minor tests updates (#437 )

bump golang.org/x/net in the go_modules group across 1 directory (#433 )
bumps the go_modules group with 1 update in the / directory: [golang.org/x/net](https://github.com/golang/net). Updates `golang.org/x/net` from 0.37.0 to 0.38.0 - [Commits](https://github.com/golang/net/compare/v0.37.0...v0.38.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: indirect dependency-group: go_modules ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Zack Brady <zackbrady123@gmail.com>
2026-02-18 20:10:27 +00:00 · 2025-05-01 11:07:00 -04:00 · 2025-04-30 22:21:37 -04:00 · 2025-04-22 12:43:04 -04:00 · 2025-04-21 15:27:17 -04:00 · 2025-04-11 00:16:05 -05:00
12 changed files with 297 additions and 73 deletions
--- a/.github/workflows/pages.yaml
+++ b/.github/workflows/pages.yaml
@@ -1,40 +1,47 @@
-# Simple workflow for deploying static content to GitHub Pages
-name: 📋
+name: Pages Workflow

 on:
+  workflow_dispatch:
  push:
    branches:
      - main
-  workflow_dispatch:

-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 permissions:
  contents: read
  pages: write
  id-token: write

-# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
-# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
 concurrency:
  group: "pages"
  cancel-in-progress: false

 jobs:
-  # Single deploy job since we're just deploying
-  deploy:
+  deploy-pages:
+    name: Deploy GitHub Pages
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
-    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
      - name: Setup Pages
        uses: actions/configure-pages@v5
-      - name: Upload artifact
+
+      - name: Upload Pages Artifacts
        uses: actions/upload-pages-artifact@v3
        with:
          path: './static'
+
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v4
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -114,8 +114,8 @@ jobs:
      - name: Verify - hauler login
        run: |
          hauler login --help
-          hauler login docker.io --username bob --password haulin
-          echo "hauler" | hauler login docker.io -u bob --password-stdin
+          hauler login docker.io --username ${{ secrets.DOCKERHUB_USERNAME }} --password ${{ secrets.DOCKERHUB_TOKEN }}
+          echo ${{ secrets.GITHUB_TOKEN }} | hauler login ghcr.io -u ${{ github.repository_owner }} --password-stdin

      - name: Remove Hauler Store Credentials
        run: |
--- a/cmd/hauler/cli/store/add.go
+++ b/cmd/hauler/cli/store/add.go
@@ -68,6 +68,14 @@ func AddImageCmd(ctx context.Context, o *flags.AddImageOpts, s *store.Layout, re
 			return err
 		}
 		l.Infof("signature verified for image [%s]", cfg.Name)
+	} else if o.CertIdentityRegexp != "" || o.CertIdentity != "" {
+		// verify signature using the provided keyless details
+		l.Infof("verifying keyless signature for [%s]", cfg.Name)
+		err := cosign.VerifyKeylessSignature(ctx, s, o.CertIdentity, o.CertIdentityRegexp, o.CertOidcIssuer, o.CertOidcIssuerRegexp, o.CertGithubWorkflowRepository, o.Tlog, cfg.Name, rso, ro)
+		if err != nil {
+			return err
+		}
+		l.Infof("keyless signature verified for image [%s]", cfg.Name)
 	}

 	return storeImage(ctx, s, cfg, o.Platform, rso, ro)
--- a/cmd/hauler/cli/store/sync.go
+++ b/cmd/hauler/cli/store/sync.go
@@ -232,7 +232,13 @@ func processContent(ctx context.Context, fi *os.File, o *flags.SyncOpts, s *stor
 						i.Name = newRef.Name()
 					}

