build: Add missing images for arm64 tests

fidencio · fidencio · commit 01dda4f42285 · 2026-04-14T13:32:05.000+02:00
Build multi-arch (amd64, arm64, s390x) unsigned, cosign-signed, and
cosign-signed-key2 images under test-container-image-rs, so that
kata-containers image signature tests work on all architectures
without needing per-arch tags.

A second cosign key pair (cosign2.key/cosign2.pub) is added for the
"wrong key" test case. The COSIGN_PASSWORD_KEY2 secret must be
configured in the repository.

Signed-off-by: Fabiano Fidêncio &lt;ffidencio@nvidia.com&gt;
diff --git a/.github/workflows/build-test-containers.yaml b/.github/workflows/build-test-containers.yaml
@@ -27,6 +27,9 @@ on:
           - test-container-unencrypted
           - test-container-encrypted
           - busybox
+          - imgrs-multi-arch-unsigned
+          - imgrs-multi-arch-cosign-signed
+          - imgrs-multi-arch-cosign-signed-key2
   push:
     branches:
       - "main"
@@ -101,6 +104,7 @@ jobs:
       - name: Run make target
         env:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_PASSWORD_KEY2: ${{ secrets.COSIGN_PASSWORD_KEY2 }}
         working-directory: container-images
         run: make ${{ github.event.inputs.target || 'all' }}
 
diff --git a/container-images/Makefile b/container-images/Makefile
@@ -24,6 +24,9 @@
 	multi-arch-encrypted \
 	multi-arch-encrypted-cosign-sig \
 	busybox \
+	imgrs-multi-arch-unsigned \
+	imgrs-multi-arch-cosign-signed \
+	imgrs-multi-arch-cosign-signed-key2 \
 	setup-buildx \
 	coco-keyprovider \
 	all
@@ -56,7 +59,10 @@ all: \
 	multi-arch-cosign-sig \
 	multi-arch-encrypted \
 	multi-arch-encrypted-cosign-sig \
-	busybox
+	busybox \
+	imgrs-multi-arch-unsigned \
+	imgrs-multi-arch-cosign-signed \
+	imgrs-multi-arch-cosign-signed-key2
 
