Migrate (Cluster)ImagePolicy to v1

Signed-off-by: Qi Wang <qiwan@redhat.com>

Author: QiWang19

pkg/controller/bootstrap/bootstrap.go

@@ -87,8 +87,8 @@ func (b *Bootstrap) Run(destDir string) error {
 		icspRules            []*apioperatorsv1alpha1.ImageContentSourcePolicy
 		idmsRules            []*apicfgv1.ImageDigestMirrorSet
 		itmsRules            []*apicfgv1.ImageTagMirrorSet
-		clusterImagePolicies []*apicfgv1alpha1.ClusterImagePolicy
-		imagePolicies        []*apicfgv1alpha1.ImagePolicy
+		clusterImagePolicies []*apicfgv1.ClusterImagePolicy
+		imagePolicies        []*apicfgv1.ImagePolicy
 		imgCfg               *apicfgv1.Image
 		apiServer            *apicfgv1.APIServer
 	)
@@ -138,9 +138,9 @@ func (b *Bootstrap) Run(destDir string) error {
 				itmsRules = append(itmsRules, obj)
 			case *apicfgv1.Image:
 				imgCfg = obj
-			case *apicfgv1alpha1.ClusterImagePolicy:
+			case *apicfgv1.ClusterImagePolicy:
 				clusterImagePolicies = append(clusterImagePolicies, obj)
-			case *apicfgv1alpha1.ImagePolicy:
+			case *apicfgv1.ImagePolicy:
 				imagePolicies = append(imagePolicies, obj)
 			case *apicfgv1.FeatureGate:
 				if obj.GetName() == ctrlcommon.ClusterFeatureInstanceName {

pkg/controller/container-runtime-config/container_runtime_config_controller.go

@@ -19,7 +19,6 @@ import (
 	configinformers "github.com/openshift/client-go/config/informers/externalversions"
 	cligoinformersv1 "github.com/openshift/client-go/config/informers/externalversions/config/v1"
 	cligolistersv1 "github.com/openshift/client-go/config/listers/config/v1"
-	cligolistersv1alpha1 "github.com/openshift/client-go/config/listers/config/v1alpha1"
 	runtimeutils "github.com/openshift/runtime-utils/pkg/registries"
 
 	operatorinformersv1alpha1 "github.com/openshift/client-go/operator/informers/externalversions/operator/v1alpha1"
@@ -107,10 +106,10 @@ type Controller struct {
 	itmsListerSynced cache.InformerSynced
 
 	configInformerFactory          configinformers.SharedInformerFactory
-	clusterImagePolicyLister       cligolistersv1alpha1.ClusterImagePolicyLister
+	clusterImagePolicyLister       cligolistersv1.ClusterImagePolicyLister
 	clusterImagePolicyListerSynced cache.InformerSynced
 
-	imagePolicyLister       cligolistersv1alpha1.ImagePolicyLister
+	imagePolicyLister       cligolistersv1.ImagePolicyLister
 	imagePolicyListerSynced cache.InformerSynced
 	addedPolicyObservers    bool
 
@@ -320,15 +319,15 @@ func (ctrl *Controller) addImagePolicyObservers() {
 		UpdateFunc: ctrl.clusterImagePolicyUpdated,
 		DeleteFunc: ctrl.clusterImagePolicyDeleted,
 	})
-	ctrl.clusterImagePolicyLister = ctrl.configInformerFactory.Config().V1alpha1().ClusterImagePolicies().Lister()
+	ctrl.clusterImagePolicyLister = ctrl.configInformerFactory.Config().V1().ClusterImagePolicies().Lister()
 	ctrl.clusterImagePolicyListerSynced = ctrl.configInformerFactory.Config().V1alpha1().ClusterImagePolicies().Informer().HasSynced
 
 	ctrl.configInformerFactory.Config().V1alpha1().ImagePolicies().Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
 		AddFunc:    ctrl.imagePolicyAdded,
 		UpdateFunc: ctrl.imagePolicyUpdated,
 		DeleteFunc: ctrl.imagePolicyDeleted,
 	})
-	ctrl.imagePolicyLister = ctrl.configInformerFactory.Config().V1alpha1().ImagePolicies().Lister()
+	ctrl.imagePolicyLister = ctrl.configInformerFactory.Config().V1().ImagePolicies().Lister()
 	ctrl.imagePolicyListerSynced = ctrl.configInformerFactory.Config().V1alpha1().ImagePolicies().Informer().HasSynced
 }
 