-					if a[consts.ImageAnnotationKey] != "" || o.Key != "" || i.Key != "" {
+					hasAnnotationIdentityOptions := a[consts.ImageAnnotationCertIdentityRegexp] != "" || a[consts.ImageAnnotationCertIdentity] != ""
+					hasCliIdentityOptions := o.CertIdentityRegexp != "" || o.CertIdentity != ""
+					hasImageIdentityOptions := i.CertIdentityRegexp != "" || i.CertIdentity != ""
+
+					needsKeylessVerificaton := hasAnnotationIdentityOptions || hasCliIdentityOptions || hasImageIdentityOptions
+					needsPubKeyVerification := a[consts.ImageAnnotationKey] != "" || o.Key != "" || i.Key != ""
+					if needsPubKeyVerification {
 						key := o.Key
 						if o.Key == "" && a[consts.ImageAnnotationKey] != "" {
 							key, err = homedir.Expand(a[consts.ImageAnnotationKey])
@@ -262,6 +268,66 @@ func processContent(ctx context.Context, fi *os.File, o *flags.SyncOpts, s *stor
 							continue
 						}
 						l.Infof("signature verified for image [%s]", i.Name)
+					} else if needsKeylessVerificaton { //Keyless signature verification
+						certIdentityRegexp := o.CertIdentityRegexp
+						if o.CertIdentityRegexp == "" && a[consts.ImageAnnotationCertIdentityRegexp] != "" {
+							certIdentityRegexp = a[consts.ImageAnnotationCertIdentityRegexp]
+						}
+						if i.CertIdentityRegexp != "" {
+							certIdentityRegexp = i.CertIdentityRegexp
+						}
+						l.Debugf("certIdentityRegexp for image [%s]", certIdentityRegexp)
+
+						certIdentity := o.CertIdentity
+						if o.CertIdentity == "" && a[consts.ImageAnnotationCertIdentity] != "" {
+							certIdentity = a[consts.ImageAnnotationCertIdentity]
+						}
+						if i.CertIdentity != "" {
+							certIdentity = i.CertIdentity
+						}
+						l.Debugf("certIdentity for image [%s]", certIdentity)
+
+						certOidcIssuer := o.CertOidcIssuer
+						if o.CertOidcIssuer == "" && a[consts.ImageAnnotationCertOidcIssuer] != "" {
+							certOidcIssuer = a[consts.ImageAnnotationCertOidcIssuer]
+						}
+						if i.CertOidcIssuer != "" {
+							certOidcIssuer = i.CertOidcIssuer
+						}
+						l.Debugf("certOidcIssuer for image [%s]", certOidcIssuer)
+
+						certOidcIssuerRegexp := o.CertOidcIssuerRegexp
+						if o.CertOidcIssuerRegexp == "" && a[consts.ImageAnnotationCertOidcIssuerRegexp] != "" {
+							certOidcIssuerRegexp = a[consts.ImageAnnotationCertOidcIssuerRegexp]
+						}
+						if i.CertOidcIssuerRegexp != "" {
+							certOidcIssuerRegexp = i.CertOidcIssuerRegexp
+						}
+						l.Debugf("certOidcIssuerRegexp for image [%s]", certOidcIssuerRegexp)
+
+						certGithubWorkflowRepository := o.CertGithubWorkflowRepository
+						if o.CertGithubWorkflowRepository == "" && a[consts.ImageAnnotationCertGithubWorkflowRepository] != "" {
+							certGithubWorkflowRepository = a[consts.ImageAnnotationCertGithubWorkflowRepository]
+						}
+						if i.CertGithubWorkflowRepository != "" {
+							certGithubWorkflowRepository = i.CertGithubWorkflowRepository
+						}
+						l.Debugf("certGithubWorkflowRepository for image [%s]", certGithubWorkflowRepository)
+
+						tlog := o.Tlog
+						if !o.Tlog && a[consts.ImageAnnotationTlog] == "true" {
+							tlog = true
+						}
+						if i.Tlog {
+							tlog = i.Tlog
+						}
+						l.Debugf("transparency log for verification [%b]", tlog)
+
+						if err := cosign.VerifyKeylessSignature(ctx, s, certIdentity, certIdentityRegexp, certOidcIssuer, certOidcIssuerRegexp, certGithubWorkflowRepository, tlog, i.Name, rso, ro); err != nil {
+							l.Errorf("keyless signature verification failed for image [%s]... skipping...\n%v", i.Name, err)
+							continue
+						}
+						l.Infof("keyless signature verified for image [%s]", i.Name)
 					}

 					platform := o.Platform
@@ -302,7 +368,13 @@ func processContent(ctx context.Context, fi *os.File, o *flags.SyncOpts, s *stor
 						i.Name = newRef.Name()
 					}

