TrustedPublicKeys Policy


The TrustedPublicKeys policy enforces attestation signature verification against a set of trusted public keys. When this policy is included in a scan, attestation signatures are validated against the provided keys.

Spec Fields

keys

A map of named public keys. Each key entry supports one of:

pem

The public key in PEM format (inline).

pemBase64

The public key in Base64-encoded PEM format.

Example

apiVersion: policy.gradle.com/v1
kind: TrustedPublicKeys
metadata:
  name: trusted-keys
  labels:
    policy.my-corp.com/gate: build
spec:
  description: Validate attestation signatures against trusted keys
  remediation: Ensure attestations are signed with an expected key
  keys:
    my-signing-key:
      pem: |-
        -----BEGIN PUBLIC KEY-----
        MCowBQYDK2VwAyEAVzZ+Xr2RqM6RvYcOmxPADdMi7u8pJ7L8Fv6HnQz/xJg=
        -----END PUBLIC KEY-----
    my-b64-key:
      pemBase64: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUNvd0JRWURLMlZ3QXlFQVZ6WitYcjJScU02UnZZY09teFBBRGRNaTd1OHBKN0w4RnY2SG5Rei94Smc9Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo=

The keys map accepts one or more trusted public keys; each entry is given either as inline PEM (pem) or as Base64-encoded PEM (pemBase64), never both. This policy is typically referenced by label in a PolicyScanDefinition to enforce signature validation on all attestations included in a scan.
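The following Go code is an added illustration, not part of the Gradle policy documentation or its implementation: it shows the check this policy describes by normalizing each keys entry from either pem or pemBase64, parsing it as an Ed25519 public key in SubjectPublicKeyInfo form (the format of the example key above) and reporting which trusted key validates an attestation signature. The names KeyEntry, LoadTrustedKeys and VerifyAttestation are assumptions made for this example, and the YAML itself is not parsed here; the map is built directly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
)

// KeyEntry mirrors one spec.keys entry; exactly one of pem / pemBase64 must be set.
type KeyEntry struct{ PEM, PEMBase64 string }
// LoadTrustedKeys normalizes each entry to a parsed Ed25519 public key, keyed by name.
func LoadTrustedKeys(keys map[string]KeyEntry) (map[string]ed25519.PublicKey, error) {
	out := map[string]ed25519.PublicKey{}
	for name, e := range keys {
		if (e.PEM == "") == (e.PEMBase64 == "") {
			return nil, fmt.Errorf("key %q: exactly one of pem or pemBase64 is required", name)
		}
		pemText := []byte(e.PEM)
		if e.PEMBase64 != "" {
			var err error
			if pemText, err = base64.StdEncoding.DecodeString(e.PEMBase64); err != nil {
				return nil, fmt.Errorf("key %q: pemBase64: %w", name, err)
			}
		}
		block, _ := pem.Decode(pemText)
		if block == nil || block.Type != "PUBLIC KEY" {
			return nil, fmt.Errorf("key %q: expected a PEM PUBLIC KEY block", name)
		}
		pub, err := x509.ParsePKIXPublicKey(block.Bytes)
		ed, ok := pub.(ed25519.PublicKey)
		if err != nil || !ok {
			return nil, fmt.Errorf("key %q: not a valid Ed25519 public key: %v", name, err)
		}
		out[name] = ed
	}
	return out, nil
}

// VerifyAttestation returns the name of the trusted key that validates sig over payload.
func VerifyAttestation(keys map[string]ed25519.PublicKey, payload, sig []byte) (string, error) {
	for name, k := range keys {
		if ed25519.Verify(k, payload, sig) {
			return name, nil
		}
	}
	return "", fmt.Errorf("signature matches none of the %d trusted keys", len(keys))
}
```

A scan would call LoadTrustedKeys once per policy and VerifyAttestation once per attestation; an entry that sets both fields, neither field, or a non-Ed25519 key is rejected at load time rather than silently skipped.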