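# Copyright 2022 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# End-to-end test of `cosign attest` / `cosign verify-attestation` (plus
# sign/verify and sign-blob/verify-blob) against a throwaway Sigstore stack
# started by the scaffolding setup action, once with a remote TUF mirror
# and once with an air-gapped (filesystem) TUF mirror.
name: Test attest / verify-attestation

on:
  pull_request:
    branches: [ 'main', 'release-*' ]
  workflow_dispatch:

defaults:
  run:
    # An explicit `shell: bash` makes every `run` step fail fast
    # (GitHub runs it with `-eo pipefail`).
    shell: bash

# Read-only token for the whole workflow; no step below needs write scopes.
permissions: read-all

jobs:
  cip-test:
    name: attest / verify-attestation test
    runs-on: ubuntu-latest

    strategy:
      matrix:
        k8s-version:
          - v1.25.x
        # Exercises both ways of seeding the TUF root: an HTTP mirror and a
        # local tarball; see the two "Initialize ..." steps below.
        tuf-root:
          - remote
          - air-gap

    env:
      KO_DOCKER_REPO: "registry.local:5000/policy-controller"
      SCAFFOLDING_RELEASE_VERSION: "v0.6.14"
      # Quoted: a bare `on` is a YAML 1.1 boolean and trips yamllint's
      # `truthy` rule; Go expects the literal string.
      GO111MODULE: "on"
      GOFLAGS: -ldflags=-s -ldflags=-w
      KOCACHE: ~/ko
      COSIGN_YES: "true"

    steps:
      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version: '1.21'
          check-latest: true

      # will use the latest release available for ko
      - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6

      - name: Install yq
        uses: mikefarah/yq@c35ec752e38ea0c096d3c44e13cfc0797ac394d8 # v4.43.1

      - name: build cosign
        run: |
          make cosign

      - name: Install cluster + sigstore
        # TODO(review): every other action in this file is pinned to a commit
        # SHA; `@main` is a mutable ref, so the job runs whatever that branch
        # currently holds. Pin it the same way
        # (`sigstore/scaffolding/actions/setup@<commit-sha>  # <tag>`).
        uses: sigstore/scaffolding/actions/setup@main
        with:
          legacy-variables: "false"
          k8s-version: ${{ matrix.k8s-version }}
          version: ${{ env.SCAFFOLDING_RELEASE_VERSION }}

      - name: Create sample image - demoimage
        run: |
          pushd "$(mktemp -d)"
          go mod init example.com/demo
          cat <<EOF > main.go
          package main
          import "fmt"
          func main() {
            fmt.Println("hello world")
          }
          EOF
          demoimage=$(ko publish -B example.com/demo)
          # Exported for the later steps, which read it back as $demoimage.
          echo "demoimage=$demoimage" >> "$GITHUB_ENV"
          echo "Created image $demoimage"
          popd

      - name: Initialize with our custom TUF root pointing to remote root
        if: ${{ matrix.tuf-root == 'remote' }}
        run: |
          # NOTE(review): ./root.json is presumably written by the setup
          # action above — confirm.
          TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
          ./cosign initialize --mirror "$TUF_MIRROR" --root ./root.json

      - name: Initialize with custom TUF root pointing to local filesystem
        if: ${{ matrix.tuf-root == 'air-gap' }}
        run: |
          # Grab the compressed repository for airgap testing.
          kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.repository}' | base64 -d > ./repository.tar.gz
          tar -zxvf ./repository.tar.gz
          # Don't reuse the shell's special PWD variable for this.
          REPO_DIR=$(pwd)
          ROOT=${REPO_DIR}/repository/1.root.json
          REPOSITORY=${REPO_DIR}/repository
          ./cosign initialize --root "${ROOT}" --mirror "file://${REPOSITORY}"

      # REKOR_URL, FULCIO_URL, OIDC_TOKEN and demoimage are read as plain
      # shell variables from here on instead of `${{ env.X }}`: the values are
      # the same (GITHUB_ENV exports land in both), but shell expansion keeps
      # the command text out of the workflow-expression interpolation path.
      # NOTE(review): the first three are presumably exported by the
      # scaffolding setup action — confirm.
      # `--allow-insecure-registry` is for the plain-HTTP registry named in
      # KO_DOCKER_REPO; it must not be carried into non-test usage.
      - name: Sign demoimage with cosign
        run: |
          ./cosign sign --rekor-url "$REKOR_URL" --fulcio-url "$FULCIO_URL" --yes --allow-insecure-registry "$demoimage" --identity-token "$OIDC_TOKEN"

      - name: Create attestation for it
        run: |
          echo -n 'foobar e2e test' > ./predicate-file
          ./cosign attest --predicate ./predicate-file --fulcio-url "$FULCIO_URL" --rekor-url "$REKOR_URL" --allow-insecure-registry --yes "$demoimage" --identity-token "$OIDC_TOKEN"

      - name: Sign a blob
        run: |
          ./cosign sign-blob README.md --fulcio-url "$FULCIO_URL" --rekor-url "$REKOR_URL" --output-certificate cert.pem --output-signature sig --yes --identity-token "$OIDC_TOKEN"

      # The identity / issuer pair below is the in-cluster service account
      # that the OIDC_TOKEN was issued for; every verify step pins both so a
      # certificate for any other subject is rejected.
      - name: Verify with cosign
        run: |
          ./cosign verify --rekor-url "$REKOR_URL" --allow-insecure-registry "$demoimage" --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"

      - name: Verify custom attestation with cosign, works
        run: |
          echo '::group:: test custom verify-attestation success'
          if ! ./cosign verify-attestation --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" --policy ./test/testdata/policies/cue-works.cue --rekor-url "$REKOR_URL" --allow-insecure-registry "$demoimage" ; then
            echo Failed to verify attestation with a valid policy
            exit 1
          else
            echo Successfully validated custom attestation with a valid policy
          fi
          echo '::endgroup::'

      # Negative case: a policy that must not match. The group label now
      # says "failure" so the log is not misread as a second success case.
      - name: Verify custom attestation with cosign, fails
        run: |
          echo '::group:: test custom verify-attestation failure'
          if ./cosign verify-attestation --policy ./test/testdata/policies/cue-fails.cue --rekor-url "$REKOR_URL" --allow-insecure-registry "$demoimage" --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then
            echo custom verify-attestation succeeded with cue policy that should not work
            exit 1
          else
            echo Successfully failed a policy that should not work
          fi
          echo '::endgroup::'

      - name: Verify a blob
        run: |
          ./cosign verify-blob README.md --rekor-url "$REKOR_URL" --certificate ./cert.pem --signature sig --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local"

      - name: Create vuln attestation for it
        run: |
          ./cosign attest --predicate ./test/testdata/attestations/vuln-predicate.json --type vuln --fulcio-url "$FULCIO_URL" --rekor-url "$REKOR_URL" --allow-insecure-registry --yes "$demoimage" --identity-token "$OIDC_TOKEN"

      - name: Verify vuln attestation with cosign, works
        run: |
          echo '::group:: test vuln verify-attestation success'
          if ! ./cosign verify-attestation --type vuln --policy ./test/testdata/policies/cue-vuln-works.cue --rekor-url "$REKOR_URL" --allow-insecure-registry "$demoimage" --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then
            echo Failed to verify attestation with a valid policy
            exit 1
          else
            echo Successfully validated vuln attestation with a valid policy
          fi
          echo '::endgroup::'

      - name: Verify vuln attestation with cosign, fails
        run: |
          echo '::group:: test vuln verify-attestation failure'
          if ./cosign verify-attestation --type vuln --policy ./test/testdata/policies/cue-vuln-fails.cue --rekor-url "$REKOR_URL" --allow-insecure-registry "$demoimage" --certificate-identity https://kubernetes.io/namespaces/default/serviceaccounts/default --certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" ; then
            echo verify-attestation succeeded with cue policy that should not work
            exit 1
          else
            echo Successfully failed a policy that should not work
          fi
          echo '::endgroup::'

      # Kept as the last step: `failure()` only reacts to steps that ran
      # before it, so placing this ahead of the vuln steps (as before) meant a
      # failure in those steps collected no diagnostics.
      - name: Collect diagnostics
        if: ${{ failure() }}
        uses: chainguard-dev/actions/kind-diag@84c993eaf02da1c325854fb272a4df9184bd80fc # main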