From 645636e07c7d83170ad39fb3e3b0d45a8f341860 Mon Sep 17 00:00:00 2001
From: Colleen Murphy
Date: Mon, 20 May 2024 15:28:12 -0700
Subject: [PATCH] Remove sign_blob_test.sh test (#3707)

The bug that this test was meant to address[1] applies to a feature that was removed from cosign[2]. The updates made to the script to allow for the breaking changes actually make the test invalid, because while it was once verifying the original artifact signature, the final verification step is now actually verifying against the uploaded rekor entry, so the original signature is inconsequential.

[1] https://github.com/sigstore/cosign/pull/1673
[2] https://github.com/sigstore/cosign/pull/2425

Signed-off-by: Colleen Murphy
---
.github/workflows/github-oidc.yaml | 5 --
test/ci.mk | 4 --
test/sign_blob_test.sh | 85 -----------------------------
test/testdata/README.md | 10 ----
test/testdata/test_blob_cert.pem | 10 ----
test/testdata/test_blob_private_key | 8 ---
test/testdata/test_blob_public_key | 4 --
7 files changed, 126 deletions(-)
delete mode 100755 test/sign_blob_test.sh
delete mode 100644 test/testdata/README.md
delete mode 100644 test/testdata/test_blob_cert.pem
delete mode 100644 test/testdata/test_blob_private_key
delete mode 100644 test/testdata/test_blob_public_key

