call e2e test for cosign attach #3112

Merged
merged 2 commits into from
Jul 17, 2023
s1ntaxe770r
Contributor

Summary

This PR adds a new step in the workflow to run the e2e test for cosign attach.

Fixes #3111

Release Note

Documentation

@codecov

codecov bot commented Jul 16, 2023

Codecov Report

Merging #3112 (d4f72e6) into main (731adeb) will not change coverage.
The diff coverage is n/a.

❗ Current head d4f72e6 differs from pull request most recent head 4624398. Consider uploading reports for the commit 4624398 to get more accurate results

@@           Coverage Diff           @@
##             main    #3112   +/-   ##
=======================================
  Coverage   30.64%   30.64%           
=======================================
  Files         155      155           
  Lines        9791     9791           
=======================================
  Hits         3000     3000           
  Misses       6341     6341           
  Partials      450      450           

@haydentherapper
Contributor

haydentherapper commented Jul 16, 2023

It looks like the test itself has an issue. Would you be able to take a look? Or @Mukuls77?

@Mukuls77
Contributor

Hi @haydentherapper, I checked the script for the test case. It seems to work OK on my local setup. As I see it, the issue seems to be in the permission of the GitHub workflow user to call the attach test script.

Run ./test/e2e_test_attach.sh
/home/runner/work/_temp/c843ab48-cec0-4c2f-866e-b7b0f6ffeb95.sh: line 1: ./test/e2e_test_attach.sh: Permission denied
Error: Process completed with exit code 126.

Please find the logs of the test case I checked by invoking the script on my local setup.

/home/mukul/cosign>./test/e2e_test_attach.sh

  • go build -o cosign ./cmd/cosign
    ++ mktemp -d -t cosign-e2e-attach.XXXX
  • tmp=/tmp/cosign-e2e-attach.2xV4
  • cp cosign /tmp/cosign-e2e-attach.2xV4/
  • cp ./test/testdata/test_attach_private_key /tmp/cosign-e2e-attach.2xV4/private_key
  • cp ./test/testdata/test_attach_leafcert.pem /tmp/cosign-e2e-attach.2xV4/leafcert.pem
  • cp ./test/testdata/test_attach_certchain.pem /tmp/cosign-e2e-attach.2xV4/certchain.pem
  • cp ./test/testdata/test_attach_rootcert.pem /tmp/cosign-e2e-attach.2xV4/rootcert.pem
  • pushd /tmp/cosign-e2e-attach.2xV4
    /tmp/cosign-e2e-attach.2xV4 ~/cosign
  • pass=24243
  • export COSIGN_PASSWORD=24243
  • COSIGN_PASSWORD=24243
  • SRC_IMAGE=busybox
    ++ crane digest busybox
  • SRC_DIGEST=sha256:2376a0c12759aa1214ba83e771ff252c7b1663216b192fbe5e0fb364e952f85c
    ++ uuidgen
    ++ head -c 8
    ++ tr A-Z a-z
  • IMAGE_URI=ttl.sh/cosign-ci/d442caf9
  • crane cp busybox@sha256:2376a0c12759aa1214ba83e771ff252c7b1663216b192fbe5e0fb364e952f85c ttl.sh/cosign-ci/d442caf9:1h
  • IMAGE_URI_DIGEST=ttl.sh/cosign-ci/d442caf9@sha256:2376a0c12759aa1214ba83e771ff252c7b1663216b192fbe5e0fb364e952f85c
  • ./cosign initialize
    Root status:
    {
    "local": "/home/mukul/.sigstore/root",
    "remote": "https://tuf-repo-cdn.sigstore.dev",
    "metadata": {
    "root.json": {
    "version": 7,
    "len": 5404,
    "expiration": "04 Oct 23 13:08 UTC",
    "error": ""
    },
    "snapshot.json": {
    "version": 94,
    "len": 2299,
    "expiration": "31 Jul 23 16:01 UTC",
    "error": ""
    },
    "targets.json": {
    "version": 7,
    "len": 5252,
    "expiration": "04 Oct 23 13:26 UTC",
    "error": ""
    },
    "timestamp.json": {
    "version": 95,
    "len": 717,
    "expiration": "20 Jul 23 16:07 UTC",
    "error": ""
    }
    },
    "targets": [
    "fulcio_v1.crt.pem",
    "rekor.pub",
    "trusted_root.json",
    "artifact.pub",
    "ctfe.pub",
    "ctfe_2022.pub",
    "fulcio.crt.pem",
    "fulcio_intermediate_v1.crt.pem"
    ]
    }
  • ./cosign generate ttl.sh/cosign-ci/d442caf9@sha256:2376a0c12759aa1214ba83e771ff252c7b1663216b192fbe5e0fb364e952f85c
  • openssl dgst -sha256 -sign ./private_key -out payload.sig payload.json
  • cat payload.sig
  • base64
    ++ cat payloadbase64.sig
    ++ base64
    ++ cat payload.json
  • PAYLOAD='{"critical":{"identity":{"docker-reference":"ttl.sh/cosign-ci/d442caf9"},"image":{"docker-manifest-digest":"sha256:2376a0c12759aa1214ba83e771ff252c7b1663216b192fbe5e0fb364e952f85c"},"type":"cosign container image signature"},"optional":null}'
  • echo 'Payload: {"critical":{"identity":{"docker-reference":"ttl.sh/cosign-ci/d442caf9"},"image":{"docker-manifest-digest":"sha256:2376a0c12759aa1214ba83e771ff252c7b1663216b192fbe5e0fb364e952f85c"},"type":"cosign container image signature"},"optional":null}'
    Payload: {"critical":{"identity":{"docker-reference":"ttl.sh/cosign-ci/d442caf9"},"image":{"docker-manifest-digest":"sha256:2376a0c12759aa1214ba83e771ff252c7b1663216b192fbe5e0fb364e952f85c"},"type":"cosign container image signature"},"optional":null}
  • ./cosign attach signature --signature ./payloadbase64.sig --payload ./payload.json --cert ./leafcert.pem --cert-chain ./certchain.pem ttl.sh/cosign-ci/d442caf9@sha256:2376a0c12759aa1214ba83e771ff252c7b1663216b192fbe5e0fb364e952f85c
  • grep -q application/vnd.oci.image.config.v1+json
    ++ ./cosign triangulate ttl.sh/cosign-ci/d442caf9@sha256:2376a0c12759aa1214ba83e771ff252c7b1663216b192fbe5e0fb364e952f85c
  • crane manifest ttl.sh/cosign-ci/d442caf9:sha256-2376a0c12759aa1214ba83e771ff252c7b1663216b192fbe5e0fb364e952f85c.sig
  • grep -q dev.sigstore.cosign/certificate
    ++ ./cosign triangulate ttl.sh/cosign-ci/d442caf9@sha256:2376a0c12759aa1214ba83e771ff252c7b1663216b192fbe5e0fb364e952f85c
  • crane manifest ttl.sh/cosign-ci/d442caf9:sha256-2376a0c12759aa1214ba83e771ff252c7b1663216b192fbe5e0fb364e952f85c.sig
  • grep -q dev.sigstore.cosign/chain
    ++ ./cosign triangulate ttl.sh/cosign-ci/d442caf9@sha256:2376a0c12759aa1214ba83e771ff252c7b1663216b192fbe5e0fb364e952f85c
  • crane manifest ttl.sh/cosign-ci/d442caf9:sha256-2376a0c12759aa1214ba83e771ff252c7b1663216b192fbe5e0fb364e952f85c.sig
  • export SIGSTORE_ROOT_FILE=./rootcert.pem
  • SIGSTORE_ROOT_FILE=./rootcert.pem
  • ./cosign verify ttl.sh/cosign-ci/d442caf9@sha256:2376a0c12759aa1214ba83e771ff252c7b1663216b192fbe5e0fb364e952f85c --insecure-ignore-sct --insecure-ignore-tlog --certificate-identity-regexp '.' --certificate-oidc-issuer-regexp '.'
    WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
    MUKUL inside cosign VerifyImageSignatures

Verification for ttl.sh/cosign-ci/d442caf9@sha256:2376a0c12759aa1214ba83e771ff252c7b1663216b192fbe5e0fb364e952f85c --
The following checks were performed on each of these signatures:

  • The cosign claims were validated
  • The code-signing certificate was verified using trusted certificate authority certificates

[{"critical":{"identity":{"docker-reference":"ttl.sh/cosign-ci/d442caf9"},"image":{"docker-manifest-digest":"sha256:2376a0c12759aa1214ba83e771ff252c7b1663216b192fbe5e0fb364e952f85c"},"type":"cosign container image signature"},"optional":{"Subject":"[email protected]"}}]

@haydentherapper
Contributor

@s1ntaxe770r Could you run git update-index --chmod=+x ./test/e2e_test_attach.sh and push that change? That should be the issue.
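
The index-mode condition behind the `Permission denied` / exit code 126 failure in this thread, as an added example that is not part of the original conversation or the cosign repository. It builds a throwaway repository with a constructed script path (`test/e2e_demo.sh`), lists tracked `*.sh` files stored as mode 100644, and applies the same `git update-index --chmod=+x` fix; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect tracked shell scripts whose git index mode is not
# executable. A CI checkout recreates files with the mode stored in the index,
# so a 100644 script fails with "Permission denied" (exit code 126) when a
# workflow step invokes it directly.

# Print tracked *.sh paths recorded as 100644 in the index.
# $1 = repository directory.
nonexec_scripts() {
    git -C "$1" ls-files -s -- '*.sh' |
        awk '$1 == "100644" { sub(/^[^\t]*\t/, ""); print }'
}

# Set the executable bit in the index only; the working-tree mode is untouched.
# $1 = repository directory, $2 = path relative to the repository root.
mark_executable() {
    git -C "$1" update-index --chmod=+x -- "$2"
}

# Build a throwaway repository (constructed sample, not the cosign tree)
# containing one staged, non-executable script. Prints the repository path.
make_demo_repo() {
    repo=$(mktemp -d) || return 1
    git -C "$repo" init -q || return 1
    mkdir -p "$repo/test"
    printf '#!/bin/sh\necho attach test\n' > "$repo/test/e2e_demo.sh"
    chmod 644 "$repo/test/e2e_demo.sh"
    git -C "$repo" add test/e2e_demo.sh || return 1
    printf '%s\n' "$repo"
}

demo() {
    repo=$(make_demo_repo) || return 1
    echo "non-executable before fix: $(nonexec_scripts "$repo")"
    mark_executable "$repo" test/e2e_demo.sh
    echo "non-executable after fix:  $(nonexec_scripts "$repo")"
    git -C "$repo" ls-files -s
    rm -rf "$repo"
}

demo
```

Running `nonexec_scripts` against a checkout as a lint step surfaces this class of failure before a workflow tries to execute the script.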

Signed-off-by: s1ntaxe770r <[email protected]>
Signed-off-by: s1ntaxe770r <[email protected]>
@s1ntaxe770r
Contributor Author

🫡 done.

Contributor

@haydentherapper haydentherapper left a comment

Thanks!

@haydentherapper haydentherapper merged commit f68679a into sigstore:main Jul 17, 2023
@github-actions github-actions bot added this to the v2.1.1 milestone Jul 17, 2023
@s1ntaxe770r s1ntaxe770r deleted the e2e-test branch July 17, 2023 18:02
@cpanato cpanato modified the milestones: v2.1.1, v2.2.0 Jul 28, 2023
Development

Successfully merging this pull request may close these issues.

Add GitHub Action for e2e test for cosign attach
4 participants