From 2b7c6f6a168e1c2b2afd994fdd7d50b7107c95be Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Thu, 5 Dec 2024 09:58:27 -0700
Subject: [PATCH 1/4] add integration test for bundle-from-oci option
Signed-off-by: Meredith Lancaster
---
 .../verify/verify_integration_test.go | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/pkg/cmd/attestation/verify/verify_integration_test.go b/pkg/cmd/attestation/verify/verify_integration_test.go
index 781cb4df1df..f20ecfc3190 100644
--- a/pkg/cmd/attestation/verify/verify_integration_test.go
+++ b/pkg/cmd/attestation/verify/verify_integration_test.go
@@ -111,6 +111,25 @@ func TestVerifyIntegration(t *testing.T) {
 require.Error(t, err)
 require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\"")
 })
+
+ t.Run("with bundle from OCI registry", func(t *testing.T) {
+ opts := Options{
+ APIClient: api.NewLiveClient(hc, host, logger),
+ ArtifactPath: "oci://ghcr.io/malancas/attest-demo:latest",
+ UseBundleFromRegistry: true,
+ DigestAlgorithm: "sha256",
+ Logger: logger,
+ OCIClient: oci.NewLiveClient(),
+ OIDCIssuer: verification.GitHubOIDCIssuer,
+ Owner: "malancas",
+ PredicateType: verification.SLSAPredicateV1,
+ SANRegex: "^https://github.com/malancas/",
+ SigstoreVerifier: verification.NewLiveSigstoreVerifier(sigstoreConfig),
+ }
+
+ err := runVerify(&opts)
+ require.NoError(t, err)
+ })
 }
 
 func TestVerifyIntegrationCustomIssuer(t *testing.T) {
From 006ed7b5b55769c5f2ed6bbe7f7ea9811d7b3714 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Thu, 5 Dec 2024 10:02:01 -0700
Subject: [PATCH 2/4] add gh attestation verify integration test for oci bundles
Signed-off-by: Meredith Lancaster
---
 .../attestation-cmd/verify-oci-bundle.sh | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 test/integration/attestation-cmd/verify-oci-bundle.sh
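Review bot: The `ArtifactPath` value `oci://ghcr.io/malancas/attest-demo:latest` pins the verification subject by a mutable tag, so anyone who can push to that repository can change what this subtest verifies (and whether it passes) without any change to this code; the versioned tag that patch 4/4 substitutes here and in `test/integration/attestation-cmd/verify-oci-bundle.sh` has the same property. If the OCI client accepts digest references, pin the subject as `oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller@sha256:<digest>` so the test always exercises one fixed image, and note the human-readable tag in a comment beside it. The enclosing `TestVerifyIntegration` begins outside the hunk, so I cannot see whether `hc`, `host`, `logger` and `sigstoreConfig` come with a network-availability skip that this live-registry subtest should also honour.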
diff --git a/test/integration/attestation-cmd/verify-oci-bundle.sh b/test/integration/attestation-cmd/verify-oci-bundle.sh
new file mode 100644
index 00000000000..22f9e29bf83
--- /dev/null
+++ b/test/integration/attestation-cmd/verify-oci-bundle.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Get the root directory of the repository
+rootDir="$(git rev-parse --show-toplevel)"
+
+ghBuildPath="$rootDir/bin/gh"
+
+# Verify an OCI artifact with bundles stored on the GHCR OCI registry
+echo "Testing with package $sigstore02PackageFile and attestation $sigstore02AttestationFile"
+if ! $ghBuildPath attestation verify oci://ghcr.io/malancas/attest-demo:latest --owner=malancas --bundle-from-oci; then
+ echo "Failed to verify oci://ghcr.io/malancas/attest-demo:latest with bundles from the GHCR OCI registry"
+ exit 1
+fi
From 7e69c0d4ab296b5b2dba48f01cd8a9f1483853f7 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Thu, 5 Dec 2024 10:06:26 -0700
Subject: [PATCH 3/4] fix package reference
Signed-off-by: Meredith Lancaster
---
 test/integration/attestation-cmd/verify-oci-bundle.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 mode change 100644 => 100755 test/integration/attestation-cmd/verify-oci-bundle.sh
diff --git a/test/integration/attestation-cmd/verify-oci-bundle.sh b/test/integration/attestation-cmd/verify-oci-bundle.sh
old mode 100644
new mode 100755
index 22f9e29bf83..c0444899dc3
--- a/test/integration/attestation-cmd/verify-oci-bundle.sh
+++ b/test/integration/attestation-cmd/verify-oci-bundle.sh
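Review bot: `$ghBuildPath` is expanded unquoted in the `if ! $ghBuildPath attestation verify …` line, so a checkout whose path contains whitespace is word-split and the wrong command runs; quote it as `if ! "$ghBuildPath" attestation verify …`. The same unquoted expansion survives into the rewrite of this line in patch 4/4. It would also help to fail early with a clear message when the binary has not been built, e.g. `[ -x "$ghBuildPath" ] || { echo "gh binary not found at $ghBuildPath"; exit 1; }` placed before the comment, since otherwise the failure surfaces as a generic command-not-found from inside the `if`.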
@@ -7,7 +7,7 @@ rootDir="$(git rev-parse --show-toplevel)"
 ghBuildPath="$rootDir/bin/gh"
 
 # Verify an OCI artifact with bundles stored on the GHCR OCI registry
-echo "Testing with package $sigstore02PackageFile and attestation $sigstore02AttestationFile"
+echo "Testing with OCI image ghcr.io/malancas/attest-demo:latest with the --bundle-from-oci flag"
 if ! $ghBuildPath attestation verify oci://ghcr.io/malancas/attest-demo:latest --owner=malancas --bundle-from-oci; then
 echo "Failed to verify oci://ghcr.io/malancas/attest-demo:latest with bundles from the GHCR OCI registry"
 exit 1
From 67798b06c0769a74f7c206c009df78e38a7e7778 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Fri, 6 Dec 2024 08:32:16 -0700
Subject: [PATCH 4/4] use github owned oci image
Signed-off-by: Meredith Lancaster
---
 pkg/cmd/attestation/verify/verify_integration_test.go | 6 +++---
 test/integration/attestation-cmd/verify-oci-bundle.sh | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/pkg/cmd/attestation/verify/verify_integration_test.go b/pkg/cmd/attestation/verify/verify_integration_test.go
index f20ecfc3190..4d4c9599c8f 100644
--- a/pkg/cmd/attestation/verify/verify_integration_test.go
+++ b/pkg/cmd/attestation/verify/verify_integration_test.go
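Review bot: The image reference `ghcr.io/malancas/attest-demo:latest` is now spelled out three times in this hunk (the corrected `echo`, the `gh attestation verify` invocation on the next line, and the failure message), which is exactly what forces patch 4/4 to rewrite all three lines in lockstep; hoist it into a single variable such as `imageRef="oci://ghcr.io/malancas/attest-demo:latest"` declared next to `ghBuildPath` and reference `$imageRef` in each of the three lines. The owner is likewise repeated in the reference path and in `--owner=malancas`, and the two must agree for the verification to succeed, so an `owner` variable alongside it would keep them from drifting apart.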
@@ -115,15 +115,15 @@ func TestVerifyIntegration(t *testing.T) {
 t.Run("with bundle from OCI registry", func(t *testing.T) {
 opts := Options{
 APIClient: api.NewLiveClient(hc, host, logger),
- ArtifactPath: "oci://ghcr.io/malancas/attest-demo:latest",
+ ArtifactPath: "oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller:v0.10.0-github9",
 UseBundleFromRegistry: true,
 DigestAlgorithm: "sha256",
 Logger: logger,
 OCIClient: oci.NewLiveClient(),
 OIDCIssuer: verification.GitHubOIDCIssuer,
- Owner: "malancas",
+ Owner: "github",
 PredicateType: verification.SLSAPredicateV1,
- SANRegex: "^https://github.com/malancas/",
+ SANRegex: "^https://github.com/github/",
 SigstoreVerifier: verification.NewLiveSigstoreVerifier(sigstoreConfig),
 }
 
diff --git a/test/integration/attestation-cmd/verify-oci-bundle.sh b/test/integration/attestation-cmd/verify-oci-bundle.sh
index c0444899dc3..0e9fd22817b 100755
--- a/test/integration/attestation-cmd/verify-oci-bundle.sh
+++ b/test/integration/attestation-cmd/verify-oci-bundle.sh
@@ -7,8 +7,8 @@ rootDir="$(git rev-parse --show-toplevel)"
 ghBuildPath="$rootDir/bin/gh"
 
 # Verify an OCI artifact with bundles stored on the GHCR OCI registry
-echo "Testing with OCI image ghcr.io/malancas/attest-demo:latest with the --bundle-from-oci flag"
-if ! $ghBuildPath attestation verify oci://ghcr.io/malancas/attest-demo:latest --owner=malancas --bundle-from-oci; then
- echo "Failed to verify oci://ghcr.io/malancas/attest-demo:latest with bundles from the GHCR OCI registry"
+echo "Testing with OCI image ghcr.io/github/artifact-attestations-helm-charts/policy-controller:v0.10.0-github9 with the --bundle-from-oci flag"
+if ! $ghBuildPath attestation verify oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller:v0.10.0-github9 --owner=github --bundle-from-oci; then
+ echo "Failed to verify oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller:v0.10.0-github9 with bundles from the GHCR OCI registry"
 exit 1
 fi
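Review bot: The subtest whose `Options` literal fills this hunk still only covers the success path, so it does not demonstrate that a bundle pulled from the registry (`UseBundleFromRegistry: true`) is actually held to the `Owner`/`SANRegex` policy rather than accepted merely because it was found alongside the image; a sibling subtest with the same `ArtifactPath` and `OCIClient` but `Owner: "<some-other-owner>"` and a correspondingly mismatched `SANRegex`, ending in `require.Error(t, err)`, would pin that down. Minor: the `.` in `SANRegex: "^https://github.com/github/"` is unescaped and matches any character, so `SANRegex: "^https://github\\.com/github/"` states the intended identity exactly. The `runVerify` call that consumes `opts` and the rest of `TestVerifyIntegration` lie outside the hunk.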