
Text file src/github.com/sigstore/cosign/v2/test/e2e_test_secrets_kms.sh


     1#!/usr/bin/env bash
     2#
     3# Copyright 2022 The Sigstore Authors.
     4#
     5# Licensed under the Apache License, Version 2.0 (the "License");
     6# you may not use this file except in compliance with the License.
     7# You may obtain a copy of the License at
     8#
     9#     http://www.apache.org/licenses/LICENSE-2.0
    10#
    11# Unless required by applicable law or agreed to in writing, software
    12# distributed under the License is distributed on an "AS IS" BASIS,
    13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14# See the License for the specific language governing permissions and
    15# limitations under the License.
    16
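    # End-to-end check that cosign signs and verifies an image with a KMS-backed
    # key, passing the key, signature repository and password through environment
    # variables (COSIGN_KMS, COSIGN_KEY, COSIGN_REPOSITORY, COSIGN_PASSWORD).
    #
    # Environment:
    #   BASE_TEST_REPO  registry prefix for scratch images (default ttl.sh/cosign-ci)
    #   TEST_KMS        KMS key URI (default hashivault://transit)
    # Uses go, crane and the freshly built ./cosign binary.
    #
    # -e aborts on the first failing command. -x traces every command, and that
    # trace contains the expanded password assignments below, so the password
    # ends up in the job log. That is tolerable only because it is a throwaway
    # test value; do not copy this pattern for a real secret.
    set -ex

    go build -o cosign ./cmd/cosign
    tmp=$(mktemp -d -t cosign-e2e-secrets.XXXXXX)
    cp cosign "$tmp/"

    cd "$tmp"

    # Throwaway password: $RANDOM is an integer in 0..32767, far too small a space
    # to protect a real private key.
    # NOTE(review): with a KMS-backed key the password may never be consulted;
    # confirm whether these steps exercise password handling at all.
    pass="$RANDOM"
    export COSIGN_PASSWORD="$pass"

    BASE_TEST_REPO=${BASE_TEST_REPO:-ttl.sh/cosign-ci}
    TEST_INSTANCE_REPO="${BASE_TEST_REPO}/$(date +'%Y/%m/%d')/$RANDOM"

    img="${TEST_INSTANCE_REPO}/test-${RANDOM}"
    crane cp busybox "${img}"

    ## KMS using env variables!
    TEST_KMS=${TEST_KMS:-hashivault://transit}
    # Best-effort removal of the signature reference cosign computes for the
    # image; a failure here is ignored on purpose.
    (crane delete "$(./cosign triangulate "$img")") || true
    COSIGN_KMS="$TEST_KMS" ./cosign generate-key-pair
    signing_key="$TEST_KMS"
    verification_key=cosign.pub

    # Negative control: verification has to fail while the image is unsigned.
    if (./cosign verify --key "${verification_key}" "$img"); then
      echo "FAIL: verify succeeded before the image was signed" >&2
      exit 1
    fi
    COSIGN_KEY="${signing_key}" ./cosign sign --tlog-upload=true "$img"
    COSIGN_KEY="${verification_key}" ./cosign verify "$img"

    # Negative control: the foo=bar annotation must not verify until a signature
    # carrying that annotation has been made.
    if (./cosign verify -a foo=bar --key "${verification_key}" "$img"); then
      echo "FAIL: verify -a foo=bar succeeded before an annotated signature existed" >&2
      exit 1
    fi
    COSIGN_KEY="${signing_key}" ./cosign sign -a foo=bar --tlog-upload=true "$img"
    COSIGN_KEY="${verification_key}" ./cosign verify -a foo=bar "$img"

    # store signatures in a different repo
    export COSIGN_REPOSITORY="${TEST_INSTANCE_REPO}/subbedrepo"
    (crane delete "$(./cosign triangulate "$img")") || true
    COSIGN_KEY="${signing_key}" ./cosign sign --tlog-upload=true "$img"
    COSIGN_KEY="${verification_key}" ./cosign verify "$img"
    unset COSIGN_REPOSITORY

    # test stdin interaction for private key password
    stdin_password="${COSIGN_PASSWORD}"
    unset COSIGN_PASSWORD
    (crane delete "$(./cosign triangulate "$img")") || true
    # printf with a fixed format writes the password plus a newline unchanged,
    # whatever characters it contains.
    printf '%s\n' "$stdin_password" \
      | ./cosign sign --key "${signing_key}" \
          --output-signature interactive.sig \
          --output-payload interactive.payload "$img"
    COSIGN_KEY="${verification_key}" COSIGN_SIGNATURE=interactive.sig \
      ./cosign verify --payload interactive.payload "$img"
    export COSIGN_PASSWORD="${stdin_password}"

    # What else needs auth?
    echo "SUCCESS"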
