Conversation

@jkylekelly
Contributor

This pull request updates the repository to align with the upstream Sigstore Policy Controller and improves documentation consistency. The most important changes include updating references from GitHub's temporary fork of the Policy Controller to the official Sigstore repository, version upgrades, and documentation adjustments.

Copilot AI review requested due to automatic review settings July 7, 2025 23:22
@jkylekelly jkylekelly requested review from a team and steiza as code owners July 7, 2025 23:22

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@jkylekelly jkylekelly marked this pull request as draft July 8, 2025 00:04
@nissessenap

Hi @jkylekelly, I was just about to test artifact-attestations when I saw this PR.
That led me to sigstore/helm-charts#1016, which was directly released in sigstore/helm-charts@4ccd764.

I have looked quickly at the upstream helm chart and it looks very similar. Now that the feature is upstream, is there any need for this helm chart at all?

I assume you will archive https://github.com/github/policy-controller as well.

I guess the core question is, can I use everything upstream instead?

@nissessenap

Tried using the upstream helm chart according to this PR, but I'm unable to validate the attestation.

failed validAttestationsWithFulcio for authority github with fulcio for europe-west1-docker.pkg.dev/fo-bar/podinfo@sha256:123456: no matching attestations: failed to verify log inclusion: not enough verified log entries from transparency log: 0 < 1

Sorry for hijacking the comments for this PR, it's not my intention. I'm hoping this will help the next person that might want to try this out.

But I assume it's still something that is missing, or I'm just missing something in my upstream config. I changed into using policy-controller and it worked on the first try.

@jkylekelly
Contributor Author

Hi @nissessenap, currently we recommend continuing to use github/policy-controller to verify GitHub artifact attestations from private repositories. But yes, we do plan to deprecate github/policy-controller now that we've upstreamed bundle support to sigstore/policy-controller.

We'll update our helm-charts once policy-controller merges this bug fix PR and cuts a new release. There will also (likely) be a minor change to our template trust-policies/templates/clusterimagepolicy-github.yaml.

Adding `insecureIgnoreSCT: true`:

{{ if .Values.policy.enabled }}
apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: github-policy
spec:
  images: {{ include "clusterimagepolicy.images" . | nindent 4  }}
  authorities:
{{ if .Values.policy.trust.github }}
  - name: github
    keyless:
      insecureIgnoreSCT: true
      trustRootRef: github
      url: https://fulcio.githubapp.com
      identities:
      - issuer: https://token.actions.githubusercontent.com
        {{- include "clusterimagepolicy.subjectRegExp" . | nindent 8 }}
    rfc3161timestamp:
      trustRootRef: github
    signatureFormat: bundle
    attestations:
    - name: require-attestation
      predicateType: {{ .Values.policy.predicateType }}
{{ end }}

Hope this helps!
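The error quoted earlier in the thread ("not enough verified log entries from transparency log: 0 < 1") is what a policy produces when it expects a Rekor inclusion proof but the bundle carries none; GitHub's private-repository attestations are instead anchored by an RFC 3161 timestamp, which is why the template above pairs the keyless authority with an `rfc3161timestamp` trust root. The following is an added example (not code from this PR, the chart, or policy-controller) that inspects a constructed Sigstore bundle and reports why a given authority configuration would reject it; the `require_tlog` / `rfc3161` keys are a simplified stand-in for the policy's real fields.

```python
"""Inspect a Sigstore bundle's verification material and predict whether a
keyless authority will find the evidence it demands. Added illustration only."""
import json

# Constructed sample, shaped like the JSON form of a Sigstore bundle for a
# GitHub private-repo attestation: leaf certificate plus an RFC 3161
# timestamp, but no transparency-log (Rekor) entries. Byte fields are placeholders.
SAMPLE_BUNDLE = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "verificationMaterial": {
        "certificate": {"rawBytes": "<base64 leaf certificate, placeholder>"},
        "tlogEntries": [],
        "timestampVerificationData": {
            "rfc3161Timestamps": [{"signedTimestamp": "<base64 TST, placeholder>"}]
        },
    },
    "dsseEnvelope": {"payloadType": "application/vnd.in-toto+json",
                     "payload": "<base64, placeholder>", "signatures": []},
})


def bundle_evidence(bundle_json: str) -> dict:
    """Count the pieces of time/inclusion evidence a bundle carries."""
    vm = json.loads(bundle_json)["verificationMaterial"]
    tsd = vm.get("timestampVerificationData") or {}
    return {
        "tlog_entries": len(vm.get("tlogEntries") or []),
        "rfc3161_timestamps": len(tsd.get("rfc3161Timestamps") or []),
    }


def policy_gaps(bundle_json: str, authority: dict) -> list:
    """Return the reasons a (simplified) keyless authority would reject the bundle.

    authority["require_tlog"]: the authority expects a Rekor inclusion proof.
    authority["rfc3161"]:      the authority has an rfc3161timestamp trust root.
    """
    ev = bundle_evidence(bundle_json)
    gaps = []
    if authority.get("require_tlog") and ev["tlog_entries"] < 1:
        # Mirrors the quoted failure: 0 verified log entries, 1 required.
        gaps.append("policy requires a transparency log entry; bundle has 0")
    if not authority.get("require_tlog") and not authority.get("rfc3161"):
        gaps.append("neither tlog nor RFC3161 trust root: signing time unverifiable")
    if authority.get("rfc3161") and ev["rfc3161_timestamps"] < 1:
        gaps.append("policy trusts an RFC3161 TSA but bundle carries no timestamp")
    return gaps
```

Run `policy_gaps(SAMPLE_BUNDLE, {"require_tlog": True})` to reproduce the shape of the failure, and `{"rfc3161": True}` to see the timestamp-anchored configuration pass.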

@nissessenap

Ah, that is great @jkylekelly, thanks a lot for your quick answer.

@jkylekelly jkylekelly closed this Sep 17, 2025
@jkylekelly jkylekelly deleted the use-sigstore-policy-controller branch September 22, 2025 21:13