1#!/usr/bin/env bash
2#
3# Copyright 2021 The Sigstore Authors.
4#
5# Licensed under the Apache License, Version 2.0 (the "License");
6# you may not use this file except in compliance with the License.
7# You may obtain a copy of the License at
8#
9# http://www.apache.org/licenses/LICENSE-2.0
10#
11# Unless required by applicable law or agreed to in writing, software
12# distributed under the License is distributed on an "AS IS" BASIS,
13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14# See the License for the specific language governing permissions and
15# limitations under the License.
16
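# This test checks that verify-blob iterates over all Rekor entries for a blob
# and accepts the blob if at least one entry is valid, instead of only checking
# the most recent entry. Looking only at the newest entry would let anyone
# "shadow" a good entry by signing the same blob with a certificate that does
# not chain up to Sigstore, turning a valid verification into a failure.
#
# Steps:
#   1. Sign a fresh blob with cosign (keyless) and verify it.
#   2. Sign the same blob with a self-signed test certificate and upload that
#      entry to Rekor by hand.
#   3. Verify again; the self-signed entry must not break verification.
#
# Requires: ./cosign, openssl, sha256sum, base64, curl, and network access to
# the public Rekor instance.

# -u catches typos in the many variable names below; pipefail makes the
# sha256sum | cut pipeline fail loudly instead of yielding an empty hash.
set -euxo pipefail

readonly COSIGN_CLI=./cosign

# Test-only permissiveness: the identity/issuer of the signing certificate is
# not pinned, because this test exercises tlog-entry iteration, not identity
# matching. Real verification should pin both to concrete values.
readonly ANY_IDENTITY='.*'
readonly ANY_ISSUER='.*'

# Public Rekor instance that the hand-built entry is posted to.
readonly REKOR_URL=https://rekor.sigstore.dev

echo "Creating a unique blob"
readonly BLOB=verify-experimental-blob
date > "$BLOB"
cat "$BLOB"

echo "Sign the blob with cosign first and upload to rekor"
"$COSIGN_CLI" sign-blob --yes --output-certificate blob.cert --output-signature blob.sig "$BLOB"

echo "Verifying ..."
"$COSIGN_CLI" verify-blob --signature blob.sig --cert blob.cert \
  --certificate-identity-regexp "$ANY_IDENTITY" --certificate-oidc-issuer-regexp "$ANY_ISSUER" "$BLOB"
echo "Verifying using cosign ENV variables..."
COSIGN_SIGNATURE=blob.sig COSIGN_CERTIFICATE=blob.cert "$COSIGN_CLI" verify-blob \
  --certificate-identity-regexp "$ANY_IDENTITY" --certificate-oidc-issuer-regexp "$ANY_ISSUER" "$BLOB"

# Now, sign the blob with a self-signed certificate and upload to rekor.
# This certificate does not chain to the Sigstore roots, so the resulting
# second Rekor entry for the same blob hash is the "bad" entry that must not
# mask the valid one created above.
readonly SIG_FILE=verify-experimental-signature
readonly PRIV_KEY=./test/testdata/test_blob_private_key
readonly PUB_KEY=./test/testdata/test_blob_public_key
readonly CERT_FILE=./test/testdata/test_blob_cert.pem

openssl dgst -sha256 -sign "$PRIV_KEY" -out "$SIG_FILE" "$BLOB"
# Sanity-check the signature locally before anything is sent to the log.
openssl dgst -sha256 -verify "$PUB_KEY" -signature "$SIG_FILE" "$BLOB"

SHA256HASH=$(sha256sum "$BLOB" | cut -f1 -d' ')
readonly SHA256HASH

# base64 may wrap long output (GNU coreutils wraps at 76 columns by default).
# A wrapped value would put raw newlines inside the JSON string literals
# below, so strip them; tr is used instead of -w0 to stay portable.
SIGNATURE=$(base64 < "$SIG_FILE" | tr -d '\n')
readonly SIGNATURE
echo "Signature: $SIGNATURE"

CERT=$(base64 < "$CERT_FILE" | tr -d '\n')
readonly CERT
echo "Cert: $CERT"

# Body of a hashedrekord entry: the blob's digest, the raw signature, and the
# self-signed certificate in the publicKey slot. Only hex/base64 values are
# interpolated, so no JSON escaping is needed.
readonly JSON_BODY_FILE=verify-experimental-blob-http-body.json
cat <<EOF > "$JSON_BODY_FILE"
{
 "apiVersion": "0.0.1",
 "spec": {
 "data": {
 "hash": {
 "algorithm": "sha256",
 "value": "$SHA256HASH"
 }
 },
 "signature": {
 "content": "$SIGNATURE",
 "publicKey": {
 "content": "$CERT"
 }
 }
 },
 "kind": "hashedrekord"
}
EOF

# --fail turns a non-2xx reply (e.g. an entry rejected by Rekor) into a curl
# error, so a failed upload aborts the test here instead of letting the
# "should still work" checks below run against a log that never received the
# self-signed entry -- which would make the test pass for the wrong reason.
curl --fail --silent --show-error -X POST "$REKOR_URL/api/v1/log/entries" \
  -H 'Content-Type: application/json' -d @"$JSON_BODY_FILE"

# Verifying should still work.
# --certificate-chain makes the test certificate its own trust root for this
# check, and --insecure-ignore-sct skips the SCT check that the self-signed
# test certificate cannot satisfy. Both are test-only settings.
echo "Verifying ..."
"$COSIGN_CLI" verify-blob --signature "$SIG_FILE" --cert "$CERT_FILE" --certificate-chain "$CERT_FILE" \
  --insecure-ignore-sct --certificate-identity-regexp "$ANY_IDENTITY" --certificate-oidc-issuer-regexp "$ANY_ISSUER" "$BLOB"

echo "Verifying using cosign ENV variables ..."
COSIGN_SIGNATURE="$SIG_FILE" COSIGN_CERTIFICATE_CHAIN="$CERT_FILE" COSIGN_CERTIFICATE="$CERT_FILE" "$COSIGN_CLI" verify-blob \
  --insecure-ignore-sct --certificate-identity-regexp "$ANY_IDENTITY" --certificate-oidc-issuer-regexp "$ANY_ISSUER" "$BLOB"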