@@ -866,24 +865,24 @@ func (ctrl *Controller) syncImageConfig(key string) error {
 	var (
 		registriesBlocked, policyBlocked, allowedRegs []string
 		releaseImage                                  string
-		clusterImagePolicies                          []*apicfgv1alpha1.ClusterImagePolicy
+		clusterImagePolicies                          []*apicfgv1.ClusterImagePolicy
 		clusterScopePolicies                          map[string]signature.PolicyRequirements
-		imagePolicies                                 []*apicfgv1alpha1.ImagePolicy
+		imagePolicies                                 []*apicfgv1.ImagePolicy
 		scopeNamespacePolicies                        map[string]map[string]signature.PolicyRequirements
 	)
 
 	if ctrl.sigstoreAPIEnabled() && ctrl.addedPolicyObservers {
 		// Find all ClusterImagePolicy objects
 		clusterImagePolicies, err = ctrl.clusterImagePolicyLister.List(labels.Everything())
 		if err != nil && errors.IsNotFound(err) {
-			clusterImagePolicies = []*apicfgv1alpha1.ClusterImagePolicy{}
+			clusterImagePolicies = []*apicfgv1.ClusterImagePolicy{}
 		} else if err != nil {
 			return nil
 		}
 		// Find all ImagePolicy objects
 		imagePolicies, err = ctrl.imagePolicyLister.List(labels.Everything())
 		if err != nil && errors.IsNotFound(err) {
-			imagePolicies = []*apicfgv1alpha1.ImagePolicy{}
+			imagePolicies = []*apicfgv1.ImagePolicy{}
 		} else if err != nil {
 			return nil
 		}
@@ -1068,7 +1067,7 @@ func registriesConfigIgnition(templateDir string, controllerConfig *mcfgv1.Contr
 
 // getValidScopePolicies returns a map[scope]policyRequirement from ClusterImagePolicy, a map[scope][namespace]policyRequirement from ImagePolicy CRs.
 // It skips ImagePolicy scopes that conflict with ClusterImagePolicy scopes and logs the conflicting scopes in the ImagePolicy Status.
-func getValidScopePolicies(clusterImagePolicies []*apicfgv1alpha1.ClusterImagePolicy, imagePolicies []*apicfgv1alpha1.ImagePolicy, ctrl *Controller) (map[string]signature.PolicyRequirements, map[string]map[string]signature.PolicyRequirements, error) {
+func getValidScopePolicies(clusterImagePolicies []*apicfgv1.ClusterImagePolicy, imagePolicies []*apicfgv1.ImagePolicy, ctrl *Controller) (map[string]signature.PolicyRequirements, map[string]map[string]signature.PolicyRequirements, error) {
 	clusterScopePolicies := make(map[string]signature.PolicyRequirements)
 	namespacePolicies := make(map[string]map[string]signature.PolicyRequirements)
 
@@ -1141,7 +1140,7 @@ func (ctrl *Controller) syncImagePolicyStatusOnly(namespace, imagepolicy, condit
 // RunImageBootstrap generates MachineConfig objects for mcpPools that would have been generated by syncImageConfig,
 // except that mcfgv1.Image is not available.
 func RunImageBootstrap(templateDir string, controllerConfig *mcfgv1.ControllerConfig, mcpPools []*mcfgv1.MachineConfigPool, icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy,
-	idmsRules []*apicfgv1.ImageDigestMirrorSet, itmsRules []*apicfgv1.ImageTagMirrorSet, imgCfg *apicfgv1.Image, clusterImagePolicies []*apicfgv1alpha1.ClusterImagePolicy, imagePolicies []*apicfgv1alpha1.ImagePolicy,
+	idmsRules []*apicfgv1.ImageDigestMirrorSet, itmsRules []*apicfgv1.ImageTagMirrorSet, imgCfg *apicfgv1.Image, clusterImagePolicies []*apicfgv1.ClusterImagePolicy, imagePolicies []*apicfgv1.ImagePolicy,
 	fgHandler ctrlcommon.FeatureGatesHandler) ([]*mcfgv1.MachineConfig, error) {
 
 	var (

pkg/controller/container-runtime-config/container_runtime_config_controller_test.go

