Commit 63baa34

simonbaird and claude committed
Add acceptance test for task keyless support
Note that the snapshot output reveals there are some bugs related to how we output image signatures and attestation signature for the image with the v3 style sigstore bundle. I want to fix this later since this PR already has a lot of changes, so I filed https://issues.redhat.com/browse/EC-1690 to track it.

Ref: https://issues.redhat.com/browse/EC-1652

Co-authored-by: Claude Code <noreply@anthropic.com>
1 parent 0c413e7 commit 63baa34

2 files changed

Lines changed: 348 additions & 0 deletions

features/__snapshots__/task_validate_image.snap

Lines changed: 273 additions & 0 deletions
@@ -180,3 +180,276 @@ true
180180
"TEST_OUTPUT": "{\"timestamp\":\"${TIMESTAMP}\",\"namespace\":\"\",\"successes\":3,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\"}\n"
181181
}
182182
---
183+
184+
[Keyless signing verification cosign v3 style:report-json - 1]
185+
{
186+
"success": true,
187+
"components": [
188+
{
189+
"name": "",
190+
"containerImage": "quay.io/conforma/test@sha256:712ca3a7fcd41fe6b3e6f434a31f738743b6c31f1d81ad458502d6b0239a8903",
191+
"source": {},
192+
"successes": [
193+
{
194+
"msg": "Pass",
195+
"metadata": {
196+
"code": "builtin.attestation.signature_check",
197+
"description": "The attestation signature matches available signing materials.",
198+
"title": "Attestation signature check passed"
199+
}
200+
},
201+
{
202+
"msg": "Pass",
203+
"metadata": {
204+
"code": "builtin.attestation.syntax_check",
205+
"description": "The attestation has correct syntax.",
206+
"title": "Attestation syntax check passed"
207+
}
208+
},
209+
{
210+
"msg": "Pass",
211+
"metadata": {
212+
"code": "builtin.image.signature_check",
213+
"description": "The image signature matches available signing materials.",
214+
"title": "Image signature check passed"
215+
}
216+
},
217+
{
218+
"msg": "Pass",
219+
"metadata": {
220+
"code": "slsa_provenance_available.allowed_predicate_types_provided",
221+
"collections": [
222+
"minimal",
223+
"slsa3",
224+
"redhat",
225+
"redhat_rpms",
226+
"policy_data"
227+
],
228+
"description": "Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.",
229+
"title": "Allowed predicate types provided"
230+
}
231+
},
232+
{
233+
"msg": "Pass",
234+
"metadata": {
235+
"code": "slsa_provenance_available.attestation_predicate_type_accepted",
236+
"collections": [
237+
"minimal",
238+
"slsa3",
239+
"redhat",
240+
"redhat_rpms"
241+
],
242+
"depends_on": [
243+
"attestation_type.known_attestation_type"
244+
],
245+
"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.",
246+
"title": "Expected attestation predicate type found"
247+
}
248+
}
249+
],
250+
"success": true,
251+
"signatures": [
252+
{
253+
"keyid": "",
254+
"sig": ""
255+
},
256+
{
257+
"keyid": "",
258+
"sig": ""
259+
}
260+
],
261+
"attestations": [
262+
{
263+
"type": "https://in-toto.io/Statement/v0.1",
264+
"predicateType": "https://slsa.dev/provenance/v1",
265+
"signatures": [
266+
{
267+
"keyid": "",
268+
"sig": "MEUCIQC5bGm4zzbExXBMrZCmqZ98iqUhi8TV/maq/8dJ/c3POAIgCNw+RkeO7PAkT6JDWIvISZ2AjILu9YuPQ0qqfNwCqug="
269+
}
270+
]
271+
},
272+
{
273+
"type": "https://in-toto.io/Statement/v0.1",
274+
"predicateType": "https://sigstore.dev/cosign/sign/v1",
275+
"signatures": [
276+
{
277+
"keyid": "",
278+
"sig": "MEUCID1cJkxyk1oGvXcoAVkDST9A1vfX2gxPEz+LUzN10nDmAiEAxh9rp79yr4fZmAWWOit0dZ5QWK+uYIU8fQVb0/rLIyM="
279+
}
280+
]
281+
}
282+
]
283+
}
284+
],
285+
"key": "",
286+
"policy": {
287+
"sources": [
288+
{
289+
"policy": [
290+
"git::github.com/conforma/policy//policy/release?ref=0de5461c14413484575e63e96ddb514d8ab954b5",
291+
"git::github.com/conforma/policy//policy/lib?ref=0de5461c14413484575e63e96ddb514d8ab954b5"
292+
],
293+
"config": {
294+
"include": [
295+
"slsa_provenance_available"
296+
]
297+
}
298+
}
299+
],
300+
"rekorUrl": "https://rekor.sigstore.dev"
301+
},
302+
"ec-version": "${EC_VERSION}",
303+
"effective-time": "${TIMESTAMP}"
304+
}
305+
---
306+
307+
[Keyless signing verification cosign v3 style:results - 1]
308+
{
309+
"TEST_OUTPUT": "{\"timestamp\":\"${TIMESTAMP}\",\"namespace\":\"\",\"successes\":5,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\"}\n"
310+
}
311+
---
312+
313+
[Keyless signing verification cosign v2 style:report-json - 1]
314+
{
315+
"success": true,
316+
"components": [
317+
{
318+
"name": "",
319+
"containerImage": "quay.io/conforma/test@sha256:03a10dff06ae364ef9727d562e7077b135b00c7a978e571c4354519e6d0f23b8",
320+
"source": {},
321+
"successes": [
322+
{
323+
"msg": "Pass",
324+
"metadata": {
325+
"code": "builtin.attestation.signature_check",
326+
"description": "The attestation signature matches available signing materials.",
327+
"title": "Attestation signature check passed"
328+
}
329+
},
330+
{
331+
"msg": "Pass",
332+
"metadata": {
333+
"code": "builtin.attestation.syntax_check",
334+
"description": "The attestation has correct syntax.",
335+
"title": "Attestation syntax check passed"
336+
}
337+
},
338+
{
339+
"msg": "Pass",
340+
"metadata": {
341+
"code": "builtin.image.signature_check",
342+
"description": "The image signature matches available signing materials.",
343+
"title": "Image signature check passed"
344+
}
345+
},
346+
{
347+
"msg": "Pass",
348+
"metadata": {
349+
"code": "slsa_provenance_available.allowed_predicate_types_provided",
350+
"collections": [
351+
"minimal",
352+
"slsa3",
353+
"redhat",
354+
"redhat_rpms",
355+
"policy_data"
356+
],
357+
"description": "Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.",
358+
"title": "Allowed predicate types provided"
359+
}
360+
},
361+
{
362+
"msg": "Pass",
363+
"metadata": {
364+
"code": "slsa_provenance_available.attestation_predicate_type_accepted",
365+
"collections": [
366+
"minimal",
367+
"slsa3",
368+
"redhat",
369+
"redhat_rpms"
370+
],
371+
"depends_on": [
372+
"attestation_type.known_attestation_type"
373+
],
374+
"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.",
375+
"title": "Expected attestation predicate type found"
376+
}
377+
}
378+
],
379+
"success": true,
380+
"signatures": [
381+
{
382+
"keyid": "dc5f3121f1f76f0d687877532ce44ff55aab2050",
383+
"sig": "MEUCIQDV4du9T+vV6dtN1LsCrZgByokRslw43oxscniN3wbaigIgMV+NFgix7ZjqhIpXFIMVFl1CQuya8JQsYP96ByA5iAc=",
384+
"certificate": "-----BEGIN CERTIFICATE-----\nMIIC0zCCAlqgAwIBAgIUfPJP4pJfIr6Pgt2Q2J9hu4DqoJcwCgYIKoZIzj0EAwMw\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\ncm1lZGlhdGUwHhcNMjYwMzAzMTkxNjUyWhcNMjYwMzAzMTkyNjUyWjAAMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAEGMk9duvfPU07wcRpBWKXUi8bmr833N3pKhP2\nGCVBlFxZIRcD01FKT4TEMvlRIq8gZJO4eQ/WvEL/NpNmkk+PzaOCAXkwggF1MA4G\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQU3F8x\nIfH3bw1oeHdTLORP9VqrIFAwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y\nZD8wKQYDVR0RAQH/BB8wHYEbY29uZm9ybWFjb21tdW5pdHlAZ21haWwuY29tMCkG\nCisGAQQBg78wAQEEG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbTArBgorBgEE\nAYO/MAEIBB0MG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbTCBigYKKwYBBAHW\neQIEAgR8BHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAAB\nnLUhueMAAAQDAEcwRQIgARu6tEmE0vUHU+MhCQB6tzwROaEn4VdlfGBFWQxxcygC\nIQCHm2/lgszmmt2gC6Pl2bfvCRDKewUQDvWjzNqq8WtPczAKBggqhkjOPQQDAwNn\nADBkAjAMnyVwJVMQflB7Iwfte7cuOYYN2uvmEibKwjmmPgZOq43vSH9Y9gtUvyJk\nZ23vTpwCMHKChuWjhTQgxczH7MhKUO2IphbaHeJYmeFa4rrswhv6h9z6v5IIPovF\nsdbKg+sEHw==\n-----END CERTIFICATE-----\n",
385+
"chain": [
386+
"-----BEGIN CERTIFICATE-----\nMIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMw\nKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y\nMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3Jl\nLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0C\nAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV7\n7LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS\n0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYB\nBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjp\nKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZI\nzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJR\nnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsP\nmygUY7Ii2zbdCdliiow=\n-----END CERTIFICATE-----\n",
387+
"-----BEGIN CERTIFICATE-----\nMIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMw\nKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y\nMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3Jl\nLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7\nXeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxex\nX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92j\nYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRY\nwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQ\nKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCM\nWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9\nTNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ\n-----END CERTIFICATE-----\n"
388+
],
389+
"metadata": {
390+
"Fulcio Issuer": "https://accounts.google.com",
391+
"Fulcio Issuer (V2)": "https://accounts.google.com",
392+
"Issuer": "CN=sigstore-intermediate,O=sigstore.dev",
393+
"Not After": "${TIMESTAMP}",
394+
"Not Before": "${TIMESTAMP}",
395+
"Serial Number": "7cf24fe2925f22be8f82dd90d89f61bb80eaa097",
396+
"Subject Alternative Name": "Email Addresses:conformacommunity@gmail.com"
397+
}
398+
}
399+
],
400+
"attestations": [
401+
{
402+
"type": "https://in-toto.io/Statement/v0.1",
403+
"predicateType": "https://slsa.dev/provenance/v1",
404+
"predicateBuildType": "https://example.com/build-type/v1",
405+
"signatures": [
406+
{
407+
"keyid": "17d7418e0517e21e30f4fe144128b7ca1d1bb2ac",
408+
"sig": "MEUCIBvsTgzJ5DOVIEAH/u5eav7C3QXx6ttR0tZxFQlJe6c4AiEAtIid+gk+EqgxSYNBLquaq2dfdWBL28yR1EOjn/Fi1T8=",
409+
"certificate": "-----BEGIN CERTIFICATE-----\nMIIC1TCCAlqgAwIBAgIUPUQSAPNDQoKF8C3ufUx0Jta8GvEwCgYIKoZIzj0EAwMw\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\ncm1lZGlhdGUwHhcNMjYwMzAzMTkxNzA1WhcNMjYwMzAzMTkyNzA1WjAAMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAE81mfg8hXUQRHdZpbbST2ckHT4YrcRPRvM+tc\nRmcvvexGuwm0yIOBZqIqXeyd/YrJn9MjBdHrmyKIztdR9mdpUaOCAXkwggF1MA4G\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUF9dB\njgUX4h4w9P4UQSi3yh0bsqwwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y\nZD8wKQYDVR0RAQH/BB8wHYEbY29uZm9ybWFjb21tdW5pdHlAZ21haWwuY29tMCkG\nCisGAQQBg78wAQEEG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbTArBgorBgEE\nAYO/MAEIBB0MG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbTCBigYKKwYBBAHW\neQIEAgR8BHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAAB\nnLUh7ZUAAAQDAEcwRQIgY5+UpYgU0LsrAiTQSoeLquv9EVJ8lH4rtxQupmSWDWwC\nIQC6zpOJpx/ryldrjdpfycB9wBWIexg+/XC8Avdv9W2D3jAKBggqhkjOPQQDAwNp\nADBmAjEA/LIHzfKog0PwRohtlpLV32CpVyWrTt9jK84quvooFP5dgeegze/A4mrk\n0bO73KdEAjEA94BFoAYPJw1RTmIw5VnZXbYKqhlt0hm4nTx9pVoGQMFEtnIguX7f\nNnaoX2+paxVF\n-----END CERTIFICATE-----\n",
410+
"chain": [
411+
"-----BEGIN CERTIFICATE-----\nMIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMw\nKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y\nMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3Jl\nLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0C\nAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV7\n7LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS\n0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYB\nBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjp\nKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZI\nzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJR\nnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsP\nmygUY7Ii2zbdCdliiow=\n-----END CERTIFICATE-----\n",
412+
"-----BEGIN CERTIFICATE-----\nMIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMw\nKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y\nMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3Jl\nLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7\nXeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxex\nX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92j\nYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRY\nwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQ\nKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCM\nWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9\nTNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ\n-----END CERTIFICATE-----\n"
413+
],
414+
"metadata": {
415+
"Fulcio Issuer": "https://accounts.google.com",
416+
"Fulcio Issuer (V2)": "https://accounts.google.com",
417+
"Issuer": "CN=sigstore-intermediate,O=sigstore.dev",
418+
"Not After": "${TIMESTAMP}",
419+
"Not Before": "${TIMESTAMP}",
420+
"Serial Number": "3d441200f343428285f02dee7d4c7426d6bc1af1",
421+
"Subject Alternative Name": "Email Addresses:conformacommunity@gmail.com"
422+
}
423+
}
424+
]
425+
}
426+
]
427+
}
428+
],
429+
"key": "",
430+
"policy": {
431+
"sources": [
432+
{
433+
"policy": [
434+
"git::github.com/conforma/policy//policy/release?ref=0de5461c14413484575e63e96ddb514d8ab954b5",
435+
"git::github.com/conforma/policy//policy/lib?ref=0de5461c14413484575e63e96ddb514d8ab954b5"
436+
],
437+
"config": {
438+
"include": [
439+
"slsa_provenance_available"
440+
]
441+
}
442+
}
443+
],
444+
"rekorUrl": "https://rekor.sigstore.dev"
445+
},
446+
"ec-version": "${EC_VERSION}",
447+
"effective-time": "${TIMESTAMP}"
448+
}
449+
---
450+
451+
[Keyless signing verification cosign v2 style:results - 1]
452+
{
453+
"TEST_OUTPUT": "{\"timestamp\":\"${TIMESTAMP}\",\"namespace\":\"\",\"successes\":5,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\"}\n"
454+
}
455+
---
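Review bot: the cosign v3 `report-json` snapshot records output that the commit message itself describes as buggy, and nothing in the snapshot marks it as provisional. In the v3 section both `signatures` entries have empty `keyid` and `sig`, the attestation signatures carry no `certificate`, `chain` or `metadata`, the provenance attestation has no `predicateBuildType`, and the image signature appears a second time under `attestations` with `predicateType` `https://sigstore.dev/cosign/sign/v1`. The v2 section shows the Fulcio issuer and the Subject Alternative Name for each signature, so a reader of the v3 report cannot tell which identity the signature was verified against. Suggest referencing EC-1690 next to the v3 scenario so the snapshot is regenerated when the fix lands, and treating the v3 snapshot until then as evidence that the task passed, not of what signer details were reported.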

features/task_validate_image.feature

Lines changed: 75 additions & 0 deletions
@@ -337,3 +337,78 @@ Feature: Verify Enterprise Contract Tekton Tasks
337337
Then the task should succeed
338338
And the task logs for step "report" should match the snapshot
339339
And the task results should match the snapshot
340+
341+
# See hack/keyless-test-image for how the quay.io/conforma/test:keyless_v2
342+
# and quay.io/conforma/test:keyless_v3 test images where created. It's not
343+
# ideal that this test requires an external image, but we already do this
344+
# elsewhere, so I guess one more is okay.
345+
346+
# Todo: We should be able test this also with an internally built image
347+
# similar to how it's done in the "happy day with keyless" scenario in the
348+
# validate_image feature.
349+
350+
# Confirm we can verify the signatures on a keylessly signed image signed with cosign v2
351+
Scenario: Keyless signing verification cosign v2 style
352+
Given a working namespace
353+
Given a cluster policy with content:
354+
```
355+
{
356+
"sources": [
357+
{
358+
"policy": [
359+
"github.com/conforma/policy//policy/release?ref=0de5461c14413484575e63e96ddb514d8ab954b5",
360+
"github.com/conforma/policy//policy/lib?ref=0de5461c14413484575e63e96ddb514d8ab954b5"
361+
],
362+
"config": {
363+
"include": [
364+
"slsa_provenance_available"
365+
]
366+
}
367+
}
368+
]
369+
}
370+
```
371+
When version 0.1 of the task named "verify-enterprise-contract" is run with parameters:
372+
| IMAGES | {"components": [{"containerImage": "quay.io/conforma/test:keyless_v2@sha256:03a10dff06ae364ef9727d562e7077b135b00c7a978e571c4354519e6d0f23b8"}]} |
373+
| POLICY_CONFIGURATION | ${NAMESPACE}/${POLICY_NAME} |
374+
| CERTIFICATE_IDENTITY | conformacommunity@gmail.com |
375+
| CERTIFICATE_OIDC_ISSUER | https://accounts.google.com |
376+
| REKOR_HOST | https://rekor.sigstore.dev |
377+
| IGNORE_REKOR | false |
378+
| STRICT | true |
379+
Then the task should succeed
380+
And the task logs for step "report-json" should match the snapshot
381+
And the task results should match the snapshot
382+
383+
# Confirm we can verify the signatures on a keylessly signed image signed with cosign v3
384+
Scenario: Keyless signing verification cosign v3 style
385+
Given a working namespace
386+
Given a cluster policy with content:
387+
```
388+
{
389+
"sources": [
390+
{
391+
"policy": [
392+
"github.com/conforma/policy//policy/release?ref=0de5461c14413484575e63e96ddb514d8ab954b5",
393+
"github.com/conforma/policy//policy/lib?ref=0de5461c14413484575e63e96ddb514d8ab954b5"
394+
],
395+
"config": {
396+
"include": [
397+
"slsa_provenance_available"
398+
]
399+
}
400+
}
401+
]
402+
}
403+
```
404+
When version 0.1 of the task named "verify-enterprise-contract" is run with parameters:
405+
| IMAGES | {"components": [{"containerImage": "quay.io/conforma/test:keyless_v3@sha256:712ca3a7fcd41fe6b3e6f434a31f738743b6c31f1d81ad458502d6b0239a8903"}]} |
406+
| POLICY_CONFIGURATION | ${NAMESPACE}/${POLICY_NAME} |
407+
| CERTIFICATE_IDENTITY | conformacommunity@gmail.com |
408+
| CERTIFICATE_OIDC_ISSUER | https://accounts.google.com |
409+
| REKOR_HOST | https://rekor.sigstore.dev |
410+
| IGNORE_REKOR | false |
411+
| STRICT | true |
412+
Then the task should succeed
413+
And the task logs for step "report-json" should match the snapshot
414+
And the task results should match the snapshot
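Review bot: both new scenarios cover only the success path, with `CERTIFICATE_IDENTITY` and `CERTIFICATE_OIDC_ISSUER` set to the values that match the test images, and there is no scenario where one of them is wrong and the task is expected to fail. As written, these tests would still pass if the task ignored the identity parameters, which matters most for the v3 image because its snapshot shows no signer details to compare against. Suggest a companion scenario per image that passes a non-matching identity or issuer and asserts failure. Minor, in the leading comment: "where created" should read "were created" and "should be able test" should read "should be able to test".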
