Use Sigstore staging for test recordings

This commit modifies the acceptance tests which rely on recordings to be based on the staging instance of Sigstore. The main advantage of this approach is that to regenerate the data, we no longer need to spin up a local instance of Sigstore which can be quite resource intensive. Also, since the stagning Sigstore instance is not an ephemeral instance, we can be selective in only re-generating the data that expires. It would be great to eventually tie this into a GitHub Workflow so a PR can be created every so often. Signed-off-by: Luiz Carvalho <[email protected]>
enterprise-contract · May 15, 2024 · b3ac300 · b3ac300
1 parent d1bb942
commit b3ac300
Show file tree

Hide file tree

Showing 57 changed files with 898 additions and 471 deletions.
diff --git a/Makefile b/Makefile
@@ -146,6 +146,7 @@ LICENSE_IGNORE=\
 -ignore 'configs/*/*.yaml' \
 -ignore 'node_modules/**' \
 -ignore 'hack/**/charts/**' \
+-ignore 'acceptance/wiremock/recordings/**' \
 -ignore '.tekton/*.yaml'
 
 LINT_TO_GITHUB_ANNOTATIONS='map(map(.)[])[][] as $$d | $$d.posn | split(":") as $$posn | "::warning file=\($$posn[0]),line=\($$posn[1]),col=\($$posn[2])::\($$d.message)"'

diff --git a/acceptance/cli/cli.go b/acceptance/cli/cli.go
@@ -385,8 +385,8 @@ func setupTUF(ctx context.Context, vars map[string]string, environment []string)
 	}
 	vars["TUF"] = tufURL
 
-	vars["CERT_IDENTITY"] = "https://kubernetes.io/namespaces/default/serviceaccounts/default"
-	vars["CERT_ISSUER"] = "https://kubernetes.default.svc.cluster.local"
+	vars["CERT_IDENTITY"] = "[email protected]"
+	vars["CERT_ISSUER"] = "https://github.com/login/oauth"
 
 	environment = append(environment, fmt.Sprintf("TUF_ROOT=%s", tuf.Root(ctx)))
 

diff --git a/acceptance/image/image.go b/acceptance/image/image.go
@@ -26,7 +26,6 @@ import (
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/pem"
-	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -603,14 +602,17 @@ func createAndPushKeylessImage(ctx context.Context, imageName string) (context.C
 				sig.Certificate = certPEM
 			}
 
-			if cert, ok := l.Annotations[static.ChainAnnotationKey]; ok {
-				if strings.Contains(cert, "-\n-") {
-					return errors.New("thus far we have only seen chain of length 1, fix the test to support more than one certificate in chain")
+			if certs, ok := l.Annotations[static.ChainAnnotationKey]; ok {
+				for block, rest := pem.Decode([]byte(certs)); block != nil; block, rest = pem.Decode(rest) {
+					if block.Type != "CERTIFICATE" {
+						continue
+					}
+					cert := new(strings.Builder)
+					if err := pem.Encode(cert, block); err != nil {
+						return err
+					}
+					sig.Chain = append(sig.Chain, cert.String())
 				}
-				if !strings.HasSuffix(cert, "\n") { // for whatever reason the trailing newline is missing in the annotation
-					cert += "\n"
-				}
-				sig.Chain = []string{cert} // TODO hmm
 			}
 