-					if a[consts.ImageAnnotationKey] != "" || o.Key != "" || i.Key != "" {
+					hasAnnotationIdentityOptions := a[consts.ImageAnnotationCertIdentityRegexp] != "" || a[consts.ImageAnnotationCertIdentity] != ""
+					hasCliIdentityOptions := o.CertIdentityRegexp != "" || o.CertIdentity != ""
+					hasImageIdentityOptions := i.CertIdentityRegexp != "" || i.CertIdentity != ""
+
+					needsKeylessVerificaton := hasAnnotationIdentityOptions || hasCliIdentityOptions || hasImageIdentityOptions
+					needsPubKeyVerification := a[consts.ImageAnnotationKey] != "" || o.Key != "" || i.Key != ""
+					if needsPubKeyVerification {
 						key := o.Key
 						if o.Key == "" && a[consts.ImageAnnotationKey] != "" {
 							key, err = homedir.Expand(a[consts.ImageAnnotationKey])
@@ -332,8 +404,67 @@ func processContent(ctx context.Context, fi *os.File, o *flags.SyncOpts, s *stor
 							continue
 						}
 						l.Infof("signature verified for image [%s]", i.Name)
-					}
+					} else if needsKeylessVerificaton { //Keyless signature verification
+						certIdentityRegexp := o.CertIdentityRegexp
+						if o.CertIdentityRegexp == "" && a[consts.ImageAnnotationCertIdentityRegexp] != "" {
+							certIdentityRegexp = a[consts.ImageAnnotationCertIdentityRegexp]
+						}
+						if i.CertIdentityRegexp != "" {
+							certIdentityRegexp = i.CertIdentityRegexp
+						}
+						l.Debugf("certIdentityRegexp for image [%s]", certIdentityRegexp)

+						certIdentity := o.CertIdentity
+						if o.CertIdentity == "" && a[consts.ImageAnnotationCertIdentity] != "" {
+							certIdentity = a[consts.ImageAnnotationCertIdentity]
+						}
+						if i.CertIdentity != "" {
+							certIdentity = i.CertIdentity
+						}
+						l.Debugf("certIdentity for image [%s]", certIdentity)
+
+						certOidcIssuer := o.CertOidcIssuer
+						if o.CertOidcIssuer == "" && a[consts.ImageAnnotationCertOidcIssuer] != "" {
+							certOidcIssuer = a[consts.ImageAnnotationCertOidcIssuer]
+						}
+						if i.CertOidcIssuer != "" {
+							certOidcIssuer = i.CertOidcIssuer
+						}
+						l.Debugf("certOidcIssuer for image [%s]", certOidcIssuer)
+
+						certOidcIssuerRegexp := o.CertOidcIssuerRegexp
+						if o.CertOidcIssuerRegexp == "" && a[consts.ImageAnnotationCertOidcIssuerRegexp] != "" {
+							certOidcIssuerRegexp = a[consts.ImageAnnotationCertOidcIssuerRegexp]
+						}
+						if i.CertOidcIssuerRegexp != "" {
+							certOidcIssuerRegexp = i.CertOidcIssuerRegexp
+						}
+						l.Debugf("certOidcIssuerRegexp for image [%s]", certOidcIssuerRegexp)
+
+						certGithubWorkflowRepository := o.CertGithubWorkflowRepository
+						if o.CertGithubWorkflowRepository == "" && a[consts.ImageAnnotationCertGithubWorkflowRepository] != "" {
+							certGithubWorkflowRepository = a[consts.ImageAnnotationCertGithubWorkflowRepository]
+						}
+						if i.CertGithubWorkflowRepository != "" {
+							certGithubWorkflowRepository = i.CertGithubWorkflowRepository
+						}
+						l.Debugf("certGithubWorkflowRepository for image [%s]", certGithubWorkflowRepository)
+
+						tlog := o.Tlog
+						if !o.Tlog && a[consts.ImageAnnotationTlog] == "true" {
+							tlog = true
+						}
+						if i.Tlog {
+							tlog = i.Tlog
+						}
+						l.Debugf("transparency log for verification [%b]", tlog)
+
+						if err := cosign.VerifyKeylessSignature(ctx, s, certIdentity, certIdentityRegexp, certOidcIssuer, certOidcIssuerRegexp, certGithubWorkflowRepository, tlog, i.Name, rso, ro); err != nil {
+							l.Errorf("keyless signature verification failed for image [%s]... skipping...\n%v", i.Name, err)
+							continue
+						}
+						l.Infof("keyless signature verified for image [%s]", i.Name)
+					}
 					platform := o.Platform
 					if o.Platform == "" && a[consts.ImageAnnotationPlatform] != "" {
 						platform = a[consts.ImageAnnotationPlatform]
--- a/go.mod
+++ b/go.mod
@@ -24,11 +24,11 @@ require (
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/afero v1.11.0
 	github.com/spf13/cobra v1.8.1
-	golang.org/x/sync v0.11.0
+	golang.org/x/sync v0.12.0
 	gopkg.in/yaml.v3 v3.0.1
-	helm.sh/helm/v3 v3.17.0
-	k8s.io/apimachinery v0.32.1
-	k8s.io/client-go v0.32.1
+	helm.sh/helm/v3 v3.17.3
+	k8s.io/apimachinery v0.32.2
+	k8s.io/client-go v0.32.2
 	oras.land/oras-go v1.2.5
 )

