Support trusted root in cosign verification #3914
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright 2022 The Sigstore Authors. | |
# | |
# Licensed under the Apache License, Version 2.0 (the "License"); | |
# you may not use this file except in compliance with the License. | |
# You may obtain a copy of the License at | |
# | |
# http://www.apache.org/licenses/LICENSE-2.0 | |
# | |
# Unless required by applicable law or agreed to in writing, software | |
# distributed under the License is distributed on an "AS IS" BASIS, | |
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
# See the License for the specific language governing permissions and | |
# limitations under the License. | |
name: Test attest / verify-attestation | |
on: | |
pull_request: | |
branches: [ 'main', 'release-*' ] | |
workflow_dispatch: | |
defaults: | |
run: | |
shell: bash | |
permissions: {} | |
jobs: | |
cip-test: | |
name: attest / verify-attestation test | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
k8s-version: | |
- v1.27.x | |
tuf-root: | |
- remote | |
- air-gap | |
permissions: | |
contents: read | |
env: | |
KO_DOCKER_REPO: "registry.local:5000/policy-controller" | |
SCAFFOLDING_RELEASE_VERSION: "v0.7.5" | |
GO111MODULE: on | |
GOFLAGS: -ldflags=-s -ldflags=-w | |
KOCACHE: ~/ko | |
COSIGN_YES: "true" | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
with: | |
go-version: '1.22' | |
check-latest: true | |
# will use the latest release available for ko | |
- uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7 | |
- name: Install yq | |
uses: mikefarah/yq@bbdd97482f2d439126582a59689eb1c855944955 # v4.44.3 | |
- name: build cosign | |
run: | | |
make cosign | |
- name: Install cluster + sigstore | |
uses: sigstore/scaffolding/actions/setup@main | |
with: | |
legacy-variables: "false" | |
k8s-version: ${{ matrix.k8s-version }} | |
version: ${{ env.SCAFFOLDING_RELEASE_VERSION }} | |
- name: Create sample image - demoimage | |
run: | | |
pushd $(mktemp -d) | |
go mod init example.com/demo | |
cat <<EOF > main.go | |
package main | |
import "fmt" | |
func main() { | |
fmt.Println("hello world") | |
} | |
EOF | |
demoimage=`ko publish -B example.com/demo` | |
echo "demoimage=$demoimage" >> $GITHUB_ENV | |
echo Created image $demoimage | |
popd | |
- name: Initialize with our custom TUF root pointing to remote root | |
if: ${{ matrix.tuf-root == 'remote' }} | |
run: | | |
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}') | |
./cosign initialize --mirror $TUF_MIRROR --root ./root.json | |
- name: Initialize with custom TUF root pointing to local filesystem | |
if: ${{ matrix.tuf-root == 'air-gap' }} | |
run: | | |
# Grab the compressed repository for airgap testing. | |
kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.repository}' | base64 -d > ./repository.tar.gz | |
tar -zxvf ./repository.tar.gz | |
PWD=$(pwd) | |
ROOT=${PWD}/repository/1.root.json | |
REPOSITORY=${PWD}/repository | |
./cosign initialize --root ${ROOT} --mirror file://${REPOSITORY} | |
- name: Sign demoimage with cosign | |
run: | | |
./cosign sign --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --yes --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }} | |
- name: Create attestation for it | |
run: | | |
echo -n 'foobar e2e test' > ./predicate-file | |
./cosign attest --predicate ./predicate-file --fulcio-url ${{ env.FULCIO_URL }} --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry --yes ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }} | |
- name: Sign a blob | |
run: | | |
./cosign sign-blob README.md --fulcio-url ${{ env.FULCIO_URL }} --rekor-url ${{ env.REKOR_URL }} --output-certificate cert.pem --output-signature sig --yes --identity-token ${{ env.OIDC_TOKEN }} | |
- name: Verify with cosign | |
run: | | |
./cosign verify --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" | |
- name: Verify custom attestation with cosign, works | |
run: | | |
echo '::group:: test custom verify-attestation success' | |
if ! ./cosign verify-attestation --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" --policy ./test/testdata/policies/cue-works.cue --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} ; then | |
echo Failed to verify attestation with a valid policy | |
exit 1 | |
else | |
echo Successfully validated custom attestation with a valid policy | |
fi | |
echo '::endgroup::' | |
- name: Verify custom attestation with cosign, fails | |
run: | | |
echo '::group:: test custom verify-attestation success' | |
if ./cosign verify-attestation --policy ./test/testdata/policies/cue-fails.cue --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then | |
echo custom verify-attestation succeeded with cue policy that should not work | |
exit 1 | |
else | |
echo Successfully failed a policy that should not work | |
fi | |
echo '::endgroup::' | |
- name: Verify a blob | |
run: | | |
./cosign verify-blob README.md --rekor-url ${{ env.REKOR_URL }} --certificate ./cert.pem --signature sig --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" | |
- name: Collect diagnostics | |
if: ${{ failure() }} | |
uses: chainguard-dev/actions/kind-diag@9ba949ac63357c725a9438f3e05a1e33d313498e # main | |
- name: Create vuln attestation for it | |
run: | | |
./cosign attest --predicate ./test/testdata/attestations/vuln-predicate.json --type vuln --fulcio-url ${{ env.FULCIO_URL }} --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry --yes ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }} | |
- name: Verify vuln attestation with cosign, works | |
run: | | |
echo '::group:: test vuln verify-attestation success' | |
if ! ./cosign verify-attestation --type vuln --policy ./test/testdata/policies/cue-vuln-works.cue --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then | |
echo Failed to verify attestation with a valid policy | |
exit 1 | |
else | |
echo Successfully validated vuln attestation with a valid policy | |
fi | |
echo '::endgroup::' | |
- name: Verify vuln attestation with cosign, fails | |
run: | | |
echo '::group:: test vuln verify-attestation success' | |
if ./cosign verify-attestation --type vuln --policy ./test/testdata/policies/cue-vuln-fails.cue --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then | |
echo verify-attestation succeeded with cue policy that should not work | |
exit 1 | |
else | |
echo Successfully failed a policy that should not work | |
fi | |
echo '::endgroup::' |