func (pr *prSignedBy) isRunningImageAllowed(image types.Image) (bool, error) { sigs, err := image.Signatures() if err != nil { return false, err } var rejections []error for _, s := range sigs { var reason error switch res, _, err := pr.isSignatureAuthorAccepted(image, s); res { case sarAccepted: // One accepted signature is enough. return true, nil case sarRejected: reason = err case sarUnknown: // Huh?! This should not happen at all; treat it as any other invalid value. fallthrough default: reason = fmt.Errorf(`Internal error: Unexpected signature verification result "%s"`, string(res)) } rejections = append(rejections, reason) } var summary error switch len(rejections) { case 0: summary = PolicyRequirementError("A signature was required, but no signature exists") case 1: summary = rejections[0] default: var msgs []string for _, e := range rejections { msgs = append(msgs, e.Error()) } summary = PolicyRequirementError(fmt.Sprintf("None of the signatures were accepted, reasons: %s", strings.Join(msgs, "; "))) } return false, summary }