Skip to content

refactor: move signature verification logic to its own module #2157

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
gsanchezgavier merged 3 commits into from
Feb 11, 2026
Merged

refactor: move signature verification logic to its own module #2157

gsanchezgavier merged 3 commits into from
Feb 11, 2026

Conversation

@gsanchezgavier
Copy link
Contributor

@gsanchezgavier gsanchezgavier commented Feb 6, 2026

  • moves out common signature abstractions so they can be reused by the oci signature verifier.

@gsanchezgavier gsanchezgavier requested a review from a team as a code owner February 6, 2026 14:43
gsanchezgavier
gsanchezgavier commented Feb 6, 2026
View reviewed changes
agent-control/src/signature/public_key_fetcher.rs

/// Fetches all public keys from the JWKS endpoint. If any keys are invalid, they will be
/// skipped and a warning will be logged. If no valid keys are found, an error will be returned.
pub fn fetch(&self) -> Result<Vec<PublicKey>, PubKeyFetcherError> {
Copy link
Contributor Author

@gsanchezgavier gsanchezgavier Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is meant to be used by the new cosign verificator

Copy link
Contributor

@sigilioso sigilioso Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We will probably need to update the signature and receive the url as an argument as we can have different public-key urls for different artifacts. However, we can leave that refactor for a different PR.

@gsanchezgavier gsanchezgavier marked this pull request as draft February 6, 2026 14:46
@gsanchezgavier gsanchezgavier force-pushed the gsanchez/feat/pubkey-fetcher-jwks branch from 675125c to 35c2e11 Compare February 9, 2026 07:39
@gsanchezgavier gsanchezgavier marked this pull request as ready for review February 9, 2026 08:24
danielorihuela
danielorihuela reviewed Feb 10, 2026
View reviewed changes
danielorihuela
danielorihuela approved these changes Feb 10, 2026
View reviewed changes
Copy link
Contributor

@danielorihuela danielorihuela left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great job!!! I like it. From my side, we can merge it already.

sigilioso
sigilioso approved these changes Feb 11, 2026
View reviewed changes
Copy link
Contributor

@sigilioso sigilioso left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀

@gsanchezgavier gsanchezgavier enabled auto-merge (squash) February 11, 2026 11:25
@gsanchezgavier gsanchezgavier merged commit dcb43be into freeze-develop Feb 11, 2026
56 of 58 checks passed
@gsanchezgavier gsanchezgavier deleted the gsanchez/feat/pubkey-fetcher-jwks branch February 11, 2026 11:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sigilioso sigilioso sigilioso approved these changes

@danielorihuela danielorihuela danielorihuela approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@gsanchezgavier @sigilioso @danielorihuela