 
 # ---------------------------------------------------------------------------
@@ -295,3 +301,114 @@ multi-arch-encrypted-cosign-sig: multi-arch-encrypted
 	@echo "==> Cosign-signing multi-arch-encrypted-cosign-sig"
 	${CURDIR}/scripts/make-cosign-sig.sh $(COCO_PKG) multi-arch-encrypted-cosign-sig $(REGISTRY)
 	@echo "==> Done! Image: $(REGISTRY)/$(COCO_PKG):multi-arch-encrypted-cosign-sig"
+
+
+# ---------------------------------------------------------------------------
+# Multi-arch test-container-image-rs targets
+#
+# These produce multi-arch manifests under COCO_PKG_IMGRS for use by
+# kata-containers image-signature verification tests.
+# ---------------------------------------------------------------------------
+
+imgrs-multi-arch-unsigned: setup-buildx
+	@echo "==> Building imgrs-multi-arch-unsigned for: $(PLATFORMS)"
+	@for platform in $(PLATFORMS); do \
+		arch=$$(echo $$platform | cut -d/ -f2); \
+		per_arch_tag="$(REGISTRY)/$(COCO_PKG_IMGRS):unsigned-$$arch"; \
+		\
+		echo "==> [$$arch] Building image"; \
+		docker buildx build \
+			--platform "$$platform" \
+			--provenance=false \
+			-t "imgrs-unsigned:$$arch" \
+			--load \
+			-f dockerfiles/busybox/Dockerfile \
+			dockerfiles/busybox ; \
+		\
+		echo "==> [$$arch] Pushing image"; \
+		skopeo copy --insecure-policy --override-arch "$$arch" \
+			"docker-daemon:imgrs-unsigned:$$arch" \
+			"docker://$$per_arch_tag"; \
+	done
+	@echo "==> Creating multi-arch manifest"
+	@docker manifest rm $(REGISTRY)/$(COCO_PKG_IMGRS):unsigned 2>/dev/null || true
+	@docker manifest create $(REGISTRY)/$(COCO_PKG_IMGRS):unsigned \
+		$(foreach p,$(PLATFORMS),$(REGISTRY)/$(COCO_PKG_IMGRS):unsigned-$(lastword $(subst /, ,$(p))))
+	@$(foreach p,$(PLATFORMS), \
+		docker manifest annotate $(REGISTRY)/$(COCO_PKG_IMGRS):unsigned \
+			$(REGISTRY)/$(COCO_PKG_IMGRS):unsigned-$(lastword $(subst /, ,$(p))) \
+			--os linux --arch $(lastword $(subst /, ,$(p))) ; \
+	)
+	@echo "==> Pushing multi-arch manifest"
+	@docker manifest push $(REGISTRY)/$(COCO_PKG_IMGRS):unsigned
+	@echo "==> Done! Image: $(REGISTRY)/$(COCO_PKG_IMGRS):unsigned"
+
+imgrs-multi-arch-cosign-signed: setup-buildx
+	@echo "==> Building imgrs-multi-arch-cosign-signed for: $(PLATFORMS)"
+	@for platform in $(PLATFORMS); do \
+		arch=$$(echo $$platform | cut -d/ -f2); \
+		per_arch_tag="$(REGISTRY)/$(COCO_PKG_IMGRS):cosign-signed-$$arch"; \
+		\
+		echo "==> [$$arch] Building image"; \
+		docker buildx build \
+			--platform "$$platform" \
+			--provenance=false \
+			-t "imgrs-cosign-signed:$$arch" \
+			--load \
+			-f dockerfiles/busybox/Dockerfile \
+			dockerfiles/busybox ; \
+		\
+		echo "==> [$$arch] Pushing image"; \
+		skopeo copy --insecure-policy --override-arch "$$arch" \
+			"docker-daemon:imgrs-cosign-signed:$$arch" \
+			"docker://$$per_arch_tag"; \
+	done
+	@echo "==> Creating multi-arch manifest"
+	@docker manifest rm $(REGISTRY)/$(COCO_PKG_IMGRS):cosign-signed 2>/dev/null || true
+	@docker manifest create $(REGISTRY)/$(COCO_PKG_IMGRS):cosign-signed \
+		$(foreach p,$(PLATFORMS),$(REGISTRY)/$(COCO_PKG_IMGRS):cosign-signed-$(lastword $(subst /, ,$(p))))
+	@$(foreach p,$(PLATFORMS), \
+		docker manifest annotate $(REGISTRY)/$(COCO_PKG_IMGRS):cosign-signed \
+			$(REGISTRY)/$(COCO_PKG_IMGRS):cosign-signed-$(lastword $(subst /, ,$(p))) \
+			--os linux --arch $(lastword $(subst /, ,$(p))) ; \
+	)
+	@echo "==> Pushing multi-arch manifest"
+	@docker manifest push $(REGISTRY)/$(COCO_PKG_IMGRS):cosign-signed
+	@echo "==> Cosign-signing cosign-signed"
+	${CURDIR}/scripts/make-cosign-sig.sh $(COCO_PKG_IMGRS) cosign-signed $(REGISTRY)
+	@echo "==> Done! Image: $(REGISTRY)/$(COCO_PKG_IMGRS):cosign-signed"
+
+imgrs-multi-arch-cosign-signed-key2: setup-buildx
+	@echo "==> Building imgrs-multi-arch-cosign-signed-key2 for: $(PLATFORMS)"
+	@for platform in $(PLATFORMS); do \
+		arch=$$(echo $$platform | cut -d/ -f2); \
+		per_arch_tag="$(REGISTRY)/$(COCO_PKG_IMGRS):cosign-signed-key2-$$arch"; \
+		\
+		echo "==> [$$arch] Building image"; \
+		docker buildx build \
+			--platform "$$platform" \
+			--provenance=false \
+			-t "imgrs-cosign-signed-key2:$$arch" \
+			--load \
+			-f dockerfiles/busybox/Dockerfile \
+			dockerfiles/busybox ; \
+		\
+		echo "==> [$$arch] Pushing image"; \
+		skopeo copy --insecure-policy --override-arch "$$arch" \
+			"docker-daemon:imgrs-cosign-signed-key2:$$arch" \
+			"docker://$$per_arch_tag"; \
+	done
+	@echo "==> Creating multi-arch manifest"
+	@docker manifest rm $(REGISTRY)/$(COCO_PKG_IMGRS):cosign-signed-key2 2>/dev/null || true
+	@docker manifest create $(REGISTRY)/$(COCO_PKG_IMGRS):cosign-signed-key2 \
+		$(foreach p,$(PLATFORMS),$(REGISTRY)/$(COCO_PKG_IMGRS):cosign-signed-key2-$(lastword $(subst /, ,$(p))))
+	@$(foreach p,$(PLATFORMS), \
+		docker manifest annotate $(REGISTRY)/$(COCO_PKG_IMGRS):cosign-signed-key2 \
+			$(REGISTRY)/$(COCO_PKG_IMGRS):cosign-signed-key2-$(lastword $(subst /, ,$(p))) \
+			--os linux --arch $(lastword $(subst /, ,$(p))) ; \
+	)
+	@echo "==> Pushing multi-arch manifest"
+	@docker manifest push $(REGISTRY)/$(COCO_PKG_IMGRS):cosign-signed-key2
+	@echo "==> Cosign-signing cosign-signed-key2 with key2"
+	COSIGN_PASSWORD="$${COSIGN_PASSWORD_KEY2}" cosign sign --yes --key keys/sign/cosign2.key "$(REGISTRY)/$(COCO_PKG_IMGRS):cosign-signed-key2"
+	@echo "==> Done! Image: $(REGISTRY)/$(COCO_PKG_IMGRS):cosign-signed-key2"
diff --git a/container-images/keys/sign/README.md b/container-images/keys/sign/README.md
@@ -4,14 +4,23 @@ These keys are for **testing only**. Do not use them in production.
 