@@ -301,14 +301,14 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
-	golang.org/x/crypto v0.35.0 // indirect
+	golang.org/x/crypto v0.36.0 // indirect
 	golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect
 	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/net v0.36.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/oauth2 v0.25.0 // indirect
-	golang.org/x/sys v0.30.0 // indirect
-	golang.org/x/term v0.29.0 // indirect
-	golang.org/x/text v0.22.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/term v0.30.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
 	google.golang.org/api v0.219.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250115164207-1a7da9e5054f // indirect
@@ -319,14 +319,14 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/api v0.32.1 // indirect
-	k8s.io/apiextensions-apiserver v0.32.0 // indirect
-	k8s.io/apiserver v0.32.0 // indirect
-	k8s.io/cli-runtime v0.32.0 // indirect
-	k8s.io/component-base v0.32.0 // indirect
+	k8s.io/api v0.32.2 // indirect
+	k8s.io/apiextensions-apiserver v0.32.2 // indirect
+	k8s.io/apiserver v0.32.2 // indirect
+	k8s.io/cli-runtime v0.32.2 // indirect
+	k8s.io/component-base v0.32.2 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
-	k8s.io/kubectl v0.32.0 // indirect
+	k8s.io/kubectl v0.32.2 // indirect
 	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
 	sigs.k8s.io/kustomize/api v0.18.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -1028,8 +1028,8 @@ golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU
 golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
-golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1096,8 +1096,8 @@ golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
-golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA=
-golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1116,8 +1116,8 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
-golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1162,8 +1162,8 @@ golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
@@ -1173,8 +1173,8 @@ golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
-golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1189,8 +1189,8 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
-golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
@@ -1317,33 +1317,33 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
-helm.sh/helm/v3 v3.17.0 h1:DUD4AGdNVn7PSTYfxe1gmQG7s18QeWv/4jI9TubnhT0=
-helm.sh/helm/v3 v3.17.0/go.mod h1:Mo7eGyKPPHlS0Ml67W8z/lbkox/gD9Xt1XpD6bxvZZA=
+helm.sh/helm/v3 v3.17.3 h1:3n5rW3D0ArjFl0p4/oWO8IbY/HKaNNwJtOQFdH2AZHg=
+helm.sh/helm/v3 v3.17.3/go.mod h1:+uJKMH/UiMzZQOALR3XUf3BLIoczI2RKKD6bMhPh4G8=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-k8s.io/api v0.32.1 h1:f562zw9cy+GvXzXf0CKlVQ7yHJVYzLfL6JAS4kOAaOc=
