github · codysoyland · Jun 24, 2024 · Jun 21, 2024 · Jun 21, 2024 · Jun 21, 2024
@@ -40,4 +40,5 @@ jobs:
       - name: Install trust-policies
         run: |
           helm install trust-policies charts/trust-policies \
-            --set policy.enabled=true
+            --set policy.enabled=true \
+            --set policy.organization=github
@@ -8,8 +8,8 @@ sources:
 type: application
 
 name: trust-policies
-version: "v0.3.0"
-appVersion: "v0.3.0"
+version: "v0.4.0"
+appVersion: "v0.4.0"
 
 maintainers:
   - name: codysoyland

@@ -0,0 +1,10 @@
+{{/*
+Generate subjectRegExp value
+*/}}
+{{- define "clusterimagepolicy.subjectRegExp" -}}
+{{- if .Values.policy.subjectRegExp -}}
+subjectRegExp: {{ .Values.policy.subjectRegExp }}
+{{- else -}}
+subjectRegExp: https://github.com/{{ .Values.policy.organization | required "One of policy.organization/policy.subjectRegExp is required" }}/{{ .Values.policy.repository }}/\.github/workflows/.*
+{{- end -}}
+{{- end -}}
@@ -14,7 +14,7 @@ spec:
       url: https://fulcio.githubapp.com
       identities:
       - issuer: https://token.actions.githubusercontent.com
-        subjectRegExp: https://github.com/{{ .Values.policy.organization }}/{{ .Values.policy.repo }}/\.github/workflows/.*
+        {{- include "clusterimagepolicy.subjectRegExp" . | nindent 8 }}
     rfc3161timestamp:
       trustRootRef: github
     signatureFormat: bundle
@@ -26,7 +26,7 @@ spec:
     keyless:
       identities:
       - issuer: https://token.actions.githubusercontent.com
-        subjectRegExp: https://github.com/{{ .Values.policy.organization }}/{{ .Values.policy.repo }}/\.github/workflows/.*
+        {{- include "clusterimagepolicy.subjectRegExp" . | nindent 8 }}
     ctlog:
       url: https://rekor.sigstore.dev
     signatureFormat: bundle

@@ -1,14 +1,22 @@
 # A default policy can be created by setting policy.enabled to true.
 policy:
-  # organization is a regex that matches the organization name in the certificate identity
-  organization: '.*'
-  # repo is a regex that matches the repository name in the certificate identity
-  repo: '.*'
-  # enabled is a flag to enable the default policy
-  enabled: false
-  # predicateType is the type of predicate to expect in the default policy
+  # To verify an attestation, we must validate the identity of the workflow that signed it, which is stored in the attestation's certificate's subject alternative name.
+  # To validate the signer workflow's identity, you can set the subjectRegExp value, or set the organization and the repository values below.
+  #
+  # policy.organization is used to validate the signer workflow's identity. An attestation is valid if it was generated inside a repository owned by this organization.
+  # Required if policy.enabled is true and policy.subjectRegExp has not been set.
+  organization:
+  # policy.repository is used to validate the signer workflow's identity. An attestation is valid if it was generated inside this specific repository.
+  # Must be used in combination with the policy.organization value.
+  repository: '.*'
+  # policy.subjectRegExp is a regex used to validate the signer workflow's identity. Use this if your attestations are generated with a reusable workflow.
+  # Required if policy.enabled is true and policy.organization has not been set.
+  subjectRegExp:
+  # policy.predicateType defines the type of predicate that the default policy expects
   predicateType: https://slsa.dev/provenance/v1
-  # Identify which signing authorities should be trusted as part of the policy
+  # policy.enabled enables the default policy
+  enabled: false
+  # policy.trust identifies which signing authorities should be trusted as part of the policy
   trust:
     # trust the GitHub signing authority
     github: true