Add SignatureFormat field to Authority

Signed-off-by: Cody Soyland <[email protected]>

Author: codysoyland

config/300-clusterimagepolicy.yaml

@@ -209,6 +209,9 @@ spec:
                           trustRootRef:
                             description: Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities
                             type: string
+                      signatureFormat:
+                        description: SignatureFormat specifies the format the authority expects. Supported formats are "legacy" and "bundle". If not specified, the default is "legacy" (cosign's default).
+                        type: string
                       source:
                         description: Sources sets the configuration to specify the sources from where to consume the signatures.
                         type: array
@@ -545,6 +548,9 @@ spec:
                           trustRootRef:
                             description: Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities
                             type: string
+                      signatureFormat:
+                        description: SignatureFormat specifies the format the authority expects. Supported formats are "legacy" and "bundle". If not specified, the default is "legacy" (cosign's default).
+                        type: string
                       source:
                         description: Sources sets the configuration to specify the sources from where to consume the signatures.
                         type: array

docs/api-types/index-v1alpha1.md

@@ -172,6 +172,7 @@ Attestation defines the type of attestation to validate and optionally apply a p
 | ctlog | CTLog sets the configuration to verify the authority against a Rekor instance. | [TLog](#tlog) | false |
 | attestations | Attestations is a list of individual attestations for this authority, once the signature for this authority has been verified. | [][Attestation](#attestation) | false |
 | rfc3161timestamp | RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance. | [RFC3161Timestamp](#rfc3161timestamp) | false |
+| signatureFormat | SignatureFormat specifies the format the authority expects. Supported formats are \"legacy\" and \"bundle\". If not specified, the default is \"legacy\" (cosign's default). | string | false |
 
 [Back to TOC](#table-of-contents)
 

docs/api-types/index.md

@@ -49,6 +49,7 @@ The authorities block defines the rules for discovering and validating signature
 | ctlog | CTLog sets the configuration to verify the authority against a Rekor instance. | [TLog](#tlog) | false |
 | attestations | Attestations is a list of individual attestations for this authority, once the signature for this authority has been verified. | [][Attestation](#attestation) | false |
 | rfc3161timestamp | RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance. | [RFC3161Timestamp](#rfc3161timestamp) | false |
+| signatureFormat | SignatureFormat specifies the format the authority expects. Supported formats are \"legacy\" and \"bundle\". If not specified, the default is \"legacy\" (cosign's default). | string | false |
 
 [Back to TOC](#table-of-contents)
 

pkg/apis/policy/v1alpha1/clusterimagepolicy_conversion.go

@@ -89,6 +89,7 @@ func (matchResource *MatchResource) ConvertTo(_ context.Context, sink *v1beta1.M
 
 func (authority *Authority) ConvertTo(ctx context.Context, sink *v1beta1.Authority) error {
 	sink.Name = authority.Name
+	sink.SignatureFormat = authority.SignatureFormat
 	if authority.CTLog != nil && authority.CTLog.URL != nil {
 		sink.CTLog = &v1beta1.TLog{
 			URL:          authority.CTLog.URL.DeepCopy(),
@@ -244,6 +245,7 @@ func (spec *ClusterImagePolicySpec) ConvertFrom(ctx context.Context, source *v1b
 
 func (authority *Authority) ConvertFrom(ctx context.Context, source *v1beta1.Authority) error {
 	authority.Name = source.Name
+	authority.SignatureFormat = source.SignatureFormat
 	if source.CTLog != nil && source.CTLog.URL != nil {
 		authority.CTLog = &TLog{
 			URL:          source.CTLog.URL.DeepCopy(),

pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go

@@ -144,6 +144,10 @@ type Authority struct {
 	// RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance.
 	// +optional
 	RFC3161Timestamp *RFC3161Timestamp `json:"rfc3161timestamp,omitempty"`
+	// SignatureFormat specifies the format the authority expects. Supported
+	// formats are "legacy" and "bundle". If not specified, the default
+	// is "legacy" (cosign's default).
+	SignatureFormat string `json:"signatureFormat,omitempty"`
 }
 
 // This references a public verification key stored in

pkg/apis/policy/v1beta1/clusterimagepolicy_types.go

@@ -143,6 +143,10 @@ type Authority struct {
 	// RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance.
 	// +optional
 	RFC3161Timestamp *RFC3161Timestamp `json:"rfc3161timestamp,omitempty"`
+	// SignatureFormat specifies the format the authority expects. Supported
+	// formats are "legacy" and "bundle". If not specified, the default
+	// is "legacy" (cosign's default).
+	SignatureFormat string `json:"signatureFormat,omitempty"`
 }
 
 // This references a public verification key stored in

pkg/webhook/clusterimagepolicy/clusterimagepolicy_types.go

@@ -86,6 +86,8 @@ type Authority struct {
 	Attestations []AttestationPolicy `json:"attestations,omitempty"`
 	// +optional
 	RFC3161Timestamp *RFC3161Timestamp `json:"rfc3161timestamp,omitempty"`
+	// +optional
+	SignatureFormat string `json:"signatureFormat,omitempty"`
 }
 
 // This references a public verification key stored in
@@ -325,6 +327,7 @@ func convertAuthorityV1Alpha1ToWebhook(in v1alpha1.Authority) *Authority {
 		CTLog:            in.CTLog,
 		RFC3161Timestamp: rfc3161Timestamp,
 		Attestations:     attestations,
+		SignatureFormat:  in.SignatureFormat,
 	}
 }