Change: verification key reference should default to acorn:// if it's…

… not a file (#2112)
acorn-io · Aug 22, 2023 · 37cd895 · 37cd895
1 parent bd13da9
commit 37cd895
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 5 deletions.
diff --git a/docs/docs/100-reference/01-command-line/acorn_image_verify.md b/docs/docs/100-reference/01-command-line/acorn_image_verify.md
@@ -19,7 +19,7 @@ acorn image verify my-image --key ./my-key.pub
 acorn image verify my-image --key gh://ibuildthecloud
 
 # Verify using a public key belonging to an Acorn Manager Identity
-acorn image verify my-image --key ac://ibuildthecloud
+acorn image verify my-image --key acorn://ibuildthecloud
 
 ```
 

diff --git a/pkg/cli/images_verify.go b/pkg/cli/images_verify.go
@@ -22,7 +22,7 @@ acorn image verify my-image --key ./my-key.pub
 acorn image verify my-image --key gh://ibuildthecloud
 
 # Verify using a public key belonging to an Acorn Manager Identity
-acorn image verify my-image --key ac://ibuildthecloud
+acorn image verify my-image --key acorn://ibuildthecloud
 `,
 		SilenceUsage:      true,
 		Short:             "Verify Image Signatures",

diff --git a/pkg/cosign/cosign.go b/pkg/cosign/cosign.go
@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"regexp"
 	"strings"
 
 	v1 "github.com/acorn-io/runtime/pkg/apis/internal.acorn.io/v1"
@@ -390,10 +391,10 @@ func LoadVerifiers(ctx context.Context, keyRef string, algorithm string) (verifi
 			return nil, fmt.Errorf("failed to load public key from SSH - %s: %w", keyRef, err)
 		}
 		verifiers = append(verifiers, v)
-	} else if strings.HasPrefix(keyRef, "ac://") {
+	} else if strings.HasPrefix(keyRef, "acorn://") {
 		// Acorn Manager
 		logrus.Debugf("Loading public key from Acorn Manager: %s", keyRef)
-		acKeys, err := getAcornPublicKeys(strings.TrimPrefix(keyRef, "ac://"))
+		acKeys, err := getAcornPublicKeys(strings.TrimPrefix(keyRef, "acorn://"))
 		if err != nil {
 			return nil, fmt.Errorf("failed to load public key from Acorn Manager - %s: %w", keyRef, err)
 		}
@@ -437,8 +438,11 @@ func LoadVerifiers(ctx context.Context, keyRef string, algorithm string) (verifi
 		}
 
 		verifiers = append(verifiers, ghVerifiers...)
+	} else if regexp.MustCompile(`^[a-zA-Z0-9]+(?:-[a-zA-Z0-9]+)*$`).MatchString(keyRef) {
+		// weak (not length-limited) regexp for github/acorn-manager usernames -> default to acorn manager
+		return LoadVerifiers(ctx, fmt.Sprintf("acorn://%s", keyRef), algorithm)
 	} else {
-		// schemes: k8s://, pkcs11://, gitlab://
+		// schemes: k8s://, pkcs11://, gitlab://, raw, url, ...
 		logrus.Debugf("Loading public key from cosign builtin scheme type: %s", keyRef)
 		v, err := cosignature.PublicKeyFromKeyRef(ctx, keyRef)
 		if err != nil {