sigstore / policy-controller

Sigstore Policy Controller - an admission controller that can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign

Signature IDs aren't unique for the same image

wlynch opened this issue

Description

PolicyResult.ID is intended to be unique:

// A unique identifier describing this signature.
// This is typically the hash of this signature's OCI layer for images.
ID string `json:"id,omitempty"`

Currently, when a PolicySignature is created, we try to create a unique identifier by getting the digest of the signature -

id, err := ociSig.Digest()

But, non-intuitively, this doesn't give you the digest of the signature itself; it gives you the digest of the content that was signed (the signature / cert are included in layer annotations). This means that any signatures for the same image will have the same PolicySignature.ID.

We should modify this to generate a digest of the signature itself.

Version

bb9d59b (HEAD)
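The failure mode described in this issue, as an added Go example that is not the project's own code: it models a cosign-style signature layer (the signed payload as the layer blob, the base64 signature in the `dev.cosignproject.cosign/signature` annotation), shows that the layer digest, which is what `ociSig.Digest()` returns, is identical for two signatures over the same image, and then derives an ID from the signature bytes instead. The `SigLayer` type, the `LayerDigest`/`SignatureID`/`BuildExample` helpers, the Ed25519 signer and the simple-signing payload are assumptions constructed for illustration; only the annotation key is cosign's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// SignatureAnnotation is the annotation cosign uses to carry the base64 signature
// on a signature layer.
const SignatureAnnotation = "dev.cosignproject.cosign/signature"

// ErrNoSignature is returned when a layer carries no signature annotation.
var ErrNoSignature = errors.New("signature layer has no signature annotation")

// SigLayer is a hypothetical stand-in for an OCI signature layer (not a cosign
// API): the layer blob is the signed payload; the signature rides in an annotation.
type SigLayer struct {
	Payload     []byte
	Annotations map[string]string
}

// LayerDigest mirrors what ociSig.Digest() returns: the digest of the layer blob,
// i.e. the signed payload. Every signature over the same payload shares it.
func LayerDigest(l SigLayer) string {
	sum := sha256.Sum256(l.Payload)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// SignatureID derives the identifier from the signature bytes themselves, so two
// signatures over the same image get two different IDs.
func SignatureID(l SigLayer) (string, error) {
	sigB64, ok := l.Annotations[SignatureAnnotation]
	if !ok || sigB64 == "" {
		return "", ErrNoSignature
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return "", fmt.Errorf("decoding signature annotation: %w", err)
	}
	sum := sha256.Sum256(sig)
	return "sha256:" + hex.EncodeToString(sum[:]), nil
}

// signPayload simulates a signer attaching a signature layer. Ed25519 is used here
// only because it is in the standard library; cosign itself uses ECDSA.
func signPayload(payload []byte, priv ed25519.PrivateKey) SigLayer {
	sig := ed25519.Sign(priv, payload)
	return SigLayer{
		Payload: payload,
		Annotations: map[string]string{
			SignatureAnnotation: base64.StdEncoding.EncodeToString(sig),
		},
	}
}

// BuildExample produces two signature layers from two different signers over one
// constructed simple-signing payload for the same (made-up) image digest.
func BuildExample() (SigLayer, SigLayer, error) {
	payload := []byte(`{"critical":{"identity":{"docker-reference":"registry.example/app"},` +
		`"image":{"docker-manifest-digest":"sha256:` + strings.Repeat("0", 64) + `"},` +
		`"type":"cosign container image signature"},"optional":null}`)
	_, privA, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return SigLayer{}, SigLayer{}, err
	}
	_, privB, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return SigLayer{}, SigLayer{}, err
	}
	return signPayload(payload, privA), signPayload(payload, privB), nil
}

func main() {
	a, b, err := BuildExample()
	if err != nil {
		panic(err)
	}
	// Same payload, so the layer digests collide...
	fmt.Println("layer digest A:", LayerDigest(a))
	fmt.Println("layer digest B:", LayerDigest(b))
	// ...while hashing the signature bytes tells the two signatures apart.
	idA, _ := SignatureID(a)
	idB, _ := SignatureID(b)
	fmt.Println("signature ID A:", idA)
	fmt.Println("signature ID B:", idB)
}
```

Hashing the signature bytes keeps the property the `ID` comment asks for: the same signature always maps to the same ID, and a second signature over the same image (another key, or another keyless identity) gets a different one. A layer with no signature annotation is rejected rather than silently given the payload digest.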