Commit 1c1deda

transform gencert subpackage to helper function
Signed-off-by: Dmitry S <[email protected]>
1 parent f3d55a8 commit 1c1deda

3 files changed

+398
-0
lines changed

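--- a/test/e2e_test.go
+++ b/test/e2e_test.go
@@ -131,6 +131,64 @@ func TestSignVerify(t *testing.T) {
 mustErr(verify(pubKeyPath, imgName, true, map[string]interface{}{"foo": "bar", "baz": "bat"}, "", false), t)
 }
 
+func TestSignVerifyCertBundle(t *testing.T) {
+td := t.TempDir()
+err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td)
+if err != nil {
+t.Fatal(err)
+}
+
+repo, stop := reg(t)
+defer stop()
+
+imgName := path.Join(repo, "cosign-e2e")
+
+_, _, cleanup := mkimage(t, imgName)
+defer cleanup()
+
+caCertFile, _ /* caPrivKeyFile */, caIntermediateCertFile, _ /* caIntermediatePrivKeyFile */, certFile, privKeyFile, pubkeyFile, certChainFile, err := generateCertificateBundleFiles(td, true, "foobar")
+
+ctx := context.Background()
+// Verify should fail at first
+must(verifyCertBundle(pubkeyFile, caCertFile, caIntermediateCertFile, certFile, imgName, true, nil, "", false), t)
+// So should download
+mustErr(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t)
+
+// Now sign the image
+ko := options.KeyOpts{
+KeyRef: privKeyFile,
+PassFunc: passFunc,
+RekorURL: rekorURL,
+SkipConfirmation: true,
+}
+so := options.SignOptions{
+Upload: true,
+TlogUpload: true,
+}
+must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
+
+// Now verify and download should work!
+must(verifyCertBundle(pubkeyFile, caCertFile, caIntermediateCertFile, certFile, imgName, true, nil, "", false), t)
+// verification with certificate chain instead of root/intermediate files should work as well
+must(verifyCertChain(pubkeyFile, certChainFile, certFile, imgName, true, nil, "", false), t)
+must(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t)
+
+// Look for a specific annotation
+mustErr(verifyCertBundle(pubkeyFile, caCertFile, caIntermediateCertFile, certFile, imgName, true, map[string]interface{}{"foo": "bar"}, "", false), t)
+
+so.AnnotationOptions = options.AnnotationOptions{
+Annotations: []string{"foo=bar"},
+}
+// Sign the image with an annotation
+must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
+
+// It should match this time.
+must(verifyCertBundle(pubkeyFile, caCertFile, caIntermediateCertFile, certFile, imgName, true, map[string]interface{}{"foo": "bar"}, "", false), t)
+
+// But two doesn't work
+mustErr(verifyCertBundle(pubkeyFile, caCertFile, caIntermediateCertFile, certFile, imgName, true, map[string]interface{}{"foo": "bar", "baz": "bat"}, "", false), t)
+}
+
 func TestSignVerifyClean(t *testing.T) {
 td := t.TempDir()
 err := downloadAndSetEnv(t, rekorURL+"/api/v1/log/publicKey", env.VariableSigstoreRekorPublicKey.String(), td)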
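Review bot: The `err` returned by `generateCertificateBundleFiles(td, true, "foobar")` in TestSignVerifyCertBundle is assigned and never checked, so a failed bundle generation leaves the cert and key paths empty and the test then reports whatever the later sign/verify calls do with missing files rather than the real cause; add `if err != nil { t.Fatal(err) }` directly after that assignment, mirroring the check already made for downloadAndSetEnv at the top of the function. The first verification is also asserted with `must(...)` while its comment reads "Verify should fail at first", and the sibling TestSignVerify expresses the same expectation with `mustErr`; if verifyCertBundle follows the same return convention as verify, that line should be `mustErr(verifyCertBundle(pubkeyFile, caCertFile, caIntermediateCertFile, certFile, imgName, true, nil, "", false), t)`, otherwise the comment should be corrected so the pre-sign expectation the test actually enforces is clear. The whole of TestSignVerifyCertBundle lies inside this hunk; TestSignVerifyClean continues outside it.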