 ## Cosign
 
-Keys generated with:
+Primary key pair (`cosign.key` / `cosign.pub`) generated with:
 
 ```bash
 COSIGN_PASSWORD=just1testing2password3 cosign generate-key-pair
 ```
 
-The `COSIGN_PASSWORD` secret must be configured in the GitHub repo for the
-workflow to work.
+Second key pair (`cosign2.key` / `cosign2.pub`) generated with:
+
+```bash
+COSIGN_PASSWORD=just1testing2password3key2 cosign generate-key-pair
+```
+
+This second key is used to produce images signed with a *different* key,
+so tests can verify that verification rejects a wrong-key signature.
+
+The `COSIGN_PASSWORD` and `COSIGN_PASSWORD_KEY2` secrets must be configured
+in the GitHub repo for the workflow to work.
 
 ## GPG ("simple signing")
 
diff --git a/container-images/keys/sign/cosign2.key b/container-images/keys/sign/cosign2.key
@@ -0,0 +1,11 @@
+-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----
+eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjo2NTUzNiwiciI6
+OCwicCI6MX0sInNhbHQiOiJzSXlBSEFSLzBJd3RMclFoZ0tPWTVLS0lINWNidDdJ
+cFhhU2VSdDdyUzIwPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
+Iiwibm9uY2UiOiJGSkcrNkhNaFZUOUd0VlVQa2xEek1lb0NqV0pDTzNlcSJ9LCJj
+aXBoZXJ0ZXh0Ijoicmk3YzZQZGJnOCtiR0QxZ041aHRWemNTd2gvL0c4QmJ0c1hl
+dHRLSGtNbFJwb3lTSmQyLzZtTkxSM3lkNnVKRGx2MjVFMERkODhaSGFJazQwbzhZ
+OXhqRVY0Q0E1TDkrTURpaVB1WS9rdy9RR2pPWVZxMlFpdis1OVI0cHA2N1NPQVZX
+NWJYUUVTZDFVcHAxNUJNS2hyUUdQVTZmVGdYYnIzcUdYTnpnMUdwNXV5TFdHSzdR
+bTVLTVRMbGdudC9KZTA4dHdMb25mMUVpMHc9PSJ9
+-----END ENCRYPTED SIGSTORE PRIVATE KEY-----
diff --git a/container-images/keys/sign/cosign2.pub b/container-images/keys/sign/cosign2.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtBlLQ5D3bC+2r8OEODAZOGXuSnfS
+CkXQeXivZjJSFjUHpxNGNV9KXPBWhvIegd8x1CWzxNXPgXEamMaHRl1nCg==
+-----END PUBLIC KEY-----
