
Controller cannot be deployed in airgapped environments because --disable-tuf=true flag does not behave as expected for Github Root of Trust #180

Closed
federico-falconieri-form3 opened this issue Nov 11, 2024 · 6 comments

@federico-falconieri-form3

The sigstore policy controller can be launched with the flag --disable-tuf=true to avoid configuring the trust root online; see the related issue that led to the flag being implemented: sigstore/policy-controller#354. This is critical in airgapped environments.

When we deploy the github fork of the controller we can use that flag and it will work for the Sigstore Root of Trust, however the controller still tries to reach Github Root of Trust at https://tuf-repo.github.com//3.root.json... this should not be necessary as the trust root is provided through a CRD via the https://github.com/github/artifact-attestations-helm-charts/blob/main/charts/trust-policies/templates/trustroot-github.yaml

@federico-falconieri-form3 (Author) commented Nov 12, 2024

Update: I noticed that the controller tries to reach the mirror url that is specified in the trust-policies TrustRoot github even if --tuf-disable is true. Then I had a look at the TrustRoot CRD and found

description: Spec is the definition for a trust root. This is either a TUF root and remote or local repository. You can also bring your own keys/certs here.

The github TrustRoot is of type remote. We most likely need one of type repository to work in airgapped environments... I found this article on setting up TUF that also shows how to get this repository: https://blog.sigstore.dev/sigstore-bring-your-own-stuf-with-tuf-40febfd2badd

I'll pick up from here tomorrow. In any case I'm curious how frequently updating will be necessary...

@codysoyland (Collaborator)

Thank you for reporting! That's right, the issue here is that the trust-policies Helm chart includes an online TUF reference, therefore the flag you mentioned doesn't have an effect here. This is "by design" but I agree that we should provide instructions for an offline-ready root of trust for GitHub's CA. I will plan to write up those instructions.

> I'll pick up from here tomorrow. In any case I'm curious how frequently updating will be necessary...

For offline trust roots, we'd simply recommend updating it as often as possible, as the certificates may be rotated/updated as soon as 24 hours before entering production use. We currently plan on rotating certificates at least once per six months. Because of this, for air-gapped installations, I would script the update of the trust root as part of the process of updating all other components that may depend on it.

@codysoyland codysoyland self-assigned this Nov 15, 2024
@codysoyland (Collaborator)

I added an issue and PR to the main policy-controller project to allow simple trusted-root support for air-gapped environments. When that is merged, I can pull it into this fork and add air-gapped support for pulling in the trusted root to our helm charts.

@federico-falconieri-form3 (Author)

thank you @codysoyland great work!

@federico-falconieri-form3 federico-falconieri-form3 changed the title Controller cannot be deployed in airgapped environments because --disable-tuf=true flag does not work for Github Root of Trust Controller cannot be deployed in airgapped environments because --disable-tuf=true flag does not behave as expected for Github Root of Trust Dec 3, 2024
falcorocks commented Dec 3, 2024

An update on this that may be useful for others running into the same problems. I've tried to deploy the TrustRoot CR as a repository to work in an airgapped deployment but I am still unable to make it work.

Repository TrustRoot CR

I was able to assemble the CR with https://github.com/prezha/trustroot. The CR I got with `./trustroot.sh https://tuf-repo.github.com/4.root.json https://tuf-repo.github.com/` is:

apiVersion: policy.sigstore.dev/v1alpha1
kind: TrustRoot
metadata:
  name: github-offline
spec:
  repository:
    root: |-
      {
       "signatures": [
        {
         "keyid": "a10513a5ab61acd0c6b6fbe0504856ead18f3b17c4fabbe3fa848c79a5a187cf",
         "sig": "3044022018e2b15e451ba16070add529ad17e062bd72ddabb61c213e3df5ae00dcf11294022061212e19ac527c1aa441e3c057b366f87787e8a28913d6b935362e7079c877e0"
        },
        {
         "keyid": "88737ccdac7b49cc237e9aaead81be2a40278b886a693d8149a19cf543f093d3",
         "sig": ""
        },
        {
         "keyid": "8b498a80a1b7af188c10c9abdf6aade81d14faaffcde2abcd6063baa673ebd12",
         "sig": ""
        },
        {
         "keyid": "539dde44014c850fe6eeb8b299eb7dae2e1f4bf83454b949e98aa73542cdc65a",
         "sig": ""
        },
        {
         "keyid": "54809115b40137aac01af4b7ac2408c77ea0d58fa4dad48fc3196497d2a26f44",
         "sig": ""
        },
        {
         "keyid": "eb8eff37f93af2faaba519f341decec3cecd3eeafcace32966db9723842c8a62",
         "sig": "3045022100ee3c91a6a90e5d212b85afa4833376fecd1daaafcba902b1b528fc396fdc700c02202a4635bfb7eae0d24ddaacbae27e2d6ef229c44103e69956b434cb84f801af71"
        },
        {
         "keyid": "4f4d1dd75f2d7f3860e3a068d7bed90dec5f0faafcbe1ace7fb7d95d29e07228",
         "sig": "304402203b7972cb747ecab2045990cbd64e0217897fb94edf97233535fe484ad0ec5b040220688290ad4c0c72de08c3711f1ba57b433f4c1c6552aca484b7706413da5bdcc4"
        },
        {
         "keyid": "d6a89e23fb22801a0d1186bf1bdd007e228f65a8aa9964d24d06cb5fbb0ce91c",
         "sig": "3044022003da5551e27785354f09735c9b65b7df52f886ebb6892f312ea1f0c3211166730220720ce96a3cc1d145293cb4d4a43d9b42df1264525600fa5de507ba29135a0eb1"
        }
       ],
       "signed": {
        "_type": "root",
        "consistent_snapshot": true,
        "expires": "2025-07-19T13:19:33Z",
        "keys": {
         "4f4d1dd75f2d7f3860e3a068d7bed90dec5f0faafcbe1ace7fb7d95d29e07228": {
          "keytype": "ecdsa",
          "keyval": {
           "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENki7aZVips5SgRzCd/Om0CGzQKY/\nnv84giqVDmdwb2ys82Z6soFLasvYYEEQcwqaC170n9gr93wHUgPc796uJA==\n-----END PUBLIC KEY-----\n"
          },
          "scheme": "ecdsa-sha2-nistp256",
          "x-tuf-on-ci-keyowner": "@ashtom"
         },
         "539dde44014c850fe6eeb8b299eb7dae2e1f4bf83454b949e98aa73542cdc65a": {
          "keytype": "ecdsa",
          "keyval": {
           "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElD0o2sOZN9n3RKQ7PtMLAoXj+2Ai\nn4PKT/pfnzDlNLrD3VTQwCc4sR4t+OLu4KQ+qk+kXkR9YuBsu3bdJZ1OWw==\n-----END PUBLIC KEY-----\n"
          },
          "scheme": "ecdsa-sha2-nistp256",
          "x-tuf-on-ci-keyowner": "@nerdneha"
         },
         "54809115b40137aac01af4b7ac2408c77ea0d58fa4dad48fc3196497d2a26f44": {
          "keytype": "ecdsa",
          "keyval": {
           "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEimKcdST+ORD+g0aGEFDOVZDAaIYg\nIgesNKiIe2L7MUsYx5UHhzQ08quvew13eYSCNJnfwooFZu7cdTu8AwqFjQ==\n-----END PUBLIC KEY-----\n"
          },
          "scheme": "ecdsa-sha2-nistp256",
          "x-tuf-on-ci-keyowner": "@alexiswales"
         },
         "88737ccdac7b49cc237e9aaead81be2a40278b886a693d8149a19cf543f093d3": {
          "keytype": "ecdsa",
          "keyval": {
           "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBagkskNOpOTbetTX5CdnvMy+LiWn\nonRrNrqAHL4WgiebH7Uig7GLhC3bkeA/qgb926/vr9qhOPG9Buj2HatrPw==\n-----END PUBLIC KEY-----\n"
          },
          "scheme": "ecdsa-sha2-nistp256",
          "x-tuf-on-ci-keyowner": "@gregose"
         },
         "8b498a80a1b7af188c10c9abdf6aade81d14faaffcde2abcd6063baa673ebd12": {
          "keytype": "ecdsa",
          "keyval": {
           "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7IEoVNwrprchXGhT5sAhSax7SOd3\n8duuISghCzfmHdKJWSbV2wJRamRiUVRtmA83K/qm5cT20WXMCT5QeM/D3A==\n-----END PUBLIC KEY-----\n"
          },
          "scheme": "ecdsa-sha2-nistp256",
          "x-tuf-on-ci-keyowner": "@trevrosen"
         },
         "a10513a5ab61acd0c6b6fbe0504856ead18f3b17c4fabbe3fa848c79a5a187cf": {
          "keytype": "ecdsa",
          "keyval": {
           "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEC2wJ3xscyXxBLybJ9FVjwkyQMe53\nRHUz77AjMO8MzVaT8xw6ZvJqdNZiytYtigWULlINxw6frNsWJKb/f7lC8A==\n-----END PUBLIC KEY-----\n"
          },
          "scheme": "ecdsa-sha2-nistp256",
          "x-tuf-on-ci-keyowner": "@kommendorkapten"
         },
         "d6a89e23fb22801a0d1186bf1bdd007e228f65a8aa9964d24d06cb5fbb0ce91c": {
          "keytype": "ecdsa",
          "keyval": {
           "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDdORwcruW3gqAgaLjH/nNdGMB4kQ\nAvA+wD6DyO4P/wR8ee2ce83NZHq1ZADKhve0rlYKaKy3CqyQ5SmlZ36Zhw==\n-----END PUBLIC KEY-----\n"
          },
          "scheme": "ecdsa-sha2-nistp256",
          "x-tuf-on-ci-keyowner": "@krukow"
         },
         "eb9799b483affac9da87ef4c9ea467928415c961349e607e5e6e485679b07f8f": {
          "keytype": "ecdsa",
          "keyval": {
           "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENKNcNcX+d73lS1TRFb9Vnp8JvOoh\nzYQ+in43iGenbG8RGo9L/6FJ2hoRbVU6xskvyuErcdPbCdI4GxrQ5i8hkw==\n-----END PUBLIC KEY-----\n"
          },
          "scheme": "ecdsa-sha2-nistp256",
          "x-tuf-on-ci-online-uri": "azurekms://production-tuf-root.vault.azure.net/keys/Online-Key/aaf375fd8ed24acb949a5cc173700b05"
         }
        },
        "roles": {
         "root": {
          "keyids": [
           "a10513a5ab61acd0c6b6fbe0504856ead18f3b17c4fabbe3fa848c79a5a187cf",
           "4f4d1dd75f2d7f3860e3a068d7bed90dec5f0faafcbe1ace7fb7d95d29e07228",
           "88737ccdac7b49cc237e9aaead81be2a40278b886a693d8149a19cf543f093d3",
           "d6a89e23fb22801a0d1186bf1bdd007e228f65a8aa9964d24d06cb5fbb0ce91c",
           "8b498a80a1b7af188c10c9abdf6aade81d14faaffcde2abcd6063baa673ebd12",
           "539dde44014c850fe6eeb8b299eb7dae2e1f4bf83454b949e98aa73542cdc65a",
           "54809115b40137aac01af4b7ac2408c77ea0d58fa4dad48fc3196497d2a26f44"
          ],
          "threshold": 3
         },
         "snapshot": {
          "keyids": [
           "eb9799b483affac9da87ef4c9ea467928415c961349e607e5e6e485679b07f8f"
          ],
          "threshold": 1,
          "x-tuf-on-ci-expiry-period": 21,
          "x-tuf-on-ci-signing-period": 7
         },
         "targets": {
          "keyids": [
           "a10513a5ab61acd0c6b6fbe0504856ead18f3b17c4fabbe3fa848c79a5a187cf",
           "4f4d1dd75f2d7f3860e3a068d7bed90dec5f0faafcbe1ace7fb7d95d29e07228",
           "88737ccdac7b49cc237e9aaead81be2a40278b886a693d8149a19cf543f093d3",
           "d6a89e23fb22801a0d1186bf1bdd007e228f65a8aa9964d24d06cb5fbb0ce91c",
           "8b498a80a1b7af188c10c9abdf6aade81d14faaffcde2abcd6063baa673ebd12",
           "539dde44014c850fe6eeb8b299eb7dae2e1f4bf83454b949e98aa73542cdc65a",
           "54809115b40137aac01af4b7ac2408c77ea0d58fa4dad48fc3196497d2a26f44"
          ],
          "threshold": 3
         },
         "timestamp": {
          "keyids": [
           "eb9799b483affac9da87ef4c9ea467928415c961349e607e5e6e485679b07f8f"
          ],
          "threshold": 1,
          "x-tuf-on-ci-expiry-period": 7,
          "x-tuf-on-ci-signing-period": 6
         }
        },
        "spec_version": "1.0.31",
        "version": 4,
        "x-tuf-on-ci-expiry-period": 240,
        "x-tuf-on-ci-signing-period": 60
       }
      }
    mirrorFS: |-
      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

I've then deployed:

  • the controller with --disable-tuf=true to avoid it bootstrapping itself with the public-good sigstore root of trust
  • the above CR
  • a policy that denies deployment to artifacts attested by organisations other than my own

policy:
apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: attested-by-github-org
spec:
  mode: enforce
  images:
    - glob: "**"
  authorities:
  - name: github-offline
    keyless:
      trustRootRef: github-offline
      url: https://fulcio.githubapp.com
      identities:
      - issuer: https://token.actions.githubusercontent.com
        subjectRegExp: https://github.com/REDACTED/.*/\.github/workflows/.*
    rfc3161timestamp:
      trustRootRef: github-offline
    signatureFormat: bundle
    attestations:
    - name: require-attestation
      predicateType: https://slsa.dev/provenance/v1

The webhook happily processes the TrustRoot CR and updates the configmap config-sigstore-keys with its contents.

Name:         config-sigstore-keys
Namespace:    REDACTED

Data
====
_example:
----
##################################
#                                #
#    EXAMPLE CONFIGURATION       #
< REMOVING AS IRRELEVANT >
###################################


github-offline:
----
{"mediaType":"application/vnd.dev.sigstore.trustedroot+json;version=0.1", "certificateAuthorities":[{"subject":{"organization":"GitHub, Inc.", "commonName":"Internal Services Root"}, "uri":"fulcio.githubapp.com", "certChain":{"certificates":[{"rawBytes":"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"}, {"rawBytes":"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"}, {"rawBytes":"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"}]}, "validFor":{"start":"2023-10-27T16:30:00Z", "end":"2024-05-25T00:00:00Z"}}, {"subject":{"organization":"GitHub, Inc.", "commonName":"Internal Services Root"}, "uri":"fulcio.githubapp.com", "certChain":{"certificates":[{"rawBytes":"MIICKzCCAbCgAwIBAgIUOpyw2HaZefsj/4SPXutGof8E2CkwCgYIKoZIzj0EAwMwODEVMBMGA1UEChMMR2l0SHViLCBJbmMuMR8wHQYDVQQDExZGdWxjaW8gSW50ZXJtZWRpYXRlIGwxMB4XDTI0MDUxMzAwMDAwMFoXDTI1MDUxMzAwMDAwMFowODEVMBMGA1UEChMMR2l0SHViLCBJbmMuMR8wHQYDVQQDExZGdWxjaW8gSW50ZXJtZWRpYXRlIGwyMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEJNJWvW8fckfk/oQmh+qCeIlFXl9YLEkKSjZCgcVB92Fi1HQnvmpCiyqpvP91SmT1/G6QbrmTGV7MmIQlDnBWHNUT+jwZ3elGu/yfr/v8U0uhZTIli/BMj5Y4ICHK/j4do3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUD0fF3cs+ldPyiWohHJ3JmO91V7gwHwYDVR0jBBgwFoAUwOG4UqRLTz7eejgRBs9JjqFFmzMwCgYIKoZIzj0EAwMDaQAwZgIxAO7BRC9i7oGUHjjlcHU/bfqk2NLy7t6wm3K5W+jBLFbAj6sVjYcY+rrYhop/OjclbQIxALafBKLPIPjoCI29BUHwLBFP6e92ZlyaoFtoqccceXAevRaDjXFvb5+M7wnD6AuAJw=="}, {"rawBytes":"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"}, {"rawBytes":"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"}]}, "validFor":{"start":"2024-05-13T00:00:00Z", "end":"2024-10-25T00:00:00Z"}}, {"subject":{"organization":"GitHub, Inc.", "commonName":"Internal Services Root"}, "uri":"fulcio.githubapp.com", "certChain":{"certificates":[{"rawBytes":"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"}, {"rawBytes":"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"}, 
{"rawBytes":"MIIB9TCCAXqgAwIBAgIUNFryA06EHDIcd5EIbe8swbl9OY4wCgYIKoZIzj0EAwMwODEVMBMGA1UEChMMR2l0SHViLCBJbmMuMR8wHQYDVQQDExZJbnRlcm5hbCBTZXJ2aWNlcyBSb290MB4XDTIzMDgwNzEyMDAwMFoXDTMzMDgwNDEyMDAwMFowODEVMBMGA1UEChMMR2l0SHViLCBJbmMuMR8wHQYDVQQDExZJbnRlcm5hbCBTZXJ2aWNlcyBSb290MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEXYaXx4H0oNuVP/2cfydA3oaafvvkkkgb5hbL8/j/BO25S7uTmDOCA5e4QLLWCKFuc+xp2j14tCH4WmHzMUDvf2tXtInVliY5wZgQMM9L6klo/IwA9x4omdcjnT+kKJAjo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUfFJ5/6rhfHEZPnXAhrQLhGkJJMwwCgYIKoZIzj0EAwMDaQAwZgIxAPzXsV+eokrqOHSQZH/XhhHE1slOscKy3DQpYpYJ1AWmJ2lJu/XOmubBX5s7apllUwIxALw2Ts8CDACiK42UymC8fk6sbNfoXUAWqdyKTVt2Lst+wNdkRniGvx7jT65BKTkcsQ=="}]}, "validFor":{"start":"2024-10-07T00:00:00Z"}}], "timestampAuthorities":[{"subject":{"organization":"GitHub, Inc.", "commonName":"Internal Services Root"}, "uri":"timestamp.githubapp.com", "certChain":{"certificates":[{"rawBytes":"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"}, {"rawBytes":"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"}, {"rawBytes":"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"}]}, "validFor":{"start":"2023-10-27T16:30:00Z", "end":"2024-05-25T00:00:00Z"}}, {"subject":{"organization":"GitHub, Inc.", "commonName":"Internal Services Root"}, "uri":"timestamp.githubapp.com", "certChain":{"certificates":[{"rawBytes":"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"}, {"rawBytes":"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"}, {"rawBytes":"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"}]}, "validFor":{"start":"2024-05-13T00:00:00Z", "end":"2024-10-25T00:00:00Z"}}, {"subject":{"organization":"GitHub, Inc.", "commonName":"Internal Services Root"}, "uri":"timestamp.githubapp.com", "certChain":{"certificates":[{"rawBytes":"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"}, {"rawBytes":"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"}, {"rawBytes":"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"}]}, 
"validFor":{"start":"2024-10-07T00:00:00Z"}}]}


BinaryData
====

Events:  <none>

However, when I try to deploy my attested artifact (I've verified that the artifact was attested correctly and that the attestation is present in the registry) I get:

$ kubectl apply -f deploy-attested.yaml
Error from server (InternalError): error when creating "deploy-attested.yaml": Internal error occurred: failed calling webhook "policy.sigstore.dev": failed to call webhook: Post "https://webhook.sigstore.svc:443/validations?timeout=10s": context deadline exceeded

The webhook logs show this knative validation error:

sigstore-github-policy-controller-webhook-6c68dcdd86-fbjqr {"level":"error","ts":"2024-12-03T10:38:47.178Z","logger":"policy-controller","caller":"validation/validation_admit.go:183","msg":"Failed the resource specific validation","commit":"abc8ff3","knative.dev/kind":"apps/v1, Kind=Deployment","knative.dev/namespace":"REDACTED","knative.dev/name":"deploy-attested","knative.dev/operation":"CREATE","knative.dev/resource":"apps/v1, Resource=deployments","knative.dev/subresource":"","knative.dev/userinfo":"REDACTED","stacktrace":"knative.dev/pkg/webhook/resourcesemantics/validation.validate\n\tknative.dev/[email protected]/webhook/resourcesemantics/validation/validation_admit.go:183\nknative.dev/pkg/webhook/resourcesemantics/validation.(*reconciler).Admit\n\tknative.dev/[email protected]/webhook/resourcesemantics/validation/validation_admit.go:79\nknative.dev/pkg/webhook.New.admissionHandler.func4\n\tknative.dev/[email protected]/webhook/admission.go:123\nnet/http.HandlerFunc.ServeHTTP\n\tnet/http/server.go:2220\nnet/http.(*ServeMux).ServeHTTP\n\tnet/http/server.go:2747\nknative.dev/pkg/webhook.(*Webhook).ServeHTTP\n\tknative.dev/[email protected]/webhook/webhook.go:302\nknative.dev/pkg/network/handlers.(*Drainer).ServeHTTP\n\tknative.dev/[email protected]/network/handlers/drain.go:113\nnet/http.serverHandler.ServeHTTP\n\tnet/http/server.go:3210\nnet/http.(*conn).serve\n\tnet/http/server.go:2092"}

Notice that if I delete the policy or if I configure it in mode: warn the deployment works fine, so this is not an issue with registry access or with the deployment resource.
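An added pre-flight check, not part of this issue or of the policy-controller project, for the two operational concerns raised in this thread: sanity-checking a root.json before embedding it in a repository-type TrustRoot, and knowing when the offline trusted root (the validFor windows visible in config-sigstore-keys above) has gone stale, which is what the earlier advice to script trust-root updates is about. Sample data is constructed with hypothetical keyids; real keys, signatures and certChains are omitted, and the check is structural only (it does not verify the ECDSA signatures).

```python
import json
from datetime import datetime, timedelta, timezone

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed samples (hypothetical keyids; keys, sigs and certChains omitted) in the
# shape of the root.json and config-sigstore-keys entry shown in this issue.
SAMPLE_ROOT = json.dumps({
    "signatures": [{"keyid": "k1", "sig": "3044aa"}, {"keyid": "k-old", "sig": "3045bb"},
                   {"keyid": "k2", "sig": "3045dd"}, {"keyid": "k3", "sig": "3044cc"},
                   {"keyid": "k4", "sig": ""}],
    "signed": {"_type": "root", "version": 4, "expires": "2025-07-19T13:19:33Z",
               "keys": {k: {"keytype": "ecdsa"} for k in ("k1", "k2", "k3", "k4", "online")},
               "roles": {"root": {"keyids": ["k1", "k2", "k3", "k4"], "threshold": 3},
                         "targets": {"keyids": ["k1", "k2", "k3", "k4"], "threshold": 3},
                         "snapshot": {"keyids": ["online"], "threshold": 1},
                         "timestamp": {"keyids": ["online"], "threshold": 1}}}})
SAMPLE_TRUSTED_ROOT = json.dumps({
    "certificateAuthorities": [
        {"uri": "fulcio.githubapp.com",
         "validFor": {"start": "2024-05-13T00:00:00Z", "end": "2024-10-25T00:00:00Z"}},
        {"uri": "fulcio.githubapp.com", "validFor": {"start": "2024-10-07T00:00:00Z"}}],
    "timestampAuthorities": [
        {"uri": "timestamp.githubapp.com", "validFor": {"start": "2024-10-07T00:00:00Z"}}]})

def check_root_metadata(root_json, now, warn_days=30):
    """Structural/freshness checks on a root.json for a repository-type TrustRoot (no ECDSA verification)."""
    root = json.loads(root_json)
    signed, findings = root["signed"], []
    expires = parse_ts(signed["expires"])
    if expires <= now:
        findings.append(f"root v{signed['version']} expired at {signed['expires']}")
    elif expires - now < timedelta(days=warn_days):
        findings.append(f"root v{signed['version']} expires within {warn_days} days")
    for role, spec in signed["roles"].items():
        missing = [k for k in spec["keyids"] if k not in signed["keys"]]
        if missing:
            findings.append(f"{role}: keyids missing from 'keys': {missing}")
    # A rotated root is also signed by previous-root keys (keyids absent from "keys");
    # only signatures by current root keys count toward the root threshold.
    root_role = signed["roles"]["root"]
    signers = {s["keyid"] for s in root["signatures"] if s["sig"] and s["keyid"] in root_role["keyids"]}
    if len(signers) < root_role["threshold"]:
        findings.append(f"{len(signers)} current root-key signatures, threshold {root_role['threshold']}")
    return findings

def active_authorities(trusted_root_json, now):
    """Indexes of CA/TSA chains whose validFor window covers `now`; a missing 'end' means still valid."""
    tr, out = json.loads(trusted_root_json), {}
    for section in ("certificateAuthorities", "timestampAuthorities"):
        out[section] = [i for i, a in enumerate(tr.get(section, []))
                        if parse_ts(a["validFor"]["start"]) <= now
                        and ("end" not in a["validFor"] or now < parse_ts(a["validFor"]["end"]))]
    return out
```

An empty list in either section of active_authorities means no chain covers the current time and the offline root must be refreshed before verification can succeed.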

@federico-falconieri-form3 (Author)

Turns out this was a combination of unrelated problems that made it tricky to understand what was happening. It's working fine 👍
