[Bug] ClusterPolicy unable to verify signatures from harbor #1224

Open
2 tasks done
Thrinadh-Kumpatla opened this issue Jan 23, 2025 · 0 comments
Labels
bug Something isn't working

Comments


Thrinadh-Kumpatla commented Jan 23, 2025

Kyverno Version

1.13

Kubernetes Version

1.29

Kubernetes Platform

EKS

Description

I'm using a kyverno policy which verifies cosign signatures.
I'm signing images with cosign via a GitHub Actions workflow and pushing them to Docker. Now when running these images, I'm leveraging the harbor proxy cache to pull from instead of docker.

I will list the scenarios I observed while using the harbor proxy:

I have 5 digests with the same tag; 4 of them are signed and 1 is unsigned, and the unsigned one is also the most recent digest.

```yaml
mutateDigest: true    # Changed to true to handle digest updates
verifyDigest: true
```

Unable to pull the latest digest; instead it pulls the old image that was created when the tag was created.

```yaml
mutateDigest: false
verifyDigest: true
```

```text
Error from server: error when creating "dep.yaml": admission webhook "validate.kyverno.svc-fail" denied the request:

resource Deployment/thrinadh/thrinadh-app was blocked due to the following policies

check-image-keyless-thrinadh:
  check-image-keyless-thrinadh: missing digest for hub.dev-rudder.rudderlabs.com/dockerhub-proxy/thrinadh8898/sigstore-keyless-max-testing:pr-8
```

I didn't understand why it's complaining about a missing digest; instead it should say missing signature or no signature found.
Also I've pushed another image which is signed, and even for that it's complaining about a missing digest, which doesn't make sense.

```yaml
mutateDigest: true    # Changed to true to handle digest updates
verifyDigest: false
```

Unable to pull the latest digest; instead it pulls the old image that was created when the tag was created.

```yaml
mutateDigest: false    # Changed to true to handle digest updates
verifyDigest: false
```

Pulls the latest digest, which doesn't have a signature.

The above cases only happen with harbor and not with docker.

I've disabled the imageverifycache on the kyverno controller.

Steps to reproduce

  1. Have Harbor proxy cache with upstream to docker
  2. Kyverno to verify images
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-image-keyless-thrinadh
spec:
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30
  rules:
    - name: check-image-keyless-thrinadh
      match:
        any:
        - resources:
            kinds:
              - Pod
              - Deployment
      verifyImages:
      - imageReferences:
        - "hub.example.com/dockerhub-proxy/thrinadh8898/sigstore-keyless-max-testing:*"
        mutateDigest: true    # Changed to true to handle digest updates
        required: true
        useCache: true
        verifyDigest: false    # Changed to true to enforce digest verification
        attestors:
        - entries:
          - keyless:
              subjectRegExp: https://github\.com/.+
              issuerRegExp: https://token\.actions\.githubusercontent.+
              rekor:
                url: https://rekor.sigstore.dev
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: thrinadh-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: thrinadh-app
  template:
    metadata:
      labels:
        app: thrinadh-app  # Pod label must match selector
    spec:
      containers:
      - name: thrinadh-app
        image: hub.example.com/dockerhub-proxy/thrinadh8898/sigstore-keyless-max-testing:pr-8
        imagePullPolicy: Always
      imagePullSecrets:
      - name: regcred
```

Expected behavior

When using harbor, kyverno should always fetch the latest image which has a signature.

Screenshots

No response

Kyverno logs

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
@Thrinadh-Kumpatla Thrinadh-Kumpatla added the bug Something isn't working label Jan 23, 2025
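Added example (not from the issue and not Kyverno's own code): a small Python check that parses container image references and, for a given `mutateDigest`/`verifyDigest` pair, reports whether a Kyverno `verifyImages` rule stops at "missing digest" before the signature is even considered. It assumes Kyverno's documented behaviour that `mutateDigest` resolves the tag and writes the digest into the resource while `verifyDigest` requires a digest to be present in the reference; the image reference and the four settings combinations are constructed from the issue, and the host name is an example placeholder.

```python
import re

# Simplified OCI reference grammar: [registry[:port]/]repo[:tag][@sha256:<64 hex>]
IMAGE_RE = re.compile(
    r"^(?P<name>[^:@/\s]+(?::\d+(?=/))?(?:/[^:@\s]+)*)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

def parse_image(ref: str) -> dict:
    """Split an image reference into name, tag and digest (None when absent)."""
    m = IMAGE_RE.match(ref)
    if not m:
        raise ValueError(f"not a valid image reference: {ref}")
    return m.groupdict()

def admission_outcome(ref: str, mutate_digest: bool, verify_digest: bool) -> str:
    """Predict the digest-related outcome of a Kyverno verifyImages rule.

    Assumes Kyverno's documented behaviour: mutateDigest resolves the tag and
    writes the digest into the resource; verifyDigest then requires a digest to
    be present in the reference. Signature checking itself is not modelled.
    """
    parts = parse_image(ref)
    if parts["digest"]:
        return "digest-pinned: signature is checked against the pinned digest"
    if mutate_digest:
        return "tag resolved at admission: digest written into the resource"
    if verify_digest:
        return f"denied: missing digest for {ref}"
    return "tag-only reference admitted without digest pinning"

def settings_matrix(ref: str) -> dict:
    """Evaluate the four mutateDigest/verifyDigest combinations from the issue."""
    return {
        (mutate, verify): admission_outcome(ref, mutate, verify)
        for mutate in (True, False)
        for verify in (True, False)
    }

if __name__ == "__main__":
    # Constructed reference in the shape of the one from the issue (example host).
    ref = "hub.example.com/dockerhub-proxy/thrinadh8898/sigstore-keyless-max-testing:pr-8"
    for (mutate, verify), outcome in settings_matrix(ref).items():
        print(f"mutateDigest={mutate!s:5} verifyDigest={verify!s:5} -> {outcome}")
```

The `mutateDigest: false` / `verifyDigest: true` row reproduces the "missing digest" denial from the report for a tag-only reference, whether or not the image is signed.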