trusted_task_rules: Add per-allow-rule signature verification#1680

Open
arewm wants to merge 1 commit into conforma:main from arewm:ec-1545/signature-verification-trusted-task-rules

Conversation

@arewm (Contributor)

@arewm arewm commented Feb 27, 2026

Summary

  • Add optional signature_verification config to allow rules in trusted_task_rules for sigstore-based bundle signature verification
  • Rules without the field work as before (backward compatible); rules with it require matching bundles to also pass sigstore verification
  • Git-resolved tasks are exempt (ec.sigstore.verify_image only works on OCI refs)
  • New signature_verification_failed denial reason type with proper error formatting

Test plan

  • make ci passes (749/749 tests, 100% coverage)
  • Manual testing with real signed/unsigned task bundles
  • Verify backward compatibility with existing policy configurations

Ref: EC-1545

🤖 Generated with Claude Code

Add optional `signature_verification` configuration to allow rules in
trusted_task_rules, enabling sigstore-based signature verification as an
additional trust dimension for task bundles.

When an allow rule includes `signature_verification`, matching bundles
must also pass sigstore verification with the configured identity/key.
Rules without the field continue to work as before (pattern-only trust).
Git-resolved tasks are exempt since ec.sigstore.verify_image only works
on OCI refs.

A new denial reason type `signature_verification_failed` is surfaced
when a task matches an allow rule's pattern/version constraints but
fails signature verification.

Ref: EC-1545

Assisted-by: Claude Code (Opus 4.6)
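An added example, not code from the conforma project or from this PR, sketching in Rego how an allow rule that carries `signature_verification` could be evaluated alongside pattern-only rules. Everything about the data shape is an assumption made for illustration: the `pattern` and `resolver` fields, the `input.tasks` structure, the package name and the sample identity values. `ec.sigstore.verify_image` is the conforma builtin named in the description; the option keys and the `{success, errors}` result shape used here follow that builtin's documented interface. Because of that builtin the policy evaluates under `ec`, not under plain `opa eval`.

```rego
package example.trusted_task_signature

import rego.v1

# Constructed sample policy data. The shape (pattern + optional
# signature_verification) is an assumption for this example, not the
# project's real trusted_task_rules schema.
trusted_task_rules := {"allow": [
	{
		# Bundles matching this pattern must ALSO pass sigstore verification.
		"pattern": "registry.example.com/tekton/task-*",
		"signature_verification": {
			"certificate_identity": "https://github.com/example-org/tasks/.github/workflows/release.yaml@refs/heads/main",
			"certificate_oidc_issuer": "https://token.actions.githubusercontent.com",
		},
	},
	{
		# Pattern-only rule: trusted exactly as before this change.
		"pattern": "registry.example.com/legacy/task-*",
	},
]}

# Git-resolved tasks have no OCI ref to verify, so they are exempt
# (ec.sigstore.verify_image only works on OCI refs). The "resolver"
# field is assumed for this example.
git_resolved(task) if task.resolver == "git"

# Allow rules whose pattern matches the task's bundle reference.
# "/" as the delimiter keeps "*" from crossing repository path segments.
matching_rules(task) := [rule |
	some rule in trusted_task_rules.allow
	glob.match(rule.pattern, ["/"], task.bundle)
]

# Sigstore verification result for a task against one rule; undefined when
# the rule has no signature_verification or the task is git-resolved.
verification(task, rule) := ec.sigstore.verify_image(task.bundle, rule.signature_verification) if {
	rule.signature_verification
	not git_resolved(task)
}

# A matching rule is satisfied when no signature check is configured,
# the task is exempt, or verification succeeded.
rule_satisfied(_, rule) if not rule.signature_verification

rule_satisfied(task, _) if git_resolved(task)

rule_satisfied(task, rule) if verification(task, rule).success

trusted(task) if {
	some rule in matching_rules(task)
	rule_satisfied(task, rule)
}

# Denial reason distinct from "no rule matched": the pattern matched,
# but the configured signature check failed.
denials contains reason if {
	some task in input.tasks
	not trusted(task)
	some rule in matching_rules(task)
	result := verification(task, rule)
	not result.success
	reason := {
		"type": "signature_verification_failed",
		"bundle": task.bundle,
		"rule": rule.pattern,
		"errors": result.errors,
	}
}
```

Two design points worth keeping in any real implementation: the exemption for git-resolved tasks is decided before the builtin is called, so a git task never produces a spurious verification failure, and `denials` only fires when no other matching rule trusted the task, so a bundle covered by both a signed rule and a legacy pattern-only rule is not reported as failed.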

codecov bot commented Feb 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

Files with missing lines                              Coverage   Δ
policy/lib/tekton/trusted.rego                        100.00%    <100.00%> (ø)
policy/lib/tekton/trusted_test.rego                   100.00%    <100.00%> (ø)
policy/release/trusted_task/trusted_task.rego         100.00%    <100.00%> (ø)
policy/release/trusted_task/trusted_task_test.rego    100.00%    <100.00%> (ø)

@arewm arewm marked this pull request as ready for review February 28, 2026 02:51
