1#!/usr/bin/env bash
2#
3# Copyright 2023 The Sigstore Authors.
4#
5# Licensed under the Apache License, Version 2.0 (the "License");
6# you may not use this file except in compliance with the License.
7# You may obtain a copy of the License at
8#
9# http://www.apache.org/licenses/LICENSE-2.0
10#
11# Unless required by applicable law or agreed to in writing, software
12# distributed under the License is distributed on an "AS IS" BASIS,
13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14# See the License for the specific language governing permissions and
15# limitations under the License.
16
17set -o errexit
18set -o nounset
19set -o pipefail
20
21go build -o cosign ./cmd/cosign
22tmp=$(mktemp -d)
23cp cosign $tmp/
24
25INSECURE_REGISTRY_NAME=${INSECURE_OCI_REGISTRY_NAME:-insecure-oci-registry.notlocal}
26INSECURE_REGISTRY_PORT=${INSECURE_OCI_REGISTRY_PORT:-5002}
27
28pushd $tmp
29
30pass="$RANDOM"
31export COSIGN_PASSWORD=$pass
32export COSIGN_YES="true"
33export COSIGN_EXPERIMENTAL=1
34
35./cosign generate-key-pair
36signing_key=cosign.key
37verification_key=cosign.pub
38
39img="${INSECURE_REGISTRY_NAME}:${INSECURE_REGISTRY_PORT}/test"
40(crane delete $(./cosign triangulate $img)) || true
41crane cp ghcr.io/distroless/static $img --insecure
42
43# Operations with insecure registries should fail by default, then succeed
44# with `--allow-insecure-registry`
45if (./cosign sign --key ${signing_key} $img); then false; fi
46./cosign sign --allow-insecure-registry --registry-referrers-mode=oci-1-1 --key ${signing_key} $img
47if (./cosign verify --key ${verification_key} $img); then false; fi
48./cosign verify --allow-insecure-registry --experimental-oci11=true --key ${verification_key} $img
49
50echo "SUCCESS"
View as plain text