Use TUF from scaffolding for validating cosign. (#2146)

* Use TUF from scaffolding for validating cosign. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * pin to scaffolding v0.4.2. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * fix typo, missing ' Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * vscode, not now. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * ok, here we go. Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
sigstore · Aug 10, 2022 · 425bd10 · 425bd10
1 parent 72c4224
commit 425bd10
Showing 1 changed file with 11 additions and 9 deletions.
diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml
@@ -32,21 +32,14 @@ jobs:
     strategy:
       matrix:
         k8s-version:
-        - v1.22.x
-        # Try without this one now, might have problems with job restartings
-        # may require upstream changes.
-        - v1.23.x
         - v1.24.x
 
     env:
-      KNATIVE_VERSION: "1.5.0"
       KO_DOCKER_REPO: "registry.local:5000/policy-controller"
-      SCAFFOLDING_RELEASE_VERSION: "v0.3.0"
+      SCAFFOLDING_RELEASE_VERSION: "v0.4.2"
       GO111MODULE: on
       GOFLAGS: -ldflags=-s -ldflags=-w
       KOCACHE: ~/ko
-      # Trust the custom Rekor API endpoint for fetching the Public Key from it.
-      SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY: "true"
       # We are only testing keyless here, so set it.
       COSIGN_EXPERIMENTAL: "true"
 
@@ -67,8 +60,12 @@ jobs:
       run: |
         make cosign
 
-    - name: Install cluster + cosign
+    - name: Install cluster + sigstore
       uses: sigstore/scaffolding/actions/setup@main
+      with:
+        legacy-variables: "false"
+        k8s-version: ${{ matrix.k8s-version }}
+        version: ${{ env.SCAFFOLDING_RELEASE_VERSION }}
 
     - name: Create sample image - demoimage
       run: |
@@ -86,6 +83,11 @@ jobs:
         echo Created image $demoimage
         popd
 
+    - name: Initialize with our custom TUF root
+      run: |
+        TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
+        ./cosign initialize --mirror $TUF_MIRROR --root ./root.json
+
     - name: Sign demoimage with cosign
       run: |
         ./cosign sign --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --force --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }}