With a policy.yaml that specifies a publicKey, e.g.:
publicKey: k8s://openshift-pipelines/public-key
sources:
  - data:
      - ...
    policy:
      - ...
The ec validate input command always fails:
Error: 1 error occurred:
* error validating file input.json: no check options or sig verifier configured
With the --debug flag:
DEBU[0000] helpers.go:80 readPolicyConfigurationFile Loaded policy.yaml as policyConfiguration
DEBU[0000] policy.go:394 parseEffectiveTime Chosen to use effective time of `now`, using current time 2024-04-15T18:44:38Z
DEBU[0000] policy.go:309 loadPolicy Read EnterpriseContractPolicy as YAML
DEBU[0000] policy.go:314 loadPolicy Unable to parse EnterpriseContractPolicy from "configuration:\n # exclude:\n # - tasks.required_tasks_found:prefetch-dependencies\n # - hermetic_build_task.build_task_hermetic\n # - test.no_test_warnings\n # - redhat_manifests.redhat_manifests_missing\n # - labels.required_labels\n # - rpm_ostree_task.builder_image_param\n # - sbom_cyclonedx.found\n # - test.no_failed_tests\n # include:\n # - '@redhat'\n include:\n - attestation_task_bundle\ndescription: Rules for shipping content to registry.redhat.io\npublicKey: k8s://openshift-pipelines/public-key\nsources:\n- data:\n - github.com/release-engineering/rhtap-ec-policy//data\n - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest\n name: Release Policies\n policy:\n # - oci::quay.io/enterprise-contract/ec-release-policy:latest\n - /home/lucarval/src/enterprise-contract/ec-policies/policy/lib\n - /home/lucarval/src/enterprise-contract/ec-policies/policy/release\n # ruleData:\n # allowed_registry_prefixes:\n # - registry.access.redhat.com/\n # - registry.redhat.io/\n # - quay.io/rh-osbs/ubi9\n # - localhost/rhtap-final-image\n # allowed_rpm_ostree_builder_image_prefixes:\n # - quay.io/centos-bootc/bootc-image-builder\n"
DEBU[0000] policy.go:315 loadPolicy Attempting to parse as EnterpriseContractPolicySpec
DEBU[0000] validate.go:37 ValidateInput Current input filePath: "input.json"
DEBU[0000] validate.go:67 detectInput unable to detect input as JSON
DEBU[0000] validate.go:75 detectInput unable to detect input as YAML
DEBU[0000] input.go:53 NewInput policySource: &source.PolicyUrl{Url:"/home/lucarval/src/enterprise-contract/ec-policies/policy/lib", Kind:"policy"}
DEBU[0000] input.go:53 NewInput policySource: &source.PolicyUrl{Url:"/home/lucarval/src/enterprise-contract/ec-policies/policy/release", Kind:"policy"}
DEBU[0000] input.go:53 NewInput policySource: &source.PolicyUrl{Url:"github.com/release-engineering/rhtap-ec-policy//data", Kind:"data"}
DEBU[0000] input.go:53 NewInput policySource: &source.PolicyUrl{Url:"oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest", Kind:"data"}
DEBU[0000] conftest_evaluator.go:277 NewConftestEvaluatorWithNamespace Created work dir /tmp/ec-work-678054144
DEBU[0000] policy.go:380 EffectiveTime Using effective time: 2024-04-15T18:44:38Z
DEBU[0000] input.go:58 NewInput Failed to initialize the conftest evaluator!
DEBU[0000] validate.go:46 ValidateInput Failed to create input!
Error: 1 error occurred:
* error validating file input.json: no check options or sig verifier configured
Git bisect tells me this started with commit 117055d.
Removing publicKey from the policy bypasses the issue.