@@ -74,8 +74,8 @@ type fixture struct {
 	icspLister               []*apioperatorsv1alpha1.ImageContentSourcePolicy
 	idmsLister               []*apicfgv1.ImageDigestMirrorSet
 	itmsLister               []*apicfgv1.ImageTagMirrorSet
-	clusterImagePolicyLister []*apicfgv1alpha1.ClusterImagePolicy
-	imagePolicyLister        []*apicfgv1alpha1.ImagePolicy
+	clusterImagePolicyLister []*apicfgv1.ClusterImagePolicy
+	imagePolicyLister        []*apicfgv1.ImagePolicy
 
 	actions               []core.Action
 	skipActionsValidation bool
@@ -211,20 +211,20 @@ func newClusterVersionConfig(name, desiredImage string) *apicfgv1.ClusterVersion
 	}
 }
 
-func newClusterImagePolicyWithPublicKey(name string, scopes []string, keyData []byte) *apicfgv1alpha1.ClusterImagePolicy {
-	imgScopes := []apicfgv1alpha1.ImageScope{}
+func newClusterImagePolicyWithPublicKey(name string, scopes []string, keyData []byte) *apicfgv1.ClusterImagePolicy {
+	imgScopes := []apicfgv1.ImageScope{}
 	for _, scope := range scopes {
-		imgScopes = append(imgScopes, apicfgv1alpha1.ImageScope(scope))
+		imgScopes = append(imgScopes, apicfgv1.ImageScope(scope))
 	}
-	return &apicfgv1alpha1.ClusterImagePolicy{
+	return &apicfgv1.ClusterImagePolicy{
 		TypeMeta:   metav1.TypeMeta{APIVersion: apicfgv1alpha1.SchemeGroupVersion.String()},
 		ObjectMeta: metav1.ObjectMeta{Name: name, UID: types.UID(utilrand.String(5)), Generation: 1},
-		Spec: apicfgv1alpha1.ClusterImagePolicySpec{
+		Spec: apicfgv1.ClusterImagePolicySpec{
 			Scopes: imgScopes,
-			Policy: apicfgv1alpha1.Policy{
-				RootOfTrust: apicfgv1alpha1.PolicyRootOfTrust{
-					PolicyType: apicfgv1alpha1.PublicKeyRootOfTrust,
-					PublicKey: &apicfgv1alpha1.PublicKey{
+			Policy: apicfgv1.Policy{
+				RootOfTrust: apicfgv1.PolicyRootOfTrust{
+					PolicyType: apicfgv1.PublicKeyRootOfTrust,
+					PublicKey: &apicfgv1.PublicKey{
 						KeyData: keyData,
 					},
 				},
@@ -233,20 +233,20 @@ func newClusterImagePolicyWithPublicKey(name string, scopes []string, keyData []
 	}
 }
 
-func newImagePolicyWithPublicKey(name, namespace string, scopes []string, keyData []byte) *apicfgv1alpha1.ImagePolicy {
-	imgScopes := []apicfgv1alpha1.ImageScope{}
+func newImagePolicyWithPublicKey(name, namespace string, scopes []string, keyData []byte) *apicfgv1.ImagePolicy {
+	imgScopes := []apicfgv1.ImageScope{}
 	for _, scope := range scopes {
-		imgScopes = append(imgScopes, apicfgv1alpha1.ImageScope(scope))
+		imgScopes = append(imgScopes, apicfgv1.ImageScope(scope))
 	}
-	return &apicfgv1alpha1.ImagePolicy{
+	return &apicfgv1.ImagePolicy{
 		TypeMeta:   metav1.TypeMeta{APIVersion: apicfgv1alpha1.SchemeGroupVersion.String()},
 		ObjectMeta: metav1.ObjectMeta{Name: name, Namespace: namespace, UID: types.UID(utilrand.String(5)), Generation: 1},
-		Spec: apicfgv1alpha1.ImagePolicySpec{
+		Spec: apicfgv1.ImagePolicySpec{
 			Scopes: imgScopes,
-			Policy: apicfgv1alpha1.Policy{
-				RootOfTrust: apicfgv1alpha1.PolicyRootOfTrust{
-					PolicyType: apicfgv1alpha1.PublicKeyRootOfTrust,
-					PublicKey: &apicfgv1alpha1.PublicKey{
+			Policy: apicfgv1.Policy{
+				RootOfTrust: apicfgv1.PolicyRootOfTrust{
+					PolicyType: apicfgv1.PublicKeyRootOfTrust,
+					PublicKey: &apicfgv1.PublicKey{
 						KeyData: keyData,
 					},
 				},
@@ -323,10 +323,10 @@ func (f *fixture) newController() *Controller {
 		ci.Config().V1().ImageTagMirrorSets().Informer().GetIndexer().Add(c)
 	}
 	for _, c := range f.clusterImagePolicyLister {
-		ci.Config().V1alpha1().ClusterImagePolicies().Informer().GetIndexer().Add(c)
+		ci.Config().V1().ClusterImagePolicies().Informer().GetIndexer().Add(c)
 	}
 	for _, c := range f.imagePolicyLister {
-		ci.Config().V1alpha1().ImagePolicies().Informer().GetIndexer().Add(c)
+		ci.Config().V1().ImagePolicies().Informer().GetIndexer().Add(c)
 	}
 
