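#!/bin/bash
#
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# End-to-end test of cosign's key-based ("secrets") signing paths.
#
# Builds cosign and sget from the current checkout, generates a throwaway key
# pair in a temp directory and then exercises sign/verify on images, an image
# index, annotations, legacy Docker media types, blobs, sget, a KMS-backed key,
# COSIGN_REPOSITORY and the stdin-password path against a per-run scratch
# repository.
#
# Environment (all optional):
#   BASE_TEST_REPO  registry path under which per-run scratch repos are created
#   TEST_KMS        KMS key URI used by the KMS section
#   COSIGN_PASSWORD set by the script itself for the generated key
# Registry and KMS credentials are not configured here; they are presumably
# picked up from the ambient environment (docker/gcloud config) — confirm in CI.
#
# The script stops at the first failing step (set -e). Negative tests go
# through must_fail so that an unexpected success also fails the run.
# Note: set -x echoes every command, including the throwaway key password,
# into the log.

set -eux

#######################################
# Run a command that is expected to fail; abort the run if it succeeds.
# Arguments: the command and its arguments
# Returns:   0 if the command failed, 1 (fatal under set -e) if it succeeded
#######################################
must_fail() {
  if "$@"; then
    printf 'expected failure but succeeded: %s\n' "$*" >&2
    return 1
  fi
}

#######################################
# Delete the signature image cosign attaches to an image ref, ignoring
# errors (there may be nothing to delete yet).
# Arguments: $1 - image reference
#######################################
delete_signature() {
  crane delete "$(./cosign triangulate "$1")" || true
}

#######################################
# Delete every tag of a repository. A missing repo makes `crane ls` fail,
# which is deliberately tolerated (no pipefail) so the loop is a no-op.
# Arguments: $1 - repository
#######################################
purge_repo() {
  crane ls "$1" | while IFS= read -r tag; do crane delete "$1:$tag"; done
}

go build -o cosign ./cmd/cosign
go build -o sget ./cmd/sget
tmp=$(mktemp -d -t cosign-e2e-secrets.XXXX)
# The temp dir holds the generated private key; remove it on every exit path.
cleanup() { cd / && rm -rf -- "${tmp:?}"; }
trap cleanup EXIT
cp cosign sget "$tmp/"

pushd "$tmp"

# Throwaway password protecting only the test key generated below.
pass="$RANDOM"
export COSIGN_PASSWORD=$pass

BASE_TEST_REPO=${BASE_TEST_REPO:-us-central1-docker.pkg.dev/projectsigstore/cosign-ci}
# Per-run scratch path; $RANDOM keeps same-day runs apart.
TEST_INSTANCE_REPO="${BASE_TEST_REPO}/$(date +'%Y/%m/%d')/$RANDOM"

# setup
./cosign generate-key-pair
signing_key=cosign.key
verification_key=cosign.pub
img="${TEST_INSTANCE_REPO}/test"
img2="${TEST_INSTANCE_REPO}/test-2"
legacy_img="${TEST_INSTANCE_REPO}/legacy-test"
for image in "$img" "$img2" "$legacy_img"; do
  delete_signature "$image"
  crane cp busybox "$image"
done
img_copy="${img}/copy"
purge_repo "$img_copy"
multiarch_img="${TEST_INSTANCE_REPO}/multiarch-test"
purge_repo "$multiarch_img"
crane cp gcr.io/distroless/base "$multiarch_img"

# `initialize`
./cosign initialize

## sign/verify
./cosign sign --key "$signing_key" "$img"
./cosign verify --key "$verification_key" "$img"

# copy: the signature must travel with the image
./cosign copy "$img" "$img_copy"
./cosign verify --key "$verification_key" "$img_copy"

# sign recursively
./cosign sign --key "$signing_key" -r "$multiarch_img"
./cosign verify --key "$verification_key" "$multiarch_img"   # verify image index
for arch in "linux/amd64" "linux/arm64" "linux/s390x"; do
  # verify sigs on discrete images
  ./cosign verify --key "$verification_key" "${multiarch_img}@$(crane digest --platform="$arch" "$multiarch_img")"
done

## confirm use of OCI media type in signature image
crane manifest "$(./cosign triangulate "$img")" | grep -qF "application/vnd.oci.image.config.v1+json"

## sign/verify multiple images
./cosign sign --key "$signing_key" -a multiple=true "$img" "$img2"
./cosign verify --key "$verification_key" -a multiple=true "$img" "$img2"

# annotations: verification must fail until every requested annotation was signed
must_fail ./cosign verify --key "$verification_key" -a foo=bar "$img"
./cosign sign --key "$signing_key" -a foo=bar "$img"
./cosign verify --key "$verification_key" -a foo=bar "$img"

must_fail ./cosign verify --key "$verification_key" -a foo=bar -a bar=baz "$img"
./cosign sign --key "$signing_key" -a foo=bar -a bar=baz "$img"
./cosign verify --key "$verification_key" -a foo=bar -a bar=baz "$img"
./cosign verify --key "$verification_key" -a bar=baz "$img"

# confirm the use of legacy (Docker) media types
COSIGN_DOCKER_MEDIA_TYPES=1 ./cosign sign --key "$signing_key" "$legacy_img"
./cosign verify --key "$verification_key" "$legacy_img"
legacy_manifest=$(crane manifest "$(./cosign triangulate "$legacy_img")")
grep -qF "application/vnd.docker.distribution.manifest.v2+json" <<<"$legacy_manifest"
grep -qF "application/vnd.docker.container.image.v1+json" <<<"$legacy_manifest"

# wrong keys: a freshly generated cosign.pub must not verify the existing signature.
# mkdir and pushd are separate statements so a failed mkdir stops the run under
# set -e instead of regenerating the key pair in the parent directory.
mkdir wrong
pushd wrong
../cosign generate-key-pair
must_fail ../cosign verify --key "$verification_key" "$img"
popd

## sign-blob
printf '%s\n' "myblob" > myblob
printf '%s\n' "myblob2" > myblob2
./cosign sign-blob --key "$signing_key" myblob > myblob.sig
./cosign sign-blob --key "$signing_key" myblob2 > myblob2.sig

./cosign verify-blob --key "$verification_key" --signature myblob.sig myblob
must_fail ./cosign verify-blob --key "$verification_key" --signature myblob.sig myblob2

must_fail ./cosign verify-blob --key "$verification_key" --signature myblob2.sig myblob
./cosign verify-blob --key "$verification_key" --signature myblob2.sig myblob2

## sign and verify multiple blobs (one signature line per input, in order)
./cosign sign-blob --key "$signing_key" myblob myblob2 > sigs
head -n 1 sigs > car.sig
tail -n 1 sigs > cdr.sig
./cosign verify-blob --key "$verification_key" --signature car.sig myblob
./cosign verify-blob --key "$verification_key" --signature cdr.sig myblob2

## upload blob/sget
blobimg="${TEST_INSTANCE_REPO}/blob"
purge_repo "$blobimg"

# make a random blob
head -n 10 /dev/urandom | base64 > randomblob

# upload blob and sign it
dgst=$(./cosign upload blob -f randomblob "$blobimg")
./cosign sign --key "$signing_key" "$dgst"
./cosign verify --key "$verification_key" "$dgst"   # For sanity

# sget w/ signature verification should work via tag or digest
./sget --key "$verification_key" -o verified_randomblob_from_digest "$dgst"
./sget --key "$verification_key" -o verified_randomblob_from_tag "$blobimg"

# sget w/o signature verification should only work for ref by digest
# (no --key on either call, so the pair actually tests the unverified path)
./sget -o randomblob_from_digest "$dgst"
must_fail ./sget -o randomblob_from_tag "$blobimg"

# clean up a bit
crane delete "$blobimg" || true
crane delete "$dgst" || true

# Make sure they're the same (cmp exits non-zero on a mismatch, which set -e turns fatal)
cmp -- randomblob verified_randomblob_from_digest
cmp -- randomblob verified_randomblob_from_tag
cmp -- randomblob randomblob_from_digest

# TODO: tlog

## KMS!
TEST_KMS=${TEST_KMS:-gcpkms://projects/projectsigstore/locations/global/keyRings/e2e-test/cryptoKeys/test}
delete_signature "$img"
# generate-key-pair --kms rewrites cosign.pub; the verify steps below rely on it
# holding the KMS public key.
./cosign generate-key-pair --kms "$TEST_KMS"
signing_key=$TEST_KMS

must_fail ./cosign verify --key "$verification_key" "$img"
./cosign sign --key "$signing_key" "$img"
./cosign verify --key "$verification_key" "$img"

must_fail ./cosign verify -a foo=bar --key "$verification_key" "$img"
./cosign sign --key "$signing_key" -a foo=bar "$img"
./cosign verify --key "$verification_key" -a foo=bar "$img"

# store signatures in a different repo
export COSIGN_REPOSITORY="${TEST_INSTANCE_REPO}/subbedrepo"
delete_signature "$img"
./cosign sign --key "$signing_key" "$img"
./cosign verify --key "$verification_key" "$img"
unset COSIGN_REPOSITORY

# test stdin interaction for private key password
stdin_password=$COSIGN_PASSWORD
unset COSIGN_PASSWORD
delete_signature "$img"
printf '%s\n' "$stdin_password" | ./cosign sign --key "$signing_key" --output-signature interactive.sig "$img"
./cosign verify --key "$verification_key" --signature interactive.sig "$img"
export COSIGN_PASSWORD=$stdin_password

# What else needs auth?
echo "SUCCESS"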