From c95f0dc2d8f8d753f5f7a121b54468d47d9454c2 Mon Sep 17 00:00:00 2001
|
|
From: Meredith Lancaster <malancas@github.com>
|
|
Date: Fri, 5 Apr 2024 10:07:51 -0600
|
|
Subject: [PATCH 1/7] pass policy to Verify method
|
|
|
|
Signed-off-by: Meredith Lancaster <malancas@github.com>
|
|
---
|
|
pkg/cmd/attestation/inspect/inspect.go | 2 +-
|
|
pkg/cmd/attestation/verification/sigstore.go | 5 +++--
|
|
pkg/cmd/attestation/verify/verify.go | 3 +--
|
|
3 files changed, 5 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/pkg/cmd/attestation/inspect/inspect.go b/pkg/cmd/attestation/inspect/inspect.go
|
|
index 1b2105da498..76ee50dc0b2 100644
|
|
--- a/pkg/cmd/attestation/inspect/inspect.go
|
|
+++ b/pkg/cmd/attestation/inspect/inspect.go
|
|
@@ -115,7 +115,7 @@ func runInspect(opts *Options) error {
|
|
return err
|
|
}
|
|
|
|
- res := sigstore.Verify(attestations)
|
|
+ res := sigstore.Verify(attestations, policy)
|
|
if res.Error != nil {
|
|
return fmt.Errorf("at least one attestation failed to verify against Sigstore: %v", res.Error)
|
|
}
|
|
diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go
|
|
index daaacf62871..8259627ada4 100644
|
|
--- a/pkg/cmd/attestation/verification/sigstore.go
|
|
+++ b/pkg/cmd/attestation/verification/sigstore.go
|
|
@@ -31,6 +31,7 @@ type SigstoreResults struct {
|
|
type SigstoreConfig struct {
|
|
CustomTrustedRoot string
|
|
Logger *io.Handler
|
|
+ MockVerifier bool
|
|
NoPublicGood bool
|
|
}
|
|
|
|
@@ -103,7 +104,7 @@ func (v *SigstoreVerifier) chooseVerifier(b *bundle.ProtobufBundle) (*verify.Sig
|
|
return nil, "", fmt.Errorf("leaf certificate issuer is not recognized")
|
|
}
|
|
|
|
-func (v *SigstoreVerifier) Verify(attestations []*api.Attestation) *SigstoreResults {
|
|
+func (v *SigstoreVerifier) Verify(attestations []*api.Attestation, policy verify.PolicyBuilder) *SigstoreResults {
|
|
// initialize the processing results before attempting to verify
|
|
// with multiple verifiers
|
|
results := make([]*AttestationProcessingResult, len(attestations))
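Review bot: The exported method Verify still has no doc comment now that it takes the policy as a parameter; the two comment lines inside the body describe the results slice, not the contract a caller sees. Since the policy is now supplied per call rather than fixed at construction, that is worth stating, e.g. `// Verify checks each attestation's bundle against policy and returns the per-attestation results, or the first verification error encountered.` Verify's body continues past the end of the hunk.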
|
|
@@ -128,7 +129,7 @@ func (v *SigstoreVerifier) Verify(attestations []*api.Attestation) *SigstoreResu
|
|
|
|
v.Logger.VerbosePrintf("Attempting verification against issuer \"%s\"\n", issuer)
|
|
// attempt to verify the attestation
|
|
- result, err := verifier.Verify(apr.Attestation.Bundle, v.policy)
|
|
+ result, err := verifier.Verify(apr.Attestation.Bundle, policy)
|
|
// if verification fails, create the error and exit verification early
|
|
if err != nil {
|
|
v.Logger.VerbosePrint(v.Logger.ColorScheme.Redf(
|
|
diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
|
|
index 718f893a23a..d8b42c757a8 100644
|
|
--- a/pkg/cmd/attestation/verify/verify.go
|
|
+++ b/pkg/cmd/attestation/verify/verify.go
|
|
@@ -1,7 +1,6 @@
|
|
package verify
|
|
|
|
import (
|
|
- // "encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
|
|
@@ -174,7 +173,7 @@ func runVerify(opts *Options) error {
|
|
return err
|
|
}
|
|
|
|
- sigstoreRes := sv.Verify(attestations)
|
|
+ sigstoreRes := sv.Verify(attestations, policy)
|
|
if sigstoreRes.Error != nil {
|
|
return fmt.Errorf("at least one attestation failed to verify against Sigstore: %v", sigstoreRes.Error)
|
|
}
|
|
|
|
From 993fbea355d5efeb193acd12fcb4768c4c4e8826 Mon Sep 17 00:00:00 2001
|
|
From: Meredith Lancaster <malancas@github.com>
|
|
Date: Fri, 5 Apr 2024 10:11:41 -0600
|
|
Subject: [PATCH 2/7] remove policy argument from SigstoreVerifier constructor
|
|
|
|
Signed-off-by: Meredith Lancaster <malancas@github.com>
|
|
---
|
|
pkg/cmd/attestation/inspect/inspect.go | 2 +-
|
|
pkg/cmd/attestation/verification/sigstore.go | 5 +----
|
|
pkg/cmd/attestation/verification/sigstore_test.go | 6 +++---
|
|
pkg/cmd/attestation/verify/verify.go | 2 +-
|
|
4 files changed, 6 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/pkg/cmd/attestation/inspect/inspect.go b/pkg/cmd/attestation/inspect/inspect.go
|
|
index 76ee50dc0b2..1a3ab676617 100644
|
|
--- a/pkg/cmd/attestation/inspect/inspect.go
|
|
+++ b/pkg/cmd/attestation/inspect/inspect.go
|
|
@@ -110,7 +110,7 @@ func runInspect(opts *Options) error {
|
|
return fmt.Errorf("failed to build policy: %v", err)
|
|
}
|
|
|
|
- sigstore, err := verification.NewSigstoreVerifier(config, policy)
|
|
+ sigstore, err := verification.NewSigstoreVerifier(config)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go
|
|
index 8259627ada4..be09324d419 100644
|
|
--- a/pkg/cmd/attestation/verification/sigstore.go
|
|
+++ b/pkg/cmd/attestation/verification/sigstore.go
|
|
@@ -31,7 +31,6 @@ type SigstoreResults struct {
|
|
type SigstoreConfig struct {
|
|
CustomTrustedRoot string
|
|
Logger *io.Handler
|
|
- MockVerifier bool
|
|
NoPublicGood bool
|
|
}
|
|
|
|
@@ -39,7 +38,6 @@ type SigstoreVerifier struct {
|
|
ghVerifier *verify.SignedEntityVerifier
|
|
publicGoodVerifier *verify.SignedEntityVerifier
|
|
customVerifier *verify.SignedEntityVerifier
|
|
- policy verify.PolicyBuilder
|
|
onlyVerifyWithGithub bool
|
|
Logger *io.Handler
|
|
}
|
|
@@ -47,7 +45,7 @@ type SigstoreVerifier struct {
|
|
// NewSigstoreVerifier creates a new SigstoreVerifier struct
|
|
// that is used to verify artifacts and attestations against the
|
|
// Public Good, GitHub, or a custom trusted root.
|
|
-func NewSigstoreVerifier(config SigstoreConfig, policy verify.PolicyBuilder) (*SigstoreVerifier, error) {
|
|
+func NewSigstoreVerifier(config SigstoreConfig) (*SigstoreVerifier, error) {
|
|
customVerifier, err := newCustomVerifier(config.CustomTrustedRoot)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to create custom verifier: %v", err)
|
|
@@ -68,7 +66,6 @@ func NewSigstoreVerifier(config SigstoreConfig, policy verify.PolicyBuilder) (*S
|
|
publicGoodVerifier: publicGoodVerifier,
|
|
customVerifier: customVerifier,
|
|
Logger: config.Logger,
|
|
- policy: policy,
|
|
onlyVerifyWithGithub: config.NoPublicGood,
|
|
}, nil
|
|
}
|
|
diff --git a/pkg/cmd/attestation/verification/sigstore_test.go b/pkg/cmd/attestation/verification/sigstore_test.go
|
|
index 204b5e583bb..69514c45cb1 100644
|
|
--- a/pkg/cmd/attestation/verification/sigstore_test.go
|
|
+++ b/pkg/cmd/attestation/verification/sigstore_test.go
|
|
@@ -32,7 +32,7 @@ func TestNewSigstoreVerifier(t *testing.T) {
|
|
c := SigstoreConfig{
|
|
Logger: io.NewTestHandler(),
|
|
}
|
|
- verifier, err := NewSigstoreVerifier(c, policy)
|
|
+ verifier, err := NewSigstoreVerifier(c)
|
|
require.NoError(t, err)
|
|
|
|
t.Run("with invalid signature", func(t *testing.T) {
|
|
@@ -41,7 +41,7 @@ func TestNewSigstoreVerifier(t *testing.T) {
|
|
require.NotNil(t, attestations)
|
|
require.NoError(t, err)
|
|
|
|
- res := verifier.Verify(attestations)
|
|
+ res := verifier.Verify(attestations, policy)
|
|
require.Error(t, res.Error)
|
|
require.ErrorContains(t, res.Error, "verifying with issuer \"sigstore.dev\"")
|
|
require.Nil(t, res.VerifyResults)
|
|
@@ -53,7 +53,7 @@ func TestNewSigstoreVerifier(t *testing.T) {
|
|
require.Len(t, attestations, 2)
|
|
require.NoError(t, err)
|
|
|
|
- res := verifier.Verify(attestations)
|
|
+ res := verifier.Verify(attestations, policy)
|
|
require.Len(t, res.VerifyResults, 2)
|
|
require.NoError(t, res.Error)
|
|
})
|
|
diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
|
|
index d8b42c757a8..6830c163bbd 100644
|
|
--- a/pkg/cmd/attestation/verify/verify.go
|
|
+++ b/pkg/cmd/attestation/verify/verify.go
|
|
@@ -168,7 +168,7 @@ func runVerify(opts *Options) error {
|
|
NoPublicGood: opts.NoPublicGood,
|
|
}
|
|
|
|
- sv, err := verification.NewSigstoreVerifier(config, policy)
|
|
+ sv, err := verification.NewSigstoreVerifier(config)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
From ae408fbb6d27bcb7978a6e4d6fce9021cbf5123b Mon Sep 17 00:00:00 2001
|
|
From: Meredith Lancaster <malancas@github.com>
|
|
Date: Fri, 5 Apr 2024 12:06:08 -0600
|
|
Subject: [PATCH 3/7] add SigstoreVerifier interface and introduce mock
|
|
SigstoreVerifier struct for unit testing
|
|
|
|
Signed-off-by: Meredith Lancaster <malancas@github.com>
|
|
---
|
|
pkg/cmd/attestation/inspect/inspect.go | 22 ++++----
|
|
pkg/cmd/attestation/inspect/inspect_test.go | 10 +++-
|
|
pkg/cmd/attestation/inspect/options.go | 2 +
|
|
pkg/cmd/attestation/test/data/data.go | 17 +++++++
|
|
.../attestation/verification/mock_verifier.go | 50 +++++++++++++++++++
|
|
pkg/cmd/attestation/verification/sigstore.go | 16 +++---
|
|
pkg/cmd/attestation/verify/options.go | 4 +-
|
|
pkg/cmd/attestation/verify/verify.go | 26 +++++-----
|
|
pkg/cmd/attestation/verify/verify_test.go | 18 ++++++-
|
|
9 files changed, 134 insertions(+), 31 deletions(-)
|
|
create mode 100644 pkg/cmd/attestation/test/data/data.go
|
|
create mode 100644 pkg/cmd/attestation/verification/mock_verifier.go
|
|
|
|
diff --git a/pkg/cmd/attestation/inspect/inspect.go b/pkg/cmd/attestation/inspect/inspect.go
|
|
index 1a3ab676617..fe536703cbe 100644
|
|
--- a/pkg/cmd/attestation/inspect/inspect.go
|
|
+++ b/pkg/cmd/attestation/inspect/inspect.go
|
|
@@ -73,6 +73,17 @@ func NewInspectCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
|
|
return runF(opts)
|
|
}
|
|
|
|
+ config := verification.SigstoreConfig{
|
|
+ Logger: opts.Logger,
|
|
+ }
|
|
+
|
|
+ sigstore, err := verification.NewSigstoreVerifier(config)
|
|
+ if err != nil {
|
|
+ return err
|
|
+ }
|
|
+
|
|
+ opts.SigstoreVerifier = sigstore
|
|
+
|
|
if err := runInspect(opts); err != nil {
|
|
return fmt.Errorf("Failed to inspect the artifact and bundle: %w", err)
|
|
}
|
|
@@ -101,21 +112,12 @@ func runInspect(opts *Options) error {
|
|
return fmt.Errorf("failed to read attestations for subject: %s", artifact.DigestWithAlg())
|
|
}
|
|
|
|
- config := verification.SigstoreConfig{
|
|
- Logger: opts.Logger,
|
|
- }
|
|
-
|
|
policy, err := buildPolicy(*artifact)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to build policy: %v", err)
|
|
}
|
|
|
|
- sigstore, err := verification.NewSigstoreVerifier(config)
|
|
- if err != nil {
|
|
- return err
|
|
- }
|
|
-
|
|
- res := sigstore.Verify(attestations, policy)
|
|
+ res := opts.SigstoreVerifier.Verify(attestations, policy)
|
|
if res.Error != nil {
|
|
return fmt.Errorf("at least one attestation failed to verify against Sigstore: %v", res.Error)
|
|
}
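Review bot: runInspect now dereferences opts.SigstoreVerifier with no nil check, so any caller that does not go through NewInspectCmd (inspect_test.go builds Options directly) gets a nil-pointer panic instead of an error. A guard before the call keeps the failure explicit: `if opts.SigstoreVerifier == nil { return fmt.Errorf("no Sigstore verifier configured") }`. The same applies to runVerify in the verify.go hunk of this patch, which calls opts.SigstoreVerifier.Verify the same way. runInspect's body starts outside the hunk.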
|
|
diff --git a/pkg/cmd/attestation/inspect/inspect_test.go b/pkg/cmd/attestation/inspect/inspect_test.go
|
|
index e42bb262012..0501d6256d4 100644
|
|
--- a/pkg/cmd/attestation/inspect/inspect_test.go
|
|
+++ b/pkg/cmd/attestation/inspect/inspect_test.go
|
|
@@ -11,6 +11,7 @@ import (
|
|
"github.com/cli/cli/v2/pkg/cmd/attestation/artifact/oci"
|
|
"github.com/cli/cli/v2/pkg/cmd/attestation/io"
|
|
"github.com/cli/cli/v2/pkg/cmd/attestation/test"
|
|
+ "github.com/cli/cli/v2/pkg/cmd/attestation/verification"
|
|
"github.com/cli/cli/v2/pkg/cmdutil"
|
|
|
|
"github.com/cli/cli/v2/pkg/httpmock"
|
|
@@ -57,6 +58,7 @@ func TestNewInspectCmd(t *testing.T) {
|
|
BundlePath: bundlePath,
|
|
DigestAlgorithm: "sha384",
|
|
OCIClient: oci.MockClient{},
|
|
+ SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
},
|
|
wantsErr: true,
|
|
},
|
|
@@ -68,6 +70,7 @@ func TestNewInspectCmd(t *testing.T) {
|
|
BundlePath: bundlePath,
|
|
DigestAlgorithm: "sha256",
|
|
OCIClient: oci.MockClient{},
|
|
+ SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
},
|
|
wantsErr: false,
|
|
},
|
|
@@ -79,6 +82,7 @@ func TestNewInspectCmd(t *testing.T) {
|
|
BundlePath: bundlePath,
|
|
DigestAlgorithm: "sha512",
|
|
OCIClient: oci.MockClient{},
|
|
+ SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
},
|
|
wantsErr: false,
|
|
},
|
|
@@ -89,6 +93,7 @@ func TestNewInspectCmd(t *testing.T) {
|
|
ArtifactPath: artifactPath,
|
|
DigestAlgorithm: "sha256",
|
|
OCIClient: oci.MockClient{},
|
|
+ SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
},
|
|
wantsErr: true,
|
|
},
|
|
@@ -100,6 +105,7 @@ func TestNewInspectCmd(t *testing.T) {
|
|
BundlePath: bundlePath,
|
|
DigestAlgorithm: "sha256",
|
|
OCIClient: oci.MockClient{},
|
|
+ SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
},
|
|
wantsExporter: true,
|
|
},
|
|
@@ -128,8 +134,8 @@ func TestNewInspectCmd(t *testing.T) {
|
|
assert.Equal(t, tc.wants.ArtifactPath, opts.ArtifactPath)
|
|
assert.Equal(t, tc.wants.BundlePath, opts.BundlePath)
|
|
assert.Equal(t, tc.wants.DigestAlgorithm, opts.DigestAlgorithm)
|
|
- assert.NotNil(t, opts.OCIClient)
|
|
assert.NotNil(t, opts.Logger)
|
|
+ assert.NotNil(t, opts.OCIClient)
|
|
assert.Equal(t, tc.wantsExporter, opts.exporter != nil)
|
|
})
|
|
}
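Review bot: The SigstoreVerifier entries added to the wants table in this file are never compared; the assertions here cover ArtifactPath, BundlePath, DigestAlgorithm, Logger, OCIClient and exporter only. Because NewInspectCmd returns runF(opts) before it constructs the verifier, the captured opts.SigstoreVerifier would presumably be nil, so an `assert.Equal` on the field would fail rather than pass. Either drop the field from the table entries or assert the value the command actually leaves there, so the table does not suggest coverage that does not exist.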
|
|
@@ -142,6 +148,7 @@ func TestRunInspect(t *testing.T) {
|
|
DigestAlgorithm: "sha512",
|
|
Logger: io.NewTestHandler(),
|
|
OCIClient: oci.MockClient{},
|
|
+ SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
}
|
|
|
|
t.Run("with valid artifact and bundle", func(t *testing.T) {
|
|
@@ -169,6 +176,7 @@ func TestJSONOutput(t *testing.T) {
|
|
DigestAlgorithm: "sha512",
|
|
Logger: io.NewHandler(testIO),
|
|
OCIClient: oci.MockClient{},
|
|
+ SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
exporter: cmdutil.NewJSONExporter(),
|
|
}
|
|
require.Nil(t, runInspect(&opts))
|
|
diff --git a/pkg/cmd/attestation/inspect/options.go b/pkg/cmd/attestation/inspect/options.go
|
|
index 56199e06b88..974a14d9a2e 100644
|
|
--- a/pkg/cmd/attestation/inspect/options.go
|
|
+++ b/pkg/cmd/attestation/inspect/options.go
|
|
@@ -5,6 +5,7 @@ import (
|
|
|
|
"github.com/cli/cli/v2/pkg/cmd/attestation/artifact/oci"
|
|
"github.com/cli/cli/v2/pkg/cmd/attestation/io"
|
|
+ "github.com/cli/cli/v2/pkg/cmd/attestation/verification"
|
|
"github.com/cli/cli/v2/pkg/cmdutil"
|
|
)
|
|
|
|
@@ -15,6 +16,7 @@ type Options struct {
|
|
DigestAlgorithm string
|
|
Logger *io.Handler
|
|
OCIClient oci.Client
|
|
+ SigstoreVerifier verification.SigstoreVerifier
|
|
exporter cmdutil.Exporter
|
|
}
|
|
|
|
diff --git a/pkg/cmd/attestation/test/data/data.go b/pkg/cmd/attestation/test/data/data.go
|
|
new file mode 100644
|
|
index 00000000000..77f07e60c92
|
|
--- /dev/null
|
|
+++ b/pkg/cmd/attestation/test/data/data.go
|
|
@@ -0,0 +1,17 @@
|
|
+package data
|
|
+
|
|
+import (
|
|
+ _ "embed"
|
|
+ "testing"
|
|
+
|
|
+ "github.com/sigstore/sigstore-go/pkg/bundle"
|
|
+ sgData "github.com/sigstore/sigstore-go/pkg/testing/data"
|
|
+)
|
|
+
|
|
+//go:embed sigstore-js-2.1.0-bundle.json
|
|
+var SigstoreBundleRaw []byte
|
|
+
|
|
+// SigstoreBundle returns a test *sigstore.Bundle
|
|
+func SigstoreBundle(t *testing.T) *bundle.ProtobufBundle {
|
|
+ return sgData.TestBundle(t, SigstoreBundleRaw)
|
|
+}
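Review bot: The doc comment on SigstoreBundle names a `*sigstore.Bundle`, but the function returns a `*bundle.ProtobufBundle`; it should read `// SigstoreBundle returns the embedded test fixture as a *bundle.ProtobufBundle.` The `//go:embed sigstore-js-2.1.0-bundle.json` directive also requires that file to sit next to data.go, and it is not among the nine files in this patch's diffstat; unless it already exists in the tree, the package will not compile. SigstoreBundleRaw is exported as well and deserves a one-line comment saying it is the raw embedded fixture.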
|
|
diff --git a/pkg/cmd/attestation/verification/mock_verifier.go b/pkg/cmd/attestation/verification/mock_verifier.go
|
|
new file mode 100644
|
|
index 00000000000..94ce6e0f241
|
|
--- /dev/null
|
|
+++ b/pkg/cmd/attestation/verification/mock_verifier.go
|
|
@@ -0,0 +1,50 @@
|
|
+package verification
|
|
+
|
|
+import (
|
|
+ "fmt"
|
|
+ "testing"
|
|
+
|
|
+ "github.com/cli/cli/v2/pkg/cmd/attestation/api"
|
|
+ "github.com/cli/cli/v2/pkg/cmd/attestation/test/data"
|
|
+
|
|
+ "github.com/in-toto/in-toto-golang/in_toto"
|
|
+ "github.com/sigstore/sigstore-go/pkg/verify"
|
|
+)
|
|
+
|
|
+const SLSAPredicateType = "https://slsa.dev/provenance/v1"
|
|
+
|
|
+type MockSigstoreVerifier struct {
|
|
+ t *testing.T
|
|
+}
|
|
+
|
|
+func (v *MockSigstoreVerifier) Verify(attestations []*api.Attestation, policy verify.PolicyBuilder) *SigstoreResults {
|
|
+ statement := &in_toto.Statement{}
|
|
+ statement.PredicateType = SLSAPredicateType
|
|
+
|
|
+ result := AttestationProcessingResult{
|
|
+ Attestation: &api.Attestation{
|
|
+ Bundle: data.SigstoreBundle(v.t),
|
|
+ },
|
|
+ VerificationResult: &verify.VerificationResult{
|
|
+ Statement: statement,
|
|
+ },
|
|
+ }
|
|
+
|
|
+ results := []*AttestationProcessingResult{&result}
|
|
+
|
|
+ return &SigstoreResults{
|
|
+ VerifyResults: results,
|
|
+ }
|
|
+}
|
|
+
|
|
+func NewMockSigstoreVerifier(t *testing.T) *MockSigstoreVerifier {
|
|
+ return &MockSigstoreVerifier{t}
|
|
+}
|
|
+
|
|
+type FailSigstoreVerifier struct {}
|
|
+
|
|
+func (v *FailSigstoreVerifier) Verify(attestations []*api.Attestation, policy verify.PolicyBuilder) *SigstoreResults {
|
|
+ return &SigstoreResults{
|
|
+ Error: fmt.Errorf("failed to verify attestations"),
|
|
+ }
|
|
+}
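Review bot: MockSigstoreVerifier and FailSigstoreVerifier live in mock_verifier.go, a non-test file of the verification package, so a verifier that reports success for any input is compiled into the production binary along with the embedded fixture bundle and the testing package it imports. Since the mock is consumed by tests in other packages it cannot be a _test.go file here, but it could move to a test-support package (for example under pkg/cmd/attestation/test/) that production code never imports, keeping the always-succeeding path out of the shipped binary. Separately, Verify ignores both attestations and policy and always returns exactly one result, so a caller that relies on len(VerifyResults) matching len(attestations) is never exercised by it; a comment such as `// Verify ignores its arguments and returns a single successful result built from the embedded fixture.` would make that limitation visible.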
|
|
diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go
|
|
index be09324d419..cf7bb89c70f 100644
|
|
--- a/pkg/cmd/attestation/verification/sigstore.go
|
|
+++ b/pkg/cmd/attestation/verification/sigstore.go
|
|
@@ -34,7 +34,11 @@ type SigstoreConfig struct {
|
|
NoPublicGood bool
|
|
}
|
|
|
|
-type SigstoreVerifier struct {
|
|
+type SigstoreVerifier interface {
|
|
+ Verify(attestations []*api.Attestation, policy verify.PolicyBuilder) *SigstoreResults
|
|
+}
|
|
+
|
|
+type LiveSigstoreVerifier struct {
|
|
ghVerifier *verify.SignedEntityVerifier
|
|
publicGoodVerifier *verify.SignedEntityVerifier
|
|
customVerifier *verify.SignedEntityVerifier
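Review bot: The new exported interface SigstoreVerifier and type LiveSigstoreVerifier have no doc comments, and nothing checks at compile time that the live type satisfies the interface. I would add `// SigstoreVerifier verifies attestations against a policy and reports per-attestation results.` above the interface, `// LiveSigstoreVerifier verifies against the Public Good, GitHub, or a custom trusted root.` above the struct, and `var _ SigstoreVerifier = (*LiveSigstoreVerifier)(nil)` after the struct so a signature drift fails the build rather than a caller. The struct's remaining fields are outside the hunk.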
|
|
@@ -42,10 +46,10 @@ type SigstoreVerifier struct {
|
|
Logger *io.Handler
|
|
}
|
|
|
|
-// NewSigstoreVerifier creates a new SigstoreVerifier struct
|
|
+// NewSigstoreVerifier creates a new LiveSigstoreVerifier struct
|
|
// that is used to verify artifacts and attestations against the
|
|
// Public Good, GitHub, or a custom trusted root.
|
|
-func NewSigstoreVerifier(config SigstoreConfig) (*SigstoreVerifier, error) {
|
|
+func NewSigstoreVerifier(config SigstoreConfig) (*LiveSigstoreVerifier, error) {
|
|
customVerifier, err := newCustomVerifier(config.CustomTrustedRoot)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to create custom verifier: %v", err)
|
|
@@ -61,7 +65,7 @@ func NewSigstoreVerifier(config SigstoreConfig) (*SigstoreVerifier, error) {
|
|
return nil, fmt.Errorf("failed to create GitHub Sigstore verifier: %v", err)
|
|
}
|
|
|
|
- return &SigstoreVerifier{
|
|
+ return &LiveSigstoreVerifier{
|
|
ghVerifier: ghVerifier,
|
|
publicGoodVerifier: publicGoodVerifier,
|
|
customVerifier: customVerifier,
|
|
@@ -70,7 +74,7 @@ func NewSigstoreVerifier(config SigstoreConfig) (*SigstoreVerifier, error) {
|
|
}, nil
|
|
}
|
|
|
|
-func (v *SigstoreVerifier) chooseVerifier(b *bundle.ProtobufBundle) (*verify.SignedEntityVerifier, string, error) {
|
|
+func (v *LiveSigstoreVerifier) chooseVerifier(b *bundle.ProtobufBundle) (*verify.SignedEntityVerifier, string, error) {
|
|
verifyContent, err := b.VerificationContent()
|
|
if err != nil {
|
|
return nil, "", fmt.Errorf("failed to get bundle verification content: %v", err)
|
|
@@ -101,7 +105,7 @@ func (v *SigstoreVerifier) chooseVerifier(b *bundle.ProtobufBundle) (*verify.Sig
|
|
return nil, "", fmt.Errorf("leaf certificate issuer is not recognized")
|
|
}
|
|
|
|
-func (v *SigstoreVerifier) Verify(attestations []*api.Attestation, policy verify.PolicyBuilder) *SigstoreResults {
|
|
+func (v *LiveSigstoreVerifier) Verify(attestations []*api.Attestation, policy verify.PolicyBuilder) *SigstoreResults {
|
|
// initialize the processing results before attempting to verify
|
|
// with multiple verifiers
|
|
results := make([]*AttestationProcessingResult, len(attestations))
|
|
diff --git a/pkg/cmd/attestation/verify/options.go b/pkg/cmd/attestation/verify/options.go
|
|
index d7742bf3a9c..62735df5403 100644
|
|
--- a/pkg/cmd/attestation/verify/options.go
|
|
+++ b/pkg/cmd/attestation/verify/options.go
|
|
@@ -8,6 +8,7 @@ import (
|
|
"github.com/cli/cli/v2/pkg/cmd/attestation/api"
|
|
"github.com/cli/cli/v2/pkg/cmd/attestation/artifact/oci"
|
|
"github.com/cli/cli/v2/pkg/cmd/attestation/io"
|
|
+ "github.com/cli/cli/v2/pkg/cmd/attestation/verification"
|
|
"github.com/cli/cli/v2/pkg/cmdutil"
|
|
)
|
|
|
|
@@ -18,6 +19,7 @@ type Options struct {
|
|
CustomTrustedRoot string
|
|
DenySelfHostedRunner bool
|
|
DigestAlgorithm string
|
|
+ Limit int
|
|
NoPublicGood bool
|
|
OIDCIssuer string
|
|
Owner string
|
|
@@ -26,8 +28,8 @@ type Options struct {
|
|
SANRegex string
|
|
APIClient api.Client
|
|
Logger *io.Handler
|
|
- Limit int
|
|
OCIClient oci.Client
|
|
+ SigstoreVerifier verification.SigstoreVerifier
|
|
exporter cmdutil.Exporter
|
|
}
|
|
|
|
diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
|
|
index 6830c163bbd..03f7e56bcca 100644
|
|
--- a/pkg/cmd/attestation/verify/verify.go
|
|
+++ b/pkg/cmd/attestation/verify/verify.go
|
|
@@ -105,6 +105,19 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
|
|
return runF(opts)
|
|
}
|
|
|
|
+ config := verification.SigstoreConfig{
|
|
+ CustomTrustedRoot: opts.CustomTrustedRoot,
|
|
+ Logger: opts.Logger,
|
|
+ NoPublicGood: opts.NoPublicGood,
|
|
+ }
|
|
+
|
|
+ sv, err := verification.NewSigstoreVerifier(config)
|
|
+ if err != nil {
|
|
+ return err
|
|
+ }
|
|
+
|
|
+ opts.SigstoreVerifier = sv
|
|
+
|
|
if err := runVerify(opts); err != nil {
|
|
return fmt.Errorf("Failed to verify the artifact: %v", err)
|
|
}
|
|
@@ -162,18 +175,7 @@ func runVerify(opts *Options) error {
|
|
return fmt.Errorf("failed to build policy: %v", err)
|
|
}
|
|
|
|
- config := verification.SigstoreConfig{
|
|
- CustomTrustedRoot: opts.CustomTrustedRoot,
|
|
- Logger: opts.Logger,
|
|
- NoPublicGood: opts.NoPublicGood,
|
|
- }
|
|
-
|
|
- sv, err := verification.NewSigstoreVerifier(config)
|
|
- if err != nil {
|
|
- return err
|
|
- }
|
|
-
|
|
- sigstoreRes := sv.Verify(attestations, policy)
|
|
+ sigstoreRes := opts.SigstoreVerifier.Verify(attestations, policy)
|
|
if sigstoreRes.Error != nil {
|
|
return fmt.Errorf("at least one attestation failed to verify against Sigstore: %v", sigstoreRes.Error)
|
|
}
|
|
diff --git a/pkg/cmd/attestation/verify/verify_test.go b/pkg/cmd/attestation/verify/verify_test.go
|
|
index b4cd864fc1d..e0b625a2205 100644
|
|
--- a/pkg/cmd/attestation/verify/verify_test.go
|
|
+++ b/pkg/cmd/attestation/verify/verify_test.go
|
|
@@ -64,6 +64,7 @@ func TestNewVerifyCmd(t *testing.T) {
|
|
Limit: 30,
|
|
OIDCIssuer: GitHubOIDCIssuer,
|
|
Owner: "sigstore",
|
|
+ SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
},
|
|
wantsErr: true,
|
|
},
|
|
@@ -78,6 +79,7 @@ func TestNewVerifyCmd(t *testing.T) {
|
|
OIDCIssuer: GitHubOIDCIssuer,
|
|
Owner: "sigstore",
|
|
SANRegex: "^https://github.com/sigstore/",
|
|
+ SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
},
|
|
wantsErr: false,
|
|
},
|
|
@@ -92,6 +94,7 @@ func TestNewVerifyCmd(t *testing.T) {
|
|
OIDCIssuer: GitHubOIDCIssuer,
|
|
Owner: "sigstore",
|
|
SANRegex: "^https://github.com/sigstore/",
|
|
+ SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
},
|
|
wantsErr: false,
|
|
},
|
|
@@ -105,6 +108,7 @@ func TestNewVerifyCmd(t *testing.T) {
|
|
Owner: "sigstore",
|
|
Limit: 30,
|
|
SANRegex: "^https://github.com/sigstore/",
|
|
+ SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
},
|
|
wantsErr: true,
|
|
},
|
|
@@ -118,6 +122,7 @@ func TestNewVerifyCmd(t *testing.T) {
|
|
Owner: "sigstore",
|
|
Repo: "sigstore/sigstore-js",
|
|
Limit: 30,
|
|
+ SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
},
|
|
wantsErr: true,
|
|
},
|
|
@@ -131,6 +136,7 @@ func TestNewVerifyCmd(t *testing.T) {
|
|
OIDCIssuer: GitHubOIDCIssuer,
|
|
Owner: "sigstore",
|
|
SANRegex: "^https://github.com/sigstore/",
|
|
+ SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
},
|
|
wantsErr: false,
|
|
},
|
|
@@ -144,6 +150,7 @@ func TestNewVerifyCmd(t *testing.T) {
|
|
Owner: "sigstore",
|
|
Limit: 101,
|
|
SANRegex: "^https://github.com/sigstore/",
|
|
+ SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
},
|
|
wantsErr: false,
|
|
},
|
|
@@ -157,6 +164,7 @@ func TestNewVerifyCmd(t *testing.T) {
|
|
Owner: "sigstore",
|
|
Limit: 0,
|
|
SANRegex: "^https://github.com/sigstore/",
|
|
+ SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
},
|
|
wantsErr: true,
|
|
},
|
|
@@ -171,6 +179,7 @@ func TestNewVerifyCmd(t *testing.T) {
|
|
Owner: "sigstore",
|
|
SAN: "https://github.com/sigstore/",
|
|
SANRegex: "^https://github.com/sigstore/",
|
|
+ SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
},
|
|
wantsErr: true,
|
|
},
|
|
@@ -185,6 +194,7 @@ func TestNewVerifyCmd(t *testing.T) {
|
|
OIDCIssuer: GitHubOIDCIssuer,
|
|
Owner: "sigstore",
|
|
SANRegex: "^https://github.com/sigstore/",
|
|
+ SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
},
|
|
wantsExporter: true,
|
|
},
|
|
@@ -242,6 +252,7 @@ func TestJSONOutput(t *testing.T) {
|
|
OIDCIssuer: GitHubOIDCIssuer,
|
|
Owner: "sigstore",
|
|
SANRegex: "^https://github.com/sigstore/",
|
|
+ SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
exporter: cmdutil.NewJSONExporter(),
|
|
}
|
|
require.Nil(t, runVerify(&opts))
|
|
@@ -264,6 +275,7 @@ func TestRunVerify(t *testing.T) {
|
|
OIDCIssuer: GitHubOIDCIssuer,
|
|
Owner: "sigstore",
|
|
SANRegex: "^https://github.com/sigstore/",
|
|
+ SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
}
|
|
|
|
t.Run("with valid artifact and bundle", func(t *testing.T) {
|
|
@@ -333,6 +345,7 @@ func TestRunVerify(t *testing.T) {
|
|
t.Run("with invalid OIDC issuer", func(t *testing.T) {
|
|
opts := publicGoodOpts
|
|
opts.OIDCIssuer = "not-a-real-issuer"
|
|
+ opts.SigstoreVerifier = &verification.FailSigstoreVerifier{}
|
|
require.Error(t, runVerify(&opts))
|
|
})
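Review bot: Injecting FailSigstoreVerifier into the "with invalid OIDC issuer" case means the test now passes because the stub fails unconditionally, not because the issuer policy rejected `not-a-real-issuer`; the policy built from opts is never evaluated. The same applies to the "with invalid SAN", "with invalid SAN regex" and "with no matching OIDC issuer" cases in the later hunks of this file, which together were the negative coverage for the identity checks. Keep at least one of these cases running against the live verifier, or give the mock a way to apply the policy to the fixture bundle, so a regression that stops enforcing issuer or SAN would still be caught. TestRunVerify continues outside the hunk.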
|
|
|
|
@@ -346,6 +359,7 @@ func TestRunVerify(t *testing.T) {
|
|
OIDCIssuer: GitHubOIDCIssuer,
|
|
Owner: "sigstore",
|
|
SAN: SigstoreSanValue,
|
|
+ SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
}
|
|
require.Nil(t, runVerify(&opts))
|
|
})
|
|
@@ -353,6 +367,7 @@ func TestRunVerify(t *testing.T) {
|
|
t.Run("with invalid SAN", func(t *testing.T) {
|
|
opts := publicGoodOpts
|
|
opts.SAN = "fake san"
|
|
+ opts.SigstoreVerifier = &verification.FailSigstoreVerifier{}
|
|
require.Error(t, runVerify(&opts))
|
|
})
|
|
|
|
@@ -365,13 +380,14 @@ func TestRunVerify(t *testing.T) {
|
|
t.Run("with invalid SAN regex", func(t *testing.T) {
|
|
opts := publicGoodOpts
|
|
opts.SANRegex = "^https://github.com/sigstore/not-real/"
|
|
+ opts.SigstoreVerifier = &verification.FailSigstoreVerifier{}
|
|
require.Error(t, runVerify(&opts))
|
|
})
|
|
|
|
t.Run("with no matching OIDC issuer", func(t *testing.T) {
|
|
opts := publicGoodOpts
|
|
opts.OIDCIssuer = "some-other-issuer"
|
|
-
|
|
+ opts.SigstoreVerifier = &verification.FailSigstoreVerifier{}
|
|
require.Error(t, runVerify(&opts))
|
|
})
|
|
|
|
|
|
From 0ea2eea3a1e22c28115e5696805af23ada4bba34 Mon Sep 17 00:00:00 2001
|
|
From: Meredith Lancaster <malancas@github.com>
|
|
Date: Fri, 5 Apr 2024 12:08:20 -0600
|
|
Subject: [PATCH 4/7] gofmt
|
|
|
|
Signed-off-by: Meredith Lancaster <malancas@github.com>
|
|
---
|
|
pkg/cmd/attestation/inspect/inspect.go | 2 +-
|
|
pkg/cmd/attestation/inspect/inspect_test.go | 74 +++----
|
|
pkg/cmd/attestation/inspect/options.go | 12 +-
|
|
.../attestation/verification/mock_verifier.go | 4 +-
|
|
pkg/cmd/attestation/verify/verify.go | 2 +-
|
|
pkg/cmd/attestation/verify/verify_test.go | 208 +++++++++---------
|
|
6 files changed, 151 insertions(+), 151 deletions(-)
|
|
|
|
diff --git a/pkg/cmd/attestation/inspect/inspect.go b/pkg/cmd/attestation/inspect/inspect.go
|
|
index fe536703cbe..8d9e2405bf7 100644
|
|
--- a/pkg/cmd/attestation/inspect/inspect.go
|
|
+++ b/pkg/cmd/attestation/inspect/inspect.go
|
|
@@ -76,7 +76,7 @@ func NewInspectCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
|
|
config := verification.SigstoreConfig{
|
|
Logger: opts.Logger,
|
|
}
|
|
-
|
|
+
|
|
sigstore, err := verification.NewSigstoreVerifier(config)
|
|
if err != nil {
|
|
return err
|
|
diff --git a/pkg/cmd/attestation/inspect/inspect_test.go b/pkg/cmd/attestation/inspect/inspect_test.go
|
|
index 0501d6256d4..368cc54f52c 100644
|
|
--- a/pkg/cmd/attestation/inspect/inspect_test.go
|
|
+++ b/pkg/cmd/attestation/inspect/inspect_test.go
|
|
@@ -54,11 +54,11 @@ func TestNewInspectCmd(t *testing.T) {
|
|
name: "Invalid digest-alg flag",
|
|
cli: fmt.Sprintf("%s --bundle %s --digest-alg sha384", artifactPath, bundlePath),
|
|
wants: Options{
|
|
- ArtifactPath: artifactPath,
|
|
- BundlePath: bundlePath,
|
|
- DigestAlgorithm: "sha384",
|
|
- OCIClient: oci.MockClient{},
|
|
- SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
+ ArtifactPath: artifactPath,
|
|
+ BundlePath: bundlePath,
|
|
+ DigestAlgorithm: "sha384",
|
|
+ OCIClient: oci.MockClient{},
|
|
+ SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
|
|
},
|
|
wantsErr: true,
|
|
},
|
|
@@ -66,11 +66,11 @@ func TestNewInspectCmd(t *testing.T) {
|
|
name: "Use default digest-alg value",
|
|
cli: fmt.Sprintf("%s --bundle %s", artifactPath, bundlePath),
|
|
wants: Options{
|
|
- ArtifactPath: artifactPath,
|
|
- BundlePath: bundlePath,
|
|
- DigestAlgorithm: "sha256",
|
|
- OCIClient: oci.MockClient{},
|
|
- SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
+ ArtifactPath: artifactPath,
|
|
+ BundlePath: bundlePath,
|
|
+ DigestAlgorithm: "sha256",
|
|
+ OCIClient: oci.MockClient{},
|
|
+ SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
|
|
},
|
|
wantsErr: false,
|
|
},
|
|
@@ -78,11 +78,11 @@ func TestNewInspectCmd(t *testing.T) {
|
|
name: "Use custom digest-alg value",
|
|
cli: fmt.Sprintf("%s --bundle %s --digest-alg sha512", artifactPath, bundlePath),
|
|
wants: Options{
|
|
- ArtifactPath: artifactPath,
|
|
- BundlePath: bundlePath,
|
|
- DigestAlgorithm: "sha512",
|
|
- OCIClient: oci.MockClient{},
|
|
- SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
+ ArtifactPath: artifactPath,
|
|
+ BundlePath: bundlePath,
|
|
+ DigestAlgorithm: "sha512",
|
|
+ OCIClient: oci.MockClient{},
|
|
+ SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
|
|
},
|
|
wantsErr: false,
|
|
},
|
|
@@ -90,10 +90,10 @@ func TestNewInspectCmd(t *testing.T) {
|
|
name: "Missing bundle flag",
|
|
cli: artifactPath,
|
|
wants: Options{
|
|
- ArtifactPath: artifactPath,
|
|
- DigestAlgorithm: "sha256",
|
|
- OCIClient: oci.MockClient{},
|
|
- SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
+ ArtifactPath: artifactPath,
|
|
+ DigestAlgorithm: "sha256",
|
|
+ OCIClient: oci.MockClient{},
|
|
+ SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
|
|
},
|
|
wantsErr: true,
|
|
},
|
|
@@ -101,11 +101,11 @@ func TestNewInspectCmd(t *testing.T) {
|
|
name: "Prints output in JSON format",
|
|
cli: fmt.Sprintf("%s --bundle %s --format json", artifactPath, bundlePath),
|
|
wants: Options{
|
|
- ArtifactPath: artifactPath,
|
|
- BundlePath: bundlePath,
|
|
- DigestAlgorithm: "sha256",
|
|
- OCIClient: oci.MockClient{},
|
|
- SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
+ ArtifactPath: artifactPath,
|
|
+ BundlePath: bundlePath,
|
|
+ DigestAlgorithm: "sha256",
|
|
+ OCIClient: oci.MockClient{},
|
|
+ SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
|
|
},
|
|
wantsExporter: true,
|
|
},
|
|
@@ -143,12 +143,12 @@ func TestNewInspectCmd(t *testing.T) {
|
|
|
|
func TestRunInspect(t *testing.T) {
|
|
opts := Options{
|
|
- ArtifactPath: artifactPath,
|
|
- BundlePath: bundlePath,
|
|
- DigestAlgorithm: "sha512",
|
|
- Logger: io.NewTestHandler(),
|
|
- OCIClient: oci.MockClient{},
|
|
- SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
+ ArtifactPath: artifactPath,
|
|
+ BundlePath: bundlePath,
|
|
+ DigestAlgorithm: "sha512",
|
|
+ Logger: io.NewTestHandler(),
|
|
+ OCIClient: oci.MockClient{},
|
|
+ SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
|
|
}
|
|
|
|
t.Run("with valid artifact and bundle", func(t *testing.T) {
|
|
@@ -171,13 +171,13 @@ func TestRunInspect(t *testing.T) {
|
|
func TestJSONOutput(t *testing.T) {
|
|
testIO, _, out, _ := iostreams.Test()
|
|
opts := Options{
|
|
- ArtifactPath: artifactPath,
|
|
- BundlePath: bundlePath,
|
|
- DigestAlgorithm: "sha512",
|
|
- Logger: io.NewHandler(testIO),
|
|
- OCIClient: oci.MockClient{},
|
|
- SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
- exporter: cmdutil.NewJSONExporter(),
|
|
+ ArtifactPath: artifactPath,
|
|
+ BundlePath: bundlePath,
|
|
+ DigestAlgorithm: "sha512",
|
|
+ Logger: io.NewHandler(testIO),
|
|
+ OCIClient: oci.MockClient{},
|
|
+ SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
|
|
+ exporter: cmdutil.NewJSONExporter(),
|
|
}
|
|
require.Nil(t, runInspect(&opts))
|
|
|
|
diff --git a/pkg/cmd/attestation/inspect/options.go b/pkg/cmd/attestation/inspect/options.go
|
|
index 974a14d9a2e..b9c8819c435 100644
|
|
--- a/pkg/cmd/attestation/inspect/options.go
|
|
+++ b/pkg/cmd/attestation/inspect/options.go
|
|
@@ -11,13 +11,13 @@ import (
|
|
|
|
// Options captures the options for the inspect command
|
|
type Options struct {
|
|
- ArtifactPath string
|
|
- BundlePath string
|
|
- DigestAlgorithm string
|
|
- Logger *io.Handler
|
|
- OCIClient oci.Client
|
|
+ ArtifactPath string
|
|
+ BundlePath string
|
|
+ DigestAlgorithm string
|
|
+ Logger *io.Handler
|
|
+ OCIClient oci.Client
|
|
SigstoreVerifier verification.SigstoreVerifier
|
|
- exporter cmdutil.Exporter
|
|
+ exporter cmdutil.Exporter
|
|
}
|
|
|
|
// Clean cleans the file path option values
|
|
diff --git a/pkg/cmd/attestation/verification/mock_verifier.go b/pkg/cmd/attestation/verification/mock_verifier.go
|
|
index 94ce6e0f241..51e66c42400 100644
|
|
--- a/pkg/cmd/attestation/verification/mock_verifier.go
|
|
+++ b/pkg/cmd/attestation/verification/mock_verifier.go
|
|
@@ -20,7 +20,7 @@ type MockSigstoreVerifier struct {
|
|
func (v *MockSigstoreVerifier) Verify(attestations []*api.Attestation, policy verify.PolicyBuilder) *SigstoreResults {
|
|
statement := &in_toto.Statement{}
|
|
statement.PredicateType = SLSAPredicateType
|
|
-
|
|
+
|
|
result := AttestationProcessingResult{
|
|
Attestation: &api.Attestation{
|
|
Bundle: data.SigstoreBundle(v.t),
|
|
@@ -41,7 +41,7 @@ func NewMockSigstoreVerifier(t *testing.T) *MockSigstoreVerifier {
|
|
return &MockSigstoreVerifier{t}
|
|
}
|
|
|
|
-type FailSigstoreVerifier struct {}
|
|
+type FailSigstoreVerifier struct{}
|
|
|
|
func (v *FailSigstoreVerifier) Verify(attestations []*api.Attestation, policy verify.PolicyBuilder) *SigstoreResults {
|
|
return &SigstoreResults{
|
|
diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
|
|
index 03f7e56bcca..1f4665e30f3 100644
|
|
--- a/pkg/cmd/attestation/verify/verify.go
|
|
+++ b/pkg/cmd/attestation/verify/verify.go
|
|
@@ -110,7 +110,7 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
|
|
Logger: opts.Logger,
|
|
NoPublicGood: opts.NoPublicGood,
|
|
}
|
|
-
|
|
+
|
|
sv, err := verification.NewSigstoreVerifier(config)
|
|
if err != nil {
|
|
return err
|
|
diff --git a/pkg/cmd/attestation/verify/verify_test.go b/pkg/cmd/attestation/verify/verify_test.go
|
|
index e0b625a2205..776cd27a952 100644
|
|
--- a/pkg/cmd/attestation/verify/verify_test.go
|
|
+++ b/pkg/cmd/attestation/verify/verify_test.go
|
|
@@ -58,13 +58,13 @@ func TestNewVerifyCmd(t *testing.T) {
|
|
name: "Invalid digest-alg flag",
|
|
cli: fmt.Sprintf("%s --bundle %s --digest-alg sha384 --owner sigstore", artifactPath, bundlePath),
|
|
wants: Options{
|
|
- ArtifactPath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz"),
|
|
- BundlePath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0-bundle.json"),
|
|
- DigestAlgorithm: "sha384",
|
|
- Limit: 30,
|
|
- OIDCIssuer: GitHubOIDCIssuer,
|
|
- Owner: "sigstore",
|
|
- SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
+ ArtifactPath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz"),
|
|
+ BundlePath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0-bundle.json"),
|
|
+ DigestAlgorithm: "sha384",
|
|
+ Limit: 30,
|
|
+ OIDCIssuer: GitHubOIDCIssuer,
|
|
+ Owner: "sigstore",
|
|
+ SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
|
|
},
|
|
wantsErr: true,
|
|
},
|
|
@@ -72,14 +72,14 @@ func TestNewVerifyCmd(t *testing.T) {
|
|
name: "Use default digest-alg value",
|
|
cli: fmt.Sprintf("%s --bundle %s --owner sigstore", artifactPath, bundlePath),
|
|
wants: Options{
|
|
- ArtifactPath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz"),
|
|
- BundlePath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0-bundle.json"),
|
|
- DigestAlgorithm: "sha256",
|
|
- Limit: 30,
|
|
- OIDCIssuer: GitHubOIDCIssuer,
|
|
- Owner: "sigstore",
|
|
- SANRegex: "^https://github.com/sigstore/",
|
|
- SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
+ ArtifactPath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz"),
|
|
+ BundlePath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0-bundle.json"),
|
|
+ DigestAlgorithm: "sha256",
|
|
+ Limit: 30,
|
|
+ OIDCIssuer: GitHubOIDCIssuer,
|
|
+ Owner: "sigstore",
|
|
+ SANRegex: "^https://github.com/sigstore/",
|
|
+ SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
|
|
},
|
|
wantsErr: false,
|
|
},
|
|
@@ -87,14 +87,14 @@ func TestNewVerifyCmd(t *testing.T) {
|
|
name: "Use custom digest-alg value",
|
|
cli: fmt.Sprintf("%s --bundle %s --owner sigstore --digest-alg sha512", artifactPath, bundlePath),
|
|
wants: Options{
|
|
- ArtifactPath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz"),
|
|
- BundlePath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0-bundle.json"),
|
|
- DigestAlgorithm: "sha512",
|
|
- Limit: 30,
|
|
- OIDCIssuer: GitHubOIDCIssuer,
|
|
- Owner: "sigstore",
|
|
- SANRegex: "^https://github.com/sigstore/",
|
|
- SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
+ ArtifactPath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz"),
|
|
+ BundlePath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0-bundle.json"),
|
|
+ DigestAlgorithm: "sha512",
|
|
+ Limit: 30,
|
|
+ OIDCIssuer: GitHubOIDCIssuer,
|
|
+ Owner: "sigstore",
|
|
+ SANRegex: "^https://github.com/sigstore/",
|
|
+ SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
|
|
},
|
|
wantsErr: false,
|
|
},
|
|
@@ -102,13 +102,13 @@ func TestNewVerifyCmd(t *testing.T) {
|
|
name: "Missing owner and repo flags",
|
|
cli: artifactPath,
|
|
wants: Options{
|
|
- ArtifactPath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz"),
|
|
- DigestAlgorithm: "sha256",
|
|
- OIDCIssuer: GitHubOIDCIssuer,
|
|
- Owner: "sigstore",
|
|
- Limit: 30,
|
|
- SANRegex: "^https://github.com/sigstore/",
|
|
- SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
+ ArtifactPath: test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz"),
|
|
+ DigestAlgorithm: "sha256",
|
|
+ OIDCIssuer: GitHubOIDCIssuer,
|
|
+ Owner: "sigstore",
|
|
+ Limit: 30,
|
|
+ SANRegex: "^https://github.com/sigstore/",
|
|
+ SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
|
|
},
|
|
wantsErr: true,
|
|
},
|
|
@@ -116,13 +116,13 @@ func TestNewVerifyCmd(t *testing.T) {
|
|
name: "Has both owner and repo flags",
|
|
cli: fmt.Sprintf("%s --owner sigstore --repo sigstore/sigstore-js", artifactPath),
|
|
wants: Options{
|
|
- ArtifactPath: artifactPath,
|
|
- DigestAlgorithm: "sha256",
|
|
- OIDCIssuer: GitHubOIDCIssuer,
|
|
- Owner: "sigstore",
|
|
- Repo: "sigstore/sigstore-js",
|
|
- Limit: 30,
|
|
- SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
+ ArtifactPath: artifactPath,
|
|
+ DigestAlgorithm: "sha256",
|
|
+ OIDCIssuer: GitHubOIDCIssuer,
|
|
+ Owner: "sigstore",
|
|
+ Repo: "sigstore/sigstore-js",
|
|
+ Limit: 30,
|
|
+ SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
|
|
},
|
|
wantsErr: true,
|
|
},
|
|
@@ -130,13 +130,13 @@ func TestNewVerifyCmd(t *testing.T) {
|
|
name: "Uses default limit flag",
|
|
cli: fmt.Sprintf("%s --owner sigstore", artifactPath),
|
|
wants: Options{
|
|
- ArtifactPath: artifactPath,
|
|
- DigestAlgorithm: "sha256",
|
|
- Limit: 30,
|
|
- OIDCIssuer: GitHubOIDCIssuer,
|
|
- Owner: "sigstore",
|
|
- SANRegex: "^https://github.com/sigstore/",
|
|
- SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
+ ArtifactPath: artifactPath,
|
|
+ DigestAlgorithm: "sha256",
|
|
+ Limit: 30,
|
|
+ OIDCIssuer: GitHubOIDCIssuer,
|
|
+ Owner: "sigstore",
|
|
+ SANRegex: "^https://github.com/sigstore/",
|
|
+ SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
|
|
},
|
|
wantsErr: false,
|
|
},
|
|
@@ -144,13 +144,13 @@ func TestNewVerifyCmd(t *testing.T) {
|
|
name: "Uses custom limit flag",
|
|
cli: fmt.Sprintf("%s --owner sigstore --limit 101", artifactPath),
|
|
wants: Options{
|
|
- ArtifactPath: artifactPath,
|
|
- DigestAlgorithm: "sha256",
|
|
- OIDCIssuer: GitHubOIDCIssuer,
|
|
- Owner: "sigstore",
|
|
- Limit: 101,
|
|
- SANRegex: "^https://github.com/sigstore/",
|
|
- SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
+ ArtifactPath: artifactPath,
|
|
+ DigestAlgorithm: "sha256",
|
|
+ OIDCIssuer: GitHubOIDCIssuer,
|
|
+ Owner: "sigstore",
|
|
+ Limit: 101,
|
|
+ SANRegex: "^https://github.com/sigstore/",
|
|
+ SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
|
|
},
|
|
wantsErr: false,
|
|
},
|
|
@@ -158,13 +158,13 @@ func TestNewVerifyCmd(t *testing.T) {
|
|
name: "Uses invalid limit flag",
|
|
cli: fmt.Sprintf("%s --owner sigstore --limit 0", artifactPath),
|
|
wants: Options{
|
|
- ArtifactPath: artifactPath,
|
|
- DigestAlgorithm: "sha256",
|
|
- OIDCIssuer: GitHubOIDCIssuer,
|
|
- Owner: "sigstore",
|
|
- Limit: 0,
|
|
- SANRegex: "^https://github.com/sigstore/",
|
|
- SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
+ ArtifactPath: artifactPath,
|
|
+ DigestAlgorithm: "sha256",
|
|
+ OIDCIssuer: GitHubOIDCIssuer,
|
|
+ Owner: "sigstore",
|
|
+ Limit: 0,
|
|
+ SANRegex: "^https://github.com/sigstore/",
|
|
+ SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
|
|
},
|
|
wantsErr: true,
|
|
},
|
|
@@ -172,14 +172,14 @@ func TestNewVerifyCmd(t *testing.T) {
|
|
name: "Has both cert-identity and cert-identity-regex flags",
|
|
cli: fmt.Sprintf("%s --owner sigstore --cert-identity https://github.com/sigstore/ --cert-identity-regex ^https://github.com/sigstore/", artifactPath),
|
|
wants: Options{
|
|
- ArtifactPath: artifactPath,
|
|
- DigestAlgorithm: "sha256",
|
|
- Limit: 30,
|
|
- OIDCIssuer: GitHubOIDCIssuer,
|
|
- Owner: "sigstore",
|
|
- SAN: "https://github.com/sigstore/",
|
|
- SANRegex: "^https://github.com/sigstore/",
|
|
- SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
+ ArtifactPath: artifactPath,
|
|
+ DigestAlgorithm: "sha256",
|
|
+ Limit: 30,
|
|
+ OIDCIssuer: GitHubOIDCIssuer,
|
|
+ Owner: "sigstore",
|
|
+ SAN: "https://github.com/sigstore/",
|
|
+ SANRegex: "^https://github.com/sigstore/",
|
|
+ SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
|
|
},
|
|
wantsErr: true,
|
|
},
|
|
@@ -187,14 +187,14 @@ func TestNewVerifyCmd(t *testing.T) {
|
|
name: "Prints output in JSON format",
|
|
cli: fmt.Sprintf("%s --bundle %s --owner sigstore --format json", artifactPath, bundlePath),
|
|
wants: Options{
|
|
- ArtifactPath: artifactPath,
|
|
- BundlePath: bundlePath,
|
|
- DigestAlgorithm: "sha256",
|
|
- Limit: 30,
|
|
- OIDCIssuer: GitHubOIDCIssuer,
|
|
- Owner: "sigstore",
|
|
- SANRegex: "^https://github.com/sigstore/",
|
|
- SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
+ ArtifactPath: artifactPath,
|
|
+ BundlePath: bundlePath,
|
|
+ DigestAlgorithm: "sha256",
|
|
+ Limit: 30,
|
|
+ OIDCIssuer: GitHubOIDCIssuer,
|
|
+ Owner: "sigstore",
|
|
+ SANRegex: "^https://github.com/sigstore/",
|
|
+ SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
|
|
},
|
|
wantsExporter: true,
|
|
},
|
|
@@ -243,17 +243,17 @@ func TestNewVerifyCmd(t *testing.T) {
|
|
func TestJSONOutput(t *testing.T) {
|
|
testIO, _, out, _ := iostreams.Test()
|
|
opts := Options{
|
|
- ArtifactPath: artifactPath,
|
|
- BundlePath: bundlePath,
|
|
- DigestAlgorithm: "sha512",
|
|
- APIClient: api.NewTestClient(),
|
|
- Logger: io.NewHandler(testIO),
|
|
- OCIClient: oci.MockClient{},
|
|
- OIDCIssuer: GitHubOIDCIssuer,
|
|
- Owner: "sigstore",
|
|
- SANRegex: "^https://github.com/sigstore/",
|
|
- SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
- exporter: cmdutil.NewJSONExporter(),
|
|
+ ArtifactPath: artifactPath,
|
|
+ BundlePath: bundlePath,
|
|
+ DigestAlgorithm: "sha512",
|
|
+ APIClient: api.NewTestClient(),
|
|
+ Logger: io.NewHandler(testIO),
|
|
+ OCIClient: oci.MockClient{},
|
|
+ OIDCIssuer: GitHubOIDCIssuer,
|
|
+ Owner: "sigstore",
|
|
+ SANRegex: "^https://github.com/sigstore/",
|
|
+ SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
|
|
+ exporter: cmdutil.NewJSONExporter(),
|
|
}
|
|
require.Nil(t, runVerify(&opts))
|
|
|
|
@@ -266,16 +266,16 @@ func TestRunVerify(t *testing.T) {
|
|
logger := io.NewTestHandler()
|
|
|
|
publicGoodOpts := Options{
|
|
- ArtifactPath: artifactPath,
|
|
- BundlePath: bundlePath,
|
|
- DigestAlgorithm: "sha512",
|
|
- APIClient: api.NewTestClient(),
|
|
- Logger: logger,
|
|
- OCIClient: oci.MockClient{},
|
|
- OIDCIssuer: GitHubOIDCIssuer,
|
|
- Owner: "sigstore",
|
|
- SANRegex: "^https://github.com/sigstore/",
|
|
- SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
+ ArtifactPath: artifactPath,
|
|
+ BundlePath: bundlePath,
|
|
+ DigestAlgorithm: "sha512",
|
|
+ APIClient: api.NewTestClient(),
|
|
+ Logger: logger,
|
|
+ OCIClient: oci.MockClient{},
|
|
+ OIDCIssuer: GitHubOIDCIssuer,
|
|
+ Owner: "sigstore",
|
|
+ SANRegex: "^https://github.com/sigstore/",
|
|
+ SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
|
|
}
|
|
|
|
t.Run("with valid artifact and bundle", func(t *testing.T) {
|
|
@@ -351,15 +351,15 @@ func TestRunVerify(t *testing.T) {
|
|
|
|
t.Run("with SAN enforcement", func(t *testing.T) {
|
|
opts := Options{
|
|
- ArtifactPath: artifactPath,
|
|
- BundlePath: bundlePath,
|
|
- APIClient: api.NewTestClient(),
|
|
- DigestAlgorithm: "sha512",
|
|
- Logger: logger,
|
|
- OIDCIssuer: GitHubOIDCIssuer,
|
|
- Owner: "sigstore",
|
|
- SAN: SigstoreSanValue,
|
|
- SigstoreVerifier: &verification.MockSigstoreVerifier{},
|
|
+ ArtifactPath: artifactPath,
|
|
+ BundlePath: bundlePath,
|
|
+ APIClient: api.NewTestClient(),
|
|
+ DigestAlgorithm: "sha512",
|
|
+ Logger: logger,
|
|
+ OIDCIssuer: GitHubOIDCIssuer,
|
|
+ Owner: "sigstore",
|
|
+ SAN: SigstoreSanValue,
|
|
+ SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
|
|
}
|
|
require.Nil(t, runVerify(&opts))
|
|
})
|
|
|
|
From 800cac39ccd0ab64e4223b8abadd9f1998f26134 Mon Sep 17 00:00:00 2001
|
|
From: Meredith Lancaster <malancas@github.com>
|
|
Date: Fri, 5 Apr 2024 12:25:58 -0600
|
|
Subject: [PATCH 5/7] rename LiveSigstoreVerifier constructor
|
|
|
|
Signed-off-by: Meredith Lancaster <malancas@github.com>
|
|
---
|
|
pkg/cmd/attestation/inspect/inspect.go | 2 +-
|
|
pkg/cmd/attestation/verification/sigstore.go | 4 ++--
|
|
pkg/cmd/attestation/verification/sigstore_test.go | 4 ++--
|
|
pkg/cmd/attestation/verify/verify.go | 2 +-
|
|
4 files changed, 6 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/pkg/cmd/attestation/inspect/inspect.go b/pkg/cmd/attestation/inspect/inspect.go
|
|
index 8d9e2405bf7..759667b36f8 100644
|
|
--- a/pkg/cmd/attestation/inspect/inspect.go
|
|
+++ b/pkg/cmd/attestation/inspect/inspect.go
|
|
@@ -77,7 +77,7 @@ func NewInspectCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
|
|
Logger: opts.Logger,
|
|
}
|
|
|
|
- sigstore, err := verification.NewSigstoreVerifier(config)
|
|
+ sigstore, err := verification.NewLiveSigstoreVerifier(config)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go
|
|
index cf7bb89c70f..ad57102ea88 100644
|
|
--- a/pkg/cmd/attestation/verification/sigstore.go
|
|
+++ b/pkg/cmd/attestation/verification/sigstore.go
|
|
@@ -46,10 +46,10 @@ type LiveSigstoreVerifier struct {
|
|
Logger *io.Handler
|
|
}
|
|
|
|
-// NewSigstoreVerifier creates a new LiveSigstoreVerifier struct
|
|
+// NewLiveSigstoreVerifier creates a new LiveSigstoreVerifier struct
|
|
// that is used to verify artifacts and attestations against the
|
|
// Public Good, GitHub, or a custom trusted root.
|
|
-func NewSigstoreVerifier(config SigstoreConfig) (*LiveSigstoreVerifier, error) {
|
|
+func NewLiveSigstoreVerifier(config SigstoreConfig) (*LiveSigstoreVerifier, error) {
|
|
customVerifier, err := newCustomVerifier(config.CustomTrustedRoot)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to create custom verifier: %v", err)
|
|
diff --git a/pkg/cmd/attestation/verification/sigstore_test.go b/pkg/cmd/attestation/verification/sigstore_test.go
|
|
index 69514c45cb1..0243a11eef0 100644
|
|
--- a/pkg/cmd/attestation/verification/sigstore_test.go
|
|
+++ b/pkg/cmd/attestation/verification/sigstore_test.go
|
|
@@ -21,7 +21,7 @@ func buildPolicy(a artifact.DigestedArtifact) (verify.PolicyBuilder, error) {
|
|
return policy, nil
|
|
}
|
|
|
|
-func TestNewSigstoreVerifier(t *testing.T) {
|
|
+func TestNewLiveSigstoreVerifier(t *testing.T) {
|
|
artifactPath := test.NormalizeRelativePath("../test/data/sigstore-js-2.1.0.tgz")
|
|
artifact, err := artifact.NewDigestedArtifact(nil, artifactPath, "sha512")
|
|
require.NoError(t, err)
|
|
@@ -32,7 +32,7 @@ func TestNewSigstoreVerifier(t *testing.T) {
|
|
c := SigstoreConfig{
|
|
Logger: io.NewTestHandler(),
|
|
}
|
|
- verifier, err := NewSigstoreVerifier(c)
|
|
+ verifier, err := NewLiveSigstoreVerifier(c)
|
|
require.NoError(t, err)
|
|
|
|
t.Run("with invalid signature", func(t *testing.T) {
|
|
diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
|
|
index 1f4665e30f3..e1ad77b1ea4 100644
|
|
--- a/pkg/cmd/attestation/verify/verify.go
|
|
+++ b/pkg/cmd/attestation/verify/verify.go
|
|
@@ -111,7 +111,7 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
|
|
NoPublicGood: opts.NoPublicGood,
|
|
}
|
|
|
|
- sv, err := verification.NewSigstoreVerifier(config)
|
|
+ sv, err := verification.NewLiveSigstoreVerifier(config)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
From 3b73128ad154c0565e1a32ff5d7d590ec427f857 Mon Sep 17 00:00:00 2001
|
|
From: Meredith Lancaster <malancas@github.com>
|
|
Date: Fri, 5 Apr 2024 16:29:00 -0600
|
|
Subject: [PATCH 6/7] pr feedback, add todos for tests that need to be
|
|
reimplemented
|
|
|
|
Signed-off-by: Meredith Lancaster <malancas@github.com>
|
|
---
|
|
pkg/cmd/attestation/api/mock_client.go | 18 +++---------------
|
|
pkg/cmd/attestation/verify/verify_test.go | 8 ++++++++
|
|
2 files changed, 11 insertions(+), 15 deletions(-)
|
|
|
|
diff --git a/pkg/cmd/attestation/api/mock_client.go b/pkg/cmd/attestation/api/mock_client.go
|
|
index 96a64e4fcd6..4e5755faf1f 100644
|
|
--- a/pkg/cmd/attestation/api/mock_client.go
|
|
+++ b/pkg/cmd/attestation/api/mock_client.go
|
|
@@ -1,11 +1,10 @@
|
|
package api
|
|
|
|
import (
|
|
- "encoding/json"
|
|
"fmt"
|
|
- "os"
|
|
+ // "testing"
|
|
|
|
- "github.com/sigstore/sigstore-go/pkg/bundle"
|
|
+ "github.com/cli/cli/v2/pkg/cmd/attestation/test/data"
|
|
)
|
|
|
|
type MockClient struct {
|
|
@@ -22,18 +21,7 @@ func (m MockClient) GetByOwnerAndDigest(owner, digest string, limit int) ([]*Att
|
|
}
|
|
|
|
func makeTestAttestation() Attestation {
|
|
- bundleBytes, err := os.ReadFile("../test/data/sigstore-js-2.1.0-bundle.json")
|
|
- if err != nil {
|
|
- panic(err)
|
|
- }
|
|
-
|
|
- var b *bundle.ProtobufBundle
|
|
- err = json.Unmarshal(bundleBytes, &b)
|
|
- if err != nil {
|
|
- panic(err)
|
|
- }
|
|
-
|
|
- return Attestation{Bundle: b}
|
|
+ return Attestation{Bundle: data.SigstoreBundle(nil)}
|
|
}
|
|
|
|
func OnGetByRepoAndDigestSuccess(repo, digest string, limit int) ([]*Attestation, error) {
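Review bot: `data.SigstoreBundle(nil)` in makeTestAttestation passes a nil `*testing.T` to a helper that elsewhere in this series is given a real `t` (`data.SigstoreBundle(v.t)` in mock_verifier.go); if that helper reports fixture-loading failures through `t` (require.NoError, t.Fatal), a missing or malformed bundle file now surfaces as a nil-pointer dereference instead of the explicit `panic(err)` the removed lines produced. Either give makeTestAttestation a `t *testing.T` parameter so the fixture failure is reported as a test failure (the commented-out `"testing"` import in the previous hunk suggests this was considered), or document the contract on the function: `// data.SigstoreBundle is called with a nil *testing.T because this helper has no test context; a bad fixture panics rather than failing a test.` The callers that consume this attestation sit outside the hunk, so whether any of them tolerates a panic here cannot be confirmed from this view.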
|
|
diff --git a/pkg/cmd/attestation/verify/verify_test.go b/pkg/cmd/attestation/verify/verify_test.go
|
|
index 776cd27a952..b742ea51723 100644
|
|
--- a/pkg/cmd/attestation/verify/verify_test.go
|
|
+++ b/pkg/cmd/attestation/verify/verify_test.go
|
|
@@ -342,14 +342,22 @@ func TestRunVerify(t *testing.T) {
|
|
require.ErrorContains(t, err, "failed to fetch attestations for subject")
|
|
})
|
|
|
|
+ // TODO: this test can only be tested with a live SigstoreVerifier
|
|
+ // add integration tests or HTTP mocked sigstore verifier tests
|
|
+ // to test this case
|
|
t.Run("with invalid OIDC issuer", func(t *testing.T) {
|
|
+ t.Skip()
|
|
opts := publicGoodOpts
|
|
opts.OIDCIssuer = "not-a-real-issuer"
|
|
opts.SigstoreVerifier = &verification.FailSigstoreVerifier{}
|
|
require.Error(t, runVerify(&opts))
|
|
})
|
|
|
|
+ // TODO: this test can only be tested with a live SigstoreVerifier
|
|
+ // add integration tests or HTTP mocked sigstore verifier tests
|
|
+ // to test this case
|
|
t.Run("with SAN enforcement", func(t *testing.T) {
|
|
+ t.Skip()
|
|
opts := Options{
|
|
ArtifactPath: artifactPath,
|
|
BundlePath: bundlePath,
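Review bot: The two new `t.Skip()` calls give no reason, so `go test -v` prints a bare SKIP and the rationale lives only in the TODO comment above each subtest; pass it through, e.g. `t.Skip("requires a live SigstoreVerifier; see TODO")`, so the skip is self-explanatory in CI output. Both skipped subtests ("with invalid OIDC issuer" and "with SAN enforcement") are the negative paths for attestation policy enforcement, so until they are reimplemented this package no longer exercises the command rejecting a mismatched issuer or certificate identity — that gap is worth an issue reference in the TODO rather than a comment alone. The enclosing TestRunVerify starts before the hunk and the second subtest's body continues past it.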
|
|
|
|
From 87ed8ade9b967983fd604fbb2c21c65694ab3084 Mon Sep 17 00:00:00 2001
|
|
From: Meredith Lancaster <malancas@github.com>
|
|
Date: Fri, 5 Apr 2024 16:30:02 -0600
|
|
Subject: [PATCH 7/7] remove unused import
|
|
|
|
Signed-off-by: Meredith Lancaster <malancas@github.com>
|
|
---
|
|
pkg/cmd/attestation/api/mock_client.go | 1 -
|
|
1 file changed, 1 deletion(-)
|
|
|
|
diff --git a/pkg/cmd/attestation/api/mock_client.go b/pkg/cmd/attestation/api/mock_client.go
|
|
index 4e5755faf1f..edb51ee6e24 100644
|
|
--- a/pkg/cmd/attestation/api/mock_client.go
|
|
+++ b/pkg/cmd/attestation/api/mock_client.go
|
|
@@ -2,7 +2,6 @@ package api
|
|
|
|
import (
|
|
"fmt"
|
|
- // "testing"
|
|
|
|
"github.com/cli/cli/v2/pkg/cmd/attestation/test/data"
|
|
)
|