From 8d0518645f309d5ceec8eab9663299e4b75f33b4 Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Tue, 28 May 2024 07:13:34 -0600 Subject: [PATCH] Add integration tests for `gh attestation verify` shared workflow use case (#9107) * add initial shared workflow use case tests and test data Signed-off-by: Meredith Lancaster * add more shared workflow tests Signed-off-by: Meredith Lancaster * cleanup tests Signed-off-by: Meredith Lancaster * pr feedback, replace shared with reusable Signed-off-by: Meredith Lancaster * use demo repository with reusable workflow tests Signed-off-by: Meredith Lancaster --------- Signed-off-by: Meredith Lancaster --- .../test/data/reusable-workflow-artifact | Bin 0 -> 2962 bytes ...eusable-workflow-attestation.sigstore.json | 62 ++++++++++++++++ .../verify/verify_integration_test.go | 68 ++++++++++++++++++ 3 files changed, 130 insertions(+) create mode 100644 pkg/cmd/attestation/test/data/reusable-workflow-artifact create mode 100644 pkg/cmd/attestation/test/data/reusable-workflow-attestation.sigstore.json 
diff --git a/pkg/cmd/attestation/test/data/reusable-workflow-artifact b/pkg/cmd/attestation/test/data/reusable-workflow-artifact new file mode 100644 index 0000000000000000000000000000000000000000..391e327c952a04c6a40cf9a068bcc66555c29728 GIT binary patch literal 2962 zcma)8c{J2}A0BENgM?;~sZh2oGqz-jkbR6{ZZ`=HiA*(PWHOdYmO++KNS5p(m26o; z7}>@cTcjB(3YnRZ?cS2!>E3g@?{(hy+wLLc^r^iwn6{^fB>NF zPTdJrrf5ny@0HHOJ|52ENIsWNs}nE!26z!X2%cW*XT0#f2rL#yz>%<6I5Eg5zCxr; zLm0SrnUbndYJziCtr$w!lUGtwELG$8_!s$&yN?&rVD@W1bT!~sEbN@4r(z@30P_ju zn+q2zn&g6SQ`Q#VqTKbUdZ_UGCa)qWTkIcEXBUv}%8?Q#_o?UV2{9 zZ`bVx^E`dIK-n)=?1uYOqCoaRtiz8EI(Qx6Q;J_0Z36%rcK`s0A01%-?g0C}19c7f z_j3m4Pg2JbynPWUi({tdrpHXPo$$U)UD1uh8?i?X-0_Y!sD|omM-Jj^bzi=MSoe!) z#9vSIiK{U`C-2p%{P{K63RAfo_Q7E5HvVQ7bBX0Y9P&1>dk@+e>{)btrydeL2AYTg zs}+?s1Pw|zNyL_!$rt(P!0e4ti-~Sz6qO#pKbksWT@x9k#1;>zb&m*mGd1$-NmE)J z6e~!Z5O9$iGpJ5!9O(hSznO`TBV^ZI+Lhs&8eAY10$}NTxDopZD!A5|<1Qbn$M_$r zu!TFd->C3qLvtmU5t-ACvLM|!#mhbgk)OtvN!wggiNxW)OA*Yob$fJMa8Dq%N%y40 zcff@3EprqmF~YE;8+fXsSp+Ws?RW!ud^bG2D5ZiSXD`y%Rr7AeVQ;~+n6^B`;}iBT zkFf?y@v1_HYX-b)O8lCVX+5S7R|L=1i*xdz{KYsEHFn}yuTmBvGeavV@`lXeYjIL? 
zuAH0h95U`f2tSO^Hs&V3Xiq?TQh_M3e)9ZVp?J+FZGa7F+{5x~&^{+qa@0znQvCa% z=JzPNrInI!t^kn|yMQFdI zxTA@lUK)Rh<4EsN)M&d|p+RbjOI&6cnuJ)kdX30UaJ79u{#>{s-AMk*hs1?_GMawR zHfD!%7A86lxGT-ifh1)RS1?jJaQREM@pyJCJ3cR#JMhN;SxBSgWf(N(WRe*t*6^#* zT*B5ANhT7asU|t+tO_x6vWD2mIw$-65{)t-82IU078jknEE=904O$YSMKA6fZ{EqF ztsK~^FqzcF_mW_LLP@<7s<)^RoJF|*S$_Ddv;s_jA0cRHs<|?84B?GIA)9X>$%v@iS>7vwH4ROsaMsEAGy2N^+00 zjF^gay(N6*`KzfU6&1X>r241|Pqwi;i!vwiyz?c5l2@1fEpzN-;|VNN(=pmBkY zdv}Lca(>`eQ9%Om;7i1@z^D16>E(se3;Sn=*onRy8K@k_32VU*Bn#I9qtHifn);Gm z*F5-zW1p0Lp1o7e#z0&rDqBSj-c9|kae7HC^7J?El>cukU&4%+n2{G)hJp+bcTzPv zMdPGUJ4dMw?ahkSiZ_n)>ja6{ZV0l=S)<*1AJ+$@f_hhD=tU~vN<-hsQ_sSmo1(}= z&i5lcg3MipJtQ0*PW4VwiPbCJ5y#s*<)G8;Q*}mRh~NorT%hKF=ZlHOmt*O|?`SH~ zqoJp6#)DMJRu{_!VK)=pyuUo>{Bp!B8{Im$p&yAYxg^`oB!|9s{kq7E2CuKLoL{fB zq0(lUheF#DyL66P0h^$?tBWCCdpRUhu(G>7l;HRO%SA<4zr;U zf!lX~3;#V)VGmZ^n4~)`B-rNGe!)8XIeBB2I(x6De#E}Ax9TZ`%}Ib81WTP^S1pgB z*DgypnmboGQ|3M6a@;WE=bN6eTwVh+9->3L8p@@v2B2~eNe?KKZe2OsuC*TfJ7TSb zF}A$xZj+K$)DB8^g`74smfznt$J_JSOy}3VX(}*kYE$6VfU6r>c_TLtuLx*z8o&9j z0KZ87a}%wLgdkmc8|XXKetr`Bze&Jd6gtzBKCq;fY${$DUgI@sC6r&2Gx~&5J)<* z7is?jWkaXWY%V2JGtwi<2LQD2p#JlvFcwGA81n=MjSy}EpuBBjXvtozs+u+9Gi~WX zg%K35ZLv4m<{|iLH34N;JI(oqxVMk<`If&M+KT0k533hy9#AkVR1lVH&TJ*p%`Ltj zb{c1Thb2B})O9t-ta##%D8lol9nT`hWp zX`~>H{DkJ~x(G#$2Rcy~#ZEJpD5rgTAdk-azP|n8<8(&sm|;nzM|R=CB;ewdo6-|u z>J_=-Chw9PwNHb3s(KtXC?UZatP@2`Vpe_h8QF?}neylzZwPdgxiyrc>M0C}gKHxzZ?@2~#=zy=9m literal 0 HcmV?d00001 diff --git a/pkg/cmd/attestation/test/data/reusable-workflow-attestation.sigstore.json b/pkg/cmd/attestation/test/data/reusable-workflow-attestation.sigstore.json new file mode 100644 index 000000000..4150fad01 --- /dev/null +++ b/pkg/cmd/attestation/test/data/reusable-workflow-attestation.sigstore.json 
@@ -0,0 +1,62 @@ +{ + "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", + "verificationMaterial": { + "tlogEntries": [ + { + "logIndex": "96764485", + "logId": { + "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0=" + }, + "kindVersion": { + "kind": "dsse", + "version": "0.0.1" + }, + "integratedTime": "1716578064", + "inclusionPromise": { + "signedEntryTimestamp": "MEUCIBnCAgBND2tf60dg5uvlw0EBbBRhFtMuP3YTRpIQj2hCAiEAmWSymilD/iY97X11tLGE/Jrs4/QZRttQl5D3IHYN8LA=" + }, + "inclusionProof": { + "logIndex": "92601054", + "rootHash": "WV7orTEdDpnb8KICQSRSexYSaLmAdRbXTg8+XqxWWKM=", + "treeSize": "92601055", + "hashes": [ + "CB1xVx3PJNW+3zlLJ2FfIeZja6SZuS+CBsQCEl1mZig=", + "leemdxn7IXyI3q5qnApFVDe1ZvxriyA99ml3CUxZdMo=", + "BNjYNzNQTGe2feyWagoeovSY94wFKEvCwsDDSuzoFc8=", + "gYAfWQoQuzl03VxmY8Y3zYfncEwyL/PymMwBXa+7LZs=", + "CdX/d9Kws+qekjkNvppM9hV7QIjKwmJczmJluOKB1Eo=", + "PdM9YH9JZZGlnM6sSgQ4j241nCzAf4tHUdnVKxY2X30=", + "w1bdD4n0CWmWRMvbt7/8QhI/0ssitiB4Qmeqwbv7Qr0=", + "S0w2zc7ITyKJF8zP4N6Smews+cUnI/VSUDI3GWnvzKU=", + "cGxCXxLX5YX3M/3uGLofaY5t2NN03RonodHiEtVlZ3U=", + "o6CV1vxHmEXX1iLR5/z1R7XDl8m/IVrKD8CrdxzMfWw=", + "3fqMF47gbRivMozMOuE+dTj9UudYsqX4JcAhydLaReg=", + "Tg/ftnzNsPhNUlXIBEhRDG1F7eTihz/Ur47mvsRbz7g=", + "nPoKmHvc25emt5VYLI6G6uXL9un4iz3AWRbp0O/EjoE=", + "cX3Agx+hP66t1ZLbX/yHbfjU46/3m/VAmWyG/fhxAVc=", + "sjohk/3DQIfXTgf/5XpwtdF7yNbrf8YykOMHr1CyBYQ=", + "98enzMaC+x5oCMvIZQA5z8vu2apDMCFvE/935NfuPw8=" + ], + "checkpoint": { + "envelope": "rekor.sigstore.dev - 2605736670972794746\n92601055\nWV7orTEdDpnb8KICQSRSexYSaLmAdRbXTg8+XqxWWKM=\n\n— rekor.sigstore.dev wNI9ajBEAiBCgSIjeltjI7SNI4GdxgiZj+WQML61UMuVCiYMENL7UgIgZtS/hrR/3eEzhJAxFMuP1hymkxaOMT4UAYgiMLuje1I=\n" + } + }, + "canonicalizedBody": 
"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiZHNzZSIsInNwZWMiOnsiZW52ZWxvcGVIYXNoIjp7ImFsZ29yaXRobSI6InNoYTI1NiIsInZhbHVlIjoiOWVhZGU5MWI0YjE4ZWIyNzg0M2E1MGQzMWY5MjQ1MzZlMjRmYzFkNDg2MDU0OGRhN2JiMDkzNGM3ZTJiM2Q1NiJ9LCJwYXlsb2FkSGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjNjMzZjNGE5OGZjNTU4MTg3YWM2MTc1ZWZkN2E3NmUwZjc2NDIwOWZkY2VjMGRhMzFhNDc5Y2E0MjY3MmM0ZmEifSwic2lnbmF0dXJlcyI6W3sic2lnbmF0dXJlIjoiTUVZQ0lRRHJTN3VRMTlOa1dGUERGMjc2ejFhY25zeStad3BSY1NYZTkyYVNjbUJVaUFJaEFNdXBVM1djSmRJVnVkWHBXTm9zU1FILzZLRncwMVc2MWh1WHZEbC9xYklFIiwidmVyaWZpZXIiOiJMUzB0TFMxQ1JVZEpUaUJEUlZKVVNVWkpRMEZVUlMwdExTMHRDazFKU1VoUlJFTkRRbk5oWjBGM1NVSkJaMGxWVUdreGNHNVNjRFYyTDB3eFdtbFhSVEZ0T1dnMWJVSkdhVU00ZDBObldVbExiMXBKZW1vd1JVRjNUWGNLVG5wRlZrMUNUVWRCTVZWRlEyaE5UV015Ykc1ak0xSjJZMjFWZFZwSFZqSk5ValIzU0VGWlJGWlJVVVJGZUZaNllWZGtlbVJIT1hsYVV6RndZbTVTYkFwamJURnNXa2RzYUdSSFZYZElhR05PVFdwUmQwNVVTVEJOVkd0NFRrUkpNRmRvWTA1TmFsRjNUbFJKTUUxVWEzbE9SRWt3VjJwQlFVMUdhM2RGZDFsSUNrdHZXa2w2YWpCRFFWRlpTVXR2V2tsNmFqQkVRVkZqUkZGblFVVXZWMFptTTBOTWFtUktVV3N2Y1c5RGJHNHZTMlpUTVVscmVVdGhRbEJTU0hZM2FrNEtTR05TT0ZOV1RIcElNMU55U2poUGFETnVOMGRVV0ZkeGJrNTBUMkZuWlhkcWFqQm9iVmgxTUZkSFZEQXlSRVZ6YW1GUFEwSmxWWGRuWjFob1RVRTBSd3BCTVZWa1JIZEZRaTkzVVVWQmQwbElaMFJCVkVKblRsWklVMVZGUkVSQlMwSm5aM0pDWjBWR1FsRmpSRUY2UVdSQ1owNVdTRkUwUlVablVWVlVNell5Q2pVNU4waDVXR1YwTXpoSmRtMXZRVTVZZFZnd2FtOUZkMGgzV1VSV1VqQnFRa0puZDBadlFWVXpPVkJ3ZWpGWmEwVmFZalZ4VG1wd1MwWlhhWGhwTkZrS1drUTRkMmRaT0VkQk1WVmtSVkZGUWk5M1UwSm9SRU5DWjFsYUwyRklVakJqU0UwMlRIazVibUZZVW05a1YwbDFXVEk1ZEV3eVpIQmtSMmd4V1drNWFBcGpibEp3V20xR2FtUkRNV2hrU0ZKc1l6TlNhR1JIYkhaaWJrMTBaREk1ZVdFeVduTmlNMlI2VEhrMWJtRllVbTlrVjBsMlpESTVlV0V5V25OaU0yUjZDa3d5UmpCa1IxWjZaRU0xTldKWGVFRk5SR3hwVGtSck1WbDZUbTFOVkVwcVRucG5ORTFYU1hwWk1rMTRUbnBKZDA5WFJYcE5hbU16VDFSSmQwNXFWbW9LVFZkRmVGcEVRVFZDWjI5eVFtZEZSVUZaVHk5TlFVVkNRa04wYjJSSVVuZGplbTkyVEROU2RtRXlWblZNYlVacVpFZHNkbUp1VFhWYU1td3dZVWhXYVFwa1dFNXNZMjFPZG1KdVVteGlibEYxV1RJNWRFMUNPRWREYVhOSFFWRlJRbWMzT0hkQlVVbEZSVmhrZG1OdGRHMWlSemt6V0RKU2NHTXpRbWhrUjA1dkNrMUVXVWREYVhOSFFWRlJ
RbWMzT0hkQlVVMUZTMFJyTVZsdFJtMU5hbU42VDBSc2JFOUVUbXhPYlVVeFdYcFJORnBxVVhsYVZFVTFUVWRSTUU5SFVUTUtXVmRLYWxwWFJYaFBWMVYzVEdkWlMwdDNXVUpDUVVkRWRucEJRa0pCVVdkUmJsWndZa2RSWjB4NVFrSmtTRkpzWXpOUloweDVRbGRhV0Vwd1dtNXJad3BMUms1dldWaEtiRnBEYTNkSloxbExTM2RaUWtKQlIwUjJla0ZDUWxGUlZXSlhSbk5aVnpWcVdWaE5kbGxZVWpCYVdFNHdURmRTYkdKWE9IZElVVmxMQ2t0M1dVSkNRVWRFZG5wQlFrSm5VVkJqYlZadFkzazViMXBYUm10amVUbDBXVmRzZFUxRWMwZERhWE5IUVZGUlFtYzNPSGRCVVdkRlRGRjNjbUZJVWpBS1kwaE5Oa3g1T1RCaU1uUnNZbWsxYUZrelVuQmlNalY2VEcxa2NHUkhhREZaYmxaNldsaEthbUl5TlRCYVZ6VXdURzFPZG1KVVEwSnJRVmxMUzNkWlFncENRVWRFZG5wQlFrTlJVMEpuVVhndllVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVERKa2NHUkhhREZaYVRsb1kyNVNjRnB0Um1wa1F6Rm9DbVJJVW14ak0xSm9aRWRzZG1KdVRYUmtNamw1WVRKYWMySXpaSHBNZVRWdVlWaFNiMlJYU1haa01qbDVZVEphYzJJelpIcE1Na1l3WkVkV2VtUkROVFVLWWxkNFFVMUViR2xPUkdzeFdYcE9iVTFVU21wT2VtYzBUVmRKZWxreVRYaE9la2wzVDFkRmVrMXFZek5QVkVsM1RtcFdhazFYUlhoYVJFRTBRbWR2Y2dwQ1owVkZRVmxQTDAxQlJVdENRMjlOUzBSQk5WbHFVVFZPVjAxNldtcEZlVmw2WXpSUFJFWnBUVEpPYWsxVVkzbE5SR3hvVFhwSk0wNTZhM2xOUkZreENsbDZSbWhOVjFGM1NGRlpTMHQzV1VKQ1FVZEVkbnBCUWtOM1VWQkVRVEZ1WVZoU2IyUlhTWFJoUnpsNlpFZFdhMDFFWTBkRGFYTkhRVkZSUW1jM09IY0tRVkYzUlV0UmQyNWhTRkl3WTBoTk5reDVPVzVoV0ZKdlpGZEpkVmt5T1hSTU1qRm9Za2RHZFZreVJucE1Na1l3WkVkV2VtUkRNV3RhVnpGMlRVUm5Sd3BEYVhOSFFWRlJRbWMzT0hkQlVUQkZTMmQzYjA5VVZtbFpWMWw1VG5wTk5FOVhWVFJOTWxVeVdWUldhazVFYUcxT1JFcHNUVlJyZDFwRVVUUmFSR1JvQ2xsdFRteFpWRVUxV2xSQlprSm5iM0pDWjBWRlFWbFBMMDFCUlU5Q1FrVk5SRE5LYkZwdVRYWmhSMVpvV2toTmRtSlhSbkJpYWtGYVFtZHZja0puUlVVS1FWbFBMMDFCUlZCQ1FYTk5RMVJuZDA1RVFUTk5SR042VGxSQmNrSm5iM0pDWjBWRlFWbFBMMDFCUlZGQ1FqQk5SekpvTUdSSVFucFBhVGgyV2pKc01BcGhTRlpwVEcxT2RtSlRPWFJaVjNob1ltMU9hR042UVZsQ1oyOXlRbWRGUlVGWlR5OU5RVVZTUWtGdlRVTkVSVEpOYWxFMFRWUlZlazFIVVVkRGFYTkhDa0ZSVVVKbk56aDNRVkpKUlZabmVGVmhTRkl3WTBoTk5reDVPVzVoV0ZKdlpGZEpkVmt5T1hSTU1qRm9Za2RHZFZreVJucE1Na1l3WkVkV2VtUkRNV3NLV2xjeGRreDVOVzVoV0ZKdlpGZEpkbVF5T1hsaE1scHpZak5rZWt3elRtOVpXRXBzV2tNMU5XSlhlRUZqYlZadFkzazViMXBYUm10amVUbDBXVmRzZFFwTlJHZEhRMmx6UjBGUlVVSm5OemgzUVZKTlJVdG5kMjlQVkZacFdWZFp
lVTU2VFRSUFYxVTBUVEpWTWxsVVZtcE9SR2h0VGtSS2JFMVVhM2RhUkZFMENscEVaR2haYlU1c1dWUkZOVnBVUVdoQ1oyOXlRbWRGUlVGWlR5OU5RVVZWUWtKTlRVVllaSFpqYlhSdFlrYzVNMWd5VW5Cak0wSm9aRWRPYjAxR2IwY0tRMmx6UjBGUlVVSm5OemgzUVZKVlJWUkJlRXRoU0ZJd1kwaE5Oa3g1T1c1aFdGSnZaRmRKZFZreU9YUk1NakZvWWtkR2RWa3lSbnBNTWtZd1pFZFdlZ3BrUXpGcldsY3hka3d5Um1wa1IyeDJZbTVOZG1OdVZuVmplVGcxVFdwSk5FOUVWVFJQVkZWNlRESkdNR1JIVm5SalNGSjZUSHBGZDBabldVdExkMWxDQ2tKQlIwUjJla0ZDUm1kUlNVUkJXbmRrVjBwellWZE5kMmRaYjBkRGFYTkhRVkZSUWpGdWEwTkNRVWxGWmtGU05rRklaMEZrWjBSa1VGUkNjWGh6WTFJS1RXMU5Xa2hvZVZwYWVtTkRiMnR3WlhWT05EaHlaaXRJYVc1TFFVeDViblZxWjBGQlFWa3JjMEp3Wlc5QlFVRkZRWGRDU0UxRlZVTkpRMk5XWlZNM1VncE9OWE5zTjNSbVJFZHFSMG96Y0hWd2RITmtZbnBIYW00MVJrUjJZbGRKYkZRdk5XdEJhVVZCYmxRd01EUnFTMkV5ZFVwT01HczRjRU5JUjJjNWRYb3hDbE4wTldGemN6QnJkVXRCWVZob2NIVmtabXQzUTJkWlNVdHZXa2w2YWpCRlFYZE5SR0ZCUVhkYVVVbDRRVXhzVnpSNlVXRTBWRGRUU205VFVTOTZSM2NLYlhaNmVtaHBXSGhSY21sSlJrbHpZMmRGYm1sMVoyNDJhVEJ4TDNFd1ZWRnZVMlIwZFZKM1pWaHdXbG94VVVsM1dIbDJVelZ2TkZVd1EwRldWU3RCUkFveVIwMWpWbGR4UXpFNFRYQk1jazFRTmpkUVUxZEdjVmhEZFU0MFRtNDFaMVpRVGxnd00zZHlVMHgyVFZkeldWQUtMUzB0TFMxRlRrUWdRMFZTVkVsR1NVTkJWRVV0TFMwdExRbz0ifV19fQ==" + } + ], + "timestampVerificationData": { + }, + "certificate": { + "rawBytes": "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" + } + }, + "dsseEnvelope": { + "payload": 
"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoiZ2l0aHViX3Byb3ZlbmFuY2VfZGVtby0wLjAuMC1weTMtbm9uZS1hbnkud2hsIiwiZGlnZXN0Ijp7InNoYTI1NiI6IjQ5YTNhYTYwNzVlMGY0OWY4Mjg0M2U3NGI1YmFhNjE0YWQyYTU4OGU2Njc1NjEyYmYxMDhhMGEwMDhjNWFjMjUifX1dLCJwcmVkaWNhdGVUeXBlIjoiaHR0cHM6Ly9zbHNhLmRldi9wcm92ZW5hbmNlL3YxIiwicHJlZGljYXRlIjp7ImJ1aWxkRGVmaW5pdGlvbiI6eyJidWlsZFR5cGUiOiJodHRwczovL3Nsc2EtZnJhbWV3b3JrLmdpdGh1Yi5pby9naXRodWItYWN0aW9ucy1idWlsZHR5cGVzL3dvcmtmbG93L3YxIiwiZXh0ZXJuYWxQYXJhbWV0ZXJzIjp7IndvcmtmbG93Ijp7InJlZiI6InJlZnMvaGVhZHMvbWFpbiIsInJlcG9zaXRvcnkiOiJodHRwczovL2dpdGh1Yi5jb20vbWFsYW5jYXMvYXR0ZXN0LWRlbW8iLCJwYXRoIjoiLmdpdGh1Yi93b3JrZmxvd3Mvc2hhcmVkLnltbCJ9fSwiaW50ZXJuYWxQYXJhbWV0ZXJzIjp7ImdpdGh1YiI6eyJldmVudF9uYW1lIjoid29ya2Zsb3dfZGlzcGF0Y2giLCJyZXBvc2l0b3J5X2lkIjoiODA0MDcwNzM1IiwicmVwb3NpdG9yeV9vd25lcl9pZCI6IjE2MjQ4MTUzIn19LCJyZXNvbHZlZERlcGVuZGVuY2llcyI6W3sidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9tYWxhbmNhcy9hdHRlc3QtZGVtb0ByZWZzL2hlYWRzL21haW4iLCJkaWdlc3QiOnsiZ2l0Q29tbWl0IjoiOTViYWYyNzM4OWU4M2U2YTVjNDhmNDJlMTkwZDQ4ZDdhYmNlYTE5ZSJ9fV19LCJydW5EZXRhaWxzIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vYWN0aW9ucy9ydW5uZXIvZ2l0aHViLWhvc3RlZCJ9LCJtZXRhZGF0YSI6eyJpbnZvY2F0aW9uSWQiOiJodHRwczovL2dpdGh1Yi5jb20vbWFsYW5jYXMvYXR0ZXN0LWRlbW8vYWN0aW9ucy9ydW5zLzkyMjg4NTg5NTMvYXR0ZW1wdHMvMSJ9fX19", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEYCIQDrS7uQ19NkWFPDF276z1acnsy+ZwpRcSXe92aScmBUiAIhAMupU3WcJdIVudXpWNosSQH/6KFw01W61huXvDl/qbIE" + } + ] + } +} \ No newline at end of file diff --git a/pkg/cmd/attestation/verify/verify_integration_test.go b/pkg/cmd/attestation/verify/verify_integration_test.go index 7cc1c8110..66e8d8dc6 100644 --- a/pkg/cmd/attestation/verify/verify_integration_test.go +++ b/pkg/cmd/attestation/verify/verify_integration_test.go 
@@ -8,6 +8,7 @@ import (
 	"github.com/cli/cli/v2/pkg/cmd/attestation/api"
 	"github.com/cli/cli/v2/pkg/cmd/attestation/artifact/oci"
 	"github.com/cli/cli/v2/pkg/cmd/attestation/io"
+	"github.com/cli/cli/v2/pkg/cmd/attestation/test"
 	"github.com/cli/cli/v2/pkg/cmd/attestation/verification"
 	"github.com/cli/cli/v2/pkg/cmd/factory"
 	"github.com/stretchr/testify/require"
@@ -80,3 +81,70 @@ func TestVerifyIntegration(t *testing.T) {
 		require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\": failed to verify certificate identity: no matching certificate identity found")
 	})
 }
+
+func TestVerifyIntegrationReusableWorkflow(t *testing.T) {
+	artifactPath := test.NormalizeRelativePath("../test/data/reusable-workflow-artifact")
+	bundlePath := test.NormalizeRelativePath("../test/data/reusable-workflow-attestation.sigstore.json")
+
+	logger := io.NewTestHandler()
+
+	sigstoreConfig := verification.SigstoreConfig{
+		Logger: logger,
+	}
+
+	cmdFactory := factory.New("test")
+
+	hc, err := cmdFactory.HttpClient()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	baseOpts := Options{
+		APIClient:        api.NewLiveClient(hc, logger),
+		ArtifactPath:     artifactPath,
+		BundlePath:       bundlePath,
+		DigestAlgorithm:  "sha256",
+		Logger:           logger,
+		OCIClient:        oci.NewLiveClient(),
+		OIDCIssuer:       GitHubOIDCIssuer,
+		SigstoreVerifier: verification.NewLiveSigstoreVerifier(sigstoreConfig),
+	}
+
+	t.Run("with owner and valid reusable workflow SAN", func(t *testing.T) {
+		opts := baseOpts
+		opts.Owner = "malancas"
+		opts.SAN = "https://github.com/github/artifact-attestations-workflows/.github/workflows/attest.yml@09b495c3f12c7881b3cc17209a327792065c1a1d"
+
+		err := runVerify(&opts)
+		require.NoError(t, err)
+	})
+
+	t.Run("with owner and valid reusable workflow SAN regex", func(t *testing.T) {
+		opts := baseOpts
+		opts.Owner = "malancas"
+		opts.SANRegex = "^https://github.com/github/artifact-attestations-workflows/"
+
+		err := runVerify(&opts)
+		require.NoError(t, err)
+	})
+
+	t.Run("with repo and valid reusable workflow SAN", func(t *testing.T) {
+		opts := baseOpts
+		opts.Owner = "malancas"
+		opts.Repo = "malancas/attest-demo"
+		opts.SAN = "https://github.com/github/artifact-attestations-workflows/.github/workflows/attest.yml@09b495c3f12c7881b3cc17209a327792065c1a1d"
+
+		err := runVerify(&opts)
+		require.NoError(t, err)
+	})
+
+	t.Run("with repo and valid reusable workflow SAN regex", func(t *testing.T) {
+		opts := baseOpts
+		opts.Owner = "malancas"
+		opts.Repo = "malancas/attest-demo"
+		opts.SANRegex = "^https://github.com/github/artifact-attestations-workflows/"
+
+		err := runVerify(&opts)
+		require.NoError(t, err)
+	})
+}
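Review bot: All four subtests in TestVerifyIntegrationReusableWorkflow assert `require.NoError`, so a regression that made runVerify accept any SAN for this fixture would still pass; the existing TestVerifyIntegration (its closing lines are the context at the top of the hunk) pairs its accepting cases with a rejection case asserting "no matching certificate identity found", and this function should do the same. The reusable-workflow case is exactly the one where the certificate SAN names the called workflow (github/artifact-attestations-workflows) rather than the caller's repository (malancas/attest-demo), so the test should show that a SAN for a different workflow path is rejected, and presumably that a mismatched Owner/Repo is too — I cannot confirm the exact error text for the repo mismatch from this hunk, so only the SAN case is sketched below (the `other.yml` path is a constructed example). A doc comment on the function would also help, e.g. `// TestVerifyIntegrationReusableWorkflow covers an artifact attested by a caller repository through a reusable workflow: the SAN identifies the reusable workflow, not the caller, while --owner/--repo bind to the caller.`, since the fixture's meaning is otherwise only recoverable by decoding the bundle.
```go
	// … unchanged: fixture setup and the four accepting subtests …

	t.Run("with repo and non-matching reusable workflow SAN", func(t *testing.T) {
		opts := baseOpts
		opts.Owner = "malancas"
		opts.Repo = "malancas/attest-demo"
		opts.SAN = "https://github.com/github/artifact-attestations-workflows/.github/workflows/other.yml@09b495c3f12c7881b3cc17209a327792065c1a1d"

		err := runVerify(&opts)
		require.ErrorContains(t, err, "no matching certificate identity found")
	})
```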