diff --git a/.github/workflows/github-oidc.yaml b/.github/workflows/github-oidc.yaml
index 7d6559f334a..1527ee189b2 100644
--- a/.github/workflows/github-oidc.yaml
+++ b/.github/workflows/github-oidc.yaml
@@ -62,8 +62,3 @@ jobs:
 set -e
 # Build and publish an image.
 make sign-ci-keyless-containers
-
- - name: Build and sign a blob
- run: |
- set -e
- make sign-blob-experimental
diff --git a/test/ci.mk b/test/ci.mk
index 246ed3395aa..3742446c1df 100644
--- a/test/ci.mk
+++ b/test/ci.mk
@@ -9,7 +9,3 @@ sign-ci-containers: ko
 .PHONY: sign-ci-keyless-containers
 sign-ci-keyless-containers: ko
 ./scripts/sign-images-ci.sh
-
-.PHONY: sign-blob-experimental
-sign-blob-experimental:
- ./test/sign_blob_test.sh
diff --git a/test/sign_blob_test.sh b/test/sign_blob_test.sh
deleted file mode 100755
index a82601e89b2..00000000000
--- a/test/sign_blob_test.sh
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright 2021 The Sigstore Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# This test checks that verify-blob will iterate over all entries and check for at least one valid entry before erroring out
-# This is to prevent verify-blob from only checking the most recent entry, which could result
-# in a "denial of service" type attack if someone signs a piece of software
-# with their own certificate which doesn't chain up to Sigstore
-
-set -ex
-
-COSIGN_CLI=./cosign
-
-echo "Creating a unique blob"
-BLOB=verify-experimental-blob
-date > $BLOB
-cat $BLOB
-
-echo "Sign the blob with cosign first and upload to rekor"
-$COSIGN_CLI sign-blob --yes --output-certificate blob.cert --output-signature blob.sig $BLOB
-
-echo "Verifying ..."
-$COSIGN_CLI verify-blob --signature blob.sig --cert blob.cert --certificate-identity-regexp '.*' --certificate-oidc-issuer-regexp '.*' $BLOB
-echo "Verifying using cosign ENV variables..."
-COSIGN_SIGNATURE=blob.sig COSIGN_CERTIFICATE=blob.cert $COSIGN_CLI verify-blob --certificate-identity-regexp '.*' --certificate-oidc-issuer-regexp '.*' $BLOB
-
-# Now, sign the blob with a self-signed certificate and upload to rekor
-SIG_FILE=verify-experimental-signature
-PRIV_KEY=./test/testdata/test_blob_private_key
-PUB_KEY=./test/testdata/test_blob_public_key
-CERT_FILE=./test/testdata/test_blob_cert.pem
-
-openssl dgst -sha256 -sign $PRIV_KEY -out $SIG_FILE $BLOB
-openssl dgst -sha256 -verify $PUB_KEY -signature $SIG_FILE $BLOB
-
-SHA256HASH=$(sha256sum $BLOB | cut -f1 -d' ')
-
-SIGNATURE=$(cat $SIG_FILE | base64)
-echo "Signature: $SIGNATURE"
-
-CERT=$(cat $CERT_FILE | base64)
-echo "Cert: $CERT"
-
-JSON_BODY_FILE=verify-experimental-blob-http-body.json
-cat < $JSON_BODY_FILE
-{
- "apiVersion": "0.0.1",
- "spec": {
- "data": {
- "hash": {
- "algorithm": "sha256",
- "value": "$SHA256HASH"
- }
- },
- "signature": {
- "content": "$SIGNATURE",
- "publicKey": {
- "content": "$CERT"
- }
- }
- },
- "kind": "hashedrekord"
-}
-EOF
-
-curl -X POST https://rekor.sigstore.dev/api/v1/log/entries -H 'Content-Type: application/json' -d @$JSON_BODY_FILE
-
-# Verifying should still work
-echo "Verifying ..."
-$COSIGN_CLI verify-blob --signature "$SIG_FILE" --cert "$CERT_FILE" --certificate-chain "$CERT_FILE" --insecure-ignore-sct --certificate-identity-regexp '.*' --certificate-oidc-issuer-regexp '.*' "$BLOB"
-
-echo "Verifying using cosign ENV variables ..."
-COSIGN_SIGNATURE="$SIG_FILE" COSIGN_CERTIFICATE_CHAIN="$CERT_FILE" COSIGN_CERTIFICATE="$CERT_FILE" $COSIGN_CLI verify-blob --insecure-ignore-sct --certificate-identity-regexp '.*' --certificate-oidc-issuer-regexp '.*' "$BLOB"
diff --git a/test/testdata/README.md b/test/testdata/README.md
deleted file mode 100644
index 2469736fcf4..00000000000
--- a/test/testdata/README.md
+++ /dev/null
@@ -1,10 +0,0 @@
-# Generate Certificate
-
-If the `test/testdata/test_blob_cert.pem` expire you can generate a new certificate to use in the tests running the
-following command:
-
-```shell
-$ openssl req -key test/testdata/test_blob_private_key -x509 -days 3650 -out cert.pem -new -nodes -subj "/" -addext "subjectAltName = email:foo@example.com"
-```
-
-and then you replace the old `test/testdata/test_blob_cert.pem` with the new certificate.
diff --git a/test/testdata/test_blob_cert.pem b/test/testdata/test_blob_cert.pem
deleted file mode 100644
index 72d042b4983..00000000000
--- a/test/testdata/test_blob_cert.pem
+++ /dev/null
@@ -1,10 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBdDCCARqgAwIBAgIUZw7gQ6T/IgmiMD1AWB2OTIIVH1owCgYIKoZIzj0EAwIw
-ADAeFw0yMjEyMjEwMDIwNThaFw0zMjEyMTgwMDIwNThaMAAwWTATBgcqhkjOPQIB
-BggqhkjOPQMBBwNCAAR1Q4hB1jtagrdsVxygtDa/rli00U7n/1I/NSw8yoMRQ+MO
-AjRhg3gtcV0tha34L6150qJirQHbfocsao8X6wFmo3IwcDAdBgNVHQ4EFgQUx3Wb
-0LwCWoGsl0FUpeQb3M4MukkwHwYDVR0jBBgwFoAUx3Wb0LwCWoGsl0FUpeQb3M4M
-ukkwEgYDVR0TAQH/BAgwBgEB/wIBATAaBgNVHREEEzARgQ9mb29AZXhhbXBsZS5j
-b20wCgYIKoZIzj0EAwIDSAAwRQIhALXG7XS5TIFLp+jLSxjuRk1Tj5MfE+y9x92Z
-YPMbi9GZAiAmfEe0+q5l3PnI6zliOG5kG6EcS80QQgQmPcFvRZWOvw==
------END CERTIFICATE-----
diff --git a/test/testdata/test_blob_private_key b/test/testdata/test_blob_private_key
deleted file mode 100644
index 149cd04cd04..00000000000
--- a/test/testdata/test_blob_private_key
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN EC PARAMETERS-----
-BggqhkjOPQMBBw==
------END EC PARAMETERS-----
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIMJRdxVQ7AH6z1BlE9ucEMSAQhY431IFHe0oVCH7Iw49oAoGCCqGSM49
-AwEHoUQDQgAEdUOIQdY7WoK3bFccoLQ2v65YtNFO5/9SPzUsPMqDEUPjDgI0YYN4
-LXFdLYWt+C+tedKiYq0B236HLGqPF+sBZg==
------END EC PRIVATE KEY-----
diff --git a/test/testdata/test_blob_public_key b/test/testdata/test_blob_public_key
deleted file mode 100644
index 7a3ffe8e47b..00000000000
--- a/test/testdata/test_blob_public_key
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdUOIQdY7WoK3bFccoLQ2v65YtNFO
-5/9SPzUsPMqDEUPjDgI0YYN4LXFdLYWt+C+tedKiYq0B236HLGqPF+sBZg==
------END PUBLIC KEY-----