-k8s.io/api v0.32.1/go.mod h1:/Yi/BqkuueW1BgpoePYBRdDYfjPF5sgTr5+YqDZra5k=
-k8s.io/apiextensions-apiserver v0.32.0 h1:S0Xlqt51qzzqjKPxfgX1xh4HBZE+p8KKBq+k2SWNOE0=
-k8s.io/apiextensions-apiserver v0.32.0/go.mod h1:86hblMvN5yxMvZrZFX2OhIHAuFIMJIZ19bTvzkP+Fmw=
-k8s.io/apimachinery v0.32.1 h1:683ENpaCBjma4CYqsmZyhEzrGz6cjn1MY/X2jB2hkZs=
-k8s.io/apimachinery v0.32.1/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
-k8s.io/apiserver v0.32.0 h1:VJ89ZvQZ8p1sLeiWdRJpRD6oLozNZD2+qVSLi+ft5Qs=
-k8s.io/apiserver v0.32.0/go.mod h1:HFh+dM1/BE/Hm4bS4nTXHVfN6Z6tFIZPi649n83b4Ag=
-k8s.io/cli-runtime v0.32.0 h1:dP+OZqs7zHPpGQMCGAhectbHU2SNCuZtIimRKTv2T1c=
-k8s.io/cli-runtime v0.32.0/go.mod h1:Mai8ht2+esoDRK5hr861KRy6z0zHsSTYttNVJXgP3YQ=
-k8s.io/client-go v0.32.1 h1:otM0AxdhdBIaQh7l1Q0jQpmo7WOFIk5FFa4bg6YMdUU=
-k8s.io/client-go v0.32.1/go.mod h1:aTTKZY7MdxUaJ/KiUs8D+GssR9zJZi77ZqtzcGXIiDg=
-k8s.io/component-base v0.32.0 h1:d6cWHZkCiiep41ObYQS6IcgzOUQUNpywm39KVYaUqzU=
-k8s.io/component-base v0.32.0/go.mod h1:JLG2W5TUxUu5uDyKiH2R/7NnxJo1HlPoRIIbVLkK5eM=
+k8s.io/api v0.32.2 h1:bZrMLEkgizC24G9eViHGOPbW+aRo9duEISRIJKfdJuw=
+k8s.io/api v0.32.2/go.mod h1:hKlhk4x1sJyYnHENsrdCWw31FEmCijNGPJO5WzHiJ6Y=
+k8s.io/apiextensions-apiserver v0.32.2 h1:2YMk285jWMk2188V2AERy5yDwBYrjgWYggscghPCvV4=
+k8s.io/apiextensions-apiserver v0.32.2/go.mod h1:GPwf8sph7YlJT3H6aKUWtd0E+oyShk/YHWQHf/OOgCA=
+k8s.io/apimachinery v0.32.2 h1:yoQBR9ZGkA6Rgmhbp/yuT9/g+4lxtsGYwW6dR6BDPLQ=
+k8s.io/apimachinery v0.32.2/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
+k8s.io/apiserver v0.32.2 h1:WzyxAu4mvLkQxwD9hGa4ZfExo3yZZaYzoYvvVDlM6vw=
+k8s.io/apiserver v0.32.2/go.mod h1:PEwREHiHNU2oFdte7BjzA1ZyjWjuckORLIK/wLV5goM=
+k8s.io/cli-runtime v0.32.2 h1:aKQR4foh9qeyckKRkNXUccP9moxzffyndZAvr+IXMks=
+k8s.io/cli-runtime v0.32.2/go.mod h1:a/JpeMztz3xDa7GCyyShcwe55p8pbcCVQxvqZnIwXN8=
+k8s.io/client-go v0.32.2 h1:4dYCD4Nz+9RApM2b/3BtVvBHw54QjMFUl1OLcJG5yOA=
+k8s.io/client-go v0.32.2/go.mod h1:fpZ4oJXclZ3r2nDOv+Ux3XcJutfrwjKTCHz2H3sww94=
+k8s.io/component-base v0.32.2 h1:1aUL5Vdmu7qNo4ZsE+569PV5zFatM9hl+lb3dEea2zU=
+k8s.io/component-base v0.32.2/go.mod h1:PXJ61Vx9Lg+P5mS8TLd7bCIr+eMJRQTyXe8KvkrvJq0=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y=
 k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4=
-k8s.io/kubectl v0.32.0 h1:rpxl+ng9qeG79YA4Em9tLSfX0G8W0vfaiPVrc/WR7Xw=
-k8s.io/kubectl v0.32.0/go.mod h1:qIjSX+QgPQUgdy8ps6eKsYNF+YmFOAO3WygfucIqFiE=
+k8s.io/kubectl v0.32.2 h1:TAkag6+XfSBgkqK9I7ZvwtF0WVtUAvK8ZqTt+5zi1Us=
+k8s.io/kubectl v0.32.2/go.mod h1:+h/NQFSPxiDZYX/WZaWw9fwYezGLISP0ud8nQKg+3g8=
 k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
 k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo=
--- a/internal/flags/add.go
+++ b/internal/flags/add.go
@@ -7,15 +7,25 @@ import (

