYXpUomfse0+lO+13ATz4TypQYLJZzBSAemuB4= +github.com/dgraph-io/badger/v4 v4.7.0 h1:Q+J8HApYAY7UMpL8d9owqiB+odzEc0zn/aqOD9jhc6Y= +github.com/dgraph-io/badger/v4 v4.7.0/go.mod h1:He7TzG3YBy3j4f5baj5B7Zl2XyfNe5bl4Udl0aPemVA= +github.com/dgraph-io/ristretto/v2 v2.2.0 h1:bkY3XzJcXoMuELV8F+vS8kzNgicwQFAaGINAEJdWGOM= +github.com/dgraph-io/ristretto/v2 v2.2.0/go.mod h1:RZrm63UmcBAaYWC1DotLYBmTvgkrs0+XhBd7Npn7/zI= github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78= github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54 h1:SG7nF6SRlWhcT7cNTs5R6Hk4V2lcmLz2NsG2VnInyNo= 
@@ -290,8 +288,8 @@ github.com/docker/cli v27.5.0+incompatible h1:aMphQkcGtpHixwwhAXJT1rrK/detk2JIvD github.com/docker/cli v27.5.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v28.0.4+incompatible h1:JNNkBctYKurkw6FrHfKqY0nKIDf5nrbxjVBtS+cdcok= -github.com/docker/docker v28.0.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v28.1.1+incompatible h1:49M11BFLsVO1gxY9UX9p/zwkE/rswggs8AdFmXQw51I= +github.com/docker/docker v28.1.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8= github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= 
@@ -339,8 +337,8 @@ github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A= github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY= github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= -github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE= -github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA= +github.com/go-jose/go-jose/v4 v4.1.0 h1:cYSYxd3pw5zd2FSXk2vGdn9igQU2PS8MuxrCOCl0FdY= +github.com/go-jose/go-jose/v4 v4.1.0/go.mod h1:GG/vqmYm3Von2nYiB2vGTXzdoNKE5tix5tuc6iAd+sw= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= @@ -391,8 +389,8 @@ github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1v github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U= github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= -github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss= -github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= +github.com/go-viper/mapstructure/v2 v2.3.0 h1:27XbWsHIqhbdR5TIC911OfYvgSaW93HM+dX7970Q7jk= +github.com/go-viper/mapstructure/v2 v2.3.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= github.com/gobuffalo/flect v1.0.2 h1:eqjPGSo2WmjgY2XlpGwo2NXgL3RucAKo4k4qQMNA5sA= github.com/gobuffalo/flect v1.0.2/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= 
@@ -445,8 +443,8 @@ github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Z github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/certificate-transparency-go v1.3.1 h1:akbcTfQg0iZlANZLn0L9xOeWtyCIdeoYhKrqi5iH3Go= github.com/google/certificate-transparency-go v1.3.1/go.mod h1:gg+UQlx6caKEDQ9EElFOujyxEQEfOiQzAt6782Bvi8k= -github.com/google/flatbuffers v24.12.23+incompatible h1:ubBKR94NR4pXUCY/MUsRVzd9umNW7ht7EG9hHfS9FX8= -github.com/google/flatbuffers v24.12.23+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= +github.com/google/flatbuffers v25.2.10+incompatible h1:F3vclr7C3HpB1k9mxCGRMXq6FdUalZ6H/pNX4FP1v0Q= +github.com/google/flatbuffers v25.2.10+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU= github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= 
@@ -511,8 +509,8 @@ github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORR github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= github.com/grpc-ecosystem/grpc-gateway v1.14.6/go.mod h1:zdiPV4Yse/1gnckTHtghG4GkDEdKCRJduHpTxT3/jcw= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1 h1:VNqngBF40hVlDloBruUehVYC3ArSgIyScOAyMRqBxRg= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1/go.mod h1:RBRO7fro65R6tjKzYgLAFo0t1QEXY1Dp+i/bvpRiqiQ= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 h1:e9Rjr40Z98/clHv5Yg79Is0NtosR5LXRvdr7o/6NwbA= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1/go.mod h1:tIxuGz/9mpox++sgp9fJjHO0+q1X9/UOWd798aAm22M= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -591,8 +589,8 @@ github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRt github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc= -github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= +github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= +github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= 
@@ -630,6 +628,10 @@ github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c h1:cqn374 github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= +github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw= +github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs= +github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU= +github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko= github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ= github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
@@ -672,12 +674,12 @@ github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4= github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= -github.com/open-policy-agent/opa v1.1.0 h1:HMz2evdEMTyNqtdLjmu3Vyx06BmhNYAx67Yz3Ll9q2s= -github.com/open-policy-agent/opa v1.1.0/go.mod h1:T1pASQ1/vwfTa+e2fYcfpLCvWgYtqtiUv+IuA/dLPQs= +github.com/open-policy-agent/opa v1.4.0 h1:IGO3xt5HhQKQq2axfa9memIFx5lCyaBlG+fXcgHpd3A= +github.com/open-policy-agent/opa v1.4.0/go.mod h1:DNzZPKqKh4U0n0ANxcCVlw8lCSv2c+h5G/3QvSYdWZ8= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= -github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= +github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= +github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M= github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs= github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw= 
@@ -766,18 +768,18 @@ github.com/sigstore/rekor v1.3.10 h1:/mSvRo4MZ/59ECIlARhyykAlQlkmeAQpvBPlmJtZOCU github.com/sigstore/rekor v1.3.10/go.mod h1:JvryKJ40O0XA48MdzYUPu0y4fyvqt0C4iSY7ri9iu3A= github.com/sigstore/scaffolding v0.7.22 h1:VjrRzUVRXWGPboglizvGvgq3U8kXnBS5/s4jDCUVwiU= github.com/sigstore/scaffolding v0.7.22/go.mod h1:ojN1gLIjZCl0lhEoqXBvaL+GJbTbBgcNZxxxvK7apuM= -github.com/sigstore/sigstore v1.9.3 h1:y2qlTj+vh+Or3ictKuR3JUFawZPdDxAjrWkeFhon0OQ= -github.com/sigstore/sigstore v1.9.3/go.mod h1:VwYkiw0G0dRtwL25KSs04hCyVFF6CYMd/qvNeYrl7EQ= -github.com/sigstore/sigstore-go v0.7.1 h1:lyzi3AjO6+BHc5zCf9fniycqPYOt3RaC08M/FRmQhVY= -github.com/sigstore/sigstore-go v0.7.1/go.mod h1:AIRj4I3LC82qd07VFm3T2zXYiddxeBV1k/eoS8nTz0E= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.3 h1:ofTeeCNenFFqUxSziEOYh5TLMtHbHO6e8+9vT3Vf34A= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.3/go.mod h1:2D6TX/FEBMoaD86P5aYzhxRKUYPiWcOz+6EARsVnM3s= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.3 h1:2vhoi7q92JPOCrCR7AZ52lKLj1G+U+hdRnJX6/wN+qk= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.3/go.mod h1:nR4s/4sdbeHfe7RwEPL1NhwsC1ia72wDJOIMevxTMYY= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.3 h1:FtLuqkIQYvZwWWbtWHbuTbKhsILMeWnMg0VMf6xB4O4= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.3/go.mod h1:yZMHY5cEkNRkhZGGhMS6IAUgE0HcXja1xmil796wtqg= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.9.3 h1:f+gPRf7NVfHhJfloN672KKkNHWA7b0vAOSQZyBINHWw= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.9.3/go.mod h1:AjN/gspnXeMDFTOXlHzRJDs8xbkd30kH8VN9D8g4CZM= +github.com/sigstore/sigstore v1.9.4 h1:64+OGed80+A4mRlNzRd055vFcgBeDghjZw24rPLZgDU= +github.com/sigstore/sigstore v1.9.4/go.mod h1:Q7tGTC3gbtK7c3jcxEmGc2MmK4rRpIRzi3bxRFWKvEY= +github.com/sigstore/sigstore-go v0.7.2 h1:CN4xPasChSEb0QBMxMW5dLcXdA9KD4QiRyVnMkhXj6U= +github.com/sigstore/sigstore-go v0.7.2/go.mod h1:AIRj4I3LC82qd07VFm3T2zXYiddxeBV1k/eoS8nTz0E= 
+github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.4 h1:kQqUJ1VuWdJltMkinFXAHTlJrzMRPoNgL+dy6WyJ/dA= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.4/go.mod h1:9miLz7c69vj/7VH7UpCKHDia41HCTIDJWJWf4Ex5yUk= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.4 h1:MHRm7YQuF4zFyoXRLgUdLaNxqVO6JlLGnkDUI9fm9ow= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.4/go.mod h1:899VNYSSnQ0QtcuhkW0gznzxn0cqhowTL3nzc/xnym8= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.4 h1:C2nSyTmTxpuamUmLCWWZwz+0Y1IQIig9XwAJ4UAn/SI= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.4/go.mod h1:vjDahU0sEw/WMkKkygZNH72EMg86iaFNLAaJFXhItXU= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.9.4 h1:t9yfb6yteIDv8CNRT6OHdqgTV6TSj+CdOtZP9dVhpsQ= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.9.4/go.mod h1:m7sQxVJmDa+rsmS1m6biQxaLX83pzNS7ThUEyjOqkCU= github.com/sigstore/timestamp-authority v1.2.5 h1:W22JmwRv1Salr/NFFuP7iJuhytcZszQjldoB8GiEdnw= github.com/sigstore/timestamp-authority v1.2.5/go.mod h1:gWPKWq4HMWgPCETre0AakgBzcr9DRqHrsgbrRqsigOs= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= 
@@ -840,8 +842,8 @@ github.com/tink-crypto/tink-go-awskms/v2 v2.1.0 h1:N9UxlsOzu5mttdjhxkDLbzwtEecuX github.com/tink-crypto/tink-go-awskms/v2 v2.1.0/go.mod h1:PxSp9GlOkKL9rlybW804uspnHuO9nbD98V/fDX4uSis= github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0 h1:3B9i6XBXNTRspfkTC0asN5W0K6GhOSgcujNiECNRNb0= github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0/go.mod h1:jY5YN2BqD/KSCHM9SqZPIpJNG/u3zwfLXHgws4x2IRw= -github.com/tink-crypto/tink-go/v2 v2.3.0 h1:4/TA0lw0lA/iVKBL9f8R5eP7397bfc4antAMXF5JRhs= -github.com/tink-crypto/tink-go/v2 v2.3.0/go.mod h1:kfPOtXIadHlekBTeBtJrHWqoGL+Fm3JQg0wtltPuxLU= +github.com/tink-crypto/tink-go/v2 v2.4.0 h1:8VPZeZI4EeZ8P/vB6SIkhlStrJfivTJn+cQ4dtyHNh0= +github.com/tink-crypto/tink-go/v2 v2.4.0/go.mod h1:l//evrF2Y3MjdbpNDNGnKgCpo5zSmvUvnQ4MU+yE2sw= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/tjfoc/gmsm v1.3.2/go.mod h1:HaUcFuY0auTiaHB9MHFGCPx5IaLhTUd2atbCFBQXn9w= 
@@ -883,24 +885,24 @@ go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0 h1:rgMkmiGfix9vFJDcDi1PK8WEQP4FLQwLDfhp5ZLpFeE= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0/go.mod h1:ijPqXp5P6IRRByFVVg9DY8P5HkxkHE5ARIa+86aXPf4= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 h1:CV7UdSGJt/Ao6Gp4CXckLxVRRsRgDHoI8XjbL3PDl8s= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0/go.mod h1:FRmFuRJfag1IZ2dPkHnEoSFVgTVPUd2qf5Vi69hLb8I= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 h1:sbiXRNDSWJOTobXh5HyQKjq6wUC5tNybqjIqDpAY4CU= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0/go.mod h1:69uWxva0WgAA/4bu2Yy70SLDBwZXuQ6PbBpbsa5iZrQ= go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ= go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod 
h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0 h1:wpMfgF8E1rkrT1Z6meFh1NDtownE9Ii3n3X2GJYjsaU= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0/go.mod h1:wAy0T/dUbs468uOlkT31xjvqQgEVXv58BRFWEgn5v/0= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 h1:1fTNlAIJZGWLP5FVu0fikVry1IsiUnXjf7QFvoNN3Xw= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0/go.mod h1:zjPK58DtkqQFn+YUMbx0M2XV3QgKU0gS9LeGohREyK4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 h1:m639+BofXTvcY1q8CGs4ItwQarYtJPOWmVobfM1HpVI= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0/go.mod h1:LjReUci/F4BUyv+y4dwnq3h/26iNOeC3wAIqgvTIZVo= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qHD0C1BeYVTLLR9sX12+Qb95kfeD/byKj6Ky1pXg= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0/go.mod h1:u5BF1xyjstDowA1R5QAO9JHzqK+ublenEW/dyqTjBVk= go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M= go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE= go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY= go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg= -go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk= -go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w= +go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o= +go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w= go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs= go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc= go.opentelemetry.io/proto/otlp v1.5.0 
h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4= @@ -1023,8 +1025,8 @@ golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= -golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8= -golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8= +golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY= +golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -1214,8 +1216,8 @@ google.golang.org/api v0.25.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0M google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= -google.golang.org/api v0.228.0 h1:X2DJ/uoWGnY5obVjewbp8icSL5U4FzuCfy9OjbLSnLs= -google.golang.org/api v0.228.0/go.mod h1:wNvRS1Pbe8r4+IfBIniV8fwCpGwTrYa+kMUDiC5z5a4= +google.golang.org/api v0.229.0 h1:p98ymMtqeJ5i3lIBMj5MpR9kzIIgzpHHh8vQ+vgAzx8= +google.golang.org/api v0.229.0/go.mod h1:wyDfmq5g1wYJWn29O22FDWN48P7Xcz0xz+LBpptYvB0= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -1255,10 +1257,10 @@ google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb h1:ITgPrl429bc6+2ZraNSzMDk3I95nmQln2fuPstKwFDE= google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:sAo5UzpjUwgFBCzupwhcLcxHVDK7vG5IqI30YnwX2eE= -google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950= -google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 h1:iK2jbkWL86DXjEx0qiHcRE9dE4/Ahua5k6V8OWFb//c= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I= +google.golang.org/genproto/googleapis/api v0.0.0-20250414145226-207652e42e2e h1:UdXH7Kzbj+Vzastr5nVfccbmFsmYNygVLSPk1pEfDoY= +google.golang.org/genproto/googleapis/api v0.0.0-20250414145226-207652e42e2e/go.mod h1:085qFyf2+XaZlRdCgKNCIZ3afY2p4HHZdoIRpId8F4A= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e h1:ztQaXfzEXTmCBvbtWYRhJxW+0iJcz2qXfd38/e9l7bA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= 
@@ -1272,8 +1274,8 @@ google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3Iji google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg= -google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec= +google.golang.org/grpc v1.71.1 h1:ffsFWr7ygTUscGPI0KKK6TLrGz0476KUvvsbqWK0rPI= +google.golang.org/grpc v1.71.1/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= diff --git a/pkg/apis/policy/v1alpha1/clusterimagepolicy_conversion.go b/pkg/apis/policy/v1alpha1/clusterimagepolicy_conversion.go index 671fdba33..bebbe75d3 100644 --- a/pkg/apis/policy/v1alpha1/clusterimagepolicy_conversion.go +++ b/pkg/apis/policy/v1alpha1/clusterimagepolicy_conversion.go @@ -89,6 +89,7 @@ func (matchResource *MatchResource) ConvertTo(_ context.Context, sink *v1beta1.M func (authority *Authority) ConvertTo(ctx context.Context, sink *v1beta1.Authority) error { sink.Name = authority.Name + sink.SignatureFormat = authority.SignatureFormat if authority.CTLog != nil && authority.CTLog.URL != nil { sink.CTLog = &v1beta1.TLog{ URL: authority.CTLog.URL.DeepCopy(), 
@@ -244,6 +245,7 @@ func (spec *ClusterImagePolicySpec) ConvertFrom(ctx context.Context, source *v1b func (authority *Authority) ConvertFrom(ctx context.Context, source *v1beta1.Authority) error { authority.Name = source.Name + authority.SignatureFormat = source.SignatureFormat if source.CTLog != nil && source.CTLog.URL != nil { authority.CTLog = &TLog{ URL: source.CTLog.URL.DeepCopy(), diff --git a/pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go b/pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go index 32cf79782..75a991593 100644 --- a/pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go +++ b/pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go @@ -144,6 +144,10 @@ type Authority struct { // RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance. // +optional RFC3161Timestamp *RFC3161Timestamp `json:"rfc3161timestamp,omitempty"` + // SignatureFormat specifies the format the authority expects. Supported + // formats are "legacy" and "bundle". If not specified, the default + // is "legacy" (cosign's default). + SignatureFormat string `json:"signatureFormat,omitempty"` } // This references a public verification key stored in diff --git a/pkg/apis/policy/v1alpha1/trustroot_validation_test.go b/pkg/apis/policy/v1alpha1/trustroot_validation_test.go index df81b64dc..2373d917f 100644 --- a/pkg/apis/policy/v1alpha1/trustroot_validation_test.go +++ b/pkg/apis/policy/v1alpha1/trustroot_validation_test.go 
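Review bot: The new `SignatureFormat` field on the v1alpha1 `Authority` (`clusterimagepolicy_types.go`) is a free-form `string` and, unlike `RFC3161Timestamp` directly above it, has no `// +optional` marker even though its comment describes an unset default. Nothing in this hunk restricts the value to the two documented formats, and the `ConvertTo`/`ConvertFrom` hunks copy it verbatim. Unless the Authority validation (not visible here) rejects other strings, a misspelled format could be admitted, leaving the verifier to decide what an unknown format means. For a field that selects how signatures are verified, I would add `// +optional` above it and reject at admission anything other than empty, `"legacy"` or `"bundle"`; the same applies to the identical field added to the v1beta1 `Authority`. The struct begins outside the hunk.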
@@ -29,14 +29,22 @@ import ( // encoded. These are vars because conversion to []byte seems to make them not // constant var ( - validRepository = `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` + validRepository = `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` // This is valid base64 (hello world), but should not be able to gunzip // untar. invalidRepository = []byte(`aGVsbG8gd29ybGQK`) // TUF Root json, generated via scaffolding - rootJSON = `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` + // IMPORTANT: The next expiration is on '2026-01-01T11:46:29Z' + // Steps to generate: + // 1. cgit clone github.com/sigstore/scaffolding + // 2. run ./hack/setup-kind.sh + // 3. export KO_DOCKER_REPO=registry.local:5001/sigstore + // 4. run ./hack/setup-scaffolding.sh + // 5. get the secrets from the kind cluster + // kubectl get secrets -o yaml -n tuf-system tuf-root + rootJSON = `ewogInNpZ25lZCI6IHsKICAiX3R5cGUiOiAicm9vdCIsCiAgInNwZWNfdmVyc2lvbiI6ICIxLjAiLAogICJ2ZXJzaW9uIjogMSwKICAiZXhwaXJlcyI6ICIyMDI2LTAxLTAxVDExOjQ2OjI5WiIsCiAgImtleXMiOiB7CiAgICIwZjhjNWYzNmZiNDMwNzEyMmZiNzk3MGUyMjRiNGUwODY0ZjRhZmE0ZTRmNjM0YmU3Nzg4ZTllYmQ5ZjI2Nzg1IjogewogICAgImtleXR5cGUiOiAiZWQyNTUxOSIsCiAgICAic2NoZW1lIjogImVkMjU1MTkiLAogICAgImtleWlkX2hhc2hfYWxnb3JpdGhtcyI6IFsKICAgICAic2hhMjU2IiwKICAgICAic2hhNTEyIgogICAgXSwKICAgICJrZXl2YWwiOiB7CiAgICAgInB1YmxpYyI6ICIzMWQ1MzNiMDJlNTgyNGI1NDEwYmNmMjI4NGZlNzVkMmZiNjdhMTA4Y2I1ZTdkNjhmOTc1YzljOWM1ODYyYzVjIgogICAgfQogICB9LAogICAiOTE4MmI1ODVlNzFiOTVmMDA1YzIyZWNkYjQwN2QxMDY5YTlkMjdiOGMzZmFmMzBmMmUxZmM5NTRhNWFkOWNmNiI6IHsKICAgICJrZXl0eXBlIjogImVkMjU1MTkiLAogICAgInNjaGVtZSI6ICJlZDI1NTE5IiwKICAgICJrZXlpZF9oYXNoX2FsZ29yaXRobXMiOiBbCiAgICAgInNoYTI1NiIsCiAgICAgInNoYTUxMiIKICAgIF0sCiAgICAia2V5dmFsIjogewogICAgICJwdWJsaWMiOiAiZTcxN2Y2NDY0YzMwYWFmMzVhOWE3MzgwY2M4NTkzNjRhNmMxNDgyOGRmNGE4MjJhNWRmYzA5ZTdjODJkMWIxZCIKICAgIH0KICAgfSwKICAgImU4YzZiMWQyMzA3NmYyOThhMTJjOTA4ZDlhODU3ZDFkZWU3MTI3NWQ1ZDdhNmVlOTQ2YTIzM2U4MzEwZjI3NmEiOiB7CiAgICAia2V5dHlwZSI6ICJlZDI1
NTE5IiwKICAgICJzY2hlbWUiOiAiZWQyNTUxOSIsCiAgICAia2V5aWRfaGFzaF9hbGdvcml0aG1zIjogWwogICAgICJzaGEyNTYiLAogICAgICJzaGE1MTIiCiAgICBdLAogICAgImtleXZhbCI6IHsKICAgICAicHVibGljIjogIjU0Y2FlMzk2MzFjYmFiYmZmM2RlYjhmMzQ1ZjczMGU3ZmI3YjhkOGNlMTY3ZWZiOGNlMzg3YzQxMTIxOTg3ZjQiCiAgICB9CiAgIH0sCiAgICJmNWYzMTMzYjcwMzljYTMzZjk2ZDI5OTMzN2Q1ZTQyNWVhNzk4MzIyMDEzNjY5OWJlODhhZjU2NWU5NmIyZWVhIjogewogICAgImtleXR5cGUiOiAiZWQyNTUxOSIsCiAgICAic2NoZW1lIjogImVkMjU1MTkiLAogICAgImtleWlkX2hhc2hfYWxnb3JpdGhtcyI6IFsKICAgICAic2hhMjU2IiwKICAgICAic2hhNTEyIgogICAgXSwKICAgICJrZXl2YWwiOiB7CiAgICAgInB1YmxpYyI6ICJhNzliYWQ3MGE4OWJjNjQwODkzZThiMDM1ODQ4YmYyZTU2YWE4NWU1N2MwYzUwODVjNGEzZjVhNWMyZmUwNGYzIgogICAgfQogICB9CiAgfSwKICAicm9sZXMiOiB7CiAgICJyb290IjogewogICAgImtleWlkcyI6IFsKICAgICAiZThjNmIxZDIzMDc2ZjI5OGExMmM5MDhkOWE4NTdkMWRlZTcxMjc1ZDVkN2E2ZWU5NDZhMjMzZTgzMTBmMjc2YSIKICAgIF0sCiAgICAidGhyZXNob2xkIjogMQogICB9LAogICAic25hcHNob3QiOiB7CiAgICAia2V5aWRzIjogWwogICAgICJmNWYzMTMzYjcwMzljYTMzZjk2ZDI5OTMzN2Q1ZTQyNWVhNzk4MzIyMDEzNjY5OWJlODhhZjU2NWU5NmIyZWVhIgogICAgXSwKICAgICJ0aHJlc2hvbGQiOiAxCiAgIH0sCiAgICJ0YXJnZXRzIjogewogICAgImtleWlkcyI6IFsKICAgICAiOTE4MmI1ODVlNzFiOTVmMDA1YzIyZWNkYjQwN2QxMDY5YTlkMjdiOGMzZmFmMzBmMmUxZmM5NTRhNWFkOWNmNiIKICAgIF0sCiAgICAidGhyZXNob2xkIjogMQogICB9LAogICAidGltZXN0YW1wIjogewogICAgImtleWlkcyI6IFsKICAgICAiMGY4YzVmMzZmYjQzMDcxMjJmYjc5NzBlMjI0YjRlMDg2NGY0YWZhNGU0ZjYzNGJlNzc4OGU5ZWJkOWYyNjc4NSIKICAgIF0sCiAgICAidGhyZXNob2xkIjogMQogICB9CiAgfSwKICAiY29uc2lzdGVudF9zbmFwc2hvdCI6IHRydWUKIH0sCiAic2lnbmF0dXJlcyI6IFsKICB7CiAgICJrZXlpZCI6ICJlOGM2YjFkMjMwNzZmMjk4YTEyYzkwOGQ5YTg1N2QxZGVlNzEyNzVkNWQ3YTZlZTk0NmEyMzNlODMxMGYyNzZhIiwKICAgInNpZyI6ICI1MmM2YTkyNGFiZWYwMGY1YzY2NDE0OGIzMWRjMDRkOTVhNWE5ZjY1MjJlNTkwMDAyMzViNTAxNDUxYjRmYzc0MjEwZTVhY2NhOTRkZWIyZmNhNTgzZmM4ZTY4NDY0NTRiYTY2YzFhNzY4NWMxMDJhMDQ5N2JiMDNlMTEzYjIwMyIKICB9CiBdCn0=` ) func TestTrustRootValidation(t *testing.T) { 
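Review bot: The `rootJSON` fixture is a signed TUF root whose `expires` is fixed at 2026-01-01T11:46:29Z, so the new IMPORTANT comment records the deadline rather than removing it. If `TestTrustRootValidation` (its body is outside the hunk) checks expiry, the suite will start failing on that date with no code change. Prefer generating the fixture with a far-future expiry or building it inside the test. The regeneration steps also need tightening: step 1 reads `cgit clone`, presumably `git clone`, and step 5 does not say which key of the `tuf-root` secret becomes `rootJSON`.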
diff --git a/pkg/apis/policy/v1beta1/clusterimagepolicy_types.go b/pkg/apis/policy/v1beta1/clusterimagepolicy_types.go index 8e1b1b8b5..44c3adf16 100644 --- a/pkg/apis/policy/v1beta1/clusterimagepolicy_types.go +++ b/pkg/apis/policy/v1beta1/clusterimagepolicy_types.go @@ -143,6 +143,10 @@ type Authority struct { // RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance. // +optional RFC3161Timestamp *RFC3161Timestamp `json:"rfc3161timestamp,omitempty"` + // SignatureFormat specifies the format the authority expects. Supported + // formats are "legacy" and "bundle". If not specified, the default + // is "legacy" (cosign's default). + SignatureFormat string `json:"signatureFormat,omitempty"` } // This references a public verification key stored in diff --git a/pkg/reconciler/trustroot/controller.go b/pkg/reconciler/trustroot/controller.go index 8373b9804..66fffe2a7 100644 --- a/pkg/reconciler/trustroot/controller.go +++ b/pkg/reconciler/trustroot/controller.go @@ -16,7 +16,6 @@ package trustroot import ( "context" - "time" "k8s.io/client-go/tools/cache" kubeclient "knative.dev/pkg/client/injection/kube/client" @@ -30,6 +29,7 @@ import ( "github.com/sigstore/policy-controller/pkg/apis/config" trustrootinformer "github.com/sigstore/policy-controller/pkg/client/injection/informers/policy/v1alpha1/trustroot" trustrootreconciler "github.com/sigstore/policy-controller/pkg/client/injection/reconciler/policy/v1alpha1/trustroot" + "github.com/sigstore/policy-controller/pkg/tuf" cminformer "knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/configmap" ) @@ -37,8 +37,6 @@ import ( // use it in tests as well. const FinalizerName = "trustroots.policy.sigstore.dev" -type trustrootResyncPeriodKey struct{} - // NewController creates a Reconciler and returns the result of NewImpl. func NewController( ctx context.Context, 
@@ -78,22 +76,8 @@ func NewController( pkgreconciler.NamespaceFilterFunc(system.Namespace()), pkgreconciler.NameFilterFunc(config.SigstoreKeysConfigName)), Handler: controller.HandleAll(grCb), - }, FromContextOrDefaults(ctx)); err != nil { + }, tuf.FromContextOrDefaults(ctx)); err != nil { logging.FromContext(ctx).Warnf("Failed configMapInformer AddEventHandlerWithResyncPeriod() %v", err) } return impl } - -func ToContext(ctx context.Context, duration time.Duration) context.Context { - return context.WithValue(ctx, trustrootResyncPeriodKey{}, duration) -} - -// FromContextOrDefaults returns a stored trustrootResyncPeriod if attached. -// If not found, it returns a default duration -func FromContextOrDefaults(ctx context.Context) time.Duration { - x, ok := ctx.Value(trustrootResyncPeriodKey{}).(time.Duration) - if ok { - return x - } - return controller.DefaultResyncPeriod -} diff --git a/pkg/reconciler/trustroot/controller_test.go b/pkg/reconciler/trustroot/controller_test.go index 7d6b442a1..0377b5621 100644 --- a/pkg/reconciler/trustroot/controller_test.go +++ b/pkg/reconciler/trustroot/controller_test.go @@ -16,10 +16,8 @@ package trustroot import ( "testing" - "time" "knative.dev/pkg/configmap" - "knative.dev/pkg/controller" rtesting "knative.dev/pkg/reconciler/testing" // Fake injection informers @@ -39,21 +37,3 @@ func TestNew(t *testing.T) { t.Fatal("Expected NewController to return a non-nil value") } } - -func TestContextDuration(t *testing.T) { - ctx, _ := rtesting.SetupFakeContext(t) - - expected := controller.DefaultResyncPeriod - actual := FromContextOrDefaults(ctx) - if expected != actual { - t.Fatal("Expected the context to store the value and be retrievable") - } - - expected = time.Hour - ctx = ToContext(ctx, expected) - actual = FromContextOrDefaults(ctx) - - if expected != actual { - t.Fatal("Expected the context to store the value and be retrievable") - } -} 
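Review bot: Dropping the exported `ToContext` and `FromContextOrDefaults` from package `trustroot` in `controller.go` is a breaking change for anything that imports them, and `TestContextDuration` is deleted along with them in `controller_test.go`. The replacement `tuf.FromContextOrDefaults` is defined outside what is visible here, so it is unclear whether the `controller.DefaultResyncPeriod` default and the override path are still tested there; if not, move the test to `pkg/tuf` instead of deleting it. If external callers matter, keep a forwarding wrapper marked `// Deprecated: use tuf.FromContextOrDefaults.` for one release. `NewController` starts outside the hunk.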
diff --git a/pkg/reconciler/trustroot/testdata/ctfeLogID.txt b/pkg/reconciler/trustroot/testdata/ctfeLogID.txt index 37f513b36..c87e9066c 100644 --- a/pkg/reconciler/trustroot/testdata/ctfeLogID.txt +++ b/pkg/reconciler/trustroot/testdata/ctfeLogID.txt @@ -1 +1 @@ -ce0e092b9e35b0b9e3637a96a27b8eb3806e7f366e70367eddcbb65b4f0b7165 \ No newline at end of file +72d6dae92b27e3c66ce7c06118782a87d64cb1ca4d58da7be4bf6a6c81637d94 \ No newline at end of file diff --git a/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem b/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem index 864534e2c..52bab6af7 100644 --- a/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem +++ b/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem @@ -1,4 +1,4 @@ -----BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdQpbV0RszJ9g2DUmv1RAYXUWS+lA -a+YbNaU6Q9ZbXmATIX+C+4nUbgM6u0ooW9eXxtnUVAwDGVuHGWtr5VzyLg== +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/LRj+kZcPIO3VWlCeulO6WFtd1Vk +oG80NXchsgpBYD14tH7daOdYukeLzS+BqQFBafrHJy3dzQUNTiHwpiySMA== -----END PUBLIC KEY----- diff --git a/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem b/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem index 1fd67248f..15ae53e09 100644 --- a/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem +++ b/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem 
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI1 -MDQwMjIwNDEzOVoXDTM1MDQwMjIwNDEzOVowDzENMAsGA1UEAxMEbGVhZjBZMBMG -ByqGSM49AgEGCCqGSM49AwEHA0IABDinvflTjDOr/6o70lfMWBRtYnaJcYIIdGJp -27wvISz6CbXoz4wuZbYi3oOlw6uDed+QpMQfJaGcgH0GQ9nM6vyjMzAxMA4GA1Ud -DwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQnBOo/FKFK5QsnmtCW3EULNg7a8jAKBggq -hkjOPQQDAgNIADBFAiEAobePrizti+1TidezZrdZbPczorA3eNJXO11khRT5f6YC -IBGX6djF1e44voTyfjajRH6JeyWdRv7OkLKFqk94nxYa +MIIBPDCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI1 +MDcwMTExMjEwM1oXDTM1MDcwMTExMjEwM1owDzENMAsGA1UEAxMEbGVhZjBZMBMG +ByqGSM49AgEGCCqGSM49AwEHA0IABCRENSlBsT9Cceu6g60k/y/vzRPM6hb8BJbq +sX/xx4PpbXO3Um0h+CN/p6WAJh/4koXLVHaRTokl+kNc/OMhp9WjMzAxMA4GA1Ud +DwEB/wQEAwIGwDAfBgNVHSMEGDAWgBTMEbK6/VqSJCNSppR2WoB7izlXsDAKBggq +hkjOPQQDAgNHADBEAiBXRhIwRdnUy5aniaeIFqsnaOjYddGuhc1u//6ReUzfwgIg +eHDfF6BK7OmnUvc62QOJeSWj7CRe+wJd9rTL9FeDjCU= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI1 -MDQwMjIwNDEzOVoXDTM1MDQwMjIwNDEzOVowDTELMAkGA1UEAxMCY2EwWTATBgcq -hkjOPQIBBggqhkjOPQMBBwNCAATYMFeaxWdAnFM3nGB7MT4cVWHwWLpHtGeCWtU+ -dGLqBlF7mM/QjdGmZ3Ea3sb8k1PZfm3m2ycJtu1mle6llLjHo0IwQDAOBgNVHQ8B -Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJwTqPxShSuULJ5rQ -ltxFCzYO2vIwCgYIKoZIzj0EAwIDSQAwRgIhAIQQCaaKqofWp/rNU3qyVN6qGYHq -pBMR5UHKY2ms6UaHAiEAxQ0YHuxXHYziMHoO5Ey8gIbnTSfpCUSltKKhZ5ppgrU= +MIIBSjCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI1 +MDcwMTExMjEwM1oXDTM1MDcwMTExMjEwM1owDTELMAkGA1UEAxMCY2EwWTATBgcq +hkjOPQIBBggqhkjOPQMBBwNCAAS9qmFBSdQ8sgNy0yRybzJMKmhC9pO4TQRt2dPv +6SDJTNjOTQLm9CtBQhDOmNaanTzEUFCZxA/3Gx5a+JP0/Ts5o0IwQDAOBgNVHQ8B +Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUzBGyuv1akiQjUqaU +dlqAe4s5V7AwCgYIKoZIzj0EAwIDSAAwRQIhAMPb6kbHcMhpWzc7nb8QRadvUxfd +UnF2pGamtoZ4+LCXAiA4zDqYSz8JLPHgpAtXF3i/2PyqXGKy9eSlprIAYgZ7jg== -----END CERTIFICATE----- 
diff --git a/pkg/reconciler/trustroot/testdata/marshalledEntry.json b/pkg/reconciler/trustroot/testdata/marshalledEntry.json index 2049afb68..89c83d9de 100644 --- a/pkg/reconciler/trustroot/testdata/marshalledEntry.json +++ b/pkg/reconciler/trustroot/testdata/marshalledEntry.json @@ -5,14 +5,14 @@ "baseUrl": "https://rekor.example.com", "hashAlgorithm": "SHA2_256", "publicKey": { - "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8OnaXgP7Oj//llRdP76GRDNIx8yTmXm8tra6qck1nt3ZmNvbTcKQu2WXL3kpBNYK3wMg9I3BfeWA36OlUQYL0Q==", + "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfISMcpAiZrwd7KUThb0fgrsFOM1MJOxgH4OD+md+c0yHEZ6UsOR5UF5HAN/qD5skTTcXJuSOogZVc/xeOvhSTw==", "keyDetails": "PKIX_ECDSA_P256_SHA_256", "validFor": { "start": "1970-01-01T00:00:00Z" } }, "logId": { - "keyId": "ZmFiYWE1Nzg1MjczODczMWU1YmEwYjUyNzAzYWVkMWU4MzE0Yjk3ZTk1MDBiMDk5NDI5NjQwYWQ2NWRlMWM3MA==" + "keyId": "YmRmY2I5OTA3NmVjODg5MTMyNDFjYjk4ZTcyMTc4NTljNTRhYThiYTdmNjMzMTQyM2FiOWI3N2Q1ZjQxNGU5OA==" } } ], 
@@ -26,10 +26,10 @@ "certChain": { "certificates": [ { - "rawBytes": "MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI1MDQwMjIwNDEzOVoXDTM1MDQwMjIwNDEzOVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDinvflTjDOr/6o70lfMWBRtYnaJcYIIdGJp27wvISz6CbXoz4wuZbYi3oOlw6uDed+QpMQfJaGcgH0GQ9nM6vyjMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQnBOo/FKFK5QsnmtCW3EULNg7a8jAKBggqhkjOPQQDAgNIADBFAiEAobePrizti+1TidezZrdZbPczorA3eNJXO11khRT5f6YCIBGX6djF1e44voTyfjajRH6JeyWdRv7OkLKFqk94nxYa" + "rawBytes": "MIIBPDCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI1MDcwMTExMjEwM1oXDTM1MDcwMTExMjEwM1owDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCRENSlBsT9Cceu6g60k/y/vzRPM6hb8BJbqsX/xx4PpbXO3Um0h+CN/p6WAJh/4koXLVHaRTokl+kNc/OMhp9WjMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBTMEbK6/VqSJCNSppR2WoB7izlXsDAKBggqhkjOPQQDAgNHADBEAiBXRhIwRdnUy5aniaeIFqsnaOjYddGuhc1u//6ReUzfwgIgeHDfF6BK7OmnUvc62QOJeSWj7CRe+wJd9rTL9FeDjCU=" }, { - "rawBytes": "MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI1MDQwMjIwNDEzOVoXDTM1MDQwMjIwNDEzOVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATYMFeaxWdAnFM3nGB7MT4cVWHwWLpHtGeCWtU+dGLqBlF7mM/QjdGmZ3Ea3sb8k1PZfm3m2ycJtu1mle6llLjHo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJwTqPxShSuULJ5rQltxFCzYO2vIwCgYIKoZIzj0EAwIDSQAwRgIhAIQQCaaKqofWp/rNU3qyVN6qGYHqpBMR5UHKY2ms6UaHAiEAxQ0YHuxXHYziMHoO5Ey8gIbnTSfpCUSltKKhZ5ppgrU=" + "rawBytes": "MIIBSjCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI1MDcwMTExMjEwM1oXDTM1MDcwMTExMjEwM1owDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS9qmFBSdQ8sgNy0yRybzJMKmhC9pO4TQRt2dPv6SDJTNjOTQLm9CtBQhDOmNaanTzEUFCZxA/3Gx5a+JP0/Ts5o0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUzBGyuv1akiQjUqaUdlqAe4s5V7AwCgYIKoZIzj0EAwIDSAAwRQIhAMPb6kbHcMhpWzc7nb8QRadvUxfdUnF2pGamtoZ4+LCXAiA4zDqYSz8JLPHgpAtXF3i/2PyqXGKy9eSlprIAYgZ7jg==" } ] }, 
@@ -43,14 +43,14 @@ "baseUrl": "https://ctfe.example.com", "hashAlgorithm": "SHA2_256", "publicKey": { - "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdQpbV0RszJ9g2DUmv1RAYXUWS+lAa+YbNaU6Q9ZbXmATIX+C+4nUbgM6u0ooW9eXxtnUVAwDGVuHGWtr5VzyLg==", + "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/LRj+kZcPIO3VWlCeulO6WFtd1VkoG80NXchsgpBYD14tH7daOdYukeLzS+BqQFBafrHJy3dzQUNTiHwpiySMA==", "keyDetails": "PKIX_ECDSA_P256_SHA_256", "validFor": { "start": "1970-01-01T00:00:00Z" } }, "logId": { - "keyId": "Y2UwZTA5MmI5ZTM1YjBiOWUzNjM3YTk2YTI3YjhlYjM4MDZlN2YzNjZlNzAzNjdlZGRjYmI2NWI0ZjBiNzE2NQ==" + "keyId": "NzJkNmRhZTkyYjI3ZTNjNjZjZTdjMDYxMTg3ODJhODdkNjRjYjFjYTRkNThkYTdiZTRiZjZhNmM4MTYzN2Q5NA==" } } ], 
@@ -64,10 +64,10 @@ "certChain": { "certificates": [ { - "rawBytes": "MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI1MDQwMjIwNDEzOVoXDTM1MDQwMjIwNDEzOVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCKH3XivQjrlRMPBECYj4/aM4HxhmsDjB42Zb5lQNzNLybRCxhequ9/cQUgiAAlqyVNyr2Q38R15ZlzSOJ1IHNyjMzAxMA4GA1UdDwEB/wQEAwIEEDAfBgNVHSMEGDAWgBQVwh0Oz6XDozbQWCf7Pozi1nmPZDAKBggqhkjOPQQDAgNJADBGAiEA5o/l9vC7gg2N+QZ+8JKPKmbJtvVuiEEdeZu6zOrJ94sCIQCB5pj2/dyIOwpdtK+CKWvKzY7PzyLc3OuC3GgPmDLHOg==" + "rawBytes": "MIIBPDCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI1MDcwMTExMjEwM1oXDTM1MDcwMTExMjEwM1owDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABI6Y+7lytAlUaqJMhBNX8MacXsvm80DnYy9rr1VD1vGaeILTzGO7lweQbR+tWPttctXOTeMq7OPfxjs0alKj+eWjMzAxMA4GA1UdDwEB/wQEAwIEEDAfBgNVHSMEGDAWgBS7jGT6QsK8sOLUKDLBCiQpI4AsCzAKBggqhkjOPQQDAgNHADBEAiBnLHjW1+zfJDNshoofVq3brzx4Vn81HQc4k9GcUffTMgIgBCyyGkJ+ayLAPmMUkX7nVZa1RB84rzHV57PISF04bq4=" }, { - "rawBytes": "MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI1MDQwMjIwNDEzOVoXDTM1MDQwMjIwNDEzOVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATKKGhibPWiUGgf5xOEgR4+mp2CEi4V0J12yjJzP8FJI67idgmGmdH/74hteKO+ooxvjG4obZJtwcpPztshjzaro0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUFcIdDs+lw6M20Fgn+z6M4tZ5j2QwCgYIKoZIzj0EAwIDSQAwRgIhAOATau0ajIlhNT1JWFbKO7G2g5iCH3Rsw8nU3UqQH9L4AiEA3HiFPlIFmKRvYJmyGECLw8EO2gRamBpFoi6pszfO58w=" + "rawBytes": "MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI1MDcwMTExMjEwM1oXDTM1MDcwMTExMjEwM1owDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT+D/5XUFXokHysm5PZVgiR0Ef/iCy3hQjbGEoZiDLKsrmGJB+LN4nA5opRL1vVvIwHRCIhu0zymmm6HufsoVXqo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUu4xk+kLCvLDi1CgywQokKSOALAswCgYIKoZIzj0EAwIDSQAwRgIhAP6oXEyOIqTjIrgzrtnsVGo5/CIkVwpNy4Kumxev0L2gAiEAncABJkWROim1c7QJl3uYvKbkZkOL3frGVEPc1vxNIms=" } ] }, 
diff --git a/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json b/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json index 52a8a908f..460801c81 100644 --- a/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json +++ b/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json @@ -3,14 +3,14 @@ { "hashAlgorithm": "SHA2_256", "publicKey": { - "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8OnaXgP7Oj//llRdP76GRDNIx8yTmXm8tra6qck1nt3ZmNvbTcKQu2WXL3kpBNYK3wMg9I3BfeWA36OlUQYL0Q==", + "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfISMcpAiZrwd7KUThb0fgrsFOM1MJOxgH4OD+md+c0yHEZ6UsOR5UF5HAN/qD5skTTcXJuSOogZVc/xeOvhSTw==", "keyDetails": "PKIX_ECDSA_P256_SHA_256", "validFor": { "start": "1970-01-01T00:00:00Z" } }, "logId": { - "keyId": "ZmFiYWE1Nzg1MjczODczMWU1YmEwYjUyNzAzYWVkMWU4MzE0Yjk3ZTk1MDBiMDk5NDI5NjQwYWQ2NWRlMWM3MA==" + "keyId": "YmRmY2I5OTA3NmVjODg5MTMyNDFjYjk4ZTcyMTc4NTljNTRhYThiYTdmNjMzMTQyM2FiOWI3N2Q1ZjQxNGU5OA==" } } ], 
@@ -19,10 +19,10 @@ "certChain": { "certificates": [ { - "rawBytes": "MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI1MDQwMjIwNDEzOVoXDTM1MDQwMjIwNDEzOVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDinvflTjDOr/6o70lfMWBRtYnaJcYIIdGJp27wvISz6CbXoz4wuZbYi3oOlw6uDed+QpMQfJaGcgH0GQ9nM6vyjMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQnBOo/FKFK5QsnmtCW3EULNg7a8jAKBggqhkjOPQQDAgNIADBFAiEAobePrizti+1TidezZrdZbPczorA3eNJXO11khRT5f6YCIBGX6djF1e44voTyfjajRH6JeyWdRv7OkLKFqk94nxYa" + "rawBytes": "MIIBPDCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI1MDcwMTExMjEwM1oXDTM1MDcwMTExMjEwM1owDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCRENSlBsT9Cceu6g60k/y/vzRPM6hb8BJbqsX/xx4PpbXO3Um0h+CN/p6WAJh/4koXLVHaRTokl+kNc/OMhp9WjMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBTMEbK6/VqSJCNSppR2WoB7izlXsDAKBggqhkjOPQQDAgNHADBEAiBXRhIwRdnUy5aniaeIFqsnaOjYddGuhc1u//6ReUzfwgIgeHDfF6BK7OmnUvc62QOJeSWj7CRe+wJd9rTL9FeDjCU=" }, { - "rawBytes": "MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI1MDQwMjIwNDEzOVoXDTM1MDQwMjIwNDEzOVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATYMFeaxWdAnFM3nGB7MT4cVWHwWLpHtGeCWtU+dGLqBlF7mM/QjdGmZ3Ea3sb8k1PZfm3m2ycJtu1mle6llLjHo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJwTqPxShSuULJ5rQltxFCzYO2vIwCgYIKoZIzj0EAwIDSQAwRgIhAIQQCaaKqofWp/rNU3qyVN6qGYHqpBMR5UHKY2ms6UaHAiEAxQ0YHuxXHYziMHoO5Ey8gIbnTSfpCUSltKKhZ5ppgrU=" + "rawBytes": "MIIBSjCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI1MDcwMTExMjEwM1oXDTM1MDcwMTExMjEwM1owDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS9qmFBSdQ8sgNy0yRybzJMKmhC9pO4TQRt2dPv6SDJTNjOTQLm9CtBQhDOmNaanTzEUFCZxA/3Gx5a+JP0/Ts5o0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUzBGyuv1akiQjUqaUdlqAe4s5V7AwCgYIKoZIzj0EAwIDSAAwRQIhAMPb6kbHcMhpWzc7nb8QRadvUxfdUnF2pGamtoZ4+LCXAiA4zDqYSz8JLPHgpAtXF3i/2PyqXGKy9eSlprIAYgZ7jg==" } ] }, 
@@ -35,14 +35,14 @@ { "hashAlgorithm": "SHA2_256", "publicKey": { - "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdQpbV0RszJ9g2DUmv1RAYXUWS+lAa+YbNaU6Q9ZbXmATIX+C+4nUbgM6u0ooW9eXxtnUVAwDGVuHGWtr5VzyLg==", + "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/LRj+kZcPIO3VWlCeulO6WFtd1VkoG80NXchsgpBYD14tH7daOdYukeLzS+BqQFBafrHJy3dzQUNTiHwpiySMA==", "keyDetails": "PKIX_ECDSA_P256_SHA_256", "validFor": { "start": "1970-01-01T00:00:00Z" } }, "logId": { - "keyId": "Y2UwZTA5MmI5ZTM1YjBiOWUzNjM3YTk2YTI3YjhlYjM4MDZlN2YzNjZlNzAzNjdlZGRjYmI2NWI0ZjBiNzE2NQ==" + "keyId": "NzJkNmRhZTkyYjI3ZTNjNjZjZTdjMDYxMTg3ODJhODdkNjRjYjFjYTRkNThkYTdiZTRiZjZhNmM4MTYzN2Q5NA==" } } ] diff --git a/pkg/reconciler/trustroot/testdata/rekorLogID.txt b/pkg/reconciler/trustroot/testdata/rekorLogID.txt index f1fcebe06..e88e4ea12 100644 --- a/pkg/reconciler/trustroot/testdata/rekorLogID.txt +++ b/pkg/reconciler/trustroot/testdata/rekorLogID.txt @@ -1 +1 @@ -fabaa57852738731e5ba0b52703aed1e8314b97e9500b099429640ad65de1c70 \ No newline at end of file +bdfcb99076ec88913241cb98e7217859c54aa8ba7f6331423ab9b77d5f414e98 \ No newline at end of file diff --git a/pkg/reconciler/trustroot/testdata/rekorPublicKey.pem b/pkg/reconciler/trustroot/testdata/rekorPublicKey.pem index 7aa3f9a6d..11ae2f7ea 100644 --- a/pkg/reconciler/trustroot/testdata/rekorPublicKey.pem +++ b/pkg/reconciler/trustroot/testdata/rekorPublicKey.pem @@ -1,4 +1,4 @@ -----BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8OnaXgP7Oj//llRdP76GRDNIx8yT -mXm8tra6qck1nt3ZmNvbTcKQu2WXL3kpBNYK3wMg9I3BfeWA36OlUQYL0Q== +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfISMcpAiZrwd7KUThb0fgrsFOM1M +JOxgH4OD+md+c0yHEZ6UsOR5UF5HAN/qD5skTTcXJuSOogZVc/xeOvhSTw== -----END PUBLIC KEY----- diff --git a/pkg/reconciler/trustroot/testdata/root.json b/pkg/reconciler/trustroot/testdata/root.json index 1acdefd72..8446376d9 100644 --- a/pkg/reconciler/trustroot/testdata/root.json +++ b/pkg/reconciler/trustroot/testdata/root.json 
@@ -3,9 +3,9 @@ "_type": "root", "spec_version": "1.0", "version": 1, - "expires": "2025-10-02T16:41:39-04:00", + "expires": "2026-01-01T13:21:04+01:00", "keys": { - "4b6e470a6ae80de875a55e14ebb6f237d849afb159b9702d52a0e83a094eb79e": { + "0d940e166ae0568ea03cc478aa85b1665f7f92a35d7999575e31b21e408f487d": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ @@ -13,10 +13,10 @@ "sha512" ], "keyval": { - "public": "c15703fe858491eb71333222bd1d3ae9a1b12a2ad6da855a0bb87cc62bdcb1db" + "public": "9ed3a9ac657799f44fd22c9cd3b569c68e9327dca9690419bc97288bea5b6389" } }, - "5bba1132b50cab237959cf28b8471e22b448f618078934e4a551b42956cc2aeb": { + "5910c46dd13c76aac66a1931d6267de258b3017f44b8015f46d4b61524fb1e3d": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ @@ -24,10 +24,10 @@ "sha512" ], "keyval": { - "public": "cabab661f4fbe2a5149f46d1749d4d31275ef3c253c42ab43c23a7defd83e9e2" + "public": "7ea730fa36d4181f89bd24580a91fd22de991a7e220fbcbda8c602f1ffbe06fc" } }, - "5e981e578c6182ef0d8b74de7507a503eadb940e9f7ab4a1bff2f6ed5d9ee971": { + "de5f7af766270e2e22ca1ee043a5ff217b66639b3023d65aad9632df1e79e7b9": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ @@ -35,10 +35,10 @@ "sha512" ], "keyval": { - "public": "2153df976dd0916189119c20c833d3feea9b8f03e638c30ea86138106ba195f1" + "public": "508f01013c2dd120425291227553c5595b736f02a044606537a75ecdbd686b81" } }, - "86ea80bbb0d782cc9ad0cb509cdcee05cccb70b22287d1506660f0c4882d899b": { + "ecdb1e8e97ee7300b1158718d5390d622b560bec16e21a7f4e2ceb3b0b8e3da1": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ 
@@ -46,32 +46,32 @@ "sha512" ], "keyval": { - "public": "d56d7d86bdc349455a9353b850b5c5482178cfd427db91a26fd76379ee422ac6" + "public": "6c672e33e09fe3b3a4f7db624c9e797951df092325195f757c974c8578eafb30" } } }, "roles": { "root": { "keyids": [ - "5e981e578c6182ef0d8b74de7507a503eadb940e9f7ab4a1bff2f6ed5d9ee971" + "de5f7af766270e2e22ca1ee043a5ff217b66639b3023d65aad9632df1e79e7b9" ], "threshold": 1 }, "snapshot": { "keyids": [ - "5bba1132b50cab237959cf28b8471e22b448f618078934e4a551b42956cc2aeb" + "0d940e166ae0568ea03cc478aa85b1665f7f92a35d7999575e31b21e408f487d" ], "threshold": 1 }, "targets": { "keyids": [ - "86ea80bbb0d782cc9ad0cb509cdcee05cccb70b22287d1506660f0c4882d899b" + "5910c46dd13c76aac66a1931d6267de258b3017f44b8015f46d4b61524fb1e3d" ], "threshold": 1 }, "timestamp": { "keyids": [ - "4b6e470a6ae80de875a55e14ebb6f237d849afb159b9702d52a0e83a094eb79e" + "ecdb1e8e97ee7300b1158718d5390d622b560bec16e21a7f4e2ceb3b0b8e3da1" ], "threshold": 1 } @@ -80,8 +80,8 @@ }, "signatures": [ { - "keyid": "5e981e578c6182ef0d8b74de7507a503eadb940e9f7ab4a1bff2f6ed5d9ee971", - "sig": "491a3f69cc2aa878e0caa1b8f5488f69c1c0ebac08b2a655110454c21fe166245554eaf5d9c3b83a01a5fff9eb4c2b70cfb8af53b576193a746d404ea30a920e" + "keyid": "de5f7af766270e2e22ca1ee043a5ff217b66639b3023d65aad9632df1e79e7b9", + "sig": "0600abd72979dfe964f5dfdb204534545dc7f885bc3ee3e035488f29f90d2852070aeae1ae397a7dd1cda507ef4317edf056ac9ce88a23ae78d1fbbaf6a7df06" } ] } \ No newline at end of file diff --git a/pkg/reconciler/trustroot/testdata/rootWithCustomTrustedRootJSON.json b/pkg/reconciler/trustroot/testdata/rootWithCustomTrustedRootJSON.json index 8bfd05569..b3833bafc 100644 --- a/pkg/reconciler/trustroot/testdata/rootWithCustomTrustedRootJSON.json +++ b/pkg/reconciler/trustroot/testdata/rootWithCustomTrustedRootJSON.json 
@@ -3,9 +3,9 @@ "_type": "root", "spec_version": "1.0", "version": 1, - "expires": "2025-10-02T16:41:39-04:00", + "expires": "2026-01-01T13:21:04+01:00", "keys": { - "066ddc8f2c0d25760fc9e4658a6d0eac30a51a18269ace25a28ca49a1fc30879": { + "05768da397654761017646fe48c7250b634ccb72ebbb817d97757d2a4ca0d0b1": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ @@ -13,10 +13,10 @@ "sha512" ], "keyval": { - "public": "54a45a46b845410c3c8f6c4ff0e06cfe464c28fb3ba8de9f700c5e0786b9ca71" + "public": "2e14b5f6e51038c8eed39cea5921f25f5d8c1229e1afd6903b749d049eebdf28" } }, - "18547878bd70556810872a823a9458361643b3b194cb156da16db9cdea4bf8e7": { + "77935fd26e2f5431b14cdb2d7d833f7e894cbe3c9d476a4b0cd2140d9f2a8406": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ @@ -24,10 +24,10 @@ "sha512" ], "keyval": { - "public": "3f1d6918348063f2f80e9ed607a806be559fd447153ff1829b0ac8af52f374ba" + "public": "831694438642cf2f0dda68234089a20464f23a766e858b341747f931bde8577c" } }, - "6f682eb905b869b071295765b11f35cc4e4378ba6c57f363d0334224223c5cbe": { + "b805e2101b437ba4f99d2eba0eabb8144d8795822ff726e5704ba2e7faa73c4c": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ @@ -35,10 +35,10 @@ "sha512" ], "keyval": { - "public": "606d869497cb773c0571b7a36a78bffa6088f54ddfc97b971bf08dce335d4345" + "public": "8d931de7b0b98a9b852805866a9b624e26158a0ba7890f6048a48a2d3e68d0aa" } }, - "98664c4f0dd10825afe47c106451b15d9ed92599d48099584a7e48de77a404d1": { + "f1469ae619f991d435ba37096ea88d3eec4ddd1b17c02bd72478e05bce3fb24c": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ 
@@ -46,32 +46,32 @@ "sha512" ], "keyval": { - "public": "eaf623556540a9ccc698ab7776322ff1ed69670c0190c67ff0d0e1ad358324a7" + "public": "677cb8610efc92280d5a41ae782e20c65b4e14b6629a54db8ebd31af602886ee" } } }, "roles": { "root": { "keyids": [ - "066ddc8f2c0d25760fc9e4658a6d0eac30a51a18269ace25a28ca49a1fc30879" + "b805e2101b437ba4f99d2eba0eabb8144d8795822ff726e5704ba2e7faa73c4c" ], "threshold": 1 }, "snapshot": { "keyids": [ - "18547878bd70556810872a823a9458361643b3b194cb156da16db9cdea4bf8e7" + "f1469ae619f991d435ba37096ea88d3eec4ddd1b17c02bd72478e05bce3fb24c" ], "threshold": 1 }, "targets": { "keyids": [ - "98664c4f0dd10825afe47c106451b15d9ed92599d48099584a7e48de77a404d1" + "05768da397654761017646fe48c7250b634ccb72ebbb817d97757d2a4ca0d0b1" ], "threshold": 1 }, "timestamp": { "keyids": [ - "6f682eb905b869b071295765b11f35cc4e4378ba6c57f363d0334224223c5cbe" + "77935fd26e2f5431b14cdb2d7d833f7e894cbe3c9d476a4b0cd2140d9f2a8406" ], "threshold": 1 } @@ -80,8 +80,8 @@ }, "signatures": [ { - "keyid": "066ddc8f2c0d25760fc9e4658a6d0eac30a51a18269ace25a28ca49a1fc30879", - "sig": "9f854fc523bb70d92ab3e4c0e142864013a3ed78f405fc9dd6d45800ec2477631df58429f3f083873cabbd49229c56828a3da59271180cd3de84ce0b28d5530c" + "keyid": "b805e2101b437ba4f99d2eba0eabb8144d8795822ff726e5704ba2e7faa73c4c", + "sig": "e52a6087280190750f5d0653f79b42b6d504a5c6eceae569cf6ad726e58cd9588748dda451a1feddaf8e7e5bfa7f18b8b7ed4beb37cd988398cebadf6c6f7c06" } ] } \ No newline at end of file diff --git a/pkg/reconciler/trustroot/testdata/rootWithTrustedRootJSON.json b/pkg/reconciler/trustroot/testdata/rootWithTrustedRootJSON.json index 0af2de588..6c8c01b6e 100644 --- a/pkg/reconciler/trustroot/testdata/rootWithTrustedRootJSON.json +++ b/pkg/reconciler/trustroot/testdata/rootWithTrustedRootJSON.json 
@@ -3,9 +3,9 @@ "_type": "root", "spec_version": "1.0", "version": 1, - "expires": "2025-10-02T16:41:39-04:00", + "expires": "2026-01-01T13:21:04+01:00", "keys": { - "a2a4c3d52c938fb090acd498ed23766c12ba9815bf475df0da33c7961e323ad2": { + "5505d5405543c1cbc904e2f8da679fd8bf2789c91b1aef887fa6cd4d8f1db64b": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ @@ -13,10 +13,10 @@ "sha512" ], "keyval": { - "public": "8f81796de46a7177e02c509c6fe55f8466616af5334a6c4e29dc9b0f03f58ade" + "public": "62e1a5e99d4893a885f298a08fb12c91c1e3c97a50026e34b3148c84bf6f355d" } }, - "c48bd7b25eeb29c3891be1d8fd5d374e2b2359bb780df84b912a91bc9f5f3387": { + "78f9e7683495de750dcdfddc36d8a5a8fd085b2ad6fd48285e559e7faacd1791": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ @@ -24,10 +24,10 @@ "sha512" ], "keyval": { - "public": "a3420281649479d9e5cd705e9f30af2b8c4b6774b0b9998824e49a4874f9d0c2" + "public": "ccb6d78d8141db89c3c09904e9d7e969c7cf3d8b916b0ad1ea11b2422803a459" } }, - "f766fe620df21a0c1cf3a3c877cad71d82e2ee823c4738e4860596b66f89daf6": { + "9cb594e347aaa05899abfc3fa82c94a811e2d9299a830af5746b60968babc8a7": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ @@ -35,10 +35,10 @@ "sha512" ], "keyval": { - "public": "24490718b694def42421fabd5708c225d82b6c4ae81e67f9225972398d147469" + "public": "8e0561c3a1a7d82e1e4c59c3d1f200e2fc24673999b918ce20cfb5ca5b50c7a9" } }, - "f77364f8e19144bf85d1f633957e9afce91d3af288359986dd87ecf142933948": { + "cf6ff83fc820378d51ddf2f6609ef144c59d07fe053823bf61b485916528f687": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ 
@@ -46,32 +46,32 @@ "sha512" ], "keyval": { - "public": "34156618b3210d5abc84abda86a32be05983db6868edc927cb106ee689e3c5a2" + "public": "1c534d131245d5b62663e5efd382943d2f31c6c10a3cc7e6338a6347e5434b6d" } } }, "roles": { "root": { "keyids": [ - "f77364f8e19144bf85d1f633957e9afce91d3af288359986dd87ecf142933948" + "9cb594e347aaa05899abfc3fa82c94a811e2d9299a830af5746b60968babc8a7" ], "threshold": 1 }, "snapshot": { "keyids": [ - "a2a4c3d52c938fb090acd498ed23766c12ba9815bf475df0da33c7961e323ad2" + "78f9e7683495de750dcdfddc36d8a5a8fd085b2ad6fd48285e559e7faacd1791" ], "threshold": 1 }, "targets": { "keyids": [ - "c48bd7b25eeb29c3891be1d8fd5d374e2b2359bb780df84b912a91bc9f5f3387" + "cf6ff83fc820378d51ddf2f6609ef144c59d07fe053823bf61b485916528f687" ], "threshold": 1 }, "timestamp": { "keyids": [ - "f766fe620df21a0c1cf3a3c877cad71d82e2ee823c4738e4860596b66f89daf6" + "5505d5405543c1cbc904e2f8da679fd8bf2789c91b1aef887fa6cd4d8f1db64b" ], "threshold": 1 } @@ -80,8 +80,8 @@ }, "signatures": [ { - "keyid": "f77364f8e19144bf85d1f633957e9afce91d3af288359986dd87ecf142933948", - "sig": "319621be06a82cb11278e9c43618dee2f65870e7de18207eaed58b091e4955207877ad7faee03881353320ac9e1d170b35428135aa103feedc422413b9087306" + "keyid": "9cb594e347aaa05899abfc3fa82c94a811e2d9299a830af5746b60968babc8a7", + "sig": "06d41903a1f0dc861e24bc4cdb1929b5fd9fb2ea77b5dcece56721178542023b5ae849976132d48d264adac7b372bfe40da73ef6d40a11dd0eb8966b5df40703" } ] } \ No newline at end of file diff --git a/pkg/reconciler/trustroot/testdata/tsaCertChain.pem b/pkg/reconciler/trustroot/testdata/tsaCertChain.pem index 80102d63d..bc5d53bc4 100644 --- a/pkg/reconciler/trustroot/testdata/tsaCertChain.pem +++ b/pkg/reconciler/trustroot/testdata/tsaCertChain.pem 
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI1 -MDQwMjIwNDEzOVoXDTM1MDQwMjIwNDEzOVowDzENMAsGA1UEAxMEbGVhZjBZMBMG -ByqGSM49AgEGCCqGSM49AwEHA0IABCKH3XivQjrlRMPBECYj4/aM4HxhmsDjB42Z -b5lQNzNLybRCxhequ9/cQUgiAAlqyVNyr2Q38R15ZlzSOJ1IHNyjMzAxMA4GA1Ud -DwEB/wQEAwIEEDAfBgNVHSMEGDAWgBQVwh0Oz6XDozbQWCf7Pozi1nmPZDAKBggq -hkjOPQQDAgNJADBGAiEA5o/l9vC7gg2N+QZ+8JKPKmbJtvVuiEEdeZu6zOrJ94sC -IQCB5pj2/dyIOwpdtK+CKWvKzY7PzyLc3OuC3GgPmDLHOg== +MIIBPDCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI1 +MDcwMTExMjEwM1oXDTM1MDcwMTExMjEwM1owDzENMAsGA1UEAxMEbGVhZjBZMBMG +ByqGSM49AgEGCCqGSM49AwEHA0IABI6Y+7lytAlUaqJMhBNX8MacXsvm80DnYy9r +r1VD1vGaeILTzGO7lweQbR+tWPttctXOTeMq7OPfxjs0alKj+eWjMzAxMA4GA1Ud +DwEB/wQEAwIEEDAfBgNVHSMEGDAWgBS7jGT6QsK8sOLUKDLBCiQpI4AsCzAKBggq +hkjOPQQDAgNHADBEAiBnLHjW1+zfJDNshoofVq3brzx4Vn81HQc4k9GcUffTMgIg +BCyyGkJ+ayLAPmMUkX7nVZa1RB84rzHV57PISF04bq4= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI1 -MDQwMjIwNDEzOVoXDTM1MDQwMjIwNDEzOVowDTELMAkGA1UEAxMCY2EwWTATBgcq -hkjOPQIBBggqhkjOPQMBBwNCAATKKGhibPWiUGgf5xOEgR4+mp2CEi4V0J12yjJz -P8FJI67idgmGmdH/74hteKO+ooxvjG4obZJtwcpPztshjzaro0IwQDAOBgNVHQ8B -Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUFcIdDs+lw6M20Fgn -+z6M4tZ5j2QwCgYIKoZIzj0EAwIDSQAwRgIhAOATau0ajIlhNT1JWFbKO7G2g5iC -H3Rsw8nU3UqQH9L4AiEA3HiFPlIFmKRvYJmyGECLw8EO2gRamBpFoi6pszfO58w= +MDcwMTExMjEwM1oXDTM1MDcwMTExMjEwM1owDTELMAkGA1UEAxMCY2EwWTATBgcq +hkjOPQIBBggqhkjOPQMBBwNCAAT+D/5XUFXokHysm5PZVgiR0Ef/iCy3hQjbGEoZ +iDLKsrmGJB+LN4nA5opRL1vVvIwHRCIhu0zymmm6HufsoVXqo0IwQDAOBgNVHQ8B +Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUu4xk+kLCvLDi1Cgy +wQokKSOALAswCgYIKoZIzj0EAwIDSQAwRgIhAP6oXEyOIqTjIrgzrtnsVGo5/CIk +VwpNy4Kumxev0L2gAiEAncABJkWROim1c7QJl3uYvKbkZkOL3frGVEPc1vxNIms= -----END CERTIFICATE----- 
diff --git a/pkg/reconciler/trustroot/testdata/tufRepo.tar b/pkg/reconciler/trustroot/testdata/tufRepo.tar index 7610a77cc..4c12a8931 100644 Binary files a/pkg/reconciler/trustroot/testdata/tufRepo.tar and b/pkg/reconciler/trustroot/testdata/tufRepo.tar differ diff --git a/pkg/reconciler/trustroot/testdata/tufRepoWithCustomTrustedRootJSON.tar b/pkg/reconciler/trustroot/testdata/tufRepoWithCustomTrustedRootJSON.tar index 2acca785c..5d27e065a 100644 Binary files a/pkg/reconciler/trustroot/testdata/tufRepoWithCustomTrustedRootJSON.tar and b/pkg/reconciler/trustroot/testdata/tufRepoWithCustomTrustedRootJSON.tar differ diff --git a/pkg/reconciler/trustroot/testdata/tufRepoWithTrustedRootJSON.tar b/pkg/reconciler/trustroot/testdata/tufRepoWithTrustedRootJSON.tar index 57603be41..d3f9fd24f 100644 Binary files a/pkg/reconciler/trustroot/testdata/tufRepoWithTrustedRootJSON.tar and b/pkg/reconciler/trustroot/testdata/tufRepoWithTrustedRootJSON.tar differ diff --git a/pkg/tuf/context.go b/pkg/tuf/context.go new file mode 100644 index 000000000..3c9f81531 --- /dev/null +++ b/pkg/tuf/context.go 
@@ -0,0 +1,41 @@ +// +// Copyright 2024 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package tuf + +import ( + "context" + "time" + + "knative.dev/pkg/controller" +) + +type trustrootResyncPeriodKey struct{} + +// ToContext returns a context that includes a key trustrootResyncPeriod +// set to the included duration +func ToContext(ctx context.Context, duration time.Duration) context.Context { + return context.WithValue(ctx, trustrootResyncPeriodKey{}, duration) +} + +// FromContextOrDefaults returns a stored trustrootResyncPeriod if attached. +// If not found, it returns a default duration +func FromContextOrDefaults(ctx context.Context) time.Duration { + x, ok := ctx.Value(trustrootResyncPeriodKey{}).(time.Duration) + if ok { + return x + } + return controller.DefaultResyncPeriod +} diff --git a/pkg/tuf/context_test.go b/pkg/tuf/context_test.go new file mode 100644 index 000000000..5537cb0af --- /dev/null +++ b/pkg/tuf/context_test.go 
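Review bot: `FromContextOrDefaults` returns whatever duration was stored, including zero or a negative value. `GetTrustedRoot` in pkg/tuf/repo.go (added by this same commit) treats the cache as stale when `now.After(timestamp.Add(resyncPeriodDuration))`, so a non-positive period would make practically every call re-fetch `trusted_root.json` from TUF. Consider falling back to the default for such values with `if ok && x > 0 { return x }`, or validating the duration where `ToContext` is called (that caller is not visible here).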
@@ -0,0 +1,42 @@ +// +// Copyright 2024 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package tuf + +import ( + "testing" + "time" + + "knative.dev/pkg/controller" + rtesting "knative.dev/pkg/reconciler/testing" +) + +func TestContextDuration(t *testing.T) { + ctx, _ := rtesting.SetupFakeContext(t) + + expected := controller.DefaultResyncPeriod + actual := FromContextOrDefaults(ctx) + if expected != actual { + t.Fatal("Expected the context to store the value and be retrievable") + } + + expected = time.Hour + ctx = ToContext(ctx, expected) + actual = FromContextOrDefaults(ctx) + + if expected != actual { + t.Fatal("Expected the context to store the value and be retrievable") + } +} diff --git a/pkg/tuf/repo.go b/pkg/tuf/repo.go index 0b31c49d3..eb9573776 100644 --- a/pkg/tuf/repo.go +++ b/pkg/tuf/repo.go @@ -28,9 +28,12 @@ import ( "path/filepath" "runtime" "strings" + "sync" "testing/fstest" "time" + "github.com/sigstore/sigstore-go/pkg/root" + "github.com/sigstore/sigstore/pkg/tuf" "github.com/theupdateframework/go-tuf/client" "sigs.k8s.io/release-utils/version" ) 
@@ -294,3 +297,44 @@ func ClientFromRemote(_ context.Context, mirror string, rootJSON []byte, targets } return tufClient, nil } + +var ( + mu sync.RWMutex + timestamp time.Time + trustedRoot *root.TrustedRoot +) + +// GetTrustedRoot returns the trusted root for the TUF repository. +func GetTrustedRoot(ctx context.Context) (*root.TrustedRoot, error) { + resyncPeriodDuration := FromContextOrDefaults(ctx) + now := time.Now().UTC() + // check if timestamp has never been set or if the current time + // is after the current timestamp value plus the included resync duration + if timestamp.IsZero() || now.After(timestamp.Add(resyncPeriodDuration)) { + mu.Lock() + defer mu.Unlock() + + tufClient, err := tuf.NewFromEnv(context.Background()) + if err != nil { + return nil, fmt.Errorf("initializing tuf: %w", err) + } + // TODO: add support for custom trusted root path + targetBytes, err := tufClient.GetTarget("trusted_root.json") + if err != nil { + return nil, fmt.Errorf("error getting targets: %w", err) + } + trustedRoot, err = root.NewTrustedRootFromJSON(targetBytes) + if err != nil { + return nil, fmt.Errorf("error creating trusted root: %w", err) + } + + timestamp = now + + return trustedRoot, nil + } + + mu.RLock() + defer mu.RUnlock() + + return trustedRoot, nil +} diff --git a/pkg/tuf/repo_test.go b/pkg/tuf/repo_test.go index 56ca79566..05465497c 100644 --- a/pkg/tuf/repo_test.go +++ b/pkg/tuf/repo_test.go 
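Review bot: `GetTrustedRoot` reads the package-level `timestamp` in its `if` condition before taking any lock, while another goroutine may be writing it under `mu.Lock()`; that is a data race on a multi-word `time.Time`. There is also no re-check after the write lock is acquired, so every goroutine that saw the stale timestamp performs its own full TUF fetch, one after another. Reading the cached pair under `mu.RLock()`, re-checking under `mu.Lock()`, and parsing into a local before publishing would fix both problems and avoid overwriting a good cached root with nil on a parse error. Separately, `tuf.NewFromEnv(context.Background())` discards the caller's `ctx`; if request deadlines should bound the refresh, pass `ctx` through.

```go
func GetTrustedRoot(ctx context.Context) (*root.TrustedRoot, error) {
	resyncPeriodDuration := FromContextOrDefaults(ctx)
	now := time.Now().UTC()

	// Fast path: read both cached values under the read lock.
	mu.RLock()
	cached, fetchedAt := trustedRoot, timestamp
	mu.RUnlock()
	if !fetchedAt.IsZero() && !now.After(fetchedAt.Add(resyncPeriodDuration)) {
		return cached, nil
	}

	mu.Lock()
	defer mu.Unlock()
	// Re-check: another goroutine may have refreshed while we waited for the lock.
	if !timestamp.IsZero() && !now.After(timestamp.Add(resyncPeriodDuration)) {
		return trustedRoot, nil
	}

	// … unchanged: tuf.NewFromEnv, GetTarget("trusted_root.json") and their error checks …

	refreshed, err := root.NewTrustedRootFromJSON(targetBytes)
	if err != nil {
		return nil, fmt.Errorf("error creating trusted root: %w", err)
	}
	// Publish the new root and its fetch time together, only on success.
	trustedRoot, timestamp = refreshed, now
	return trustedRoot, nil
}
```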
@@ -68,10 +68,17 @@ N6mY2prOeaBRV2dnsJzC94hOxkM5pSp9nbAK1TBOI45fOOPsH2rSR++HrA== // validRepository is a valid tar/gzipped repository representing an air-gap // TUF repository. - validRepository = `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` + validRepository = `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` - // IMPORTANT: The next expiration is on '2025-06-20T10:07:23Z' - rootJSON = `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` + // IMPORTANT: The next expiration is on '2026-01-01T11:46:29Z' + // Steps to generate: + // 1. cgit clone github.com/sigstore/scaffolding + // 2. run ./hack/setup-kind.sh + // 3. export KO_DOCKER_REPO=registry.local:5001/sigstore + // 4. run ./hack/setup-scaffolding.sh + // 5. get the secrets from the kind cluster + // kubectl get secrets -o yaml -n tuf-system tuf-root + rootJSON = `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` ) func TestCompressUncompressFS(t *testing.T) { diff --git a/pkg/webhook/clusterimagepolicy/clusterimagepolicy_types.go b/pkg/webhook/clusterimagepolicy/clusterimagepolicy_types.go index a01235eb0..e022d5d65 100644 --- a/pkg/webhook/clusterimagepolicy/clusterimagepolicy_types.go +++ b/pkg/webhook/clusterimagepolicy/clusterimagepolicy_types.go @@ -86,6 +86,8 @@ type Authority struct { Attestations []AttestationPolicy `json:"attestations,omitempty"` // +optional RFC3161Timestamp *RFC3161Timestamp `json:"rfc3161timestamp,omitempty"` + // +optional + SignatureFormat string `json:"signatureFormat,omitempty"` } // This references a public verification key stored in @@ -325,6 +327,7 @@ func convertAuthorityV1Alpha1ToWebhook(in v1alpha1.Authority) *Authority { CTLog: in.CTLog, RFC3161Timestamp: rfc3161Timestamp, Attestations: attestations, + SignatureFormat: in.SignatureFormat, } } diff --git a/pkg/webhook/validator.go b/pkg/webhook/validator.go index 53f533103..ea456031e 100644 --- a/pkg/webhook/validator.go +++ b/pkg/webhook/validator.go 
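Review bot: In the regeneration steps added above `rootJSON`, `cgit clone` looks like a typo for `git clone`. Step 5 also stops at `kubectl get secrets -o yaml -n tuf-system tuf-root` without saying which field of that secret becomes `rootJSON` (and `validRepository`) or how it is decoded. These fixtures expire on the date stated in the comment and will have to be regenerated, so one more comment line naming the secret key and the decoding applied would save the next person from guessing.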
@@ -41,10 +41,12 @@ import ( "github.com/sigstore/policy-controller/pkg/apis/config" policyduckv1beta1 "github.com/sigstore/policy-controller/pkg/apis/duck/v1beta1" policycontrollerconfig "github.com/sigstore/policy-controller/pkg/config" + pctuf "github.com/sigstore/policy-controller/pkg/tuf" webhookcip "github.com/sigstore/policy-controller/pkg/webhook/clusterimagepolicy" "github.com/sigstore/policy-controller/pkg/webhook/registryauth" rekor "github.com/sigstore/rekor/pkg/client" "github.com/sigstore/rekor/pkg/generated/client" + "github.com/sigstore/sigstore-go/pkg/root" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/fulcioroots" "github.com/sigstore/sigstore/pkg/signature" @@ -1078,7 +1080,12 @@ func (v *Validator) resolvePodSpec(ctx context.Context, ps *corev1.PodSpec, opt logging.FromContext(ctx).Debugf("Unable to resolve digest %q: %v", ref.String(), err) continue } - cs[i].Image = digest.String() + // Keep the original tag and append the digest + if tagRef, ok := ref.(name.Tag); ok { + cs[i].Image = fmt.Sprintf("%s@%s", tagRef.Name(), digest.DigestStr()) + } else { + cs[i].Image = digest.String() + } } } } @@ -1102,7 +1109,12 @@ func (v *Validator) resolvePodSpec(ctx context.Context, ps *corev1.PodSpec, opt logging.FromContext(ctx).Debugf("Unable to resolve digest %q: %v", ref.String(), err) continue } - cs[i].Image = digest.String() + // Keep the original tag and append the digest + if tagRef, ok := ref.(name.Tag); ok { + cs[i].Image = fmt.Sprintf("%s@%s", tagRef.Name(), digest.DigestStr()) + } else { + cs[i].Image = digest.String() + } } } } 
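Review bot: The tag-preserving rewrite (`if tagRef, ok := ref.(name.Tag); ok { … } else { … }`) is duplicated verbatim in the two resolvePodSpec hunks at `@@ -1078` and `@@ -1102`. A small private helper taking `ref` and `digest` and returning the image string would keep the two loops from drifting apart; each call site would then be a single assignment such as `cs[i].Image = pinnedImage(ref, digest)` (helper name is a suggestion). The resulting value now has the form `repo:tag@sha256:…`, so any code that later compares or parses `cs[i].Image` as a digest-only reference should be checked; those consumers are outside this hunk. resolvePodSpec's body starts and ends outside both hunks.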
@@ -1338,10 +1350,10 @@ func normalizeArchitecture(cf *v1.ConfigFile) string { func checkOptsFromAuthority(ctx context.Context, authority webhookcip.Authority, remoteOpts ...ociremote.Option) (*cosign.CheckOpts, error) { ret := &cosign.CheckOpts{ RegistryClientOpts: remoteOpts, + NewBundleFormat: authority.SignatureFormat == "bundle", } - // Add in the identities for verification purposes, as well as Fulcio URL - // and certificates + // Add in the identities for verification purposes if authority.Keyless != nil { for _, id := range authority.Keyless.Identities { ret.Identities = append(ret.Identities, 
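Review bot: The bundle verification path is selected by the exact comparison `authority.SignatureFormat == "bundle"`, so any other value, including a misspelling or different capitalisation, silently falls through to the legacy path. If the field is not already constrained by CRD validation (not visible in this hunk), a policy author who mistypes it would get a different verification mode than intended, with no error. Consider an explicit check before `ret` is built that returns something like `fmt.Errorf("unsupported signatureFormat %q", authority.SignatureFormat)` for values outside the documented set. checkOptsFromAuthority continues past this hunk.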
@@ -1351,6 +1363,67 @@ func checkOptsFromAuthority(ctx context.Context, authority webhookcip.Authority, IssuerRegExp: id.IssuerRegExp, SubjectRegExp: id.SubjectRegExp}) } + } + + if ret.NewBundleFormat { + // The new bundle format is only supported for keyless authorities + // and the trustRootRef must be set. + if authority.Keyless == nil { + // TODO: Support the new bundle format for non-keyless authorities + return nil, fmt.Errorf("when using the new bundle format, the authority must be keyless") + } + trustRootRef := authority.Keyless.TrustRootRef + if trustRootRef != "" { + // Set up TrustedMaterial + sigstoreKeys, err := sigstoreKeysFromContext(ctx, trustRootRef) + if err != nil { + return nil, fmt.Errorf("getting SigstoreKeys: %w", err) + } + sk, ok := sigstoreKeys.SigstoreKeys[trustRootRef] + if !ok { + return nil, fmt.Errorf("trustRootRef %s not found", trustRootRef) + } + ret.TrustedMaterial, err = root.NewTrustedRootFromProtobuf(sk) + if err != nil { + return nil, fmt.Errorf("failed to create trusted root from protobuf: %w", err) + } + } else { + var err error + ret.TrustedMaterial, err = pctuf.GetTrustedRoot(ctx) + if err != nil { + return nil, fmt.Errorf("failed to fetch trusted root: %w", err) + } + } + if authority.Keyless.InsecureIgnoreSCT != nil && *authority.Keyless.InsecureIgnoreSCT { + ret.IgnoreSCT = *authority.Keyless.InsecureIgnoreSCT + } + + // Check for custom TSA + tsa := authority.RFC3161Timestamp + if tsa != nil { + if tsa.TrustRootRef != authority.Keyless.TrustRootRef { + return nil, fmt.Errorf("when using the new bundle format, the trustRootRef for the TSA must be the same as the trustRootRef for the Keyless authority") + } + ret.UseSignedTimestamps = true + } + + // Check for custom Rekor + tlog := authority.CTLog + if tlog != nil { + if tlog.TrustRootRef != authority.Keyless.TrustRootRef { + return nil, fmt.Errorf("when using the new bundle format, the trustRootRef for the TLog must be the same as the trustRootRef for the Keyless 
authority") + } + // Only require the TLog if we're not using signed timestamps + if ret.UseSignedTimestamps { + ret.IgnoreTlog = true + } + } + return ret, nil + } + + // If we're not using the new bundle verifier (TrustedMaterial), we need to assemble the other CheckOpts (Fulcio, Rekor, TSA, etc.) + + if authority.Keyless != nil { fulcioRoots, fulcioIntermediates, ctlogKeys, err := fulcioCertsFromAuthority(ctx, authority.Keyless) if err != nil { return nil, fmt.Errorf("getting Fulcio certs: %s: %w", authority.Name, err) diff --git a/pkg/webhook/validator_test.go b/pkg/webhook/validator_test.go index 5ff0f816a..b6ed0edf8 100644 --- a/pkg/webhook/validator_test.go +++ b/pkg/webhook/validator_test.go @@ -33,6 +33,7 @@ import ( "time" "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" "github.com/google/go-containerregistry/pkg/authn/k8schain" "github.com/google/go-containerregistry/pkg/name" "github.com/sigstore/cosign/v2/pkg/cosign" @@ -46,6 +47,8 @@ import ( "github.com/sigstore/policy-controller/pkg/apis/signaturealgo" policycontrollerconfig "github.com/sigstore/policy-controller/pkg/config" webhookcip "github.com/sigstore/policy-controller/pkg/webhook/clusterimagepolicy" + pbcommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" + "github.com/sigstore/sigstore-go/pkg/root" "github.com/sigstore/sigstore/pkg/cryptoutils" "github.com/sigstore/sigstore/pkg/fulcioroots" "github.com/sigstore/sigstore/pkg/tuf" @@ -1000,6 +1003,7 @@ func TestResolvePodSpec(t *testing.T) { tag := name.MustParseReference("gcr.io/distroless/static:nonroot") // Resolved via crane digest on 2021/09/25 digest := name.MustParseReference("gcr.io/distroless/static:nonroot@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4") + digestWithoutTag := name.MustParseReference("gcr.io/distroless/static@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4") ctx, _ := rtesting.SetupFakeContext(t) 
@@ -1017,7 +1021,7 @@ func TestResolvePodSpec(t *testing.T) { remoteResolveDigest = rrd }() resolve := func(_ name.Reference, _ ...remote.Option) (name.Digest, error) { - return digest.(name.Digest), nil + return tag.Context().Digest(digestWithoutTag.Identifier()), nil } tests := []struct { @@ -1107,6 +1111,30 @@ func TestResolvePodSpec(t *testing.T) { }, wc: apis.WithinCreate, rrd: resolve, + }, { + name: "digests without tag resolve (in create)", + ps: &corev1.PodSpec{ + InitContainers: []corev1.Container{{ + Name: "setup-stuff", + Image: digestWithoutTag.String(), + }}, + Containers: []corev1.Container{{ + Name: "user-container", + Image: digestWithoutTag.String(), + }}, + }, + want: &corev1.PodSpec{ + InitContainers: []corev1.Container{{ + Name: "setup-stuff", + Image: digestWithoutTag.String(), + }}, + Containers: []corev1.Container{{ + Name: "user-container", + Image: digestWithoutTag.String(), + }}, + }, + wc: apis.WithinCreate, + rrd: resolve, }} for _, test := range tests { @@ -3032,7 +3060,7 @@ func TestFulcioCertsFromAuthority(t *testing.T) { } else if err.Error() != tc.wantErr { t.Errorf("unexpected error: %v wanted %q", err, tc.wantErr) } - } else if err == nil && tc.wantErr != "" { + } else if tc.wantErr != "" { t.Errorf("wanted error: %q got none", tc.wantErr) } if !roots.Equal(tc.wantRoots) { @@ -3140,7 +3168,7 @@ func TestRekorClientAndKeysFromAuthority(t *testing.T) { } else if err.Error() != tc.wantErr { t.Errorf("unexpected error: %v wanted %q", err, tc.wantErr) } - } else if err == nil && tc.wantErr != "" { + } else if tc.wantErr != "" { t.Errorf("wanted error: %q got none", tc.wantErr) } if tc.wantLogID != "" { 
@@ -3240,10 +3268,12 @@ func TestCheckOptsFromAuthority(t *testing.T) { }}, } skCombined := config.SigstoreKeys{ + MediaType: "application/vnd.dev.sigstore.trustedroot+json;version=0.1", Tlogs: []*config.TransparencyLogInstance{{ - PublicKey: pbpkRekor, - LogId: &config.LogID{KeyId: []byte("rekor-logid")}, - BaseUrl: "rekor.example.com", + PublicKey: pbpkRekor, + LogId: &config.LogID{KeyId: []byte("rekor-logid")}, + BaseUrl: "rekor.example.com", + HashAlgorithm: pbcommon.HashAlgorithm_SHA2_256, }}, CertificateAuthorities: []*config.CertificateAuthority{{ Subject: &config.DistinguishedName{ @@ -3253,8 +3283,9 @@ func TestCheckOptsFromAuthority(t *testing.T) { CertChain: certChainPB, }}, Ctlogs: []*config.TransparencyLogInstance{{ - LogId: &config.LogID{KeyId: []byte(ctfeLogID)}, - PublicKey: pbpkCTFE, + LogId: &config.LogID{KeyId: []byte(ctfeLogID)}, + PublicKey: pbpkCTFE, + HashAlgorithm: pbcommon.HashAlgorithm_SHA2_256, }}, } c := &config.Config{ 
@@ -3355,6 +3386,79 @@ func TestCheckOptsFromAuthority(t *testing.T) { }}, CTLogPubKeys: &cosign.TrustedTransparencyLogPubKeys{Keys: map[string]cosign.TransparencyLogPubKey{ctfeLogID: {PubKey: pkCTFE, Status: tuf.Active}}}, }, + }, { + name: "bundle format, with Identities and Rekor", + authority: webhookcip.Authority{ + SignatureFormat: "bundle", + CTLog: &v1alpha1.TLog{ + URL: apis.HTTPS("rekor.example.com"), + TrustRootRef: "test-trust-combined", + }, + Keyless: &webhookcip.KeylessRef{ + TrustRootRef: "test-trust-combined", + Identities: []v1alpha1.Identity{{ + Issuer: "issuer", + Subject: "subject", + }}, + }, + }, + ctx: testCtx, + wantCheckOpts: &cosign.CheckOpts{ + NewBundleFormat: true, + Identities: []cosign.Identity{{ + Issuer: "issuer", + Subject: "subject", + }}, + TrustedMaterial: &root.TrustedRoot{}, + }, + }, { + name: "bundle format, with TSA", + authority: webhookcip.Authority{ + SignatureFormat: "bundle", + // Test keys do not contain a TSA but that is okay as we are just constructing the checkOpts + RFC3161Timestamp: &webhookcip.RFC3161Timestamp{ + TrustRootRef: "test-trust-combined", + }, + Keyless: &webhookcip.KeylessRef{ + TrustRootRef: "test-trust-combined", + }, + }, + ctx: testCtx, + wantCheckOpts: &cosign.CheckOpts{ + NewBundleFormat: true, + UseSignedTimestamps: true, + TrustedMaterial: &root.TrustedRoot{}, + }, + }, { + name: "bundle format, bad TrustRootRef", + authority: webhookcip.Authority{ + SignatureFormat: "bundle", + Keyless: &webhookcip.KeylessRef{ + TrustRootRef: "not-there", + }, + }, + ctx: testCtx, + wantErr: "trustRootRef not-there not found", + }, { + name: "bundle format, unsupported different trustroots", + authority: webhookcip.Authority{ + SignatureFormat: "bundle", + CTLog: &v1alpha1.TLog{ + TrustRootRef: "test-trust-rekor", + }, + Keyless: &webhookcip.KeylessRef{ + TrustRootRef: "test-trust-combined", + }, + }, + ctx: testCtx, + wantErr: "when using the new bundle format, the trustRootRef for the TLog must be the 
same as the trustRootRef for the Keyless authority", + }, { + name: "bundle format, unsupported non-keyless", + authority: webhookcip.Authority{ + SignatureFormat: "bundle", + }, + ctx: testCtx, + wantErr: "when using the new bundle format, the authority must be keyless", }} for _, tc := range tests { @@ -3370,7 +3474,7 @@ func TestCheckOptsFromAuthority(t *testing.T) { } else if err.Error() != tc.wantErr { t.Errorf("unexpected error: %v wanted %q", err, tc.wantErr) } - } else if err == nil && tc.wantErr != "" { + } else if tc.wantErr != "" { t.Errorf("wanted error: %q got none", tc.wantErr) } if tc.wantClient && (gotCheckOpts == nil || gotCheckOpts.RekorClient == nil) { @@ -3384,7 +3488,7 @@ func TestCheckOptsFromAuthority(t *testing.T) { if gotCheckOpts != nil { gotCheckOpts.RekorClient = nil } - if diff := cmp.Diff(gotCheckOpts, tc.wantCheckOpts); diff != "" { + if diff := cmp.Diff(gotCheckOpts, tc.wantCheckOpts, cmpopts.IgnoreUnexported(root.TrustedRoot{})); diff != "" { t.Errorf("CheckOpts differ: %s", diff) } }) diff --git a/third_party/VENDOR-LICENSE/github.com/OneOfOne/xxhash/LICENSE b/third_party/VENDOR-LICENSE/github.com/prometheus/procfs/LICENSE similarity index 94% rename from third_party/VENDOR-LICENSE/github.com/OneOfOne/xxhash/LICENSE rename to third_party/VENDOR-LICENSE/github.com/prometheus/procfs/LICENSE index 9e30b4f34..261eeb9e9 100644 --- a/third_party/VENDOR-LICENSE/github.com/OneOfOne/xxhash/LICENSE +++ b/third_party/VENDOR-LICENSE/github.com/prometheus/procfs/LICENSE 
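Review bot: The new bundle-format cases test a trust-root mismatch only for the TLog ("bundle format, unsupported different trustroots"). The one case that sets `RFC3161Timestamp.TrustRootRef`, "bundle format, with TSA", uses the same `"test-trust-combined"` value as `Keyless`. Nothing in this hunk pins what happens when the timestamp authority points at a different trust root than the Keyless authority, and the implementation is not visible here. Add a sibling case with `RFC3161Timestamp: &webhookcip.RFC3161Timestamp{TrustRootRef: "test-trust-rekor"}` next to `Keyless.TrustRootRef: "test-trust-combined"`, and set `wantErr` to whatever the function is meant to return. A silently ignored TSA reference would then show up as a test failure rather than as weaker verification in production.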
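Review bot: Passing `cmpopts.IgnoreUnexported(root.TrustedRoot{})` to `cmp.Diff` reduces the `TrustedMaterial` check to little more than "non-nil and of type `*root.TrustedRoot`", if the type keeps its state in unexported fields, as it appears to in sigstore-go. The bundle cases that expect `TrustedMaterial: &root.TrustedRoot{}` would then still pass if the code built an empty trust root or loaded the wrong `TrustRootRef`. Keep the option for the struct diff, but add an explicit content check for cases that expect trusted material, for example `if tm := gotCheckOpts.TrustedMaterial; tm != nil && len(tm.RekorLogs()) == 0 { t.Errorf("trusted root has no Rekor logs") }`, with a matching check on `FulcioCertificateAuthorities()`. The test loop body starts and ends outside this hunk, so the exact placement needs to be confirmed against the full function.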
@@ -178,10 +178,24 @@ APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" + boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/third_party/VENDOR-LICENSE/github.com/prometheus/procfs/NOTICE b/third_party/VENDOR-LICENSE/github.com/prometheus/procfs/NOTICE new file mode 100644 index 000000000..53c5e9aa1 --- /dev/null +++ b/third_party/VENDOR-LICENSE/github.com/prometheus/procfs/NOTICE @@ -0,0 +1,7 @@ +procfs provides functions to retrieve system, kernel and process +metrics from the pseudo-filesystem proc. + +Copyright 2014-2015 The Prometheus Authors + +This product includes software developed at +SoundCloud Ltd. (http://soundcloud.com/).