
Support Verification with Root CA #935

Open
yangkenneth opened this issue Aug 8, 2023 · 0 comments
Labels
enhancement New feature or request

Comments

@yangkenneth

Description

Kubernetes Version: 1.23.x

When leveraging a bring-your-own PKI approach with ClusterImagePolicy and TrustRoot in order to validate a deployment, the certChain value within TrustRoot must include the entire certificate chain up until the leaf certificate; this introduces problems if you have Intermediates that are short-lived, where you cannot hard-code those values.

apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: keyless-signature
spec:
  images:
  - glob: "**"
  authorities:
  - keyless:
      trustRootRef: example-trust-root
      url: https://fulcio.mysigstore.dev/
      identities:
          - issuerRegExp: '.*'
            subjectRegExp: 'test.example.com'
      insecureIgnoreSCT: true
---
apiVersion: policy.sigstore.dev/v1alpha1
kind: TrustRoot
metadata:
  name: example-trust-root
spec:
  sigstoreKeys:
    certificateAuthorities:
    - subject:
        organization: Example
        commonName: Example
      uri: https://sigstore-hostname/
      certChain: |-
        BASE64_ENCODED_CERTIFICATE_CHAIN

When the full certificate chain is not included and only the Root CA is added within certChain an error message similar to the one below appears.

Error from server (BadRequest): error when applying patch:
{"spec":{"template":{"spec":{"$setElementOrder/containers":[{"name":"example"}],"containers":[{"image":"[IMAGE_URL]","name":"example"}]}}}}
to:
Resource: "apps/v1, Resource=deployments", GroupVersionKind: "apps/v1, Kind=Deployment"
Name: "example", Namespace: "default"
for: "deployment.yaml": error when patching "deployment.yaml": admission webhook "policy.sigstore.dev" denied the request: validation failed: failed policy: keyless-signature: spec.template.spec.containers[0].image
[IMAGE_URL]@sha256:[SHA] signature keyless validation failed for authority authority-0 for [IMAGE_URL]@sha256:[SHA]: no matching signatures:
cert verification failed: x509: certificate signed by unknown authority. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE 

We would like to propose a feature within policy-controller to support validating against an Intermediate or Root CA without including the entire chain; this functionality is currently supported within sigstore/cosign.

# Import Code Signing Certificate Private Key
cosign import-key-pair --key /tmp/private.key --output-key-prefix [PREFIX]

# Sign Container and Upload Full Certificate Chain
cosign sign --upload=true --tlog-upload=false --key [PREFIX].key --certificate-chain /tmp/certificate_chain.crt --certificate /tmp/certificate.crt [IMAGE]:[TAG]

# Verify Container via Only Root or Intermediate CA (Does Not Require Full Chain)
cosign verify --insecure-ignore-tlog --insecure-ignore-sct --check-claims=true --certificate-identity test.example.com --certificate-oidc-issuer-regexp '.*'  --certificate-chain [PATH_TO_ROOT_OR_INTERMEDIATE_CA] [IMAGE]:[TAG]

Another alternative for validation that cosign supports is shown below; however, adding an Intermediate CA within the SIGSTORE_ROOT_FILE is not supported here and this must be a Root CA.

export SIGSTORE_ROOT_FILE=./root_ca.pem
cosign verify --insecure-ignore-sct --insecure-ignore-tlog --certificate-identity test.example.com --certificate-oidc-issuer-regexp '.*' [IMAGE]:[TAG]

Another note: on certain helm installations, even when the policy-controller-webhook is running and ready, we receive the following error when creating the ClusterImagePolicy and TrustRoot. Not sure if there's a race condition or if this is a known issue within Kubernetes 1.23.x.

Error from server (NotFound): error when creating "cluster-image-policy.yaml": the server could not find the requested resource (post clusterimagepolicies.policy.sigstore.dev)
Error from server (NotFound): error when creating "cluster-image-policy.yaml": the server could not find the requested resource (post trustroots.policy.sigstore.dev)
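The difference between the two verification modes described in this issue (full chain pinned in TrustRoot versus only a Root or Intermediate CA as trust anchor, with the rest of the chain taken from the signature) comes down to how the x509 chain builder is fed. The following Go program is an added example, not code from policy-controller or cosign: it constructs an in-memory root, a short-lived intermediate and a code-signing leaf, then shows that verifying against the root alone fails with "certificate signed by unknown authority" unless the intermediate is supplied from the artifact's attached chain, and that pinning the intermediate itself as the anchor also works. All certificate names and lifetimes are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain holds a constructed three-tier PKI: root -> short-lived intermediate -> signing leaf.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewTestChain builds the constructed PKI. The intermediate is valid for one day,
// mirroring the short-lived intermediates the issue describes.
func NewTestChain() Chain {
	now := time.Now()
	rootKey, intKey, leafKey := mustKey(), mustKey(), mustKey()

	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"Example"}, CommonName: "Example Root"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	intTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Organization: []string{"Example"}, CommonName: "Example Intermediate"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), // short-lived
		IsCA:         true, BasicConstraintsValid: true, MaxPathLenZero: true,
		KeyUsage:     x509.KeyUsageCertSign,
	}
	inter := mustCert(intTmpl, root, &intKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "test.example.com"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf := mustCert(leafTmpl, inter, &leafKey.PublicKey, intKey)
	return Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyLeaf validates the signing certificate against the configured trust anchors.
// anchors plays the role of the TrustRoot / --certificate-chain input; intermediates
// plays the role of the chain that cosign sign --certificate-chain attaches to the signature.
func VerifyLeaf(leaf *x509.Certificate, anchors, intermediates []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// IsUnknownAuthority reports whether err is the chain-building failure quoted in the issue.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	ch := NewTestChain()
	fmt.Println("root only, no attached chain:  ", VerifyLeaf(ch.Leaf, []*x509.Certificate{ch.Root}, nil))
	fmt.Println("root only, chain from signature:", VerifyLeaf(ch.Leaf, []*x509.Certificate{ch.Root}, []*x509.Certificate{ch.Intermediate}))
	fmt.Println("intermediate pinned as anchor:  ", VerifyLeaf(ch.Leaf, []*x509.Certificate{ch.Intermediate}, nil))
}
```

The first call reproduces the failure seen with a root-only certChain: the verifier has no path from the leaf to the anchor. The second call is the behaviour the issue asks for, where the anchor set stays stable and the short-lived intermediate travels with the signature; the third shows that Go's chain builder accepts a non-self-signed CA as an anchor, which is what makes "Intermediate or Root CA" pinning possible without the full chain.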
@yangkenneth yangkenneth added the enhancement New feature or request label Aug 8, 2023