Fix OIDC test (#2050)

* use cosign build from head Signed-off-by: cpanato <ctadeu@gmail.com> * add script to sign the digests and not the tags Signed-off-by: cpanato <ctadeu@gmail.com> * update test script and update the flags Signed-off-by: cpanato <ctadeu@gmail.com> * regenerate the certificate becasue the previous expired, now it is valid for 10 years Signed-off-by: cpanato <ctadeu@gmail.com> * add doc in how to regenerate a certificate in case we need it again :) Signed-off-by: cpanato <ctadeu@gmail.com> * enable cache Signed-off-by: cpanato <ctadeu@gmail.com> * uncomment Signed-off-by: cpanato <ctadeu@gmail.com>
sigstore · Jul 6, 2022 · dbd430f · dbd430f
1 parent 4ba8b6a
commit dbd430f
Show file tree

Hide file tree

Showing 6 changed files with 82 additions and 14 deletions.
diff --git a/.github/workflows/github-oidc.yaml b/.github/workflows/github-oidc.yaml
@@ -40,11 +40,16 @@ jobs:
         with:
           go-version: '1.17'
           check-latest: true
+          cache: true
 
       # Install tools.
-      - uses: sigstore/cosign-installer@48866aa521d8bf870604709cd43ec2f602d03ff2 # v2.3.0
       - uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675 # v0.4
 
+      - name: build cosign from the HEAD
+        run: |
+          make cosign
+          ./cosign version
+
       - name: Build and sign a container image
         run: |
           set -e
@@ -54,5 +59,4 @@ jobs:
       - name: Build and sign a blob
         run: |
           set -e
-          make cosign
           make sign-blob-experimental
diff --git a/scripts/sign-images-ci.sh b/scripts/sign-images-ci.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+# Copyright 2022 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License"";
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+: "${GIT_HASH:?Environment variable empty or not defined.}"
+: "${GITHUB_RUN_ID:?Environment variable empty or not defined.}"
+: "${GITHUB_RUN_ATTEMPT:?Environment variable empty or not defined.}"
+
+export COSIGN_EXPERIMENTAL=1
+COSIGN_CLI=./cosign
+
+if [[ ! -f cosignImagerefs ]]; then
+    echo "cosignImagerefs not found"
+    exit 1
+fi
+
+if [[ ! -f sgetImagerefs ]]; then
+    echo "sgetImagerefs not found"
+    exit 1
+fi
+
+echo "Signing cosign images using Keyless..."
+
+$COSIGN_CLI sign -a sha="$GIT_HASH" -a run_id="$GITHUB_RUN_ID" -a run_attempt="$GITHUB_RUN_ATTEMPT" "$(cat cosignImagerefs)"
+$COSIGN_CLI sign -a sha="$GIT_HASH" -a run_id="$GITHUB_RUN_ID" -a run_attempt="$GITHUB_RUN_ATTEMPT" "$(cat sgetImagerefs)"
diff --git a/test/ci.mk b/test/ci.mk
@@ -9,10 +9,7 @@ sign-ci-containers: ko
 
 .PHONY: sign-ci-keyless-containers
 sign-ci-keyless-containers: ko
-	cosign sign -a sha=$(GIT_HASH) -a run_id=${GITHUB_RUN_ID} -a run_attempt=${GITHUB_RUN_ATTEMPT} ${KO_PREFIX}/cosign:$(GIT_HASH)
-	cosign sign -a sha=$(GIT_HASH) -a run_id=${GITHUB_RUN_ID} -a run_attempt=${GITHUB_RUN_ATTEMPT} ${KO_PREFIX}/cosign:$(GIT_VERSION)
-	cosign sign -a sha=$(GIT_HASH) -a run_id=${GITHUB_RUN_ID} -a run_attempt=${GITHUB_RUN_ATTEMPT} ${KO_PREFIX}/sget:$(GIT_HASH)
-	cosign sign -a sha=$(GIT_HASH) -a run_id=${GITHUB_RUN_ID} -a run_attempt=${GITHUB_RUN_ATTEMPT} ${KO_PREFIX}/sget:$(GIT_VERSION)
+	./scripts/sign-images-ci.sh
 
