Upgrade to TUF v2 client #3900
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright 2022 The Sigstore Authors. | |
# | |
# Licensed under the Apache License, Version 2.0 (the "License"); | |
# you may not use this file except in compliance with the License. | |
# You may obtain a copy of the License at | |
# | |
# http://www.apache.org/licenses/LICENSE-2.0 | |
# | |
# Unless required by applicable law or agreed to in writing, software | |
# distributed under the License is distributed on an "AS IS" BASIS, | |
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
# See the License for the specific language governing permissions and | |
# limitations under the License. | |
name: Test attest / verify-attestation | |
on: | |
pull_request: | |
branches: [ 'main', 'release-*' ] | |
workflow_dispatch: | |
defaults: | |
run: | |
shell: bash | |
permissions: {} | |
jobs: | |
cip-test: | |
name: attest / verify-attestation test | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
k8s-version: | |
- v1.27.x | |
tuf-root: | |
- remote | |
- air-gap | |
permissions: | |
contents: read | |
env: | |
KO_DOCKER_REPO: "registry.local:5000/policy-controller" | |
SCAFFOLDING_RELEASE_VERSION: "v0.7.5" | |
GO111MODULE: on | |
GOFLAGS: -ldflags=-s -ldflags=-w | |
KOCACHE: ~/ko | |
COSIGN_YES: "true" | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
with: | |
go-version: '1.22' | |
check-latest: true | |
# will use the latest release available for ko | |
- uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7 | |
- name: Install yq | |
uses: mikefarah/yq@bbdd97482f2d439126582a59689eb1c855944955 # v4.44.3 | |
- name: build cosign | |
run: | | |
make cosign | |
- name: Install cluster + sigstore | |
uses: sigstore/scaffolding/actions/setup@main | |
with: | |
legacy-variables: "false" | |
k8s-version: ${{ matrix.k8s-version }} | |
version: ${{ env.SCAFFOLDING_RELEASE_VERSION }} | |
- name: Create sample image - demoimage | |
run: | | |
pushd $(mktemp -d) | |
go mod init example.com/demo | |
cat <<EOF > main.go | |
package main | |
import "fmt" | |
func main() { | |
fmt.Println("hello world") | |
} | |
EOF | |
demoimage=`ko publish -B example.com/demo` | |
echo "demoimage=$demoimage" >> $GITHUB_ENV | |
echo Created image $demoimage | |
popd | |
- name: Initialize with our custom TUF root pointing to remote root | |
if: ${{ matrix.tuf-root == 'remote' }} | |
run: | | |
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}') | |
./cosign initialize --mirror $TUF_MIRROR --root ./root.json | |
- name: Initialize with custom TUF root pointing to local filesystem | |
if: ${{ matrix.tuf-root == 'air-gap' }} | |
run: | | |
# Grab the compressed repository for airgap testing. | |
kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.repository}' | base64 -d > ./repository.tar.gz | |
tar -zxvf ./repository.tar.gz | |
PWD=$(pwd) | |
ROOT=${PWD}/repository/1.root.json | |
REPOSITORY=${PWD}/repository | |
./cosign initialize --root ${ROOT} --mirror file://${REPOSITORY} | |
- name: Set up root.json | |
run: | | |
[ -f $(pwd)/repository/1.root.json ] && cp $(pwd)/repository/1.root.json root.json | |
[ -f root.json ] || ( echo "Failed to set up trust root ; exit 1 ) | |
- name: Sign demoimage with cosign | |
run: | | |
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}') | |
TUF_ROOT_JSON=root.json | |
./cosign sign --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --yes --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }} | |
- name: Create attestation for it | |
run: | | |
echo -n 'foobar e2e test' > ./predicate-file | |
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}') | |
TUF_ROOT_JSON=root.json | |
./cosign attest --predicate ./predicate-file --fulcio-url ${{ env.FULCIO_URL }} --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry --yes ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }} | |
- name: Sign a blob | |
run: | | |
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}') | |
TUF_ROOT_JSON=root.json | |
./cosign sign-blob README.md --fulcio-url ${{ env.FULCIO_URL }} --rekor-url ${{ env.REKOR_URL }} --output-certificate cert.pem --output-signature sig --yes --identity-token ${{ env.OIDC_TOKEN }} | |
- name: Verify with cosign | |
run: | | |
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}') | |
TUF_ROOT_JSON=root.json | |
./cosign verify --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" | |
- name: Verify custom attestation with cosign, works | |
run: | | |
echo '::group:: test custom verify-attestation success' | |
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}') | |
TUF_ROOT_JSON=root.json | |
if ! ./cosign verify-attestation --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" --policy ./test/testdata/policies/cue-works.cue --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} ; then | |
echo Failed to verify attestation with a valid policy | |
exit 1 | |
else | |
echo Successfully validated custom attestation with a valid policy | |
fi | |
echo '::endgroup::' | |
- name: Verify custom attestation with cosign, fails | |
run: | | |
echo '::group:: test custom verify-attestation success' | |
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}') | |
TUF_ROOT_JSON=root.json | |
if ./cosign verify-attestation --policy ./test/testdata/policies/cue-fails.cue --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then | |
echo custom verify-attestation succeeded with cue policy that should not work | |
exit 1 | |
else | |
echo Successfully failed a policy that should not work | |
fi | |
echo '::endgroup::' | |
- name: Verify a blob | |
run: | | |
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}') | |
TUF_ROOT_JSON=root.json | |
./cosign verify-blob README.md --rekor-url ${{ env.REKOR_URL }} --certificate ./cert.pem --signature sig --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" | |
- name: Collect diagnostics | |
if: ${{ failure() }} | |
uses: chainguard-dev/actions/kind-diag@84c993eaf02da1c325854fb272a4df9184bd80fc # main | |
- name: Create vuln attestation for it | |
run: | | |
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}') | |
TUF_ROOT_JSON=root.json | |
./cosign attest --predicate ./test/testdata/attestations/vuln-predicate.json --type vuln --fulcio-url ${{ env.FULCIO_URL }} --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry --yes ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }} | |
- name: Verify vuln attestation with cosign, works | |
run: | | |
echo '::group:: test vuln verify-attestation success' | |
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}') | |
TUF_ROOT_JSON=root.json | |
if ! ./cosign verify-attestation --type vuln --policy ./test/testdata/policies/cue-vuln-works.cue --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then | |
echo Failed to verify attestation with a valid policy | |
exit 1 | |
else | |
echo Successfully validated vuln attestation with a valid policy | |
fi | |
echo '::endgroup::' | |
- name: Verify vuln attestation with cosign, fails | |
run: | | |
echo '::group:: test vuln verify-attestation success' | |
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}') | |
TUF_ROOT_JSON=root.json | |
if ./cosign verify-attestation --type vuln --policy ./test/testdata/policies/cue-vuln-fails.cue --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then | |
echo verify-attestation succeeded with cue policy that should not work | |
exit 1 | |
else | |
echo Successfully failed a policy that should not work | |
fi | |
echo '::endgroup::' |