Merge pull request #415 from jkl73/updatesig

[launcher] Update image signature in test
google · Feb 22, 2024 · a9a11b4 · a9a11b4
2 parents 952ecdf + 76c450a
commit a9a11b4
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 2 deletions.
diff --git a/launcher/image/test/test_oda_with_signed_container.yaml b/launcher/image/test/test_oda_with_signed_container.yaml
@@ -5,9 +5,9 @@ substitutions:
   '_VM_NAME_PREFIX': 'oda-signedcontainer'
   '_ZONE': 'us-east1-b'
   # If the workload image changes, the commit author should change the cosign signature as well to not break tests.
-  '_WORKLOAD_IMAGE': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/ipc/happypath@sha256:999831a7b8f8afd323e2359f3c1192206be2aa1d4f3b19f0739eff5f01f83b9e'
+  '_WORKLOAD_IMAGE': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/ipc/happypath@sha256:a7d9b216e16ad1fb2b1e8a35e3da58b21ee8dba84c3b4970567d7ec0234a4010'
   '_SIGNATURE_REPO': 'us-docker.pkg.dev/confidential-space-images-dev/cs-cosign-tests/oda'
-  '_EXPECTED_SIG': 'EQCIBIEAGtAqxzhMqq2jhs76KJZaD5VXvKV93yotPUtD7yDAiAFS4zFyiRicrhzeS1nmb9SpuAtDRSwv1lWaSWxWiwLTw=='
+  '_EXPECTED_SIG': 'MEUCIQCytUYBmuaWckWX6tNshHPELSyRLb41eRh6os3l4NCFMgIgUalPTILyb02Tqri9Ebtm56FkF+gcKbaVHkbpIJencOs='
 
 steps:
 - name: 'gcr.io/cloud-builders/gcloud'

diff --git a/launcher/image/testworkloads/customtoken/happypath/Dockerfile b/launcher/image/testworkloads/customtoken/happypath/Dockerfile
@@ -1,6 +1,27 @@
+# If updated the workload source code or this Dockerfile, need to rebuild the image and regenerate the signature
 # From current directory:
 # GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o main .
 # gcloud builds submit --tag us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/ipc/happypath:latest
+# # Record the image digest generated by this command
+#
+# Updating the container signature
+# 
+# # Install cosign
+# go install github.com/sigstore/cosign/v2/cmd/cosign@latest
+#
+# Designate the sig repo
+# export COSIGN_REPOSITORY=us-docker.pkg.dev/confidential-space-images-dev/cs-cosign-tests/oda
+#
+# # Since we don't verify the signature in the test, you can just generate your own key
+# cosign generate-key-pair
+# cosign public-key --key cosign.key > pub.pem
+# PUB=$(cat pub.pem | openssl base64)
+# PUB=$(echo $PUB | tr -d '[:space:]' | sed 's/[=]*$//')
+# # Sign the container, <IMAGE_DIGEST> is from the gcloud builds submit command above
+# cosign sign --key cosign.key us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/ipc/happypath@sha256:<IMAGE_DIGEST> -a dev.cosignproject.cosign/sigalg=ECDSA_P256_SHA256 -a dev.cosignproject.cosign/pub=$PUB
+#
+# Once finished, refering to pr#415 to on how to update the signature and image
+
 FROM alpine
 
 COPY main /