Accept wildcard mandatory signature repositories

pkg/extensions/lint/lint.go

@@ -135,7 +135,7 @@ func (linter *Linter) CheckMandatorySignatures(repo string, manifestDigest godig
 
 	mandatory := false
 	for _, mandatoryRepo := range linter.config.MandatorySignatures {
-		if repo == mandatoryRepo {
+		if mandatoryRepo == "*" || mandatoryRepo == "**" || repo == mandatoryRepo {
 			mandatory = true
 
 			break

pkg/extensions/lint/lint_signatures_test.go

@@ -81,6 +81,40 @@ func TestMandatorySignaturesFunction(t *testing.T) {
 		So(err, ShouldNotBeNil)
 		So(pass, ShouldBeFalse)
 	})
+
+	for _, wildcard := range []string{"*", "**"} {
+		wildcard := wildcard
+
+		Convey("mandatory signatures check rejects unsigned images for wildcard repository list "+wildcard, t, func() {
+			enable := true
+			lintConfig := &extconf.LintConfig{
+				BaseConfig:          extconf.BaseConfig{Enable: &enable},
+				MandatorySignatures: []string{wildcard},
+			}
+
+			dir := t.TempDir()
+			testStoreCtlr := ociutils.GetDefaultStoreController(dir, log.NewTestLogger())
+			err := WriteImageToFileSystem(CreateRandomImage(), "zot-test", "0.0.1", testStoreCtlr)
+			So(err, ShouldBeNil)
+
+			indexContent, err := os.ReadFile(path.Join(dir, "zot-test", "index.json"))
+			So(err, ShouldBeNil)
+
+			var index ispec.Index
+			err = json.Unmarshal(indexContent, &index)
+			So(err, ShouldBeNil)
+
+			linter := lint.NewLinter(lintConfig, log.NewTestLogger())
+			linter.SetSignatureVerifier(mockImageTrustStore{trusted: true}, true)
+
+			imgStore := local.NewImageStore(dir, false, false,
+				log.NewTestLogger(), monitoring.NewMetricsServer(false, log.NewTestLogger()), linter, nil, nil, nil)
+
+			pass, err := linter.CheckMandatorySignatures("zot-test", index.Manifests[0].Digest, imgStore)
+			So(err, ShouldNotBeNil)
+			So(pass, ShouldBeFalse)
+		})
+	}
 }
 
 type mockImageTrustStore struct {