How to write the policy for verifying Cosign signatures only #1451

Open
yizha1 opened this issue May 7, 2024 · 0 comments
Labels
enhancement New feature or request triage Needs investigation

Comments

@yizha1 (Collaborator)

yizha1 commented May 7, 2024

What happened in your environment?

After installation of Ratify, I configured the cosign verifier to verify images signed with Cosign using keys stored in AKV. However, the image deployment was denied. After checking the Ratify logs, the verification of the cosign signature was successful. However, the report from the notation verifier indicated failure, which is as expected, as the images were signed with Cosign, not Notation. I deleted the built-in notation verifier as a mitigation; then signature verification passed and the images were deployed successfully.

What did you expect to happen?

Images can be signed with different signatures and be referenced by various supply chain artifacts, such as SBOMs. Thus, one or multiple verifiers could be required for verifying images, depending on the user's scenario. Users should be provided with a policy template to define the criteria for a successful image verification.

What version of Kubernetes are you running?

AKS

What version of Ratify are you running?

0-dev (dev.20240505.6163b7e)

Anything else you would like to add?

I signed one image with two keys in AKV, which resulted in two signatures. I expected image verification to pass if and only if both signatures passed validation. By default, as long as one signature passed validation, the image was allowed to be deployed. This scenario also requires a Rego policy, in my understanding.

Are you willing to submit PRs to contribute to this bug fix?

  • Yes, I am willing to implement it.
@yizha1 yizha1 added enhancement New feature or request triage Needs investigation labels May 7, 2024
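One way to express the two criteria from the issue (ignore non-cosign verifier reports, and require every cosign signature to pass rather than any one of them) as a Rego policy for Ratify's Rego policy plugin. This is an added example, not Ratify's default policy and not code from the issue author. The report layout it reads (`input.verifierReports[_].artifactType`, the nested `verifierReports` list, the `type` and `isSuccess` fields) and the cosign artifact type string are assumptions modeled on Ratify's nested report format; confirm the field names against a real report in the Ratify logs before using it.

```rego
package ratify.policy

import rego.v1

# ASSUMED report shape (illustrative, verify against real Ratify output):
#   input.verifierReports[i] = {
#     "subject":         "<image digest reference>",
#     "artifactType":    "application/vnd.dev.cosign.artifact.sig.v1+json",
#     "verifierReports": [ {"name": "verifier-cosign", "type": "cosign",
#                            "isSuccess": true, "message": "..."}, ... ]
#   }

default valid := false

# Assumed artifact type that Ratify attaches to cosign signature referrers.
cosign_sig_artifact := "application/vnd.dev.cosign.artifact.sig.v1+json"

# Minimum number of successfully verified cosign signature artifacts.
# 1 = "cosign signatures only"; set to 2 for the two-AKV-keys scenario.
min_cosign_signatures := 1

# Every report the cosign verifier produced for a cosign signature artifact.
# Reports from other verifiers (e.g. notation) never enter this set, so a
# notation failure on a cosign-only image cannot block the deployment.
cosign_reports contains r if {
	some a in input.verifierReports
	a.artifactType == cosign_sig_artifact
	some r in a.verifierReports
	r.type == "cosign"
}

# A cosign report counts as failed when isSuccess is false OR absent
# (fail closed: a report without a verdict is not treated as a pass).
failed_cosign_reports contains r if {
	some r in cosign_reports
	not r.isSuccess
}

# AND semantics across signatures: the image is admitted only when at least
# min_cosign_signatures cosign reports exist and none of them failed. With
# two signature artifacts, one passing and one failing is denied.
valid if {
	count(cosign_reports) >= min_cosign_signatures
	count(failed_cosign_reports) == 0
}
```

The count check only has teeth if Ratify emits one report per signature artifact; if several cosign signatures are collapsed into a single report, the per-signature verdicts would have to be exposed in that report (for example under an extensions field) before a policy could require all of them. The `import rego.v1` line needs OPA 0.59 or later; on older OPA drop it and write the rules in the classic `rule[x] { ... }` form.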