1#!/usr/bin/env bash
2#
3# Copyright 2021 The Sigstore Authors.
4#
5# Licensed under the Apache License, Version 2.0 (the "License");
6# you may not use this file except in compliance with the License.
7# You may obtain a copy of the License at
8#
9# http://www.apache.org/licenses/LICENSE-2.0
10#
11# Unless required by applicable law or agreed to in writing, software
12# distributed under the License is distributed on an "AS IS" BASIS,
13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14# See the License for the specific language governing permissions and
15# limitations under the License.
16
17set -ex
18
19go build -o cosign ./cmd/cosign
20tmp=$(mktemp -d)
21cp cosign $tmp/
22
23INSECURE_REGISTRY_NAME=${INSECURE_REGISTRY_NAME:-insecure-registry.notlocal}
24INSECURE_REGISTRY_PORT=${INSECURE_REGISTRY_PORT:-5001}
25
26pushd $tmp
27
28pass="$RANDOM"
29export COSIGN_PASSWORD=$pass
30export COSIGN_YES="true"
31
32./cosign generate-key-pair
33signing_key=cosign.key
34verification_key=cosign.pub
35
36img="${INSECURE_REGISTRY_NAME}:${INSECURE_REGISTRY_PORT}/test"
37(crane delete $(./cosign triangulate $img)) || true
38crane cp ghcr.io/distroless/static $img --insecure
39
40# Operations with insecure registries should fail by default, then succeed
41# with `--allow-insecure-registry`
42if (./cosign sign --key ${signing_key} $img); then false; fi
43./cosign sign --allow-insecure-registry --key ${signing_key} $img
44if (./cosign verify --key ${verification_key} $img); then false; fi
45./cosign verify --allow-insecure-registry --key ${verification_key} $img
46
47echo "SUCCESS"
View as plain text