sigstore-conformance
is a conformance testing suite for Sigstore clients.
This suite provides a high-level view of client behaviour as a whole and sets out to answer questions such as:
- Does the client fail when given a signing certificate that isn't signed by the Fulcio root CA during the signing workflow?
- Does the client fail when given an invalid inclusion proof from Rekor during the verification workflow?
- Does the client fail when given an invalid signed certificate timestamp as part of the Fulcio response in the signing workflow?
- etc
An official Sigstore client specification is being worked on at the moment as
part of the Sigstore Architecture Documentation.
Once it's complete, sigstore-conformance
aims to be able to test a client's
adherence to the specification.
Some general testing principles for this suite are:
- Tests should be "workflow" focused. This testing suite is not about fuzzing every possible input to the client CLI or achieving code coverage.
- Tests should exercise the entire client end-to-end rather than individual subsystems in isolation. Tests should include all network interactions with Sigstore infrastructure such as Rekor, Fulcio, etc. These tests should run against Sigstore staging and production infrastructure as well as custom built mock services to test atypical scenarios.
- Include an executable in your project that implements the client-under-test CLI protocol.
- Use the
sigstore/sigstore-conformance
action in your test workflow:jobs: conformance: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 # insert your client installation steps here # Run tests against production Sigstore environment - uses: sigstore/sigstore-conformance@v0.0.14 with: entrypoint: my-conformance-client # Run tests against staging Sigstore environment - uses: sigstore/sigstore-conformance@v0.0.14 with: entrypoint: my-conformance-client environment: staging
See sigstore-python conformance test for a complete example.
The important action inputs are
entrypoint
: required string. A command that implements the client-under-test CLI protocolenvironment
: 'production' (default) or 'staging'. This selects the Sigstore environment to run againstxfail
: optional string. Whitespace separated test names that are expected to fail.
See action.yml for full list of inputs.
Easiest way to run the conformance suite locally is with the provided virtual environment:
$ make dev
$ source env/bin/activate
(env) $
The test suite can be configured with
--entrypoint=$SIGSTORE_CLIENT
where SIGSTORE_CLIENT is path to a script that implements the CLI specification- optional
--staging
: This instructs the test suite to run against Sigstore staging infrastructure - optional
--skip-signing
: Runs verification tests only - The environment variable
GHA_SIGSTORE_CONFORMANCE_XFAIL
can be used to set expected failures
(env) $ # run all tests
(env) $ pytest test --entrypoint=$SIGSTORE_CLIENT
(env) $ # run verification tests only
(env) $ pytest test --entrypoint=$SIGSTORE_CLIENT --skip-signing
Following example runs the test suite with the included sigstore-python-conformance client script:
(env) $ # run all tests
(env) $ GHA_SIGSTORE_CONFORMANCE_XFAIL="test_verify_with_trust_root test_verify_dsse_bundle_with_trust_root" \
pytest test --entrypoint=sigstore-python-conformance
sigstore-conformance
is licensed under the Apache 2.0 License.
Everyone interacting with this project is expected to follow the sigstore Code of Conduct
Should you discover any security issues, please refer to sigstore's security process.