 type AddImageOpts struct {
 	*StoreRootOpts
-	Name     string
-	Key      string
-	Tlog     bool
-	Platform string
+	Name                         string
+	Key                          string
+	CertOidcIssuer               string
+	CertOidcIssuerRegexp         string
+	CertIdentity                 string
+	CertIdentityRegexp           string
+	CertGithubWorkflowRepository string
+	Tlog                         bool
+	Platform                     string
 }

 func (o *AddImageOpts) AddFlags(cmd *cobra.Command) {
 	f := cmd.Flags()
 	f.StringVarP(&o.Key, "key", "k", "", "(Optional) Location of public key to use for signature verification")
+	f.StringVar(&o.CertIdentity, "certificate-identity", "", "(Optional) Cosign certificate-identity (either --certificate-identity or --certificate-identity-regexp required for keyless verification)")
+	f.StringVar(&o.CertIdentityRegexp, "certificate-identity-regexp", "", "(Optional) Cosign certificate-identity-regexp (either --certificate-identity or --certificate-identity-regexp required for keyless verification)")
+	f.StringVar(&o.CertOidcIssuer, "certificate-oidc-issuer", "", "(Optional) Cosign option to validate oidc issuer")
+	f.StringVar(&o.CertOidcIssuerRegexp, "certificate-oidc-issuer-regexp", "", "(Optional) Cosign option to validate oidc issuer with regex")
+	f.StringVar(&o.CertGithubWorkflowRepository, "certificate-github-workflow-repository", "", "(Optional) Cosign certificate-github-workflow-repository option")
 	f.BoolVarP(&o.Tlog, "use-tlog-verify", "v", false, "(Optional) Allow transparency log verification. (defaults to false)")
 	f.StringVarP(&o.Platform, "platform", "p", "", "(Optional) Specifiy the platform of the image... i.e. linux/amd64 (defaults to all)")
 }
--- a/internal/flags/sync.go
+++ b/internal/flags/sync.go
@@ -7,14 +7,19 @@ import (

 type SyncOpts struct {
 	*StoreRootOpts
-	FileName        []string
-	Key             string
-	Products        []string
-	Platform        string
-	Registry        string
-	ProductRegistry string
-	TempOverride    string
-	Tlog            bool
+	FileName                     []string
+	Key                          string
+	CertOidcIssuer               string
+	CertOidcIssuerRegexp         string
+	CertIdentity                 string
+	CertIdentityRegexp           string
+	CertGithubWorkflowRepository string
+	Products                     []string
+	Platform                     string
+	Registry                     string
+	ProductRegistry              string
+	TempOverride                 string
+	Tlog                         bool
 }

 func (o *SyncOpts) AddFlags(cmd *cobra.Command) {
@@ -22,6 +27,11 @@ func (o *SyncOpts) AddFlags(cmd *cobra.Command) {

