sigstore · aaronlew02 · Nov 25, 2025
@@ -588,9 +588,8 @@ func trustedRootCmd(t *testing.T, downloadDirectory, tsaURL string) *trustedroot
 	defer rekorFP.Close()
 	must(downloadFile(rekorURL+"/api/v1/log/publicKey", rekorFP), t)
 	ctfePath := filepath.Join(downloadDirectory, "ctfe.pub")
-	home, err := os.UserHomeDir()
-	must(err, t)
-	must(copyFile(filepath.Join(home, "fulcio", "config", "ctfe", "pubkey.pem"), ctfePath), t)
+	ctLogKey := os.Getenv("CT_LOG_KEY")
+	must(copyFile(ctLogKey, ctfePath), t)
 	out := filepath.Join(downloadDirectory, "trusted_root.json")
 	cmd := &trustedroot.CreateCmd{
 		CertChain:    []string{caPath},
@@ -624,8 +623,7 @@ func prepareTrustedRootWithSelfSignedCertificate(t *testing.T, certPath, tsaURL
 }
 
 func TestSignVerifyWithTUFMirror(t *testing.T) {
-	home, err := os.UserHomeDir() // fulcio repo was downloaded to $HOME in e2e_test.sh
-	must(err, t)
+	ctLogKey := os.Getenv("CT_LOG_KEY")
 	tufLocalCache := t.TempDir()
 	t.Setenv("TUF_ROOT", tufLocalCache)
 	tufMirror := t.TempDir()
@@ -652,7 +650,7 @@ func TestSignVerifyWithTUFMirror(t *testing.T) {
 			targets: []targetInfo{
 				{
 					name:   "ct.pub",
-					source: filepath.Join(home, "fulcio", "config", "ctfe", "pubkey.pem"),
+					source: ctLogKey,
 				},
 			},
 			wantSignErr: true,
@@ -670,7 +668,7 @@ func TestSignVerifyWithTUFMirror(t *testing.T) {
 				},
 				{
 					name:   "ctfe.pub",
-					source: filepath.Join(home, "fulcio", "config", "ctfe", "pubkey.pem"),
+					source: ctLogKey,
 				},
 				{
 					name:   "tsa_leaf.crt.pem",
@@ -699,7 +697,7 @@ func TestSignVerifyWithTUFMirror(t *testing.T) {
 				},
 				{
 					name:   "ctfe.pub",
-					source: filepath.Join(home, "fulcio", "config", "ctfe", "pubkey.pem"),
+					source: ctLogKey,
 				},
 				{
 					name:   "tsaleaf.pem",
@@ -737,7 +735,7 @@ func TestSignVerifyWithTUFMirror(t *testing.T) {
 				{
 					name:   "cert-transparency.pem",
 					usage:  "CTFE",
-					source: filepath.Join(home, "fulcio", "config", "ctfe", "pubkey.pem"),
+					source: ctLogKey,
 				},
 				{
 					name:   "tsaleaf.pem",
@@ -813,7 +811,7 @@ func TestSignVerifyWithTUFMirror(t *testing.T) {
 			must(gotErr, t)
 
 			// Verify an image
-			issuer := os.Getenv("OIDC_URL")
+			issuer := os.Getenv("ISSUER_URL")
 			verifyCmd := cliverify.VerifyCommand{
 				CertVerifyOptions: options.CertVerifyOptions{
 					CertOidcIssuer: issuer,
@@ -959,7 +957,7 @@ func TestSignAttestVerifyBlobWithSigningConfig(t *testing.T) {
 	must(err, t)
 
 	// Verify a blob
-	issuer := os.Getenv("OIDC_URL")
+	issuer := os.Getenv("ISSUER_URL")
 	verifyBlobCmd := cliverify.VerifyBlobCmd{
 		KeyOpts: ko,
 		CertVerifyOptions: options.CertVerifyOptions{
@@ -1074,7 +1072,7 @@ func TestSignAttestVerifyContainerWithSigningConfig(t *testing.T) {
 	// Verify Fulcio-signed image
 	cmd := cliverify.VerifyCommand{
 		CertVerifyOptions: options.CertVerifyOptions{
-			CertOidcIssuer: os.Getenv("OIDC_URL"),
+			CertOidcIssuer: os.Getenv("ISSUER_URL"),
 			CertIdentity:   certID,
 		},
 		NewBundleFormat:     true,
@@ -1102,7 +1100,7 @@ func TestSignAttestVerifyContainerWithSigningConfig(t *testing.T) {
 	// Verify attestation
 	verifyAttestation := cliverify.VerifyAttestationCommand{
 		CertVerifyOptions: options.CertVerifyOptions{
-			CertOidcIssuer: os.Getenv("OIDC_URL"),
+			CertOidcIssuer: os.Getenv("ISSUER_URL"),
 			CertIdentity:   certID,
 		},
 		CommonVerifyOptions: options.CommonVerifyOptions{
@@ -1412,7 +1410,7 @@ func TestSignVerifyBundle(t *testing.T) {
 	// Verify Fulcio-signed image
 	cmd = cliverify.VerifyCommand{
 		CertVerifyOptions: options.CertVerifyOptions{
-			CertOidcIssuer:     os.Getenv("OIDC_URL"),
+			CertOidcIssuer:     os.Getenv("ISSUER_URL"),
 			CertIdentityRegexp: ".+",
 		},
 		CommonVerifyOptions: options.CommonVerifyOptions{
@@ -3998,7 +3996,7 @@ from %s
 `, signedImg1)
 	withLowercaseDockerfile := mkfile(withLowercaseDockerfileContents, td, t)
 