 	return c
@@ -473,7 +473,7 @@ type registriesConfigAndPolicyVerifyOptions struct {
 	numberOfImagePolicyNamespaces       int
 }
 
-func (f *fixture) verifyRegistriesConfigAndPolicyJSONContents(t *testing.T, mcName string, imgcfg *apicfgv1.Image, icsp *apioperatorsv1alpha1.ImageContentSourcePolicy, idms *apicfgv1.ImageDigestMirrorSet, itms *apicfgv1.ImageTagMirrorSet, clusterImagePolicy *apicfgv1alpha1.ClusterImagePolicy, imagePolicy *apicfgv1alpha1.ImagePolicy, releaseImageReg string, opts registriesConfigAndPolicyVerifyOptions) {
+func (f *fixture) verifyRegistriesConfigAndPolicyJSONContents(t *testing.T, mcName string, imgcfg *apicfgv1.Image, icsp *apioperatorsv1alpha1.ImageContentSourcePolicy, idms *apicfgv1.ImageDigestMirrorSet, itms *apicfgv1.ImageTagMirrorSet, clusterImagePolicy *apicfgv1.ClusterImagePolicy, imagePolicy *apicfgv1.ImagePolicy, releaseImageReg string, opts registriesConfigAndPolicyVerifyOptions) {
 	icsps := []*apioperatorsv1alpha1.ImageContentSourcePolicy{}
 	if icsp != nil {
 		icsps = append(icsps, icsp)
@@ -486,11 +486,11 @@ func (f *fixture) verifyRegistriesConfigAndPolicyJSONContents(t *testing.T, mcNa
 	if itms != nil {
 		itmss = append(itmss, itms)
 	}
-	clusterImagePolicies := []*apicfgv1alpha1.ClusterImagePolicy{}
+	clusterImagePolicies := []*apicfgv1.ClusterImagePolicy{}
 	if clusterImagePolicy != nil {
 		clusterImagePolicies = append(clusterImagePolicies, clusterImagePolicy)
 	}
-	imagePolicies := []*apicfgv1alpha1.ImagePolicy{}
+	imagePolicies := []*apicfgv1.ImagePolicy{}
 	if imagePolicy != nil {
 		imagePolicies = append(imagePolicies, imagePolicy)
 	}
@@ -499,7 +499,7 @@ func (f *fixture) verifyRegistriesConfigAndPolicyJSONContents(t *testing.T, mcNa
 	verifyRegistriesConfigAndPolicyJSONContents(t, updatedMC, mcName, imgcfg, icsps, idmss, itmss, clusterImagePolicies, imagePolicies, releaseImageReg, opts)
 }
 