 	f.StringSliceVarP(&o.FileName, "filename", "f", []string{consts.DefaultHaulerManifestName}, "Specify the name of manifest(s) to sync")
 	f.StringVarP(&o.Key, "key", "k", "", "(Optional) Location of public key to use for signature verification")
+	f.StringVar(&o.CertIdentity, "certificate-identity", "", "(Optional) Cosign certificate-identity (either --certificate-identity or --certificate-identity-regexp required for keyless verification)")
+	f.StringVar(&o.CertIdentityRegexp, "certificate-identity-regexp", "", "(Optional) Cosign certificate-identity-regexp (either --certificate-identity or --certificate-identity-regexp required for keyless verification)")
+	f.StringVar(&o.CertOidcIssuer, "certificate-oidc-issuer", "", "(Optional) Cosign option to validate oidc issuer")
+	f.StringVar(&o.CertOidcIssuerRegexp, "certificate-oidc-issuer-regexp", "", "(Optional) Cosign option to validate oidc issuer with regex")
+	f.StringVar(&o.CertGithubWorkflowRepository, "certificate-github-workflow-repository", "", "(Optional) Cosign certificate-github-workflow-repository option")
 	f.StringSliceVar(&o.Products, "products", []string{}, "(Optional) Specify the product name to fetch collections from the product registry i.e. rancher=v2.10.1,rke2=v1.31.5+rke2r1")
 	f.StringVarP(&o.Platform, "platform", "p", "", "(Optional) Specify the platform of the image... i.e linux/amd64 (defaults to all)")
 	f.StringVarP(&o.Registry, "registry", "g", "", "(Optional) Specify the registry of the image for images that do not alredy define one")
--- a/pkg/apis/hauler.cattle.io/v1/image.go
+++ b/pkg/apis/hauler.cattle.io/v1/image.go
@@ -27,6 +27,13 @@ type Image struct {
 	//Tlog string `json:"use-tlog-verify,omitempty"`
 	Tlog bool `json:"use-tlog-verify"`

+	// cosign keyless validation options
+	CertIdentity                 string `json:"certificate-identity"`
+	CertIdentityRegexp           string `json:"certificate-identity-regexp"`
+	CertOidcIssuer               string `json:"certificate-oidc-issuer"`
+	CertOidcIssuerRegexp         string `json:"certificate-oidc-issuer-regexp"`
+	CertGithubWorkflowRepository string `json:"certificate-github-workflow-repository"`
+
 	// Platform of the image to be pulled.  If not specified, all platforms will be pulled.
 	//Platform string `json:"key,omitempty"`
 	Platform string `json:"platform"`
--- a/pkg/apis/hauler.cattle.io/v1alpha1/image.go
+++ b/pkg/apis/hauler.cattle.io/v1alpha1/image.go
@@ -27,6 +27,13 @@ type Image struct {
 	//Tlog string `json:"use-tlog-verify,omitempty"`
 	Tlog bool `json:"use-tlog-verify"`

+	// cosign keyless validation options
+	CertIdentity                 string `json:"certificate-identity"`
+	CertIdentityRegexp           string `json:"certificate-identity-regexp"`
+	CertOidcIssuer               string `json:"certificate-oidc-issuer"`
+	CertOidcIssuerRegexp         string `json:"certificate-oidc-issuer-regexp"`
+	CertGithubWorkflowRepository string `json:"certificate-github-workflow-repository"`
+
 	// Platform of the image to be pulled.  If not specified, all platforms will be pulled.
 	//Platform string `json:"key,omitempty"`
 	Platform string `json:"platform"`
--- a/pkg/consts/consts.go
+++ b/pkg/consts/consts.go
@@ -50,6 +50,13 @@ const (
 	ImageAnnotationRegistry = "hauler.dev/registry"
 	ImageAnnotationTlog     = "hauler.dev/use-tlog-verify"

+	// cosign keyless validation options
+	ImageAnnotationCertIdentity                 = "hauler.dev/certificate-identity"
+	ImageAnnotationCertIdentityRegexp           = "hauler.dev/certificate-identity-regexp"
+	ImageAnnotationCertOidcIssuer               = "hauler.dev/certificate-oidc-issuer"
+	ImageAnnotationCertOidcIssuerRegexp         = "hauler.dev/certificate-oidc-issuer-regexp"
+	ImageAnnotationCertGithubWorkflowRepository = "hauler.dev/certificate-github-workflow-repository"
+
 	// content kinds
 	ImagesContentKind    = "Images"
 	ChartsContentKind    = "Charts"
--- a/pkg/cosign/cosign.go
+++ b/pkg/cosign/cosign.go
@@ -18,7 +18,7 @@ import (
 	"oras.land/oras-go/pkg/content"
 )