 			where[imageName] = sig

diff --git a/...e/testimage/blobs/sha256/3a62d4fad8e219768eadafca1629a27cf4b88d5e3f0f1bfe718fde064a4fed71 b/...e/testimage/blobs/sha256/3a62d4fad8e219768eadafca1629a27cf4b88d5e3f0f1bfe718fde064a4fed71
diff --git a/...fc744e2686287d10564a6510bd8ef0d902960d33c → ...11e5b8deb17fbc8597bd750eef9beeab163fe3715 b/...fc744e2686287d10564a6510bd8ef0d902960d33c → ...11e5b8deb17fbc8597bd750eef9beeab163fe3715
@@ -1 +1 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:3eaf7ec07c9bee51f9b4a1d1722b7f340c31045867335ab8a0b4946df7f96bb8","size":326},"layers":[{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","digest":"sha256:bd9ddc54bea929a22b334e73e026d4136e5b73f5cc29942896c72e4ece69b13d","size":34}],"annotations":{"org.opencontainers.image.base.digest":"","org.opencontainers.image.base.name":""}}
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:e76feb45a3e513d30d053440066b0d9fb2bd47999894bd38fb1fb64d72d80ce3","size":326},"layers":[{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","digest":"sha256:bd9ddc54bea929a22b334e73e026d4136e5b73f5cc29942896c72e4ece69b13d","size":34}],"annotations":{"org.opencontainers.image.base.digest":"","org.opencontainers.image.base.name":""}}
diff --git a/...e/testimage/blobs/sha256/62d2613715e73c0bd327283235e25cb2c3800a5b085c88784c686458d47a4812 b/...e/testimage/blobs/sha256/62d2613715e73c0bd327283235e25cb2c3800a5b085c88784c686458d47a4812
@@ -0,0 +1 @@
+{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:77d53490dbc8f3f67c8c36a6c5e9c57d624b6ed61850247559e634651ed07864"]},"config":{}}
diff --git a/...30d21960a3782b8c39a49997eb8b0785270940611 → ...104a8975e8dad61f711d458a3998aefaa524afa5e b/...30d21960a3782b8c39a49997eb8b0785270940611 → ...104a8975e8dad61f711d458a3998aefaa524afa5e
@@ -1 +1 @@
-{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJyZWdpc3RyeS5sb2NhbDo1MDAwL3NpZ3N0b3JlL3Rlc3RpbWFnZSIsImRpZ2VzdCI6eyJzaGEyNTYiOiI5OTZlNjBjYWViYTVhMzE2MjFkYmQ2OWZjNzQ0ZTI2ODYyODdkMTA1NjRhNjUxMGJkOGVmMGQ5MDI5NjBkMzNjIn19XSwicHJlZGljYXRlIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL3Rla3Rvbi5kZXYvY2hhaW5zL3YyIn0sImJ1aWxkVHlwZSI6InRla3Rvbi5kZXYvdjEvUGlwZWxpbmVSdW4iLCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6e319LCJtZXRhZGF0YSI6eyJidWlsZFN0YXJ0ZWRPbiI6IjIwMjMtMDMtMjJUMTk6Mzg6MDFaIiwiYnVpbGRGaW5pc2hlZE9uIjoiMjAyMy0wMy0yMlQxOTo0MTowNVoiLCJjb21wbGV0ZW5lc3MiOnsicGFyYW1ldGVycyI6ZmFsc2UsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9fX0=","signatures":[{"keyid":"","sig":"MEUCIQDP7+yZSiEkHNBrLbAj88+/pnog1TlrP3FKmJQ5k2XFmgIgQ8Wiw+Zvocck+IqAAq450S6hKyvkaEcPsseqPPXuPNg="}]}
+{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJyZWdpc3RyeS5sb2NhbDo1MDAwL3NpZ3N0b3JlL3Rlc3RpbWFnZSIsImRpZ2VzdCI6eyJzaGEyNTYiOiI0NmM2MmExYzhkMjAxYTg0MjczYzI2NjExZTViOGRlYjE3ZmJjODU5N2JkNzUwZWVmOWJlZWFiMTYzZmUzNzE1In19XSwicHJlZGljYXRlIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL3Rla3Rvbi5kZXYvY2hhaW5zL3YyIn0sImJ1aWxkVHlwZSI6InRla3Rvbi5kZXYvdjEvUGlwZWxpbmVSdW4iLCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6e319LCJtZXRhZGF0YSI6eyJidWlsZFN0YXJ0ZWRPbiI6IjIwMjMtMDMtMjJUMTk6Mzg6MDFaIiwiYnVpbGRGaW5pc2hlZE9uIjoiMjAyMy0wMy0yMlQxOTo0MTowNVoiLCJjb21wbGV0ZW5lc3MiOnsicGFyYW1ldGVycyI6ZmFsc2UsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9fX0=","signatures":[{"keyid":"","sig":"MEYCIQDE8DNuhyR4GB/H25r4XZrpMSJGgKLryCoSvDtVcJkETQIhALZJ2xmyM1g8V4c70HEp9doDe/ymHCw7zIo+3WqfS6NM"}]}
diff --git a/...e/testimage/blobs/sha256/72acd4ac35703a93be65df7f5a9db7d06403818ff9e4c170bb0a80b407f783cf b/...e/testimage/blobs/sha256/72acd4ac35703a93be65df7f5a9db7d06403818ff9e4c170bb0a80b407f783cf
diff --git a/...e23f9edf8dc05a89a7a505ed2f2e4bda14edb3296 → ...6c5e9c57d624b6ed61850247559e634651ed07864 b/...e23f9edf8dc05a89a7a505ed2f2e4bda14edb3296 → ...6c5e9c57d624b6ed61850247559e634651ed07864
@@ -1 +1 @@
