add e2e test for pkcs11 token signing #3495
Conversation
Codecov report: all modified and coverable lines are covered by tests.

Coverage diff, main vs. #3495 (unchanged by this PR):

    Coverage   40.10%   40.10%
    Files         155      155
    Lines       10044    10044
    Hits         4028     4028
    Misses       5530     5530
    Partials      486      486

View full report in Codecov by Sentry.
test/e2e_test_pkcs11.sh (outdated diff)
@@ -0,0 +1,32 @@ | |||
#!/bin/bash | |||
|
|||
# Copyright 2021 The Sigstore Authors. |
This should be 2024
Also update line 1 to #!/usr/bin/env bash.
Thanks.
test/e2e_test_pkcs11.sh (outdated diff)
# add git | ||
apk add git | ||
# clone cosign | ||
git clone https://github.com/sigstore/cosign.git |
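Review bot: the git clone of https://github.com/sigstore/cosign.git on the last line checks out whatever main is at run time, so the job exercises upstream HEAD rather than the PR branch, and it adds a network fetch of a mutable ref to every test run. Mount the runner's checkout into the container instead (for example -v "$(pwd)":/root/cosign on the docker run line) and build from that directory; the apk add git step can go once the clone is gone.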
This would test Cosign at HEAD rather than on the PR.
test/e2e_test.sh (outdated diff)
# Test pkcs11 token signing | ||
echo "testing pkcs11 token signing" | ||
CONTAINER_ID=$(sudo docker run -dit --name softhsm -p 2345:2345 vegardit/softhsm2-pkcs11-proxy) | ||
sudo docker exec -i $CONTAINER_ID /bin/bash < ./test/e2e_test_pkcs11.sh |
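Review bot: -p 2345:2345 on the docker run line publishes the pkcs11-proxy port on every interface of the host, so anything that can reach the runner's address can speak PKCS#11 to the token; the test only needs it locally, so bind it with -p 127.0.0.1:2345:2345. The image reference vegardit/softhsm2-pkcs11-proxy also carries neither tag nor digest, so the test floats with whatever the registry serves next; pin it by digest. $CONTAINER_ID on the docker exec line should be quoted.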
Can this be run without sudo? I'd prefer that the tests could be run locally without needing this.
Yeah, sure.
test/e2e_test.sh (outdated diff)
@@ -79,6 +79,11 @@ docker run -d -p 5000:5000 --restart always -e REGISTRY_STORAGE_DELETE_ENABLED=t | |||
export COSIGN_TEST_REPO=localhost:5000 | |||
go test -tags=e2e -v ./test/... -run TestSignVerifyClean | |||
|
|||
# Test pkcs11 token signing | |||
echo "testing pkcs11 token signing" | |||
CONTAINER_ID=$(sudo docker run -dit --name softhsm -p 2345:2345 vegardit/softhsm2-pkcs11-proxy) |
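Review bot: the container started on the last line is never stopped or removed, and because it uses the fixed --name softhsm a second run on the same machine fails at docker run with a name conflict. Add docker rm -f softhsm to the script's cleanup path; if e2e_test.sh already traps EXIT for the registry container it starts above, note that a second trap call replaces the earlier handler rather than appending to it, so extend the existing handler instead of registering a new one.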
Need to clean up the container after the test completes.
test/e2e_test.sh (outdated diff)
@@ -79,6 +79,15 @@ docker run -d -p 5000:5000 --restart always -e REGISTRY_STORAGE_DELETE_ENABLED=t | |||
export COSIGN_TEST_REPO=localhost:5000 | |||
go test -tags=e2e -v ./test/... -run TestSignVerifyClean | |||
|
|||
# Test pkcs11 token signing |
Can we put this in its own shell script and workflow, following the pattern of other e2e tests, so it runs in parallel?
test/e2e_test.sh (outdated diff)
@@ -79,6 +79,15 @@ docker run -d -p 5000:5000 --restart always -e REGISTRY_STORAGE_DELETE_ENABLED=t | |||
export COSIGN_TEST_REPO=localhost:5000 | |||
go test -tags=e2e -v ./test/... -run TestSignVerifyClean | |||
|
|||
# Test pkcs11 token signing | |||
echo "testing pkcs11 token signing" |
Remove testing line
test/e2e_test.sh (outdated diff)
@@ -79,6 +79,15 @@ docker run -d -p 5000:5000 --restart always -e REGISTRY_STORAGE_DELETE_ENABLED=t | |||
export COSIGN_TEST_REPO=localhost:5000 | |||
go test -tags=e2e -v ./test/... -run TestSignVerifyClean | |||
|
|||
# Test pkcs11 token signing | |||
echo "testing pkcs11 token signing" | |||
CONTAINER_ID=$(docker run -dit --name softhsm -v $(pwd):/root/cosign -p 2345:2345 vegardit/softhsm2-pkcs11-proxy) |
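Review bot: $(pwd) in the -v $(pwd):/root/cosign mount on the last line is unquoted, so a checkout path containing whitespace splits into separate docker arguments; write -v "$(pwd)":/root/cosign. The mount is read-write and targets /root, which suggests the in-container build runs as root, so anything it writes lands back in the host workspace owned by root; fine on an ephemeral runner, but worth a comment for anyone running this locally. The image reference is still unpinned here; a digest closes the last mutable input in the step.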
Can we pin the docker container by hash?
Force-pushed from 35352ee to 1b311d2.
Just one small thing, moving the test to a different GHA. Thanks!
cc @cpanato if you have any other comments
.github/workflows/tests.yaml (outdated diff)
@@ -119,6 +119,9 @@ jobs: | |||
- name: Run end-to-end tests | |||
run: ./test/e2e_test.sh | |||
|
|||
- name: Run pkcs11 end-to-end tests |
Can you add this as a dedicated job in https://github.com/sigstore/cosign/blob/main/.github/workflows/e2e-tests.yml?
test/e2e_test_pkcs11.sh (outdated diff)
# Test pkcs11 token signing | ||
CONTAINER_ID=$(docker run -dit --name softhsm -v $(pwd):/root/cosign -p 2345:2345 vegardit/softhsm2-pkcs11-proxy@sha256:557a65d2a14e3986f2389d36ddce75609cbd8fb7ee6cf08a78adcc8236c2a80e) | ||
|
||
docker exec -i $CONTAINER_ID /bin/bash << 'EOF' |
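Review bot: the @sha256: digest on the docker run line is the right way to pin the image, but on its own it records nothing human-readable about which upstream release it is; write it as vegardit/softhsm2-pkcs11-proxy:<tag>@sha256:<digest> or keep the tag in a comment so the pin can be reviewed and bumped. The quoted 'EOF' heredoc on the last line is correct: nothing in the body expands on the host, so any token PIN or path in it is evaluated only inside the container. $CONTAINER_ID should still be quoted.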
Suggested change (GitHub suggestion block; the proposed line renders the same as the original):
original:  docker exec -i $CONTAINER_ID /bin/bash << 'EOF'
suggested: docker exec -i $CONTAINER_ID /bin/bash << 'EOF'
Force-pushed from 86b4fdf to 4f20f72.
Thanks for this PR; a few changes:
test/e2e_test_pkcs11.sh (outdated diff)
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
set -ex |
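Review bot: set -ex on the last line turns on xtrace for the whole script, which echoes every expanded command into the CI log; if the script passes a token PIN or a key path on a command line, that value appears in the job output. Drop -x, or enable it only around the non-sensitive sections with set -x / set +x. Spell the rest out as set -o errexit, set -o nounset and set -o pipefail: -e alone still lets an unset variable expand to an empty string and lets a pipeline report only its last command's status.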
Can you make this explicit? Like:
set -o errexit
set -o nounset
set -o pipefail
just need to update this
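The review threads above ask for several changes to the same script: explicit set -o options instead of set -ex, an image pinned by digest, no sudo, cleanup of the softhsm container, and testing the checkout rather than a fresh clone. What follows is an added example, not cosign's test script and not code from this PR, that puts those requests into one bash file. The inner script path test/pkcs11_inside_container.sh, the helper names (add_cleanup, run_cleanups, softhsm_publish_spec, start_softhsm, run_pkcs11_e2e) and the RUN_PKCS11_E2E switch are assumptions; the digest is the one quoted in the PR; binding the proxy port to loopback is this example's choice, not something the PR does.

```bash
#!/usr/bin/env bash
# Added example, not cosign's own test script. It shows the shape the review
# asked for: explicit shell options, an image pinned by digest, the proxy port
# bound to loopback, the checkout mounted instead of cloned, and a cleanup list
# that chains instead of overwriting the EXIT trap.
set -o errexit
set -o nounset
# pipefail is a bash extension, not POSIX sh; guarded so this file also runs under sh.
if [ -n "${BASH_VERSION:-}" ]; then set -o pipefail; fi

# Digest as it appears in the PR; the tag it corresponds to is not on the page.
SOFTHSM_IMAGE="vegardit/softhsm2-pkcs11-proxy@sha256:557a65d2a14e3986f2389d36ddce75609cbd8fb7ee6cf08a78adcc8236c2a80e"
SOFTHSM_NAME="softhsm"
PKCS11_PROXY_PORT=2345
# Assumption: the token-side commands live in a separate file; this path is hypothetical.
INNER_SCRIPT="test/pkcs11_inside_container.sh"
REPO_DIR=$(pwd)

# --- cleanup registry --------------------------------------------------------
# `trap cmd EXIT` replaces any handler set earlier, so two independent trap
# calls silently drop one cleanup. Keep a list and run it from a single
# handler instead; entries run in reverse registration order, like defer.
CLEANUP_CMDS=""
add_cleanup() {
  CLEANUP_CMDS="$1
${CLEANUP_CMDS}"
  trap run_cleanups EXIT
}
run_cleanups() {
  cmds=$CLEANUP_CMDS
  CLEANUP_CMDS=""          # make re-entry (trap firing after a manual call) a no-op
  while IFS= read -r cmd; do
    [ -n "$cmd" ] || continue
    eval "$cmd" || echo "cleanup failed: $cmd" >&2   # keep going past a failed step
  done <<EOF
$cmds
EOF
}

# --- container settings ------------------------------------------------------
# Bind the pkcs11-proxy port to loopback only. Plain -p 2345:2345 publishes it
# on every host interface, and the proxy carries raw PKCS#11 calls to the token.
softhsm_publish_spec() {
  printf '127.0.0.1:%s:%s' "$PKCS11_PROXY_PORT" "$PKCS11_PROXY_PORT"
}

start_softhsm() {
  # Quoted "$REPO_DIR": an unquoted $(pwd) splits on whitespace in the path.
  docker run -d --name "$SOFTHSM_NAME" \
    -p "$(softhsm_publish_spec)" \
    -v "$REPO_DIR":/root/cosign \
    "$SOFTHSM_IMAGE"
}

run_pkcs11_e2e() {
  cid=$(start_softhsm)                      # errexit aborts here if docker run fails
  add_cleanup "docker rm -f '$cid' >/dev/null 2>&1"
  # Feed the script from this checkout so the PR's code is what gets tested,
  # rather than a fresh clone of upstream main. Nothing is expanded on the host.
  docker exec -i "$cid" /bin/bash < "$REPO_DIR/$INNER_SCRIPT"
}

# Only touch Docker when explicitly asked; sourcing or testing this file is safe.
if [ "${RUN_PKCS11_E2E:-0}" = 1 ]; then
  run_pkcs11_e2e
fi
```

Run it as RUN_PKCS11_E2E=1 ./script.sh on a machine with Docker; without the variable the file only defines the helpers, which is what makes it safe to source from a test. The cleanup list is deliberately a single EXIT handler: the registry container started earlier in e2e_test.sh and the softhsm container can both register with add_cleanup without either trap call clobbering the other.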
.github/workflows/e2e-tests.yml (outdated diff)
@@ -73,3 +76,17 @@ jobs: | |||
- name: Run e2e_signblob_tsa_mtls.sh | |||
shell: bash | |||
run: make && PATH="$PWD:$PATH" ./test/e2e_signblob_tsa_mtls.sh | |||
|
|||
e2e-test-pkcs11: | |||
name: Run pkcs11 e2e tests |
you can drop this
go-version: ${{ env.GO_VERSION }} | ||
check-latest: true | ||
|
||
- name: Run pkcs11 end-to-end tests |
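Review bot: check-latest: true on the setup-go step tells the action to fetch the newest Go release matching ${{ env.GO_VERSION }} at run time, a mutable input in a job that is otherwise pinning the HSM image by digest; drop it, or accept the drift knowingly. GO_VERSION must also be defined in this workflow's env: block for the expression to resolve; an undefined env expression expands to an empty string and the step then does not get the version you intended. The new step should also set shell: bash like the other e2e jobs in this file.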
set the shell to bash like the others
Commit message (squashed sub-commits, each signed off by Vivek Kumar Sahu <vivekkumarsahu650@gmail.com>):
- add license
- small fix
- update shebang portable with cross platform
- enable exit on error and xtrace mode
- cleanup container
- pkcs11 test with upcoming changes
- run pkcs11 e2e test in a separate workflow
- add pkcs11 test in separate workflow

Signed-off-by: Vivek Kumar Sahu <vivekkumarsahu650@gmail.com>
Force-pushed from 4f20f72 to 5ed1fab.
Signed-off-by: Vivek Kumar Sahu <vivekkumarsahu650@gmail.com>
@cpanato PTAL
I will do any adjustments in a follow-up.
Thanks for this PR!
Commit message:

* added e2e test for pkcs11 token signing
  (squashed sub-commits, each signed off by Vivek Kumar Sahu <vivekkumarsahu650@gmail.com>: add license; small fix; update shebang portable with cross platform; enable exit on error and xtrace mode; cleanup container; pkcs11 test with upcoming changes; run pkcs11 e2e test in a separate workflow; add pkcs11 test in separate workflow)
* set shell to bash
* set shell options

Signed-off-by: Vivek Kumar Sahu <vivekkumarsahu650@gmail.com>
Signed-off-by: Noah Kreiger <noahkreiger@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> use go1.21.7 as go-version in actions/setup-go (sigstore#3540) * use go1.21 as go-version in actions/setup-go Signed-off-by: Dmitry S <dsavints@gmail.com> * e2e-tests.yml - remove unused GO_VERSION env var Signed-off-by: Dmitry S <dsavints@gmail.com> --------- Signed-off-by: Dmitry S <dsavints@gmail.com> chore(deps): update github/codeql-action requirement to 65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 (sigstore#3537) * chore(deps): update github/codeql-action requirement to 65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 Updates the requirements on [github/codeql-action](https://github.com/github/codeql-action) to permit the latest version. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/commits/65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * Update scorecard-action.yml Signed-off-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com> fix semgrep issues for dgryski.semgrep-go ruleset (sigstore#3541) * fix semgrep issues dgryski.semgrep-go ruleset Signed-off-by: Dmitry S <dsavints@gmail.com> * golangci-lint: check error value of out.Write() Signed-off-by: Dmitry S <dsavints@gmail.com> --------- Signed-off-by: Dmitry S <dsavints@gmail.com> fix 'go vet -tags e2e ./...' (sigstore#3550) * fix 'go vet -tags e2e ./...' 
Signed-off-by: Dmitry S <dsavints@gmail.com> * fix typo in 'concatenating' Signed-off-by: Dmitry S <dsavints@gmail.com> --------- Signed-off-by: Dmitry S <dsavints@gmail.com> chore(deps): bump github.com/xanzy/go-gitlab from 0.97.0 to 0.98.0 (sigstore#3556) Bumps [github.com/xanzy/go-gitlab](https://github.com/xanzy/go-gitlab) from 0.97.0 to 0.98.0. - [Changelog](https://github.com/xanzy/go-gitlab/blob/main/releases_test.go) - [Commits](xanzy/go-gitlab@v0.97.0...v0.98.0) --- updated-dependencies: - dependency-name: github.com/xanzy/go-gitlab dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> remove unused rootPool var (sigstore#3559) Signed-off-by: Dmitry S <dsavints@gmail.com> Bump sigstore/sigstore to v1.8.2 (sigstore#3561) Correct help text of triangulate cmd (sigstore#3551) Signed-off-by: michaelvl <mvl.gh@network42.dk> chore(deps): bump imranismail/setup-kustomize from a76db1c6419124d51470b1e388c4b29476f495f1 to f6959cf94216d4be0182d7c78b39f14d0c8bb198 (sigstore#3554) * chore(deps): bump imranismail/setup-kustomize Bumps [imranismail/setup-kustomize](https://github.com/imranismail/setup-kustomize) from a76db1c6419124d51470b1e388c4b29476f495f1 to f6959cf94216d4be0182d7c78b39f14d0c8bb198. - [Release notes](https://github.com/imranismail/setup-kustomize/releases) - [Commits](imranismail/setup-kustomize@a76db1c...f6959cf) --- updated-dependencies: - dependency-name: imranismail/setup-kustomize dependency-type: direct:production ... 
Signed-off-by: dependabot[bot] <support@github.com> * Update kind-e2e-insecure-registry.yaml Signed-off-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com> chore(deps): bump the actions group with 3 updates (sigstore#3564) Bumps the actions group with 3 updates: [google-github-actions/auth](https://github.com/google-github-actions/auth), [mikefarah/yq](https://github.com/mikefarah/yq) and [codecov/codecov-action](https://github.com/codecov/codecov-action). Updates `google-github-actions/auth` from 2.1.1 to 2.1.2 - [Release notes](https://github.com/google-github-actions/auth/releases) - [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md) - [Commits](google-github-actions/auth@a6e2e39...55bd3a7) Updates `mikefarah/yq` from 4.41.1 to 4.42.1 - [Release notes](https://github.com/mikefarah/yq/releases) - [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt) - [Commits](mikefarah/yq@0476945...9adde1a) Updates `codecov/codecov-action` from 4.0.1 to 4.1.0 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@e0b68c6...54bcd87) --- updated-dependencies: - dependency-name: google-github-actions/auth dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: mikefarah/yq dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> re-add missing from rebase Signed-off-by: Noah Kreiger <noahkreiger@gmail.com> add to doc Signed-off-by: Noah Kreiger <noahkreiger@gmail.com>
Summary
closes #3343
The earlier e2e test does not have a facility to test PKCS11, but this PR adds support for end-to-end PKCS11 token signing.
The following commands are run to automate the e2e test for PKCS11:
Release Note
Documentation
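Added example, not the PR's own test/e2e_test_pkcs11.sh and not cosign project code: a stand-alone end-to-end check of PKCS11 token signing with cosign against SoftHSM2. It assumes a locally installed SoftHSM2 and OpenSC `pkcs11-tool` rather than the pkcs11-proxy container, a cosign binary built with `-tags=pkcs11key,cgo`, and the module path, token and key labels, test PINs and image reference set at the top (all hypothetical, overridable through the environment). Beyond the PR text it also discovers the slot id SoftHSM assigns at init time instead of hard-coding it, validates the key reference before handing it to cosign, and redacts the PIN from anything the script logs, since an e2e script run with `set -x` would otherwise print the token PIN into CI output.

```shell
#!/usr/bin/env bash
# Added example (not the PR's script): end-to-end PKCS#11 signing through
# SoftHSM2 with cosign. Everything below is an assumption for illustration.
set -eu

MODULE_PATH="${MODULE_PATH:-/usr/lib/softhsm/libsofthsm2.so}"   # assumed module path
TOKEN_LABEL="${TOKEN_LABEL:-cosign-e2e}"                         # assumed token label
KEY_LABEL="${KEY_LABEL:-cosign-e2e-key}"                         # assumed key label
USER_PIN="${USER_PIN:-1234}"                                     # constructed test PIN
SO_PIN="${SO_PIN:-12345678}"                                     # constructed test SO PIN
IMAGE="${IMAGE:-localhost:5000/e2e/pkcs11:latest}"               # assumed image in a local registry

# Build the key reference cosign accepts for a PKCS#11 key
# (pkcs11:token=..;slot-id=..;object=..?module-path=..&pin-value=..).
# Rejects broken input here instead of letting cosign fail later with a
# less readable error.
pkcs11_key_uri() {
  token="$1"; slot="$2"; object="$3"; module="$4"; pin="$5"
  case "$slot" in
    ''|*[!0-9]*) echo "slot-id must be numeric, got '$slot'" >&2; return 1 ;;
  esac
  [ -n "$token" ] && [ -n "$object" ] || { echo "token and object labels are required" >&2; return 1; }
  printf 'pkcs11:token=%s;slot-id=%s;object=%s?module-path=%s&pin-value=%s\n' \
    "$token" "$slot" "$object" "$module" "$pin"
}

# Strip the PIN before a key reference reaches a log line.
redact_pin() {
  printf '%s\n' "$1" | sed -E 's/(pin-value=)[^&]*/\1<redacted>/'
}

# SoftHSM assigns a random slot id when a token is initialised, so look it
# up by label from `softhsm2-util --show-slots` rather than hard-coding it.
slot_for_token() {
  softhsm2-util --show-slots | awk -v label="$1" '
    /^Slot [0-9]+/ { slot = $2 }
    /Label:/ && $2 == label { print slot; exit }'
}

run_e2e() {
  for tool in softhsm2-util pkcs11-tool cosign; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; return 1; }
  done

  # 1. Fresh token in the first uninitialised slot.
  softhsm2-util --init-token --free --label "$TOKEN_LABEL" --pin "$USER_PIN" --so-pin "$SO_PIN"
  slot="$(slot_for_token "$TOKEN_LABEL")"

  # 2. P-256 key pair generated inside the token; the private key never leaves it.
  pkcs11-tool --module "$MODULE_PATH" --slot "$slot" --login --pin "$USER_PIN" \
    --keypairgen --key-type EC:prime256v1 --label "$KEY_LABEL" --id 01

  # 3. Sign through the token. Transparency-log upload is disabled so the
  #    check runs offline; keep it enabled where a Rekor instance is available.
  uri="$(pkcs11_key_uri "$TOKEN_LABEL" "$slot" "$KEY_LABEL" "$MODULE_PATH" "$USER_PIN")"
  echo "signing $IMAGE with $(redact_pin "$uri")"
  cosign sign --yes --tlog-upload=false --key "$uri" "$IMAGE"

  # 4. Verify with only the public half, exported through the same reference.
  cosign public-key --key "$uri" > pkcs11.pub
  cosign verify --insecure-ignore-tlog=true --key pkcs11.pub "$IMAGE"
}

# Only drive the HSM when explicitly requested; the helpers above can be
# exercised without any token present.
if [ "${E2E_PKCS11_RUN:-0}" = "1" ]; then
  run_e2e
fi
```

Run it with `E2E_PKCS11_RUN=1 ./pkcs11_e2e.sh` on a host where SoftHSM2, OpenSC and a PKCS11-enabled cosign are installed and the image already exists in the registry; without that variable the script only defines the helpers, which is what a unit check of the URI handling needs.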