-// VerifyFileSignature verifies the digital signature of a file using Sigstore/Cosign.
+// VerifySignature verifies the digital signature of a file using Sigstore/Cosign.
 func VerifySignature(ctx context.Context, s *store.Layout, keyPath string, useTlog bool, ref string, rso *flags.StoreRootOpts, ro *flags.CliRootOpts) error {
 	l := log.FromContext(ctx)
 	operation := func() error {
@@ -45,6 +45,43 @@ func VerifySignature(ctx context.Context, s *store.Layout, keyPath string, useTl
 	return RetryOperation(ctx, rso, ro, operation)
 }

+// VerifyKeylessSignature verifies the digital signature of a file using Sigstore/Cosign.
+func VerifyKeylessSignature(ctx context.Context, s *store.Layout, identity string, identityRegexp string, oidcIssuer string, oidcIssuerRegexp string, ghWorkflowRepository string, useTlog bool, ref string, rso *flags.StoreRootOpts, ro *flags.CliRootOpts) error {
+	l := log.FromContext(ctx)
+	operation := func() error {
+
+		certVerifyOptions := options.CertVerifyOptions{
+			CertOidcIssuer:               oidcIssuer,
+			CertOidcIssuerRegexp:         oidcIssuer,
+			CertIdentity:                 identity,
+			CertIdentityRegexp:           identityRegexp,
+			CertGithubWorkflowRepository: ghWorkflowRepository,
+		}
+
+		v := &verify.VerifyCommand{
+			CertVerifyOptions:            certVerifyOptions,
+			IgnoreTlog:                   false, // Ignore transparency log is set to false by default for keyless signature verification
+			CertGithubWorkflowRepository: ghWorkflowRepository,
+		}
+
+		// if the user wants to use the transparency log, set the flag to false
+		if useTlog {
+			v.IgnoreTlog = false
+		}
+
+		err := log.CaptureOutput(l, true, func() error {
+			return v.Exec(ctx, []string{ref})
+		})
+		if err != nil {
+			return err
+		}
+
+		return nil
+	}
+
+	return RetryOperation(ctx, rso, ro, operation)
+}
+
 // SaveImage saves image and any signatures/attestations to the store.
 func SaveImage(ctx context.Context, s *store.Layout, ref string, platform string, rso *flags.StoreRootOpts, ro *flags.CliRootOpts) error {
 	l := log.FromContext(ctx)
Author	SHA1	Message	Date
Zack Brady	e089c31879	minor tests updates (#437 )	2025-05-01 11:07:00 -04:00
dependabot[bot]	b7b599e6ed	bump golang.org/x/net in the go_modules group across 1 directory (#433 ) bumps the go_modules group with 1 update in the / directory: [golang.org/x/net](https://github.com/golang/net). Updates `golang.org/x/net` from 0.37.0 to 0.38.0 - [Commits](https://github.com/golang/net/compare/v0.37.0...v0.38.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: indirect dependency-group: go_modules ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Zack Brady <zackbrady123@gmail.com>	2025-04-30 22:21:37 -04:00
Adam Martin	ea53002f3a	formatting and flag text updates Signed-off-by: Adam Martin <adam.martin@ranchergovernment.com>	2025-04-22 12:43:04 -04:00
Nathaniel Churchill	4d0f779ae6	add keyless signature verification (#434 )	2025-04-21 15:27:17 -04:00
dependabot[bot]	4d0b407452	bump helm.sh/helm/v3 in the go_modules group across 1 directory (#430 ) bumps the go_modules group with 1 update in the / directory: [helm.sh/helm/v3](https://github.com/helm/helm). Updates `helm.sh/helm/v3` from 3.17.0 to 3.17.3 - [Release notes](https://github.com/helm/helm/releases) - [Commits](https://github.com/helm/helm/compare/v3.17.0...v3.17.3) --- updated-dependencies: - dependency-name: helm.sh/helm/v3 dependency-version: 3.17.3 dependency-type: direct:production dependency-group: go_modules ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-04-11 00:16:05 -05:00