enterprise-contract · lcarva · May 1, 2024 · zregvart · May 2, 2024 · lcarva
diff --git a/Makefile b/Makefile
@@ -146,6 +146,7 @@ LICENSE_IGNORE=\
 -ignore 'configs/*/*.yaml' \
 -ignore 'node_modules/**' \
 -ignore 'hack/**/charts/**' \
+-ignore 'acceptance/wiremock/recordings/**' \
 -ignore '.tekton/*.yaml'
 
 LINT_TO_GITHUB_ANNOTATIONS='map(map(.)[])[][] as $$d | $$d.posn | split(":") as $$posn | "::warning file=\($$posn[0]),line=\($$posn[1]),col=\($$posn[2])::\($$d.message)"'

diff --git a/acceptance/cli/cli.go b/acceptance/cli/cli.go
@@ -385,8 +385,8 @@ func setupTUF(ctx context.Context, vars map[string]string, environment []string)
 	}
 	vars["TUF"] = tufURL
 
-	vars["CERT_IDENTITY"] = "https://kubernetes.io/namespaces/default/serviceaccounts/default"
-	vars["CERT_ISSUER"] = "https://kubernetes.default.svc.cluster.local"
+	vars["CERT_IDENTITY"] = "[email protected]"
+	vars["CERT_ISSUER"] = "https://github.com/login/oauth"
 
 	environment = append(environment, fmt.Sprintf("TUF_ROOT=%s", tuf.Root(ctx)))
 

diff --git a/acceptance/image/image.go b/acceptance/image/image.go
@@ -26,7 +26,6 @@ import (
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/pem"
-	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -603,14 +602,17 @@ func createAndPushKeylessImage(ctx context.Context, imageName string) (context.C
 				sig.Certificate = certPEM
 			}
 
-			if cert, ok := l.Annotations[static.ChainAnnotationKey]; ok {
-				if strings.Contains(cert, "-\n-") {
-					return errors.New("thus far we have only seen chain of length 1, fix the test to support more than one certificate in chain")
+			if certs, ok := l.Annotations[static.ChainAnnotationKey]; ok {
+				for block, rest := pem.Decode([]byte(certs)); block != nil; block, rest = pem.Decode(rest) {
+					if block.Type != "CERTIFICATE" {
+						continue
+					}
+					cert := new(strings.Builder)
+					if err := pem.Encode(cert, block); err != nil {
+						return err
+					}
+					sig.Chain = append(sig.Chain, cert.String())
 				}
-				if !strings.HasSuffix(cert, "\n") { // for whatever reason the trailing newline is missing in the annotation
-					cert += "\n"
-				}
-				sig.Chain = []string{cert} // TODO hmm
 			}
 
 			where[imageName] = sig

diff --git a/...e/testimage/blobs/sha256/3a62d4fad8e219768eadafca1629a27cf4b88d5e3f0f1bfe718fde064a4fed71 b/...e/testimage/blobs/sha256/3a62d4fad8e219768eadafca1629a27cf4b88d5e3f0f1bfe718fde064a4fed71
diff --git a/...fc744e2686287d10564a6510bd8ef0d902960d33c → ...11e5b8deb17fbc8597bd750eef9beeab163fe3715 b/...fc744e2686287d10564a6510bd8ef0d902960d33c → ...11e5b8deb17fbc8597bd750eef9beeab163fe3715
@@ -1 +1 @@
-{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:3eaf7ec07c9bee51f9b4a1d1722b7f340c31045867335ab8a0b4946df7f96bb8","size":326},"layers":[{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","digest":"sha256:bd9ddc54bea929a22b334e73e026d4136e5b73f5cc29942896c72e4ece69b13d","size":34}],"annotations":{"org.opencontainers.image.base.digest":"","org.opencontainers.image.base.name":""}}
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:e76feb45a3e513d30d053440066b0d9fb2bd47999894bd38fb1fb64d72d80ce3","size":326},"layers":[{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","digest":"sha256:bd9ddc54bea929a22b334e73e026d4136e5b73f5cc29942896c72e4ece69b13d","size":34}],"annotations":{"org.opencontainers.image.base.digest":"","org.opencontainers.image.base.name":""}}
diff --git a/...e/testimage/blobs/sha256/62d2613715e73c0bd327283235e25cb2c3800a5b085c88784c686458d47a4812 b/...e/testimage/blobs/sha256/62d2613715e73c0bd327283235e25cb2c3800a5b085c88784c686458d47a4812
@@ -0,0 +1 @@
+{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:77d53490dbc8f3f67c8c36a6c5e9c57d624b6ed61850247559e634651ed07864"]},"config":{}}
diff --git a/...30d21960a3782b8c39a49997eb8b0785270940611 → ...104a8975e8dad61f711d458a3998aefaa524afa5e b/...30d21960a3782b8c39a49997eb8b0785270940611 → ...104a8975e8dad61f711d458a3998aefaa524afa5e
@@ -1 +1 @@
-{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJyZWdpc3RyeS5sb2NhbDo1MDAwL3NpZ3N0b3JlL3Rlc3RpbWFnZSIsImRpZ2VzdCI6eyJzaGEyNTYiOiI5OTZlNjBjYWViYTVhMzE2MjFkYmQ2OWZjNzQ0ZTI2ODYyODdkMTA1NjRhNjUxMGJkOGVmMGQ5MDI5NjBkMzNjIn19XSwicHJlZGljYXRlIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL3Rla3Rvbi5kZXYvY2hhaW5zL3YyIn0sImJ1aWxkVHlwZSI6InRla3Rvbi5kZXYvdjEvUGlwZWxpbmVSdW4iLCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6e319LCJtZXRhZGF0YSI6eyJidWlsZFN0YXJ0ZWRPbiI6IjIwMjMtMDMtMjJUMTk6Mzg6MDFaIiwiYnVpbGRGaW5pc2hlZE9uIjoiMjAyMy0wMy0yMlQxOTo0MTowNVoiLCJjb21wbGV0ZW5lc3MiOnsicGFyYW1ldGVycyI6ZmFsc2UsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9fX0=","signatures":[{"keyid":"","sig":"MEUCIQDP7+yZSiEkHNBrLbAj88+/pnog1TlrP3FKmJQ5k2XFmgIgQ8Wiw+Zvocck+IqAAq450S6hKyvkaEcPsseqPPXuPNg="}]}
+{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJyZWdpc3RyeS5sb2NhbDo1MDAwL3NpZ3N0b3JlL3Rlc3RpbWFnZSIsImRpZ2VzdCI6eyJzaGEyNTYiOiI0NmM2MmExYzhkMjAxYTg0MjczYzI2NjExZTViOGRlYjE3ZmJjODU5N2JkNzUwZWVmOWJlZWFiMTYzZmUzNzE1In19XSwicHJlZGljYXRlIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL3Rla3Rvbi5kZXYvY2hhaW5zL3YyIn0sImJ1aWxkVHlwZSI6InRla3Rvbi5kZXYvdjEvUGlwZWxpbmVSdW4iLCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6e319LCJtZXRhZGF0YSI6eyJidWlsZFN0YXJ0ZWRPbiI6IjIwMjMtMDMtMjJUMTk6Mzg6MDFaIiwiYnVpbGRGaW5pc2hlZE9uIjoiMjAyMy0wMy0yMlQxOTo0MTowNVoiLCJjb21wbGV0ZW5lc3MiOnsicGFyYW1ldGVycyI6ZmFsc2UsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9fX0=","signatures":[{"keyid":"","sig":"MEYCIQDE8DNuhyR4GB/H25r4XZrpMSJGgKLryCoSvDtVcJkETQIhALZJ2xmyM1g8V4c70HEp9doDe/ymHCw7zIo+3WqfS6NM"}]}
diff --git a/...e/testimage/blobs/sha256/72acd4ac35703a93be65df7f5a9db7d06403818ff9e4c170bb0a80b407f783cf b/...e/testimage/blobs/sha256/72acd4ac35703a93be65df7f5a9db7d06403818ff9e4c170bb0a80b407f783cf
diff --git a/...e23f9edf8dc05a89a7a505ed2f2e4bda14edb3296 → ...6c5e9c57d624b6ed61850247559e634651ed07864 b/...e23f9edf8dc05a89a7a505ed2f2e4bda14edb3296 → ...6c5e9c57d624b6ed61850247559e634651ed07864
@@ -1 +1 @@
-{"critical":{"identity":{"docker-reference":"registry.local:5000/sigstore/testimage"},"image":{"docker-manifest-digest":"sha256:996e60caeba5a31621dbd69fc744e2686287d10564a6510bd8ef0d902960d33c"},"type":"cosign container image signature"},"optional":null}
+{"critical":{"identity":{"docker-reference":"registry.local:5000/sigstore/testimage"},"image":{"docker-manifest-digest":"sha256:46c62a1c8d201a84273c26611e5b8deb17fbc8597bd750eef9beeab163fe3715"},"type":"cosign container image signature"},"optional":null}
diff --git a/...e/testimage/blobs/sha256/8cc6a03b678bf2d324d445ee65a532e3dab7e88771203200a57c5ee2c6a67f51 b/...e/testimage/blobs/sha256/8cc6a03b678bf2d324d445ee65a532e3dab7e88771203200a57c5ee2c6a67f51
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:3eaf7ec07c9bee51f9b4a1d1722b7f340c31045867335ab8a0b4946df7f96bb8","size":326},"layers":[{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","digest":"sha256:bd9ddc54bea929a22b334e73e026d4136e5b73f5cc29942896c72e4ece69b13d","size":34}],"annotations":{"org.opencontainers.image.base.digest":"","org.opencontainers.image.base.name":""}}
		{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:e76feb45a3e513d30d053440066b0d9fb2bd47999894bd38fb1fb64d72d80ce3","size":326},"layers":[{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","digest":"sha256:bd9ddc54bea929a22b334e73e026d4136e5b73f5cc29942896c72e4ece69b13d","size":34}],"annotations":{"org.opencontainers.image.base.digest":"","org.opencontainers.image.base.name":""}}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{"architecture":"","created":"0001-01-01T00:00:00Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:77d53490dbc8f3f67c8c36a6c5e9c57d624b6ed61850247559e634651ed07864"]},"config":{}}
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJyZWdpc3RyeS5sb2NhbDo1MDAwL3NpZ3N0b3JlL3Rlc3RpbWFnZSIsImRpZ2VzdCI6eyJzaGEyNTYiOiI5OTZlNjBjYWViYTVhMzE2MjFkYmQ2OWZjNzQ0ZTI2ODYyODdkMTA1NjRhNjUxMGJkOGVmMGQ5MDI5NjBkMzNjIn19XSwicHJlZGljYXRlIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL3Rla3Rvbi5kZXYvY2hhaW5zL3YyIn0sImJ1aWxkVHlwZSI6InRla3Rvbi5kZXYvdjEvUGlwZWxpbmVSdW4iLCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6e319LCJtZXRhZGF0YSI6eyJidWlsZFN0YXJ0ZWRPbiI6IjIwMjMtMDMtMjJUMTk6Mzg6MDFaIiwiYnVpbGRGaW5pc2hlZE9uIjoiMjAyMy0wMy0yMlQxOTo0MTowNVoiLCJjb21wbGV0ZW5lc3MiOnsicGFyYW1ldGVycyI6ZmFsc2UsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9fX0=","signatures":[{"keyid":"","sig":"MEUCIQDP7+yZSiEkHNBrLbAj88+/pnog1TlrP3FKmJQ5k2XFmgIgQ8Wiw+Zvocck+IqAAq450S6hKyvkaEcPsseqPPXuPNg="}]}
		{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJyZWdpc3RyeS5sb2NhbDo1MDAwL3NpZ3N0b3JlL3Rlc3RpbWFnZSIsImRpZ2VzdCI6eyJzaGEyNTYiOiI0NmM2MmExYzhkMjAxYTg0MjczYzI2NjExZTViOGRlYjE3ZmJjODU5N2JkNzUwZWVmOWJlZWFiMTYzZmUzNzE1In19XSwicHJlZGljYXRlIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL3Rla3Rvbi5kZXYvY2hhaW5zL3YyIn0sImJ1aWxkVHlwZSI6InRla3Rvbi5kZXYvdjEvUGlwZWxpbmVSdW4iLCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6e319LCJtZXRhZGF0YSI6eyJidWlsZFN0YXJ0ZWRPbiI6IjIwMjMtMDMtMjJUMTk6Mzg6MDFaIiwiYnVpbGRGaW5pc2hlZE9uIjoiMjAyMy0wMy0yMlQxOTo0MTowNVoiLCJjb21wbGV0ZW5lc3MiOnsicGFyYW1ldGVycyI6ZmFsc2UsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9fX0=","signatures":[{"keyid":"","sig":"MEYCIQDE8DNuhyR4GB/H25r4XZrpMSJGgKLryCoSvDtVcJkETQIhALZJ2xmyM1g8V4c70HEp9doDe/ymHCw7zIo+3WqfS6NM"}]}
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		{"critical":{"identity":{"docker-reference":"registry.local:5000/sigstore/testimage"},"image":{"docker-manifest-digest":"sha256:996e60caeba5a31621dbd69fc744e2686287d10564a6510bd8ef0d902960d33c"},"type":"cosign container image signature"},"optional":null}
		{"critical":{"identity":{"docker-reference":"registry.local:5000/sigstore/testimage"},"image":{"docker-manifest-digest":"sha256:46c62a1c8d201a84273c26611e5b8deb17fbc8597bd750eef9beeab163fe3715"},"type":"cosign container image signature"},"optional":null}