Fix e2e test failure, add test for local bundle without rekor bundle

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
sigstore · Sep 14, 2022 · fb51ab0 · fb51ab0
1 parent 58a96ba
commit fb51ab0
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/cmd/cosign/cli/verify/verify_blob_test.go b/cmd/cosign/cli/verify/verify_blob_test.go
@@ -287,6 +287,15 @@ func TestVerifyBlob(t *testing.T) {
 				pubKeyBytes, true),
 			shouldErr: false,
 		},
+		{
+			name:         "valid signature with public key - bundle without rekor bundle fails",
+			blob:         blobBytes,
+			signature:    blobSignature,
+			sigVerifier:  signer,
+			experimental: false,
+			bundlePath:   makeLocalBundleWithoutRekorBundle(t, []byte(blobSignature), pubKeyBytes),
+			shouldErr:    true,
+		},
 		{
 			name:         "valid signature with public key - bad bundle SET",
 			blob:         blobBytes,
@@ -647,6 +656,26 @@ func makeLocalBundle(t *testing.T, rekorSigner signature.ECDSASignerVerifier,
 	return bundlePath
 }
 
+func makeLocalBundleWithoutRekorBundle(t *testing.T, sig []byte, svBytes []byte) string {
+	td := t.TempDir()
+
+	b := cosign.LocalSignedPayload{
+		Base64Signature: base64.StdEncoding.EncodeToString(sig),
+		Cert:            string(svBytes),
+	}
+
+	// Write bundle to disk
+	jsonBundle, err := json.Marshal(b)
+	if err != nil {
+		t.Fatal(err)
+	}
+	bundlePath := filepath.Join(td, "bundle.sig")
+	if err := os.WriteFile(bundlePath, jsonBundle, 0644); err != nil {
+		t.Fatal(err)
+	}
+	return bundlePath
+}
+
 func TestVerifyBlobCmdWithBundle(t *testing.T) {
 	keyless := newKeylessStack(t)
 

diff --git a/test/e2e_test_secrets.sh b/test/e2e_test_secrets.sh
@@ -110,13 +110,16 @@ echo "myblob2" > myblob2
 ./cosign sign-blob --key ${signing_key} myblob2 > myblob2.sig
 
 ./cosign verify-blob --key ${verification_key} --signature myblob.sig myblob
+# expected to fail because signature mismatch
 if (./cosign verify-blob --key ${verification_key} --signature myblob.sig myblob2); then false; fi
 
+# expected to fail because signature mismatch
 if (./cosign verify-blob --key ${verification_key} --signature myblob2.sig myblob); then false; fi
 ./cosign verify-blob --key ${verification_key} --signature myblob2.sig myblob2
 
 ./cosign sign-blob --key ${signing_key} --bundle bundle.sig myblob
-./cosign verify-blob --key ${verification_key} --bundle bundle.sig myblob
+# expected to fail because the local bundle does not contain a rekor bundle
+if (./cosign verify-blob --key ${verification_key} --bundle bundle.sig myblob); then false; fi
 
 ## sign and verify multiple blobs
 ./cosign sign-blob --key ${signing_key} myblob myblob2 > sigs