From 6c06f4e222a9a9abf19eaf242cc22ab750f9a2b2 Mon Sep 17 00:00:00 2001 From: Paulo Gomes Date: Thu, 29 Sep 2022 07:01:36 +0100 Subject: [PATCH] The libgit2 libraries are downloaded and verified before some of the make targets are executed. This assures the provenance of such files before using them and is very important specially for end users running such tests on their machines. Note that has been disabled specially due to recent issues we experienced at CI which can be seen in: fluxcd/source-controller#899 Signed-off-by: Paulo Gomes --- .github/workflows/cifuzz.yaml | 2 ++ .github/workflows/e2e.yaml | 2 ++ .github/workflows/tests.yaml | 5 +++++ Makefile | 3 +++ hack/install-libraries.sh | 11 ++++++++--- 5 files changed, 20 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cifuzz.yaml b/.github/workflows/cifuzz.yaml index ebf71fb13..6ff2940d8 100644 --- a/.github/workflows/cifuzz.yaml +++ b/.github/workflows/cifuzz.yaml @@ -33,3 +33,5 @@ jobs: ${{ runner.os }}-go - name: Smoke test Fuzzers run: make fuzz-smoketest + env: + SKIP_COSIGN_VERIFICATION: true diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 7a79f004c..024885e82 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -47,6 +47,7 @@ jobs: uses: fluxcd/pkg/actions/helm@main - name: Run E2E tests env: + SKIP_COSIGN_VERIFICATION: true CREATE_CLUSTER: false run: make e2e @@ -76,6 +77,7 @@ jobs: kind create cluster --name ${{ steps.prep.outputs.CLUSTER }} --kubeconfig=/tmp/${{ steps.prep.outputs.CLUSTER }} - name: Run e2e tests env: + SKIP_COSIGN_VERIFICATION: true KIND_CLUSTER_NAME: ${{ steps.prep.outputs.CLUSTER }} KUBECONFIG: /tmp/${{ steps.prep.outputs.CLUSTER }} CREATE_CLUSTER: false diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index edf92c396..67931add6 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -34,6 +34,7 @@ jobs: ${{ runner.os }}-go- - name: Run tests env: + SKIP_COSIGN_VERIFICATION: true TEST_AZURE_ACCOUNT_NAME: ${{ secrets.TEST_AZURE_ACCOUNT_NAME }} TEST_AZURE_ACCOUNT_KEY: ${{ secrets.TEST_AZURE_ACCOUNT_KEY }} run: make test @@ -51,6 +52,8 @@ jobs: go-version: 1.19.x - name: Run tests env: + SKIP_COSIGN_VERIFICATION: true + TEST_AZURE_ACCOUNT_NAME: ${{ secrets.TEST_AZURE_ACCOUNT_NAME }} TEST_AZURE_ACCOUNT_KEY: ${{ secrets.TEST_AZURE_ACCOUNT_KEY }} @@ -87,3 +90,5 @@ jobs: ${{ runner.os }}-go- - name: Run tests run: make test + env: + SKIP_COSIGN_VERIFICATION: true diff --git a/Makefile b/Makefile index 4207a121f..66ffac721 100644 --- a/Makefile +++ b/Makefile @@ -12,6 +12,9 @@ GO_TEST_ARGS ?= -race # Allows for filtering tests based on the specified prefix GO_TEST_PREFIX ?= +# Defines whether cosign verification should be skipped. +SKIP_COSIGN_VERIFICATION ?= false + # Allows for defining additional Docker buildx arguments, # e.g. '--push'. BUILD_ARGS ?= diff --git a/hack/install-libraries.sh b/hack/install-libraries.sh index 9e4966a5b..aed0507a1 100755 --- a/hack/install-libraries.sh +++ b/hack/install-libraries.sh @@ -6,6 +6,7 @@ IMG="${IMG:-}" TAG="${TAG:-}" IMG_TAG="${IMG}:${TAG}" DOWNLOAD_URL="https://github.com/fluxcd/golang-with-libgit2/releases/download/${TAG}" +SKIP_COSIGN_VERIFICATION="${SKIP_COSIGN_VERIFICATION:-false}" TMP_DIR=$(mktemp -d) @@ -48,9 +49,13 @@ cosign_verify(){ assure_provenance() { [[ $# -eq 1 ]] || fatal 'assure_provenance needs exactly 1 arguments' - cosign_verify "${TMP_DIR}/checksums.txt.pem" \ - "${TMP_DIR}/checksums.txt.sig" \ - "${TMP_DIR}/checksums.txt" + if "${SKIP_COSIGN_VERIFICATION}"; then + echo 'Skipping cosign verification...' + else + cosign_verify "${TMP_DIR}/checksums.txt.pem" \ + "${TMP_DIR}/checksums.txt.sig" \ + "${TMP_DIR}/checksums.txt" + fi pushd "${TMP_DIR}" || exit if command -v sha256sum; then