Fix e2e test failure, add test for local bundle without rekor bundle #2248

Merged
merged 2 commits into from Sep 14, 2022
29 changes: 29 additions & 0 deletions cmd/cosign/cli/verify/verify_blob_test.go
@@ -287,6 +287,15 @@ func TestVerifyBlob(t *testing.T) {
pubKeyBytes, true),
shouldErr: false,
},
{
name: "valid signature with public key - bundle without rekor bundle fails",
blob: blobBytes,
signature: blobSignature,
sigVerifier: signer,
experimental: false,
bundlePath: makeLocalBundleWithoutRekorBundle(t, []byte(blobSignature), pubKeyBytes),
shouldErr: true,
},
{
name: "valid signature with public key - bad bundle SET",
blob: blobBytes,
@@ -647,6 +656,26 @@ func makeLocalBundle(t *testing.T, rekorSigner signature.ECDSASignerVerifier,
return bundlePath
}

func makeLocalBundleWithoutRekorBundle(t *testing.T, sig []byte, svBytes []byte) string {
td := t.TempDir()

b := cosign.LocalSignedPayload{
Base64Signature: base64.StdEncoding.EncodeToString(sig),
Cert: string(svBytes),
}

// Write bundle to disk
jsonBundle, err := json.Marshal(b)
if err != nil {
t.Fatal(err)
}
bundlePath := filepath.Join(td, "bundle.sig")
if err := os.WriteFile(bundlePath, jsonBundle, 0644); err != nil {
t.Fatal(err)
}
return bundlePath
}

func TestVerifyBlobCmdWithBundle(t *testing.T) {
keyless := newKeylessStack(t)

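Review bot: The new table entry only sets `shouldErr: true`, so it passes on any verification error and does not show that the missing Rekor bundle is what caused the rejection. `makeLocalBundleWithoutRekorBundle` writes the bytes the call site passes as `pubKeyBytes` into the `Cert` field, so an unrelated failure (for example while handling that field) could presumably satisfy the case even if the Rekor-bundle check regressed. Consider asserting on the error text in the loop that consumes the table, which is outside this hunk, and adding a doc comment such as `// makeLocalBundleWithoutRekorBundle writes a LocalSignedPayload with a signature and Cert but no Rekor bundle, and returns its path.` The write-to-disk tail also appears to duplicate the end of `makeLocalBundle`, whose body starts outside the hunk.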
5 changes: 4 additions & 1 deletion test/e2e_test_secrets.sh
@@ -110,13 +110,16 @@ echo "myblob2" > myblob2
./cosign sign-blob --key ${signing_key} myblob2 > myblob2.sig

./cosign verify-blob --key ${verification_key} --signature myblob.sig myblob
# expected to fail because signature mismatch
if (./cosign verify-blob --key ${verification_key} --signature myblob.sig myblob2); then false; fi

# expected to fail because signature mismatch
if (./cosign verify-blob --key ${verification_key} --signature myblob2.sig myblob); then false; fi
./cosign verify-blob --key ${verification_key} --signature myblob2.sig myblob2

./cosign sign-blob --key ${signing_key} --bundle bundle.sig myblob
./cosign verify-blob --key ${verification_key} --bundle bundle.sig myblob
# expected to fail because the local bundle does not contain a rekor bundle
if (./cosign verify-blob --key ${verification_key} --bundle bundle.sig myblob); then false; fi

## sign and verify multiple blobs
./cosign sign-blob --key ${signing_key} myblob myblob2 > sigs
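Review bot: The expected-failure check on the last `verify-blob --bundle bundle.sig` line accepts any non-zero exit, so a missing `bundle.sig` or a bad key path would satisfy it just as well as the missing Rekor bundle named in the comment. Capturing stderr and matching the diagnostic would pin the reason, e.g. `if (./cosign verify-blob --key ${verification_key} --bundle bundle.sig myblob 2> verify.err); then false; fi` followed by `grep -q "<expected error text>" verify.err`. The same applies to the two signature-mismatch checks above it. Whether `false` actually aborts the script depends on `set -e` being in effect, which is set outside this hunk if at all.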