conforma · robnester-rh · Feb 26, 2026
diff --git a/acceptance/examples/happy_config_with_public_key.yaml b/acceptance/examples/happy_config_with_public_key.yaml
@@ -0,0 +1,7 @@
+---
+# Policy config that includes a publicKey - for testing issue #1528
+# ec validate input should work even when publicKey is specified
+publicKey: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERhr8Zj4dZW67zucg8fDr11M4lmRp\nzN6SIcIjkvH39siYg1DkCoa2h2xMUZ10ecbM3/ECqvBV55YwQ2rcIEa7XQ==\n-----END PUBLIC KEY-----"
+sources:
+  - policy:
+      - "git::https://${GITHOST}/git/happy-day-policy.git"
diff --git a/features/__snapshots__/validate_input.snap b/features/__snapshots__/validate_input.snap
@@ -139,3 +139,35 @@ success: true
 [multiple data source top level key map merging:stderr - 1]
 
 ---
+
+[valid policy URL with publicKey in policy config:stdout - 1]
+{
+  "success": true,
+  "filepaths": [
+    {
+      "filepath": "pipeline_definition.yaml",
+      "violations": [],
+      "warnings": [],
+      "successes": null,
+      "success": true,
+      "success-count": 1
+    }
+  ],
+  "policy": {
+    "sources": [
+      {
+        "policy": [
+          "git::https://${GITHOST}/git/happy-day-policy.git"
+        ]
+      }
+    ],
+    "publicKey": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERhr8Zj4dZW67zucg8fDr11M4lmRp\nzN6SIcIjkvH39siYg1DkCoa2h2xMUZ10ecbM3/ECqvBV55YwQ2rcIEa7XQ==\n-----END PUBLIC KEY-----"
+  },
+  "ec-version": "${EC_VERSION}",
+  "effective-time": "${TIMESTAMP}"
+}
+---
+
+[valid policy URL with publicKey in policy config:stderr - 1]
+
+---
diff --git a/features/validate_input.feature b/features/validate_input.feature
@@ -27,6 +27,30 @@ Feature: validate input
     Then the exit status should be 0
     Then the output should match the snapshot
 
+  # Test for issue #1528: ec validate input should work when policy has publicKey
+  Scenario: valid policy URL with publicKey in policy config
+    Given a git repository named "happy-day-config-with-public-key" with
+      | policy.yaml | examples/happy_config_with_public_key.yaml |
+    Given a git repository named "happy-day-policy" with
+      | main.rego | examples/happy_day.rego |
+    Given a pipeline definition file named "pipeline_definition.yaml" containing
+    """
+    ---
+    apiVersion: tekton.dev/v1
+    kind: Pipeline
+    metadata:
+      name: basic-build
+    spec:
+      tasks:
+      - name: appstudio-init
+        taskRef:
+          name: init
+          version: "0.1"
+    """
+    When ec command is run with "validate input --file pipeline_definition.yaml --policy git::https://${GITHOST}/git/happy-day-config-with-public-key.git --output json"
+    Then the exit status should be 0
+    Then the output should match the snapshot
+
   Scenario: valid policy URL with text output
     Given a git repository named "happy-day-config" with
       | policy.yaml | examples/happy_config.yaml |

diff --git a/internal/policy/policy.go b/internal/policy/policy.go
@@ -98,8 +98,12 @@ func (p *policy) PublicKeyPEM() ([]byte, error) {
 	if p.Keyless() {
 		return []byte{}, nil
 	}
+	// If SigVerifier is not initialized but we have PublicKey in the policy spec,
+	// return it directly. This handles scenarios like "ec validate input" where
+	// signature verification is not performed but the policy spec may contain a
+	// publicKey field (fixes issue #1528).
 	if p.checkOpts == nil || p.checkOpts.SigVerifier == nil {
-		return nil, errors.New("no check options or sig verifier configured")
+		return []byte(p.PublicKey), nil
 	}
 	pk, err := p.checkOpts.SigVerifier.PublicKey()
 	if err != nil {

diff --git a/internal/policy/policy_test.go b/internal/policy/policy_test.go
@@ -526,11 +526,13 @@ func TestPublicKeyPEM(t *testing.T) {
 			expectedPublicKey: utils.TestPublicKey,
 		},
 		{
-			name: "checkOpts is nil",
+			// When checkOpts is nil but publicKey is set in the policy spec,
+			// PublicKeyPEM returns the public key directly (fix for issue #1528)
+			name: "checkOpts is nil but publicKey in spec",
 			newPolicy: func(ctx context.Context) (Policy, error) {
-				return NewInertPolicy(ctx, fmt.Sprintf(`{"publicKey": "%s"}`, utils.TestPublicKey))
+				return NewInertPolicy(ctx, fmt.Sprintf(`{"publicKey": %s}`, utils.TestPublicKeyJSON))
 			},
-			err: "no check options or sig verifier configured",
+			expectedPublicKey: utils.TestPublicKey,
 		},
 		{
 			name: "keyless",