-func verifyRegistriesConfigAndPolicyJSONContents(t *testing.T, mc *mcfgv1.MachineConfig, mcName string, imgcfg *apicfgv1.Image, icsps []*apioperatorsv1alpha1.ImageContentSourcePolicy, idmss []*apicfgv1.ImageDigestMirrorSet, itmss []*apicfgv1.ImageTagMirrorSet, clusterImagePolicies []*apicfgv1alpha1.ClusterImagePolicy, imagePolicies []*apicfgv1alpha1.ImagePolicy, releaseImageReg string, opts registriesConfigAndPolicyVerifyOptions) {
+func verifyRegistriesConfigAndPolicyJSONContents(t *testing.T, mc *mcfgv1.MachineConfig, mcName string, imgcfg *apicfgv1.Image, icsps []*apioperatorsv1alpha1.ImageContentSourcePolicy, idmss []*apicfgv1.ImageDigestMirrorSet, itmss []*apicfgv1.ImageTagMirrorSet, clusterImagePolicies []*apicfgv1.ClusterImagePolicy, imagePolicies []*apicfgv1.ImagePolicy, releaseImageReg string, opts registriesConfigAndPolicyVerifyOptions) {
 	// This is not testing updateRegistriesConfig, which has its own tests; this verifies the created object contains the expected
 	// configuration file.
 	// First get the valid blocked registries to ensure we don't block the registry where the release image is from
@@ -1237,8 +1237,8 @@ func TestRunImageBootstrap(t *testing.T) {
 			icspRules             []*apioperatorsv1alpha1.ImageContentSourcePolicy
 			idmsRules             []*apicfgv1.ImageDigestMirrorSet
 			itmsRules             []*apicfgv1.ImageTagMirrorSet
-			clusterImagePolicies  []*apicfgv1alpha1.ClusterImagePolicy
-			imagePolicies         []*apicfgv1alpha1.ImagePolicy
+			clusterImagePolicies  []*apicfgv1.ClusterImagePolicy
+			imagePolicies         []*apicfgv1.ImagePolicy
 			imagePolicyNamespaces int
 		}{
 			{
@@ -1267,10 +1267,10 @@ func TestRunImageBootstrap(t *testing.T) {
 				},
 			},
 			{
-				clusterImagePolicies: []*apicfgv1alpha1.ClusterImagePolicy{
+				clusterImagePolicies: []*apicfgv1.ClusterImagePolicy{
 					&testClusterImagePolicy,
 				},
-				imagePolicies: []*apicfgv1alpha1.ImagePolicy{
+				imagePolicies: []*apicfgv1.ImagePolicy{
 					&testImagePolicy,
 				},
 				imagePolicyNamespaces: 1,

pkg/controller/container-runtime-config/helpers.go

@@ -852,20 +852,20 @@ func ownerReferenceImageConfig(imageConfig *apicfgv1.Image) metav1.OwnerReferenc
 	}
 }
 
-func policyItemFromSpec(policy apicfgv1alpha1.Policy) (signature.PolicyRequirement, error) {
+func policyItemFromSpec(policy apicfgv1.Policy) (signature.PolicyRequirement, error) {
 	var (
 		sigstorePolicyRequirement signature.PolicyRequirement
 		signedIdentity            signature.PolicyReferenceMatch
 		signedOptions             []signature.PRSigstoreSignedOption
 		err                       error
 	)
 	switch policy.RootOfTrust.PolicyType {
-	case apicfgv1alpha1.PublicKeyRootOfTrust:
+	case apicfgv1.PublicKeyRootOfTrust:
 		signedOptions = append(signedOptions, signature.PRSigstoreSignedWithKeyData(policy.RootOfTrust.PublicKey.KeyData))
 		if len(policy.RootOfTrust.PublicKey.RekorKeyData) > 0 {
 			signedOptions = append(signedOptions, signature.PRSigstoreSignedWithRekorPublicKeyData(policy.RootOfTrust.PublicKey.RekorKeyData))
 		}
-	case apicfgv1alpha1.FulcioCAWithRekorRootOfTrust:
+	case apicfgv1.FulcioCAWithRekorRootOfTrust:
 		fulcioOptions := []signature.PRSigstoreSignedFulcioOption{}
 		fulcioOptions = append(fulcioOptions, signature.PRSigstoreSignedFulcioWithCAData(policy.RootOfTrust.FulcioCAWithRekor.FulcioCAData),
 			signature.PRSigstoreSignedFulcioWithOIDCIssuer(policy.RootOfTrust.FulcioCAWithRekor.FulcioSubject.OIDCIssuer),
@@ -876,7 +876,7 @@ func policyItemFromSpec(policy apicfgv1alpha1.Policy) (signature.PolicyRequireme
 			return nil, err
 		}
 		signedOptions = append(signedOptions, signature.PRSigstoreSignedWithFulcio(prSigstoreSignedFulcio), signature.PRSigstoreSignedWithRekorPublicKeyData(policy.RootOfTrust.FulcioCAWithRekor.RekorKeyData))
-	case apicfgv1alpha1.PKIRootOfTrust:
+	case apicfgv1.PKIRootOfTrust:
 		pkiOptions := []signature.PRSigstoreSignedPKIOption{}
 		pkiOptions = append(pkiOptions, signature.PRSigstoreSignedPKIWithCARootsData(policy.RootOfTrust.PKI.CertificateAuthorityRootsData))
 		if len(policy.RootOfTrust.PKI.CertificateAuthorityIntermediatesData) > 0 {
@@ -895,27 +895,30 @@ func policyItemFromSpec(policy apicfgv1alpha1.Policy) (signature.PolicyRequireme
 		signedOptions = append(signedOptions, signature.PRSigstoreSignedWithPKI(prSigstoreSignedPKI))
 	}
 
-	switch policy.SignedIdentity.MatchPolicy {
-	case apicfgv1alpha1.IdentityMatchPolicyRemapIdentity:
-		identity, err := signature.NewPRMRemapIdentity(string(policy.SignedIdentity.PolicyMatchRemapIdentity.Prefix), string(policy.SignedIdentity.PolicyMatchRemapIdentity.SignedPrefix))
-		if err != nil {
-			return nil, fmt.Errorf("error getting signedIdentity for %s: %v", apicfgv1alpha1.IdentityMatchPolicyRemapIdentity, err)
-		}
-		signedIdentity = identity
-	case apicfgv1alpha1.IdentityMatchPolicyExactRepository:
-		identity, err := signature.NewPRMExactRepository(string(policy.SignedIdentity.PolicyMatchExactRepository.Repository))
-		if err != nil {
-			return nil, fmt.Errorf("error getting signedIdentity for %s: %v", apicfgv1alpha1.IdentityMatchPolicyExactRepository, err)
+	if policy.SignedIdentity != nil {
+		switch policy.SignedIdentity.MatchPolicy {
+		case apicfgv1.IdentityMatchPolicyRemapIdentity:
+			identity, err := signature.NewPRMRemapIdentity(string(policy.SignedIdentity.PolicyMatchRemapIdentity.Prefix), string(policy.SignedIdentity.PolicyMatchRemapIdentity.SignedPrefix))
+			if err != nil {
+				return nil, fmt.Errorf("error getting signedIdentity for %s: %v", apicfgv1alpha1.IdentityMatchPolicyRemapIdentity, err)
+			}
+			signedIdentity = identity
+		case apicfgv1.IdentityMatchPolicyExactRepository:
+			identity, err := signature.NewPRMExactRepository(string(policy.SignedIdentity.PolicyMatchExactRepository.Repository))
+			if err != nil {
+				return nil, fmt.Errorf("error getting signedIdentity for %s: %v", apicfgv1alpha1.IdentityMatchPolicyExactRepository, err)
+			}
+			signedIdentity = identity
+		case apicfgv1.IdentityMatchPolicyMatchRepository:
+			signedIdentity = signature.NewPRMMatchRepository()
+		case apicfgv1.IdentityMatchPolicyMatchRepoDigestOrExact:
+			signedIdentity = signature.NewPRMMatchRepoDigestOrExact()
+		default:
+			return nil, fmt.Errorf("unknown signedIdentity match policy: %s", policy.SignedIdentity.MatchPolicy)
 		}
-		signedIdentity = identity
-	case apicfgv1alpha1.IdentityMatchPolicyMatchRepository:
-		signedIdentity = signature.NewPRMMatchRepository()
-	case apicfgv1alpha1.IdentityMatchPolicyMatchRepoDigestOrExact, "":
+	} else {
 		signedIdentity = signature.NewPRMMatchRepoDigestOrExact()
-	default:
-		return nil, fmt.Errorf("unknown signedIdentity match policy: %s", policy.SignedIdentity.MatchPolicy)
 	}
-
 	signedOptions = append(signedOptions, signature.PRSigstoreSignedWithSignedIdentity(signedIdentity))
 
 	if sigstorePolicyRequirement, err = signature.NewPRSigstoreSigned(signedOptions...); err != nil {