-{"critical":{"identity":{"docker-reference":"registry.local:5000/sigstore/testimage"},"image":{"docker-manifest-digest":"sha256:996e60caeba5a31621dbd69fc744e2686287d10564a6510bd8ef0d902960d33c"},"type":"cosign container image signature"},"optional":null}
+{"critical":{"identity":{"docker-reference":"registry.local:5000/sigstore/testimage"},"image":{"docker-manifest-digest":"sha256:46c62a1c8d201a84273c26611e5b8deb17fbc8597bd750eef9beeab163fe3715"},"type":"cosign container image signature"},"optional":null}
diff --git a/...e/testimage/blobs/sha256/8cc6a03b678bf2d324d445ee65a532e3dab7e88771203200a57c5ee2c6a67f51 b/...e/testimage/blobs/sha256/8cc6a03b678bf2d324d445ee65a532e3dab7e88771203200a57c5ee2c6a67f51
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:3eaf7ec07c9bee51f9b4a1d1722b7f340c31045867335ab8a0b4946df7f96bb8","size":326},"layers":[{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","digest":"sha256:bd9ddc54bea929a22b334e73e026d4136e5b73f5cc29942896c72e4ece69b13d","size":34}],"annotations":{"org.opencontainers.image.base.digest":"","org.opencontainers.image.base.name":""}}
		{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:e76feb45a3e513d30d053440066b0d9fb2bd47999894bd38fb1fb64d72d80ce3","size":326},"layers":[{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","digest":"sha256:bd9ddc54bea929a22b334e73e026d4136e5b73f5cc29942896c72e4ece69b13d","size":34}],"annotations":{"org.opencontainers.image.base.digest":"","org.opencontainers.image.base.name":""}}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:77d53490dbc8f3f67c8c36a6c5e9c57d624b6ed61850247559e634651ed07864"]},"config":{}}
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJyZWdpc3RyeS5sb2NhbDo1MDAwL3NpZ3N0b3JlL3Rlc3RpbWFnZSIsImRpZ2VzdCI6eyJzaGEyNTYiOiI5OTZlNjBjYWViYTVhMzE2MjFkYmQ2OWZjNzQ0ZTI2ODYyODdkMTA1NjRhNjUxMGJkOGVmMGQ5MDI5NjBkMzNjIn19XSwicHJlZGljYXRlIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL3Rla3Rvbi5kZXYvY2hhaW5zL3YyIn0sImJ1aWxkVHlwZSI6InRla3Rvbi5kZXYvdjEvUGlwZWxpbmVSdW4iLCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6e319LCJtZXRhZGF0YSI6eyJidWlsZFN0YXJ0ZWRPbiI6IjIwMjMtMDMtMjJUMTk6Mzg6MDFaIiwiYnVpbGRGaW5pc2hlZE9uIjoiMjAyMy0wMy0yMlQxOTo0MTowNVoiLCJjb21wbGV0ZW5lc3MiOnsicGFyYW1ldGVycyI6ZmFsc2UsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9fX0=","signatures":[{"keyid":"","sig":"MEUCIQDP7+yZSiEkHNBrLbAj88+/pnog1TlrP3FKmJQ5k2XFmgIgQ8Wiw+Zvocck+IqAAq450S6hKyvkaEcPsseqPPXuPNg="}]}
		{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJyZWdpc3RyeS5sb2NhbDo1MDAwL3NpZ3N0b3JlL3Rlc3RpbWFnZSIsImRpZ2VzdCI6eyJzaGEyNTYiOiI0NmM2MmExYzhkMjAxYTg0MjczYzI2NjExZTViOGRlYjE3ZmJjODU5N2JkNzUwZWVmOWJlZWFiMTYzZmUzNzE1In19XSwicHJlZGljYXRlIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL3Rla3Rvbi5kZXYvY2hhaW5zL3YyIn0sImJ1aWxkVHlwZSI6InRla3Rvbi5kZXYvdjEvUGlwZWxpbmVSdW4iLCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6e319LCJtZXRhZGF0YSI6eyJidWlsZFN0YXJ0ZWRPbiI6IjIwMjMtMDMtMjJUMTk6Mzg6MDFaIiwiYnVpbGRGaW5pc2hlZE9uIjoiMjAyMy0wMy0yMlQxOTo0MTowNVoiLCJjb21wbGV0ZW5lc3MiOnsicGFyYW1ldGVycyI6ZmFsc2UsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9fX0=","signatures":[{"keyid":"","sig":"MEYCIQDE8DNuhyR4GB/H25r4XZrpMSJGgKLryCoSvDtVcJkETQIhALZJ2xmyM1g8V4c70HEp9doDe/ymHCw7zIo+3WqfS6NM"}]}
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		{"critical":{"identity":{"docker-reference":"registry.local:5000/sigstore/testimage"},"image":{"docker-manifest-digest":"sha256:996e60caeba5a31621dbd69fc744e2686287d10564a6510bd8ef0d902960d33c"},"type":"cosign container image signature"},"optional":null}
		{"critical":{"identity":{"docker-reference":"registry.local:5000/sigstore/testimage"},"image":{"docker-manifest-digest":"sha256:46c62a1c8d201a84273c26611e5b8deb17fbc8597bd750eef9beeab163fe3715"},"type":"cosign container image signature"},"optional":null}