test: use environment variables
Signed-off-by: Hector Fernandez <hector@chainguard.dev>
hectorj2f committed Oct 18, 2022
1 parent ca56d97 commit dcd2bd9
Showing 3 changed files with 18 additions and 12 deletions.
6 changes: 3 additions & 3 deletions cmd/cosign/cli/dockerfile.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,8 +40,8 @@ func dockerfileVerify() *cobra.Command {
o := &options.VerifyDockerfileOptions{}

cmd := &cobra.Command{
Use: "verify",
Short: "Verify a signature on the base image specified in the Dockerfile",
Use: "verify",
Short: "Verify a signature on the base image specified in the Dockerfile",
PersistentPreRun: options.BindViper,
Long: `Verify signature and annotations on images in a Dockerfile by checking claims
against the transparency log.
Expand Down Expand Up @@ -115,4 +115,4 @@ Shell-like variables in the Dockerfile's FROM lines will be substituted with val
o.AddFlags(cmd)

return cmd
}
}
18 changes: 9 additions & 9 deletions test/e2e_test_secrets.sh
Original file line number Diff line number Diff line change
Expand Up @@ -159,33 +159,33 @@ if ( ! cmp -s randomblob randomblob_from_digest ); then false; fi

# TODO: tlog

## KMS!
## KMS using env variables!
TEST_KMS=${TEST_KMS:-gcpkms://projects/projectsigstore/locations/global/keyRings/e2e-test/cryptoKeys/test}
(crane delete $(./cosign triangulate $img)) || true
./cosign generate-key-pair --kms $TEST_KMS
COSIGN_KMS=$TEST_KMS ./cosign generate-key-pair
signing_key=$TEST_KMS

if (./cosign verify --key ${verification_key} $img); then false; fi
./cosign sign --key ${signing_key} $img
./cosign verify --key ${verification_key} $img
COSIGN_KEY=${signing_key} ./cosign sign $img
COSIGN_KEY=${verification_key} ./cosign verify $img

if (./cosign verify -a foo=bar --key ${verification_key} $img); then false; fi
./cosign sign --key ${signing_key} -a foo=bar $img
./cosign verify --key ${verification_key} -a foo=bar $img
COSIGN_KEY=${signing_key} ./cosign sign -a foo=bar $img
COSIGN_KEY=${verification_key} ./cosign verify -a foo=bar $img

# store signatures in a different repo
export COSIGN_REPOSITORY=${TEST_INSTANCE_REPO}/subbedrepo
(crane delete $(./cosign triangulate $img)) || true
./cosign sign --key ${signing_key} $img
./cosign verify --key ${verification_key} $img
COSIGN_KEY=${signing_key} ./cosign sign $img
COSIGN_KEY=${verification_key} ./cosign verify $img
unset COSIGN_REPOSITORY

# test stdin interaction for private key password
stdin_password=${COSIGN_PASSWORD}
unset COSIGN_PASSWORD
(crane delete $(./cosign triangulate $img)) || true
echo $stdin_password | ./cosign sign --key ${signing_key} --output-signature interactive.sig $img
./cosign verify --key ${verification_key} --signature interactive.sig $img
COSIGN_KEY=${verification_key} COSIGN_SIGNATURE=interactive.sig ./cosign verify $img
export COSIGN_PASSWORD=${stdin_password}

# What else needs auth?
Expand Down
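Review bot: The negative assertions at the top of the KMS block still pass the verification key through `--key` while the positive checks directly beneath them were switched to `COSIGN_KEY=`, so the "must fail" path never exercises the environment-variable binding this commit is meant to test; I would rewrite them as `if (COSIGN_KEY=${verification_key} ./cosign verify $img); then false; fi` and `if (COSIGN_KEY=${verification_key} ./cosign verify -a foo=bar $img); then false; fi`. The unchanged `echo $stdin_password | ./cosign sign --key ${signing_key} ...` line in the stdin-password block is now the only remaining `--key` sign in this section and could be switched the same way for consistency. The per-command `COSIGN_KEY=... ./cosign ...` prefix form is a good choice here because it scopes the variable to that one invocation, unlike the exported `COSIGN_REPOSITORY` a few lines below which has to be explicitly `unset` afterwards; that distinction is worth a one-line comment such as `# prefix assignments are scoped to a single cosign invocation; exported vars must be unset` so a future edit does not `export COSIGN_KEY` and leak it into later tests.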
6 changes: 6 additions & 0 deletions test/sign_blob_test.sh
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,9 @@ $COSIGN_CLI sign-blob --output-certificate blob.cert --output-signature blob.sig

echo "Verifying ..."
$COSIGN_CLI verify-blob --signature blob.sig --cert blob.cert $BLOB
echo "Verifying using cosign ENV variables..."
COSIGN_SIGNATURE=blob.sig COSIGN_CERTIFICATE=blob.cert $COSIGN_CLI verify-blob $BLOB


# Now, sign the blob with a self-signed certificate and upload to rekor
SIG_FILE=verify-experimental-signature
Expand Down Expand Up @@ -79,3 +82,6 @@ curl -X POST https://rekor.sigstore.dev/api/v1/log/entries -H 'Content-Type: app
# Verifying should still work
echo "Verifying ..."
$COSIGN_CLI verify-blob --signature "$SIG_FILE" --cert "$CERT_FILE" --certificate-chain "$CERT_FILE" "$BLOB"

echo "Verifying using cosign ENV variables ..."
COSIGN_SIGNATURE="$SIG_FILE" COSIGN_CERTIFICATE_CHAIN="$CERT_FILE" COSIGN_CERTIFICATE="$CERT_FILE" $COSIGN_CLI verify-blob "$BLOB"

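Review bot: Both new env-variable checks (`COSIGN_SIGNATURE=blob.sig COSIGN_CERTIFICATE=blob.cert $COSIGN_CLI verify-blob $BLOB` and the `COSIGN_CERTIFICATE_CHAIN` variant at the end) only repeat a verification that already succeeded with explicit flags, so they show the variables are wired but say nothing about how they interact with flags. Since the viper binding appears to turn every `COSIGN_*` variable present in the CI environment into an implicit verification input, I would add one precedence check, e.g. `COSIGN_SIGNATURE=does-not-exist.sig $COSIGN_CLI verify-blob --signature blob.sig --cert blob.cert $BLOB`, and pin in a comment whether the explicit flag is expected to win (viper normally lets a flag override an env value, but that should be asserted rather than assumed). Minor: the two echo messages differ in spacing (`ENV variables...` vs `ENV variables ...`); pick one form. This file is a flat script, so there is no enclosing function to report on.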