Also accept subkey signatures in simple signing

mtrmac · mtrmac · commit 16b1b245fddd · 2025-07-24T00:04:40.000+02:00
This does not change behavior for mechanisms which already always return the
primary key fingerprint (after a recent change, openpgp); for the others,
add support for signingMechanismWithVerificationIdentityLookup .

Signed-off-by: Miloslav Trmač &lt;mitr@redhat.com&gt;
diff --git a/signature/fixtures/dir-img-valid-subkey/manifest.json b/signature/fixtures/dir-img-valid-subkey/manifest.json
@@ -0,0 +1 @@
+../image.manifest.json
diff --git a/signature/fixtures/dir-img-valid-subkey/signature-1 b/signature/fixtures/dir-img-valid-subkey/signature-1
@@ -0,0 +1 @@
+../subkey.signature
diff --git a/signature/policy_eval_signedby_test.go b/signature/policy_eval_signedby_test.go
@@ -277,4 +277,11 @@ func TestPRSignedByIsRunningImageAllowed(t *testing.T) {
 	require.NoError(t, err)
 	allowed, err = pr.isRunningImageAllowed(context.Background(), image)
 	assertRunningRejectedPolicyRequirement(t, allowed, err)
+
+	// A valid signature using a subkey
+	image = dirImageMock(t, "fixtures/dir-img-valid-subkey", "testing/manifest:latest")
+	pr, err = NewPRSignedByKeyPath(ktGPG, "fixtures/public-key-with-subkey.gpg", prm)
+	require.NoError(t, err)
+	allowed, err = pr.isRunningImageAllowed(context.Background(), image)
+	assertRunningAllowed(t, allowed, err)
 }
diff --git a/signature/simple.go b/signature/simple.go
@@ -222,7 +222,21 @@ func verifyAndExtractSignature(mech SigningMechanism, unverifiedSignature []byte
 		return nil, "", err
 	}
 	if !slices.Contains(rules.acceptedKeyIdentities, keyIdentity) {
-		return nil, "", internal.NewInvalidSignatureError(fmt.Sprintf("signature by key %s is not accepted", keyIdentity))
+		withLookup, ok := mech.(signingMechanismWithVerificationIdentityLookup)
+		if !ok {
+			return nil, "", internal.NewInvalidSignatureError(fmt.Sprintf("signature by key %s is not accepted", keyIdentity))
+		}
+
+		primaryKey, err := withLookup.keyIdentityForVerificationKeyIdentity(keyIdentity)
+		if err != nil {
+			// Coverage: This only fails if lookup by keyIdentity fails, but we just found and used that key.
+			// Or maybe on some unexpected I/O error.
+			return nil, "", err
+		}
+		if !slices.Contains(rules.acceptedKeyIdentities, primaryKey) {
+			return nil, "", internal.NewInvalidSignatureError(fmt.Sprintf("signature by key %s of %s is not accepted", keyIdentity, primaryKey))
+		}
+		keyIdentity = primaryKey
 	}
 
 	var unmatchedSignature untrustedSignature
diff --git a/signature/simple_test.go b/signature/simple_test.go
@@ -319,12 +319,26 @@ func TestVerifyAndExtractSignature(t *testing.T) {
 		assert.Equal(t, TestKeyFingerprint, keyIdentity)
 		assert.Equal(t, signatureData, *recorded)
 	}
+	// Successful verification using a subkey
+	sig2, err := os.ReadFile("./fixtures/subkey.signature")
+	require.NoError(t, err)
+	sig2Data := tuple{
+		signedDockerReference:      "testing/manifest:latest",
+		signedDockerManifestDigest: TestImageManifestDigest,
+	}
+	recorded, recordingRules := setupRecording(sig2Data, TestKeyFingerprintPrimaryWithSubkey)
+	sig, keyIdentity, err := verifyAndExtractSignature(mech, sig2, recordingRules)
+	require.NoError(t, err)
+	assert.Equal(t, sig2Data.signedDockerReference, sig.DockerReference)
+	assert.Equal(t, sig2Data.signedDockerManifestDigest, sig.DockerManifestDigest)
+	assert.Equal(t, TestKeyFingerprintPrimaryWithSubkey, keyIdentity)
+	assert.Equal(t, sig2Data, *recorded)
 
 	// For extra paranoia, test that we return a nil signature object and a "" key identity on error.
 
 	// Completely invalid signature.
-	recorded, recordingRules := setupRecording(signatureData, TestKeyFingerprint)
-	sig, keyIdentity, err := verifyAndExtractSignature(mech, []byte{}, recordingRules)
+	recorded, recordingRules = setupRecording(signatureData, TestKeyFingerprint)
+	sig, keyIdentity, err = verifyAndExtractSignature(mech, []byte{}, recordingRules)
 	assert.Error(t, err)
 	assert.Nil(t, sig)
 	assert.Equal(t, "", keyIdentity)
@@ -345,6 +359,16 @@ func TestVerifyAndExtractSignature(t *testing.T) {
 	assert.Equal(t, "", keyIdentity)
 	assert.Equal(t, tuple{}, *recorded)
 
+	// Valid signature with a revoked subkey
+	sig2, err = os.ReadFile("./fixtures/subkey-revoked.signature")
+	require.NoError(t, err)
+	recorded, recordingRules = setupRecording(sig2Data, TestKeyFingerprintPrimaryWithRevokedSubkey) // sig2Data describes subkey-revoked.signature as well.
+	sig, keyIdentity, err = verifyAndExtractSignature(mech, sig2, recordingRules)
+	assert.Error(t, err)
+	assert.Nil(t, sig)
+	assert.Equal(t, "", keyIdentity)
+	assert.Equal(t, tuple{}, *recorded)
+
 	// Valid signature of non-JSON: used acceptedKeyIdentities only
 	invalidBlobSignature, err := os.ReadFile("./fixtures/invalid-blob.signature")
 	require.NoError(t, err)
