Skip to content

regexp support for policy subjectAlternativeName verifier#1556

Open
crazy-max wants to merge 1 commit intosigstore:mainfrom
crazy-max:policy-regexp
Open

regexp support for policy subjectAlternativeName verifier#1556
crazy-max wants to merge 1 commit intosigstore:mainfrom
crazy-max:policy-regexp

Conversation

@crazy-max
Copy link

@crazy-max crazy-max commented Jan 12, 2026

relates to docker/actions-toolkit#929

Summary

Adds support for RegExp when verifying policy subjectAlternativeName. This is similar to cosign behavior with --certificate-identity-regexp flag:

https://github.com/sigstore/cosign/blob/10e56727c01bd682da2d536819c1493a84884940/doc/cosign_verify.md?plain=1#L89

--certificate-identity-regexp string                                                       A regular expression alternative to --certificate-identity. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --certificate-identity or --certificate-identity-regexp must be set for keyless flows.

This is specially useful when we want to match a dynamic subjectAlternativeName when signing using the github actions provider like: https://oci.dag.dev/?image=public.ecr.aws%2Fq3b5f1u4%2Ftest-docker-action%40sha256%3A670d819051bdec9cb7e4789217cd2fae3e4f1359376421ada2af1e4d53f84d3e&jq=.layers%5B0%5D.annotations%5B%22dev.sigstore.cosign%2Fcertificate%22%5D&render=x509

https://github.com/docker/github-builder-experimental/.github/workflows/build.yml@refs/heads/build-reusable-workflow

Where the ref changes based on user invocation.

Release Note

  • Regexp support for policy subjectAlternativeName verifier

Documentation

@crazy-max crazy-max requested a review from a team as a code owner January 12, 2026 12:50
@changeset-bot
Copy link

changeset-bot bot commented Jan 12, 2026

⚠️ No Changeset found

Latest commit: 9529edc

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@crazy-max crazy-max mentioned this pull request Jan 12, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@crazy-max