diff --git a/containers-common.spec b/containers-common.spec
index 3c0b3a1..c462fcd 100644
--- a/containers-common.spec
+++ b/containers-common.spec
@@ -6,8 +6,8 @@
 # Packit will automatically update the image and storage versions on Fedora and
 # CentOS Stream dist-git PRs.
-%global image_branch v5.30.2
-%global storage_branch v1.53.0
+%global image_branch v5.32.2
+%global storage_branch v1.55.0
 %global shortnames_branch main
 %global project containers
@@ -39,7 +39,7 @@ Epoch: 2
 # If that's what you're reading, Version must be 0, and will be updated by Packit for
 # copr and koji builds.
 # If you're reading this on dist-git, the version is automatically filled in by Packit.
-Version: 0.60.0
+Version: 0.60.2
 Release: %autorelease
 License: Apache-2.0
 BuildArch: noarch
diff --git a/containers-policy.json.5.md b/containers-policy.json.5.md
index 909d04a..ad3a1f5 100644
--- a/containers-policy.json.5.md
+++ b/containers-policy.json.5.md
@@ -320,7 +320,9 @@ This requirement requires an image to be signed using a sigstore signature with
 {
 "type": "sigstoreSigned",
 "keyPath": "/path/to/local/public/key/file",
+"keyPaths": ["/path/to/first/public/key/one", "/path/to/first/public/key/two"],
 "keyData": "base64-encoded-public-key-data",
+"keyDatas": ["base64-encoded-public-key-one-data", "base64-encoded-public-key-two-data"]
 "fulcio": {
 "caPath": "/path/to/local/CA/file",
 "caData": "base64-encoded-CA-data",
@@ -328,28 +330,33 @@ This requirement requires an image to be signed using a sigstore signature with
 "subjectEmail", "expected-signing-user@example.com",
 },
 "rekorPublicKeyPath": "/path/to/local/public/key/file",
+"rekorPublicKeyPaths": ["/path/to/local/public/key/one","/path/to/local/public/key/two"],
 "rekorPublicKeyData": "base64-encoded-public-key-data",
+"rekorPublicKeyDatas": ["base64-encoded-public-key-one-data","base64-encoded-public-key-two-data"],
 "signedIdentity": identity_requirement
 }
 ```
 
-Exactly one of `keyPath`, `keyData` and `fulcio` must be present.
+Exactly one of `keyPath`, `keyPaths`, `keyData`, `keyDatas` and `fulcio` must be present.
 
 If `keyPath` or `keyData` is present, it contains a sigstore public key.
 Only signatures made by this key are accepted.
 
+If `keyPaths` or `keyDatas` is present, it contains sigstore public keys.
+Only signatures made by any key in the list are accepted.
+
 If `fulcio` is present, the signature must be based on a Fulcio-issued certificate.
 One of `caPath` and `caData` must be specified, containing the public key of the Fulcio instance.
 Both `oidcIssuer` and `subjectEmail` are mandatory,
 exactly specifying the expected identity provider,
 and the identity of the user obtaining the Fulcio certificate.
 
-At most one of `rekorPublicKeyPath` and `rekorPublicKeyData` can be present;
+At most one of `rekorPublicKeyPath`, `rekorPublicKeyPaths`, `rekorPublicKeyData` and `rekorPublicKeyDatas` can be present;
 it is mandatory if `fulcio` is specified.
 If a Rekor public key is specified, the signature must have been uploaded to a Rekor server
 and the signature must contain an (offline-verifiable) “signed entry timestamp”
 proving the existence of the Rekor log record,
-signed by the provided public key.
+signed by one of the provided public keys.
 
 The `signedIdentity` field has the same semantics as in the `signedBy` requirement described above.
 Note that `cosign`-created signatures only contain a repository, so only `matchRepository` and `exactRepository` can be used to accept them (and that does not protect against substitution of a signed image with an unexpected tag).
diff --git a/sources b/sources
index 5601a48..5f56fb9 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (v0.60.0.tar.gz) = 9eae809f6834472172fb997dedf828a11c7617b19374f46086394be3eeeb7f8fa9a1245a020af3a611142d6edda6670ee1d080229048fd0886313c7f698c21af
+SHA512 (v0.60.2.tar.gz) = 0f0495adfbac1c1cea3a209d506495617e727523b4edf436225df79c7378bad1ea5504a94e0e54322601585a5740f67cef81b971a0825d5180c2c29da703fc82