fix: skip registry key check for keyless (Sigstore/Fulcio) attestations #454

Open

ajayk wants to merge 1 commit into npm:main from ajayk:keyless-attesation

Conversation


@ajayk ajayk commented Feb 24, 2026

fix: skip registry key check for keyless (Sigstore/Fulcio) attestations

Attestations signed with keyless Sigstore/Fulcio have no keyid and
embed the signing certificate directly in the bundle. The existing
guard unconditionally required matching registry keys, causing
EMISSINGSIGNATUREKEY for registries that only use keyless signing.

Only throw when there are keyed attestations that can't be matched.

@ajayk ajayk requested a review from a team as a code owner February 24, 2026 00:42
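The guard described in the commit message, before and after the change, as an added example. This is not npm's code and not the diff from this PR; the attestation and registry-key record shapes below (a `keyid` on keyed attestations, a certificate under `bundle.verificationMaterial` on keyless ones) are assumptions made for illustration, and the sample data is constructed.

```javascript
// Added example (not npm's code): registry-key guard before and after the fix.
// Record shapes are assumptions for illustration, not the registry's real API.

// Constructed sample registry signing keys (shape assumed).
const REGISTRY_KEYS = [
  { keyid: 'SHA256:regkey-1', keytype: 'ecdsa-sha2-nistp256', key: '<base64 public key>' },
]

// Constructed sample attestations (shape assumed).
// A keyed attestation names the registry key that produced its signature.
const KEYED_OK = { predicateType: 'publish', keyid: 'SHA256:regkey-1', bundle: {} }
const KEYED_UNKNOWN = { predicateType: 'publish', keyid: 'SHA256:rotated-away', bundle: {} }
// A keyless (Sigstore/Fulcio) attestation has no keyid; the signer is the
// short-lived certificate embedded in the bundle itself.
const KEYLESS = {
  predicateType: 'provenance',
  bundle: { verificationMaterial: { certificate: { rawBytes: '<DER certificate, base64>' } } },
}

function missingKeyError (keyids) {
  const err = new Error(`no registry key matches attestation keyid(s): ${keyids.join(', ')}`)
  err.code = 'EMISSINGSIGNATUREKEY'
  return err
}

// Pre-fix behaviour as the commit message describes it: require at least one
// registry key matching an attestation keyid, whether or not any attestation
// is keyed at all. A registry that only signs keyless never satisfies this.
function legacyGuard (attestations, registryKeys) {
  const ids = attestations.map((a) => a.keyid)
  const matched = registryKeys.filter((k) => ids.includes(k.keyid))
  if (matched.length === 0) {
    throw missingKeyError(ids.filter(Boolean))
  }
  return matched
}

// Post-fix behaviour: only keyed attestations take part in the lookup, and the
// error is raised only when a keyed attestation's keyid is unknown to the
// registry. Keyless attestations pass through to certificate-based verification.
function fixedGuard (attestations, registryKeys) {
  const known = new Set(registryKeys.map((k) => k.keyid))
  const keyed = attestations.filter((a) => typeof a.keyid === 'string' && a.keyid.length > 0)
  const unmatched = [...new Set(keyed.filter((a) => !known.has(a.keyid)).map((a) => a.keyid))]
  if (unmatched.length > 0) {
    throw missingKeyError(unmatched)
  }
  return {
    keyed: keyed.length,
    keyless: attestations.length - keyed.length,
    matchedKeys: registryKeys.filter((k) => keyed.some((a) => a.keyid === k.keyid)),
  }
}

// Run a guard and report the outcome as a string instead of throwing.
function outcome (guard, attestations, registryKeys) {
  try {
    guard(attestations, registryKeys)
    return 'ok'
  } catch (e) {
    return e.code || 'error'
  }
}

// Keyless-only registry: the old guard fails, the new one does not.
console.log('legacy, keyless only:', outcome(legacyGuard, [KEYLESS], REGISTRY_KEYS))
console.log('fixed,  keyless only:', outcome(fixedGuard, [KEYLESS], REGISTRY_KEYS))
console.log('fixed,  keyed + unknown key:', outcome(fixedGuard, [KEYLESS, KEYED_UNKNOWN], REGISTRY_KEYS))
```

Two points about this guard. First, in the mixed case (one keyed attestation matched, another keyed attestation with an unknown keyid) `fixedGuard` still throws, because the commit message's rule is per keyed attestation rather than "at least one match"; the legacy check would have let the unknown keyid slide as long as any other keyid matched. Second, skipping the registry-key lookup for a keyless attestation only changes which trust anchor applies: the embedded certificate chain still has to be verified against the Sigstore trust root before the attestation counts, and this example performs no signature or certificate verification.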