 .PHONY: sign-blob-experimental
 sign-blob-experimental:

diff --git a/test/sign_blob_test.sh b/test/sign_blob_test.sh
@@ -30,10 +30,10 @@ date > $BLOB
 cat $BLOB
 
 echo "Sign the blob with cosign first and upload to rekor"
-SIG=$($COSIGN_CLI sign-blob $BLOB)
+$COSIGN_CLI sign-blob --output-certificate blob.cert --output-signature blob.sig $BLOB
 
 echo "Verifying ..."
-$COSIGN_CLI verify-blob -signature $SIG $BLOB
+$COSIGN_CLI verify-blob --signature blob.sig --cert blob.cert $BLOB
 
 # Now, sign the blob with a self-signed certificate and upload to rekor
 SIG_FILE=verify-experimental-signature
@@ -78,4 +78,4 @@ curl -X POST https://rekor.sigstore.dev/api/v1/log/entries -H 'Content-Type: app
 
 # Verifying should still work
 echo "Verifying ..."
-$COSIGN_CLI verify-blob --signature $SIG $BLOB
+$COSIGN_CLI verify-blob --signature "$SIG_FILE" --cert "$CERT_FILE" "$BLOB"
diff --git a/test/testdata/README.md b/test/testdata/README.md
@@ -0,0 +1,26 @@
+# Generate Certificate
+
+If the `test/testdata/test_blob_cert.pem` expire you can generate a new certificate to use in the tests running the
+following command:
+
+```shell
+$ openssl req -key test/testdata/test_blob_private_key -x509 -days 3650 -out cert.pem -new -nodes
+
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) []:US
+State or Province Name (full name) []:CA
+Locality Name (eg, city) []:SF
+Organization Name (eg, company) []:Company
+Organizational Unit Name (eg, section) []:Unit
+Common Name (eg, fully qualified host name) []:www.example.org
+Email Address []:email@email.com
+```
+
+and then you replace the old `test/testdata/test_blob_cert.pem` with the new certificate.
+
diff --git a/test/testdata/test_blob_cert.pem b/test/testdata/test_blob_cert.pem
@@ -1,13 +1,13 @@
 -----BEGIN CERTIFICATE-----
-MIIB9jCCAZwCCQDmJAPXiurv9jAKBggqhkjOPQQDAjCBgjELMAkGA1UEBhMCVVMx
+MIIB9zCCAZwCCQCtaU3hib3CkTAKBggqhkjOPQQDAjCBgjELMAkGA1UEBhMCVVMx
 CzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEQMA4GA1UECgwHQ29tcGFueTENMAsG
 A1UECwwEVW5pdDEYMBYGA1UEAwwPd3d3LmV4YW1wbGUub3JnMR4wHAYJKoZIhvcN
-AQkBFg9lbWFpbEBlbWFpbC5jb20wHhcNMjIwMzI4MTgwNDIwWhcNMjIwNDI3MTgw
-NDIwWjCBgjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEQ
+AQkBFg9lbWFpbEBlbWFpbC5jb20wHhcNMjIwNzA2MTQyMzU5WhcNMzIwNzAzMTQy
+MzU5WjCBgjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEQ
 MA4GA1UECgwHQ29tcGFueTENMAsGA1UECwwEVW5pdDEYMBYGA1UEAwwPd3d3LmV4
 YW1wbGUub3JnMR4wHAYJKoZIhvcNAQkBFg9lbWFpbEBlbWFpbC5jb20wWTATBgcq
 hkjOPQIBBggqhkjOPQMBBwNCAAR1Q4hB1jtagrdsVxygtDa/rli00U7n/1I/NSw8
 yoMRQ+MOAjRhg3gtcV0tha34L6150qJirQHbfocsao8X6wFmMAoGCCqGSM49BAMC
-A0gAMEUCIQDkZ4ZmFOK2Ze+znScge1JidTRzxNxCLbrdfc5yEJia2QIgCEjIY6Zo
-QUwiyuC3ll5a9GDc4swfguZq9kOFX9bD0XQ=
+A0kAMEYCIQDperCsZxqQRZXSMk4DiJCxSQfT+gaX+aLbhOS1AoTbGQIhAO22bQ87
+9ngud/Klrih6bm4rde6oLtfVB+12wSetEqpd
 -----END CERTIFICATE-----