-	issuer := os.Getenv("OIDC_URL")
+	issuer := os.Getenv("ISSUER_URL")
 
 	tests := []struct {
 		name       string
@@ -4127,7 +4125,7 @@ spec:
 	unsignedManifestContents := fmt.Sprintf(manifestTemplate, "unsigned-img", unsignedImg)
 	unsignedManifest := mkfileWithExt(unsignedManifestContents, td, ".yaml", t)
 
-	issuer := os.Getenv("OIDC_URL")
+	issuer := os.Getenv("ISSUER_URL")
 
 	tests := []struct {
 		name     string

@@ -16,116 +16,36 @@
 
 set -ex
 
-docker_compose="docker compose"
-if ! ${docker_compose} version >/dev/null 2>&1; then
-    docker_compose="docker-compose"
-fi
-
-echo "setting up OIDC provider"
-pushd ./test/fakeoidc
-oidcimg=$(ko build main.go --local)
-docker network ls | grep fulcio_default || docker network create fulcio_default --label "com.docker.compose.network=fulcio_default"
-docker run -d --rm -p 8080:8080 --network fulcio_default --name fakeoidc $oidcimg
-cleanup_oidc() {
-    echo "cleaning up oidc"
-    docker stop fakeoidc
-}
-trap cleanup_oidc EXIT
-oidc_ip=$(docker inspect fakeoidc | jq -r '.[0].NetworkSettings.Networks.fulcio_default.IPAddress')
-export OIDC_URL="http://${oidc_ip}:8080"
-cat <<EOF > /tmp/fulcio-config.json
-{
-  "OIDCIssuers": {
-    "$OIDC_URL": {
-      "IssuerURL": "$OIDC_URL",
-      "ClientID": "sigstore",
-      "Type": "email"
-    }
-  }
-}
-EOF
+echo "downloading sigstore/scaffolding repository"
+SCAFFOLDING_DIR=$(mktemp -d)
+git clone https://github.com/sigstore/scaffolding.git "$SCAFFOLDING_DIR"
+SCAFFOLDING_SETUP_DIR="$SCAFFOLDING_DIR/actions/setup-sigstore-env"
+
+echo "setting up sigstore test environment"
+pushd "$SCAFFOLDING_SETUP_DIR"
+source ./run-containers.sh
 popd
 
-pushd $HOME
-
-echo "downloading service repos"
-for repo in rekor fulcio; do
-    if [[ ! -d $repo ]]; then
-        git clone https://github.com/sigstore/${repo}.git
-    else
-        pushd $repo
-        git pull
-        popd
-    fi
-done
-
-echo "starting services"
-export FULCIO_METRICS_PORT=2113
-export FULCIO_CONFIG=/tmp/fulcio-config.json
-for repo in rekor fulcio; do
-    pushd $repo
-    if [ "$repo" == "fulcio" ]; then
-       yq -i e '.networks={"default":{ "name":"fulcio_default","external":true }}' docker-compose.yml
-       yq -i e '.services.fulcio-server.networks=["default"]' docker-compose.yml
-    fi
-    ${docker_compose} up -d
-    echo -n "waiting up to 60 sec for system to start"
-    if [ "$repo" == "fulcio" ]; then
-      healthytotal=3
-    elif [ "$repo" == "rekor" ]; then
-      healthytotal=5
-    else
-      # handle no match in case another service is added
-      healthytotal=0
-    fi
-    count=0
-    until [ $(${docker_compose} ps | grep -c "(healthy)") == $healthytotal ];
-    do
-        if [ $count -eq 18 ]; then
-           echo "! timeout reached"
-           exit 1
-        else
-           echo -n "."
-           sleep 10
-           let 'count+=1'
-        fi
-    done
+cleanup() {
+    echo "cleaning up sigstore test environment"
+    pushd "$SCAFFOLDING_SETUP_DIR"
+    stop_services
     popd
-done
-cleanup_services() {
-    echo "cleaning up"
-    cleanup_oidc
-    for repo in rekor fulcio; do
-        pushd $HOME/$repo
-        ${docker_compose} down
-        popd
-    done
+    docker rm -f registry registry-2 || true
 }
-trap cleanup_services EXIT
+trap cleanup EXIT
 
 echo
 echo "running tests"
-
-popd
 go test -tags=e2e -v -race ./test/...
 
 # Test on a private registry
 echo "testing sign/verify/clean on private registry"
-cleanup_registry() {
-    cleanup_services
-    docker rm -f registry
-}
-trap cleanup_registry EXIT
 docker run -d -p 5000:5000 --restart always -e REGISTRY_STORAGE_DELETE_ENABLED=true --name registry registry:latest
 export COSIGN_TEST_REPO=localhost:5000
 go test -tags=e2e -v ./test/... -run TestSignVerifyClean
 
 # Test with signature in separate registry
-cleanup() {
-    cleanup_registry
-    docker rm -f registry-2
-}
-trap cleanup EXIT
 docker run -d -p 5001:5000 --restart always -e REGISTRY_STORAGE_DELETE_ENABLED=true --name registry-2 registry:latest
 export COSIGN_REPOSITORY=localhost:5001/hello
 go test -tags=e2e -v ./test/... -run TestSignVerifyWithRepoOverride