Contributing guidelines
- I've read the contributing guidelines and wholeheartedly agree
I've found a bug and checked that ...
- ... the documentation does not mention anything about my problem
- ... there are no open or closed issues that are related to my problem
Description
The verify_git_signature built-in rego function fails to verify valid signatures when a keyring file contains multiple PGP keys, and the expected key is not the first key.
e.g. given a keys.asc like this:

```
-----BEGIN PGP PUBLIC KEY BLOCK-----
[ Key A... ]
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
[ Key B... ]
-----END PGP PUBLIC KEY BLOCK-----
```
And if you have a tag signed by Key B that you try to verify with `verify_git_signature(input.git.tag, "keys.asc")`, it only seems to parse the first key.
If you reverse the order of the keys, so that Key B comes first, verification runs successfully.
Expected behaviour
It should look up all the keys in a file.
Actual behaviour
The check fails even though the signing key is in the keyring; it just isn't the first key.
Buildx version
v0.31.0-rc2
Docker info
Builders list
v0.27.0-rc2
Configuration

```shell
curl -s https://github.com/tonistiigi.gpg > tonistiigi.gpg
curl -s https://github.com/jsternberg.gpg > jsternberg.gpg
cat tonistiigi.gpg > maintainers.asc
echo "" >> maintainers.asc
cat jsternberg.gpg >> maintainers.asc
```

```rego
# Dockerfile.rego
package docker

default allow := false

allow if input.local

allow if {
    input.git.remote == "https://github.com/moby/buildkit.git"
    input.git.tagName != ""
    verify_git_signature(input.git.tag, "maintainers.asc")
}

decision := {"allow": allow}
```

```dockerfile
# Dockerfile
FROM scratch
ADD https://github.com/moby/buildkit.git#v0.26.3 /
```

```shell
docker buildx build .
```

Build logs
Additional info
No response
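The keyring built by the configuration above is two armored blocks concatenated with a blank line between them, and the report is that only the first block is consulted. The Go program below is an added illustration of that failure mode and of the parsing the check needs; it is not buildx's or any OpenPGP library's code. It assumes only the armor layout from RFC 4880 section 6.2 (BEGIN line, optional headers, blank line, base64 body, optional `=` CRC24 line, END line); the key payloads are constructed placeholder bytes, and byte equality in `keyringContains` stands in for real signature verification against each candidate key. The function names `crc24`, `armor`, `dearmorAll` and `keyringContains` are this example's own.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// crc24 is the OpenPGP armor checksum (RFC 4880 section 6.1).
func crc24(data []byte) uint32 {
	crc := uint32(0xB704CE)
	for _, b := range data {
		crc ^= uint32(b) << 16
		for i := 0; i < 8; i++ {
			crc <<= 1
			if crc&0x1000000 != 0 {
				crc ^= 0x1864CFB
			}
		}
	}
	return crc & 0xFFFFFF
}

// armor wraps payload bytes in one armored block with a CRC24 trailer (constructed test input).
func armor(blockType string, data []byte) string {
	crc := crc24(data)
	crcB64 := base64.StdEncoding.EncodeToString([]byte{byte(crc >> 16), byte(crc >> 8), byte(crc)})
	return fmt.Sprintf("-----BEGIN %s-----\n\n%s\n=%s\n-----END %s-----\n",
		blockType, base64.StdEncoding.EncodeToString(data), crcB64, blockType)
}

// dearmorAll reads a file that concatenates several armored blocks and returns every block's
// decoded payload, checking each CRC24 when present (stopping at the first END is the reported bug).
func dearmorAll(keyring string) ([][]byte, error) {
	var blocks [][]byte
	var body strings.Builder
	crcLine, inBlock, inBody := "", false, false
	sc := bufio.NewScanner(strings.NewReader(keyring))
	for sc.Scan() {
		line := strings.TrimRight(sc.Text(), "\r")
		switch {
		case strings.HasPrefix(line, "-----BEGIN "):
			inBlock, inBody, crcLine = true, false, ""
			body.Reset()
		case !inBlock:
			// Text between blocks (such as the blank line echo "" appends) is ignored.
		case strings.HasPrefix(line, "-----END "):
			data, err := base64.StdEncoding.DecodeString(body.String())
			if err != nil {
				return nil, err
			}
			if crcLine != "" {
				want, err := base64.StdEncoding.DecodeString(crcLine[1:])
				if err != nil || len(want) != 3 {
					return nil, errors.New("malformed CRC line")
				}
				if crc24(data) != uint32(want[0])<<16|uint32(want[1])<<8|uint32(want[2]) {
					return nil, errors.New("armor CRC mismatch")
				}
			}
			blocks = append(blocks, data)
			inBlock = false
		case !inBody:
			inBody = line == "" // armor headers run until the first blank line
		case strings.HasPrefix(line, "="):
			crcLine = line
		default:
			body.WriteString(line)
		}
	}
	if inBlock {
		return nil, errors.New("unterminated armored block")
	}
	return blocks, sc.Err()
}

// keyringContains is the loop the fix needs: every decoded key is tried, not only keys[0].
func keyringContains(keys [][]byte, want []byte) bool {
	for _, k := range keys {
		if bytes.Equal(k, want) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed stand-ins for two exported keys; real ones are binary OpenPGP packets.
	keyA, keyB := []byte("constructed key material A"), []byte("constructed key material B")
	ring := armor("PGP PUBLIC KEY BLOCK", keyA) + "\n" + armor("PGP PUBLIC KEY BLOCK", keyB)
	keys, err := dearmorAll(ring)
	if err != nil {
		panic(err)
	}
	fmt.Printf("parsed %d keys; first key only finds B: %v; all keys find B: %v\n",
		len(keys), keyringContains(keys[:1], keyB), keyringContains(keys, keyB))
}
```

Two points for anyone triaging this: the symptom matches a loader that hands a single decoded armor block to the packet parser, so the fix is either to split the file into blocks first (as `dearmorAll` does) or to run the armor decoder in a loop until EOF, and then try every key rather than the first; and note that the failure is in the safe direction (a valid tag is rejected, not an invalid one accepted), so the policy still fails closed while the bug is open.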