policy: add artifact attestation and github attestation builtin support #3657

Merged
tonistiigi merged 3 commits into docker:master from tonistiigi:policy-artifact-verification on Feb 23, 2026

Conversation

tonistiigi (Member) commented Feb 20, 2026:

fixes #3640
depends on #3656

Review comment on:

```go
		return nil, nil, err
	}

	rtUnk := runtimeUnknownInputRefs(st)
```

tonistiigi (Member Author):

Looks like this could have been a bug previously if image signatures were the only requirement with no other unknown fields. Similar code is a bit above, but it currently only ran in the case of the Partial() code path.

Review comment on:

```go
			continue
		}
		if shouldDecodeSnappyBundleURL(bu) {
			decoded, err := snappy.Decode(nil, bundleRaw)
```

tonistiigi (Member Author):

fwiw I didn't find any documentation for this. When I wrote similar code a couple of months ago in https://github.com/moby/policy-helpers/blob/main/githubapi/pull.go there was no bundle_url or snappy compression.

crazy-max (Member) commented Feb 23, 2026:

Yes, seems gh cli is doing the same: https://github.com/cli/cli/blob/6c3e39ffc481d5b9675451a201ae904b6d42c7cd/pkg/cmd/attestation/api/client.go#L222-L265

Looks like they also have some backoff logic; not sure if we should do the same.
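
The thread above concerns bundle_url bodies that arrive snappy-compressed under a .json.sn suffix. As an added example (not code from this PR, from buildx, or from gh), the Go program below shows the two steps involved: a suffix check standing in for the PR's shouldDecodeSnappyBundleURL (the ".json.sn" rule is an assumption taken from the commit message; the real helper may use other criteria), and a decoder for the snappy block format, which is what snappy.Decode in github.com/golang/snappy reads, written out here so the example has no dependency. decodeBundleBody and the sample bytes are constructed for illustration. The claimed output length is bounded and every copy offset is range-checked, since the body comes from a remote server.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

var errShort = errors.New("snappy: truncated input")

// le reads a little-endian unsigned integer of up to 4 bytes.
func le(b []byte) int {
	v := 0
	for i := len(b) - 1; i >= 0; i-- {
		v = v<<8 | int(b[i])
	}
	return v
}

// shouldDecodeSnappyBundleURL treats a bundle_url ending in ".json.sn" as a
// snappy-compressed JSON bundle. The suffix rule is an assumption taken from the
// PR description; the helper of the same name in the PR may use other criteria.
func shouldDecodeSnappyBundleURL(bundleURL string) bool {
	if i := strings.IndexAny(bundleURL, "?#"); i >= 0 {
		bundleURL = bundleURL[:i] // ignore query string and fragment
	}
	return strings.HasSuffix(bundleURL, ".json.sn")
}

// snappyDecode implements the snappy block format (no stream framing), which is
// what snappy.Decode from github.com/golang/snappy reads: a uvarint uncompressed
// length followed by literal and back-reference elements.
func snappyDecode(src []byte) ([]byte, error) {
	n, s := binary.Uvarint(src)
	if s <= 0 || n > 1<<24 { // reject malformed or hostile length claims
		return nil, errors.New("snappy: bad uncompressed length")
	}
	dst := make([]byte, 0, n)
	for s < len(src) {
		tag := src[s]
		s++
		length, offset := 1+int(tag>>2), 0
		switch tag & 3 {
		case 0: // literal; tag values 60..63 mean 1..4 extra little-endian length bytes
			if extra := length - 60; extra > 0 {
				if s+extra > len(src) {
					return nil, errShort
				}
				length, s = le(src[s:s+extra])+1, s+extra
			}
			if s+length > len(src) {
				return nil, errShort
			}
			dst = append(dst, src[s:s+length]...)
			s += length
			continue
		case 1: // copy: 3 length bits in the tag, 11-bit offset split across tag and next byte
			if s >= len(src) {
				return nil, errShort
			}
			length, offset = 4+int(tag>>2&7), int(tag&0xe0)<<3|int(src[s])
			s++
		case 2, 3: // copy: 6 length bits in the tag, 2- or 4-byte little-endian offset
			w := 2 + 2*int(tag&3-2)
			if s+w > len(src) {
				return nil, errShort
			}
			offset, s = le(src[s:s+w]), s+w
		}
		if offset <= 0 || offset > len(dst) {
			return nil, errors.New("snappy: copy offset outside decoded output")
		}
		for i := 0; i < length; i++ { // byte-wise so overlapping copies work
			dst = append(dst, dst[len(dst)-offset])
		}
	}
	if uint64(len(dst)) != n {
		return nil, errors.New("snappy: decoded length mismatch")
	}
	return dst, nil
}

// decodeBundleBody (hypothetical name) turns a downloaded bundle_url body into JSON
// bytes, decompressing only when the URL marks the body as snappy-compressed.
func decodeBundleBody(bundleURL string, body []byte) ([]byte, error) {
	if !shouldDecodeSnappyBundleURL(bundleURL) {
		return body, nil
	}
	return snappyDecode(body)
}

func main() {
	// Constructed sample: hand-encoded block for the 19-byte text `["sha256","sha256"]`:
	// length 19, a 10-byte literal, an 8-byte copy at offset 9, then a 1-byte literal.
	body := []byte{0x13, 0x24, '[', '"', 's', 'h', 'a', '2', '5', '6', '"', ',', 0x11, 0x09, 0x00, ']'}
	out, err := decodeBundleBody("https://example.invalid/attestations/1.json.sn", body)
	fmt.Printf("%s %v\n", out, err)
}
```

The hand-encoded sample exercises both a literal and a back-reference; a body fetched from a plain .json URL passes through unchanged. Retry and backoff around the fetch itself, which the comment above raises, sit outside this function.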

Commits

Add artifact_attestation(http, filename) and wire verifier support for
artifact bundle checks. Add docker_github_builder_bundle helper rule.

Handle runtime unknown http.checksum after eval so metadata resolve is
requested when checksum is missing.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Add github_attestation and github_release_attestation policy support.
Fetch GitHub attestation bundles (including bundle_url .json.sn decode)
and verify against input.http.checksum.

Wire source metadata resolver progress through resolver options and add
ResolveState support for policy HTTP attestation fetches.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Prevent concurrent ResolveSourceMetadata calls from hanging while
waiting for resolver initialization.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
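
The second commit verifies the fetched bundle against input.http.checksum. As an added example (not buildx code), this Go program shows the binding step that gives such a check its meaning: read the in-toto statement out of the bundle's DSSE envelope and compare its subject digest with a checksum of the form sha256:<hex>. Field names follow the Sigstore bundle and in-toto Statement JSON layouts; subjectDigests, attestsChecksum and the unsigned sample bundle are constructed for illustration. Matching the subject digest only ties the statement to the artifact: a real verifier must also check the envelope signature and the signer's identity with Sigstore before trusting the result, which this example does not do.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// inTotoPayloadType is the DSSE payloadType that marks an in-toto statement.
const inTotoPayloadType = "application/vnd.in-toto+json"

// subjectDigests returns the lower-cased subject[].digest.sha256 values from a
// Sigstore bundle whose dsseEnvelope carries an in-toto statement. The payload is
// base64 in the JSON; encoding/json decodes it into the []byte field itself.
func subjectDigests(bundle []byte) ([]string, error) {
	var b struct {
		Env struct {
			PayloadType string `json:"payloadType"`
			Payload     []byte `json:"payload"`
		} `json:"dsseEnvelope"`
	}
	if err := json.Unmarshal(bundle, &b); err != nil {
		return nil, err
	}
	if b.Env.PayloadType != inTotoPayloadType {
		return nil, fmt.Errorf("unexpected payloadType %q", b.Env.PayloadType)
	}
	var st struct {
		Subject []struct {
			Name   string            `json:"name"`
			Digest map[string]string `json:"digest"`
		} `json:"subject"`
	}
	if err := json.Unmarshal(b.Env.Payload, &st); err != nil {
		return nil, err
	}
	var out []string
	for _, s := range st.Subject {
		if d, ok := s.Digest["sha256"]; ok {
			out = append(out, strings.ToLower(d))
		}
	}
	return out, nil
}

// attestsChecksum reports whether the statement in bundle names the artifact whose
// checksum is given as "sha256:<64 hex chars>" (the shape of input.http.checksum).
// Any other checksum shape is an error, so a missing digest can never match.
func attestsChecksum(bundle []byte, checksum string) (bool, error) {
	const prefix = "sha256:"
	if !strings.HasPrefix(checksum, prefix) || len(checksum) != len(prefix)+64 {
		return false, errors.New("checksum must be sha256:<64 hex chars>")
	}
	want := strings.ToLower(checksum[len(prefix):])
	digests, err := subjectDigests(bundle)
	if err != nil {
		return false, err
	}
	for _, d := range digests {
		if d == want {
			return true, nil
		}
	}
	return false, nil
}

// sampleDigest is a constructed artifact digest (sha256 of "foo\n"); sampleBundle
// wraps a statement naming it in an unsigned bundle so the example runs offline.
const sampleDigest = "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"

func sampleBundle() []byte {
	stmt, _ := json.Marshal(map[string]any{
		"_type":         "https://in-toto.io/Statement/v1",
		"predicateType": "https://slsa.dev/provenance/v1",
		"subject": []map[string]any{{
			"name":   "example.tgz",
			"digest": map[string]string{"sha256": sampleDigest},
		}},
	})
	bundle, _ := json.Marshal(map[string]any{
		"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
		"dsseEnvelope": map[string]any{
			"payloadType": inTotoPayloadType,
			"payload":     stmt, // []byte marshals to base64, as in a real bundle
			"signatures":  []map[string]string{{"sig": "placeholder-not-a-real-signature"}},
		},
	})
	return bundle
}

func main() {
	ok, err := attestsChecksum(sampleBundle(), "sha256:"+sampleDigest)
	fmt.Println(ok, err)
}
```

A .json.sn body has to be decompressed before it reaches attestsChecksum; the comparison is case-insensitive on the hex digits and rejects a malformed checksum outright rather than letting an empty or absent subject digest match.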
tonistiigi force-pushed the policy-artifact-verification branch from 675ceb5 to 10c5f00 on February 20, 2026 16:56
tonistiigi marked this pull request as ready for review on February 20, 2026 16:56

tonistiigi (Member Author) commented:

Rebased after #3656 merge.

tonistiigi merged commit 5830f90 into docker:master on Feb 23, 2026
159 checks passed

Development

Linked issue that may be closed by this pull request: Policy: add artifact attestation verification and github_attestation helper

2 participants