Skip to content

Add --skip-att-sig-check flag#3267

Draft
simonbaird wants to merge 1 commit intoconforma:mainfrom
simonbaird:skip-att-sig-check
Draft

Add --skip-att-sig-check flag#3267
simonbaird wants to merge 1 commit intoconforma:mainfrom
simonbaird:skip-att-sig-check

Conversation

@simonbaird
Copy link
Copy Markdown
Member

@simonbaird simonbaird commented Apr 28, 2026
edited
Loading

Implement --skip-att-sig-check flag to skip attestation signature validation checks, mirroring the existing --skip-image-sig-check flag. When enabled, attestation signature verification is bypassed during image validation.

Why? Often I'm debugging/troubleshooting something and I get given an image ref to look at. We can use cosign download attestation to inspect the attestation, which is very useful, but if we want to try running Conforma against it, we must either guess, find, or ask to be provided with the public key. Sometimes that's not so difficult, but other times it may be very difficult or even impossible. (Consider for example if the image was built on an ephemeral cluster and the signing secret used is gone forever.)

Now we can use --skip-image-sig-check and --skip-att-sig-check and carry on with the debugging. Note that we added the --skip-image-sig-check recently for other reasons, see https://redhat.atlassian.net/browse/EC-1647. The
--skip-att-sig-check is perhaps a little more complicated because we need to add a function that can download the attestation without verifying it.

The argument against this is that it may encourage less secure practices, but I would say it's acceptable because we're not changing the default behavior, which is always to require signature verification.

Ref: https://redhat.atlassian.net/browse/EC-1815

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Apr 28, 2026
edited
Loading

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: be269d81-46c7-4700-affc-10dc4dee7445

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@simonbaird
Copy link
Copy Markdown
Member Author

simonbaird commented Apr 28, 2026

Making it a draft because it has no Jira (yet anyway).

@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 28, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 19.64286% with 45 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
...ation_snapshot_image/application_snapshot_image.go 0.00% 42 Missing ⚠️
internal/image/validate.go 62.50% 3 Missing ⚠️
Flag Coverage Δ
acceptance 54.97% <19.64%> (-0.20%) ⬇️
generative 17.81% <0.00%> (-0.09%) ⬇️
integration 26.57% <5.35%> (-0.10%) ⬇️
unit 68.77% <16.07%> (-0.26%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
cmd/validate/image.go 91.42% <100.00%> (+0.06%) ⬆️
internal/policy/policy.go 91.74% <100.00%> (+0.07%) ⬆️
internal/image/validate.go 69.71% <62.50%> (-1.09%) ⬇️
...ation_snapshot_image/application_snapshot_image.go 69.96% <0.00%> (-12.73%) ⬇️
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@simonbaird @claude
Add --skip-att-sig-check flag
a77249d 
Implement --skip-att-sig-check flag to skip attestation signature
validation checks, mirroring the existing --skip-image-sig-check flag.
When enabled, attestation signature verification is bypassed during
image validation.

Why? Often I'm debugging/troubleshooting something and I get given
an image ref to look at. We can use cosign download attestation to
inspect the attestation, which is very useful, but if we want to try
running Conforma against it, we must either guess, find, or ask to
be provided with the public key. Sometimes that's not so difficult,
but other times it may be very difficult or even impossible.
(Consider for example if the image was built on an ephemeral cluster
and the signing secret used is gone forever.)

Now we can use --skip-image-sig-check and --skip-att-sig-check and
carry on with the debugging. Note that we added the
--skip-image-sig-check recently for other reasons, see
https://redhat.atlassian.net/browse/EC-1647. The
--skip-att-sig-check is a little more complicated because we needed
to add a new function that can download the attestation without
verifying it.

The argument against this is that it may encourage less secure
practices, but I would say it's acceptable because we're not
changing the default behavior, which is always to require signature
verification.

Ref: https://redhat.atlassian.net/browse/EC-1815

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@simonbaird simonbaird force-pushed the skip-att-sig-check branch from 8d30082 to a77249d Compare May 7, 2026 20:52
@simonbaird
Copy link
Copy Markdown
Member Author

simonbaird commented May 7, 2026

This isn't in the sprint currently, so maybe review it only after you reviewed everything else.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

size: M

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@simonbaird