Artifact signature verification
The following rule type is available for checking that an artifact has a valid signature and its provenance conforms to a policy.
stacklok/artifact_signature
- Verifies that an artifact has a valid signature
This rule allows you to verify that an artifact was signed and that the signature is valid.
Entity: artifact
Type: stacklok/artifact_signature
Rule Parameters
The stacklok/artifact_signature rule supports the following parameters:
- tags (array): The tags that should be checked for signatures. If not specified, all tags will be checked. If specified, the artifact must be tagged with all the specified tags in order to be checked.
- tag_regex (string): A regular expression specifying the tags that should be checked for signatures. If not specified, all tags will be checked. If specified, the artifact must be tagged with a tag that matches the regular expression in order to be checked.
- name (string): The name of the artifact that should be checked for signatures. If not specified, all artifacts will be checked.
- type (enum): The type of artifact to check. Supported values:
  - container: A container image
- sigstore (string): The URL of the sigstore TUF root to use for verification. The default value is tuf-repo-cdn.sigstore.dev.

It is an error to specify both tags and tag_regex.
Rule Definition Options
The stacklok/artifact_signature rule has the following options:
- is_signed (bool): Whether the artifact is signed
- is_verified (bool): Whether the artifact's signature could be verified
- repository (string): The repository that the artifact was built from
- branch (string): The branch that the artifact was built from
- signer_identity (string): The identity of the signer of the artifact, e.g. a workflow name like docker-image-build-push.yml for GitHub workflow signatures, or an email address
- runner_environment (string): The environment that the artifact was built in, i.e. hosted-runner or self-hosted-runner. Set to github-hosted to check for artifacts built on a GitHub-hosted runner.
- cert_issuer (string): The issuer of the certificate used to sign the artifact, e.g. https://token.actions.githubusercontent.com for GitHub Actions
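The following profile is an added example, not taken from the Minder documentation, that wires the parameters and definition options above into one rule instance; the profile wrapper keys (version, type, name, context, alert, remediate) and the short rule-type name in the type field are assumed from Minder's profile format, and the organization, image, branch and workflow names are constructed placeholders.

```yaml
# Added example profile (not from the Minder docs). Wrapper keys follow the
# assumed Minder profile format; params/def keys are those documented above.
version: v1
type: profile
name: verify-release-images          # placeholder profile name
context:
  provider: github
alert: "on"
remediate: "off"
artifact:
  - type: artifact_signature         # page lists it as stacklok/artifact_signature
    params:
      # Only artifacts carrying every listed tag are evaluated.
      # tags and tag_regex are mutually exclusive; only tags is set here.
      tags: [latest]
      name: example-service          # placeholder image name
      type: container
      # The documented default TUF root, stated explicitly so reviewers can
      # see which trust root the verification relies on.
      sigstore: tuf-repo-cdn.sigstore.dev
    def:
      is_signed: true
      is_verified: true
      # A valid signature alone is not enough: pin the provenance so a
      # correctly signed image from some other repo, branch, workflow or
      # runner does not pass the check.
      repository: example-org/example-service        # placeholder
      branch: main                                   # placeholder
      signer_identity: docker-image-build-push.yml   # workflow name, as in the docs
      runner_environment: github-hosted
      cert_issuer: https://token.actions.githubusercontent.com
```

Dropping any of the def keys widens what the rule accepts (for example, omitting cert_issuer would let a keyless signature from a different OIDC issuer satisfy is_verified), so each constraint should be removed only deliberately.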