Image signing blocked upstream: re-enable cosign keyless + SBOM when containers/image verifies keyless sigs

Image signature verification: blocked upstream

Status as of 2026-05-24policy.json is insecureAcceptAnything across the estate. Cosign signing was removed from CI in catalog v4.3.0 because containers/image cannot verify our keyless signatures at pull time. This issue tracks the blocker and the path back to enforced signing. (Moved out of the repo as docs/image-signing.md — signing is tracked work, not a shipped feature.)

Re-check monthly. When upstream lands the fix, follow the re-enable runbook below.

What we tried

Documented in containers/container-libs#388 (comment):

  • .sig tags present and discoverable in the registry.
  • use-sigstore-attachments: true makes containers/image find the attachment manifest.
  • Verification still fails with Required email "..." not found (got []) even with cosign v2 sigs and a correct sigstoreSigned policy.json pointing at Fulcio + Rekor.

Why it doesn't work

containers/image's sigstoreSigned identity matcher requires a subjectEmail literal match, but Fulcio-issued certificates for GitLab CI keyless OIDC tokens populate a SAN URI, not an email. The matcher exposes no subjectURI / subjectRegexp field today.

Tracking

Issue Covers Status
containers/container-libs#388 Cosign bundle format + identity matching open since Oct 2025
sigstore/cosign#3927 Bundle as OCI referring artifact tracked
sigstore/policy-controller#1406 Bundle spec policy support tracked

Two upstream paths that would unblock us (contribution candidates — see #5)

  1. Tactical (~50 LOC): add subjectURI / subjectRegexp to image/signature/fulcio_cert.go — the exact failure we hit. Highest ROI, achievable as a contributor PR.
  2. Strategic (jlebon, 2026-05-04): a policy.json plugin architecture at /usr/lib/containers/policy-plugins.d/ (binary | stdin -> JSON stdout verification protocol). Sketched, no implementation yet.

Monthly re-check

  • Has subjectURI / subjectRegexp landed in containers/container-libs image/signature/fulcio_cert.go?
  • Any movement on container-libs#388?
  • Did the plugin proposal advance to an RFC or draft PR?
  • If yes to any -> re-enable per the runbook below.

How to re-enable when the gap closes

  1. Restore .install_cosign, .sign_image, .attest_sbom to templates/supply-chain.yml (cherry-pick from the v4.2.0 tag).
  2. Restore id_tokens: SIGSTORE_ID_TOKEN + COSIGN_YES env to the jobs that need them (validate.yml, instance.yml, container-build.yml, catalog publish-images).
  3. Restore the cosign_version input across templates.
  4. Tighten consumer /etc/containers/policy.json from insecureAcceptAnything to a sigstoreSigned block keyed on the GitLab Fulcio identity; add registries.d/dunn.dev.yaml with use-sigstore-attachments: true.
  5. Smoke test: skopeo inspect --policy=... accepts a signed image and rejects an unsigned mutant.
  6. Tag the catalog v5.0.0 (restoring signing is consumer-impacting).

Related goal

Enforced signature verification at the bootc upgrade boundary (trust the update, not just the build) is downstream of this — it needs build-time signing to verify first.

Edited by Andrew G. Dunn