
Commit 0c413e7

Script to create keyless signed images for testing
As per the comments, I'm creating an image that we can use with the acceptance tests. Unlike the "golden-container" it wasn't built in Konflux and hence it doesn't have a realistic Chains style attestation. But it does have a keyless sig and a valid attestation. And actually there are two images, one created with cosign v2, and one with cosign v3. This should be useful since we need to support the new sigstore bundle introduced in cosign v3. The verify.sh isn't important for anything, but I want to check it in anyhow, since it serves as a nice instruction on how to verify the keyless signed images and attestations, and it's useful to sanity check the images when/if they need recreating. Ref: https://issues.redhat.com/browse/EC-1652
1 parent da68f18 commit 0c413e7

3 files changed

Lines changed: 205 additions & 0 deletions


hack/keyless-test-image/create.sh

Lines changed: 89 additions & 0 deletions
@@ -0,0 +1,89 @@
1+
#!/usr/bin/env bash
2+
# Copyright The Conforma Contributors
3+
#
4+
# Licensed under the Apache License, Version 2.0 (the "License");
5+
# you may not use this file except in compliance with the License.
6+
# You may obtain a copy of the License at
7+
#
8+
# http://www.apache.org/licenses/LICENSE-2.0
9+
#
10+
# Unless required by applicable law or agreed to in writing, software
11+
# distributed under the License is distributed on an "AS IS" BASIS,
12+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
# See the License for the specific language governing permissions and
14+
# limitations under the License.
15+
#
16+
# SPDX-License-Identifier: Apache-2.0
17+
18+
set -euo pipefail
19+
20+
source "$(dirname ${BASH_SOURCE[0]})/helpers.sh"
21+
22+
# This script creates two keylessly signed images that we use in our acceptance
23+
# tests. One created with cosign v2 and one with cosign v3 using the newer
24+
# sigstore bundle and OCI referrers
25+
26+
# Prereqs if you want to recreate these images:
27+
# - A working push credential for quay.io/conforma/test
28+
# - The ability to authenticate as the "conformacommunity@gmail.com" Google account
29+
30+
# Note: Ideally we would not rely on external images in the tests, but this is
31+
# the quickest way to get some meaningful acceptance tests for the keyless
32+
# image verification in the Tekton task. Also, we already have some other
33+
# external images used in the tests, so I figure adding one more isn't such a
34+
# big deal.
35+
36+
REPO=quay.io/conforma/test
37+
38+
# Todo: Maybe we can we specify these explicitly when signing
39+
# CERT_IDENITY="conformacommunity@gmail.com"
40+
# CERT_OIDC_ISSUER="https://accounts.google.com"
41+
42+
# Todo maybe: Pin the versions of cosign, (perhaps with a go.mod file?) instead
43+
# of using @latest.
44+
45+
for ver in v2 v3; do
46+
LABEL="keyless_$ver"
47+
COSIGN="go run github.com/sigstore/cosign/$ver/cmd/cosign@latest"
48+
GIT_VER=$($COSIGN version --json | jq -r .gitVersion)
49+
DATE_STR=$(date)
50+
51+
52+
h1 "Creating image ($ver)"
53+
podman build -t "$REPO:$LABEL" -f - . <<EOF
54+
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
55+
RUN echo "hello from the conforma cosign $GIT_VER keyless signing test image built on $DATE_STR" > /hello.txt
56+
CMD ["cat", "/hello.txt"]
57+
EOF
58+
59+
h1 "Pushing image ($ver)"
60+
podman push "$REPO:$LABEL"
61+
62+
h1 "Signing image ($ver)"
63+
# Use the digest otherwise cosign complains
64+
DIGEST=$(skopeo inspect "docker://quay.io/conforma/test:keyless_$ver" | jq -r .Digest)
65+
$COSIGN sign -y "$REPO@$DIGEST"
66+
67+
h1 "Creating a signed attestation ($ver)"
68+
# Push a minimal attestation
69+
$COSIGN attest -y \
70+
--predicate - \
71+
--type "https://slsa.dev/provenance/v1" \
72+
$REPO@$DIGEST <<EOF
73+
{
74+
"buildDefinition": {
75+
"buildType": "https://example.com/build-type/v1",
76+
"externalParameters": {},
77+
"internalParameters": {},
78+
"resolvedDependencies": []
79+
},
80+
"runDetails": {
81+
"builder": {
82+
"id": "https://example.com/builder"
83+
},
84+
"metadata": {}
85+
}
86+
}
87+
EOF
88+
89+
done
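Review bot: after `podman push "$REPO:$LABEL"` the digest to sign is re-resolved from the mutable tag with `skopeo inspect "docker://quay.io/conforma/test:keyless_$ver"`, so whatever the tag points at in that moment is what gets signed, and the repository is hard-coded there instead of reusing `$REPO`. Capture the digest of the exact manifest you pushed instead, e.g. `podman push --digestfile digest.txt "$REPO:$LABEL"` followed by `DIGEST=$(cat digest.txt)`, or at minimum inspect `"docker://$REPO:$LABEL"`. Related: `COSIGN="go run github.com/sigstore/cosign/$ver/cmd/cosign@latest"` is resolved anew on each of the three invocations (`version`, `sign`, `attest`), so the `$GIT_VER` baked into /hello.txt is not guaranteed to be the version that produced the signature and attestation; the TODO about pinning is worth doing before these fixtures are regenerated (a fixed `@vX.Y.Z` in that string is enough). Also quote `"$REPO@$DIGEST"` on the `attest` call as is already done for `sign`, and fix the comment typo `CERT_IDENITY`.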

hack/keyless-test-image/helpers.sh

Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,42 @@
1+
#!/usr/bin/env bash
2+
# Copyright The Conforma Contributors
3+
#
4+
# Licensed under the Apache License, Version 2.0 (the "License");
5+
# you may not use this file except in compliance with the License.
6+
# You may obtain a copy of the License at
7+
#
8+
# http://www.apache.org/licenses/LICENSE-2.0
9+
#
10+
# Unless required by applicable law or agreed to in writing, software
11+
# distributed under the License is distributed on an "AS IS" BASIS,
12+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
# See the License for the specific language governing permissions and
14+
# limitations under the License.
15+
#
16+
# SPDX-License-Identifier: Apache-2.0
17+
18+
set -euo pipefail
19+
20+
# Output a fancy heading
21+
function h1() {
22+
local text="$1"
23+
local line=$(sed 's/./─/g' <<< "$text")
24+
echo "╭─$line─╮"
25+
echo "$text"
26+
echo "╰─$line─╯"
27+
}
28+
29+
# Output some text and wait for the user to press enter
30+
function pause() {
31+
local default_msg="Press Enter to continue..."
32+
local msg="${1:-$default_msg}"
33+
34+
nl
35+
read -p "$msg"
36+
nl
37+
}
38+
39+
# Output a line break
40+
function nl() {
41+
printf "\n"
42+
}
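Review bot: `local line=$(sed 's/./─/g' <<< "$text")` in `h1` declares and assigns in one statement, so the exit status of the `sed` substitution is masked by `local` and `set -e` never sees it (ShellCheck SC2155); split it into `local line` and `line=$(...)`. In `pause`, `read -p "$msg"` lacks `-r`, and since `read` returns non-zero at EOF, any caller that sources this file under `set -euo pipefail` (verify.sh does) will abort at the first `pause` when run non-interactively or with stdin closed; consider `read -r -p "$msg" || true`, or skip the prompt when `[ -t 0 ]` is false. The `set -euo pipefail` at the top also takes effect in whichever shell sources the file, which is redundant for the two scripts in this commit but surprising if someone sources it from an interactive shell.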

hack/keyless-test-image/verify.sh

Lines changed: 74 additions & 0 deletions
@@ -0,0 +1,74 @@
1+
#!/usr/bin/env bash
2+
# Copyright The Conforma Contributors
3+
#
4+
# Licensed under the Apache License, Version 2.0 (the "License");
5+
# you may not use this file except in compliance with the License.
6+
# You may obtain a copy of the License at
7+
#
8+
# http://www.apache.org/licenses/LICENSE-2.0
9+
#
10+
# Unless required by applicable law or agreed to in writing, software
11+
# distributed under the License is distributed on an "AS IS" BASIS,
12+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
# See the License for the specific language governing permissions and
14+
# limitations under the License.
15+
#
16+
# SPDX-License-Identifier: Apache-2.0
17+
18+
set -euo pipefail
19+
20+
source "$(dirname ${BASH_SOURCE[0]})/helpers.sh"
21+
22+
# Verify the images created in create.sh
23+
24+
# Adjust as needed
25+
CERT_ARGS=(
26+
--certificate-identity=conformacommunity@gmail.com
27+
--certificate-oidc-issuer=https://accounts.google.com
28+
)
29+
30+
REPO=quay.io/conforma/test
31+
32+
SLSA=https://slsa.dev/provenance/v1
33+
34+
# Verify using the same version of cosign that created sigs and atts:
35+
36+
for ver in v2 v3; do
37+
COSIGN="go run github.com/sigstore/cosign/$ver/cmd/cosign@latest"
38+
IMAGE_REF="$REPO:keyless_$ver"
39+
40+
h1 "cosign tree $IMAGE_REF"
41+
$COSIGN tree "$IMAGE_REF"
42+
pause
43+
44+
h1 "cosign verify $IMAGE_REF"
45+
$COSIGN verify "$IMAGE_REF" "${CERT_ARGS[@]}" | jq
46+
pause
47+
48+
h1 "cosign verify-attestation $IMAGE_REF"
49+
$COSIGN verify-attestation "$IMAGE_REF" --type "$SLSA" "${CERT_ARGS[@]}" | jq
50+
pause
51+
52+
h1 "cosign download attestation $IMAGE_REF"
53+
$COSIGN download attestation --predicate-type "$SLSA" "$IMAGE_REF" | jq
54+
pause
55+
done
56+
57+
# Cross-version verification to demonstrate what happens:
58+
59+
IMAGE_V2="$REPO:keyless_v2"
60+
IMAGE_V3="$REPO:keyless_v3"
61+
COSIGN_V2="go run github.com/sigstore/cosign/v2/cmd/cosign@latest"
62+
COSIGN_V3="go run github.com/sigstore/cosign/v3/cmd/cosign@latest"
63+
64+
h1 "Backwards compatibility works (v2 sig with v3 cosign)"
65+
$COSIGN_V3 verify "$IMAGE_V2" "${CERT_ARGS[@]}" > /dev/null
66+
$COSIGN_V3 verify-attestation "$IMAGE_V2" --type "$SLSA" "${CERT_ARGS[@]}" > /dev/null
67+
pause
68+
69+
h1 "Forwards compatibility does not work (v3 sig with v2 cosign)"
70+
set +e
71+
$COSIGN_V2 verify "$IMAGE_V3" "${CERT_ARGS[@]}"
72+
$COSIGN_V2 verify-attestation "$IMAGE_V3" --type "$SLSA" "${CERT_ARGS[@]}"
73+
set -e
74+
pause
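Review bot: the "Forwards compatibility does not work" block only wraps the two `$COSIGN_V2` commands in `set +e` / `set -e`, so the script prints whatever happens and never checks that verification actually failed; if a cosign v2 release starts accepting the v3 bundle, or the v3 image is replaced with something v2 verifies, nothing flags it. Make the expectation explicit, e.g. `if $COSIGN_V2 verify "$IMAGE_V3" "${CERT_ARGS[@]}"; then echo "unexpected: v2 verified the v3 image"; exit 1; fi` (and the same for `verify-attestation`), which also removes the need to toggle `set -e`. A smaller point: every check targets the tag (`$REPO:keyless_$ver`) rather than the digest that create.sh signed, so the sanity check follows the mutable tag; verifying `$REPO@<digest>` would make the fixture check tamper-evident in the same way the signing step already is.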
