roof/pic
1
0
Fork 0
Code Issues Pull Requests Actions Wiki Activity

feat: secure build phase 2 — enforce image verification by default

Browse Source 
All store images are now digest-pinned and cosign-signed by the publish
pipeline, so the warn-by-default training-wheels period is over: an
unsigned or undigested image must not install unless the admin
explicitly opts out. The service_composer fallback used when the config
manager is unavailable or corrupt also flips to enforce — config
corruption must fail closed rather than silently weaken verification.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Dmitrii Iurco
2026-06-11 14:12:58 -04:00
parent c430a392b8
commit 2ab3d2d5ac
5 changed files with 66 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/test_config_manager.py
+6 -6
View File
@@ -518,7 +518,7 @@ class TestEmailManagerApply(unittest.TestCase):
class TestImageVerificationConfig(unittest.TestCase):
"""image_verification config round-trip and warn-by-default behaviour."""
"""image_verification config round-trip; default is now 'enforce' (P3)."""
def setUp(self):
self.temp_dir = tempfile.mkdtemp()
@@ -530,9 +530,9 @@ class TestImageVerificationConfig(unittest.TestCase):
def tearDown(self):
shutil.rmtree(self.temp_dir)
def test_default_mode_is_warn(self):
self.assertEqual(self.cm.get_image_verification_mode(), 'warn')
self.assertEqual(self.cm.get_image_verification(), {'mode': 'warn'})
def test_default_mode_is_enforce(self):
self.assertEqual(self.cm.get_image_verification_mode(), 'enforce')
self.assertEqual(self.cm.get_image_verification(), {'mode': 'enforce'})
def test_set_and_get_round_trip(self):
for mode in ('off', 'warn', 'enforce'):
@@ -548,9 +548,9 @@ class TestImageVerificationConfig(unittest.TestCase):
with self.assertRaises(ValueError):
self.cm.set_image_verification_mode('paranoid')
def test_corrupt_section_falls_back_to_warn(self):
def test_corrupt_section_falls_back_to_enforce(self):
self.cm.configs['image_verification'] = {'mode': 'bogus'}
self.assertEqual(self.cm.get_image_verification_mode(), 'warn')
self.assertEqual(self.cm.get_image_verification_mode(), 'enforce')
if __name__ == '__main__':