From d068696c4d5363ad31de38d5b120e449a48e1050 Mon Sep 17 00:00:00 2001
From: ejahnGithub
Date: Wed, 9 Jul 2025 15:55:41 -0400
Subject: [PATCH] add tenancy aware for san matcher

---
 pkg/cmd/release/shared/attestation.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/pkg/cmd/release/shared/attestation.go b/pkg/cmd/release/shared/attestation.go
index 4e0377fed99..b4490373b6f 100644
--- a/pkg/cmd/release/shared/attestation.go
+++ b/pkg/cmd/release/shared/attestation.go
@@ -46,7 +46,7 @@ func (v *AttestationVerifier) VerifyAttestation(art *artifact.DigestedArtifact,
 		return nil, err
 	}
 
-	policy := buildVerificationPolicy(*art)
+	policy := buildVerificationPolicy(*art, td)
 	sigstoreVerified, err := verifier.Verify([]*api.Attestation{att}, policy)
 	if err != nil {
 		return nil, err
@@ -99,9 +99,13 @@ func FilterAttestationsByFileDigest(attestations []*api.Attestation, fileDigest
 }
 
 // buildVerificationPolicy constructs a verification policy for GitHub releases
-func buildVerificationPolicy(a artifact.DigestedArtifact) verify.PolicyBuilder {
+func buildVerificationPolicy(a artifact.DigestedArtifact, trustDomain string) verify.PolicyBuilder {
+	// If no trust domain is specified, default to "dotcom"
+	if trustDomain == "" {
+		trustDomain = "dotcom"
+	}
 	// SAN must match the GitHub releases domain. No issuer extension (match anything)
-	sanMatcher, _ := verify.NewSANMatcher("", "^https://.*\\.releases\\.github\\.com$")
+	sanMatcher, _ := verify.NewSANMatcher("", fmt.Sprintf("^https://%s\\.releases\\.github\\.com$", trustDomain))
 	issuerMatcher, _ := verify.NewIssuerMatcher("", ".*")
 	certId, _ := verify.NewCertificateIdentity(sanMatcher, issuerMatcher, certificate.Extensions{})
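Review bot: The `td` passed at `policy := buildVerificationPolicy(*art, td)` is interpolated unescaped into the SAN regular expression in the second hunk (`fmt.Sprintf("^https://%s\\.releases\\.github\\.com$", trustDomain)`), and the error from `verify.NewSANMatcher` is still discarded with `_`. If `td` can ever contain a regex metacharacter — a `.` in a tenant label is the obvious case — the pattern either matches more SANs than intended or fails to compile, and the verifier carries on with whatever NewSANMatcher returns on error. Escaping the value inside buildVerificationPolicy, `regexp.QuoteMeta(trustDomain)`, removes the first problem; surfacing the compile error would additionally require the function to return an error to VerifyAttestation. Where `td` is computed lies outside the hunk, so it may already be limited to a fixed set of labels, in which case the escape is defense in depth; VerifyAttestation's body also begins before the hunk.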