Update sigstore-go dependency to v0.3.0 (#8977)

* update sigstore-go dep to v0.3.0

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add integration test to verify newer sigstore bundle versions

Signed-off-by: Meredith Lancaster <malancas@github.com>

* Fix shellcheck issues

Signed-off-by: Meredith Lancaster <malancas@github.com>

* Give the cli/package-security team ownership over gh attestation cmd integration tests

Signed-off-by: Meredith Lancaster <malancas@github.com>

* fetch attestation file

Signed-off-by: Meredith Lancaster <malancas@github.com>

* clean up new integration test

Signed-off-by: Meredith Lancaster <malancas@github.com>

* try pulling other attestation file

Signed-off-by: Meredith Lancaster <malancas@github.com>

* cleanup new attestation verify integration test

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add new gh attestation integration test to workflow

Signed-off-by: Meredith Lancaster <malancas@github.com>

* mark script as executable

Signed-off-by: Meredith Lancaster <malancas@github.com>

* rename the integration test file

Signed-off-by: Meredith Lancaster <malancas@github.com>

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>
Meredith Lancaster 2024-04-23 07:07:23 -06:00 committed by GitHub
parent 8181c62382
commit c465d465a5
GPG key ID: B5690EEEBB952194
5 changed files with 217 additions and 211 deletions


@ -0,0 +1,24 @@
#!/usr/bin/env bash
set -euo pipefail
# Get the root directory of the repository
rootDir="$(git rev-parse --show-toplevel)"
ghBuildPath="$rootDir/bin/gh"
sigstore02PackageFile="sigstore-2.2.0.tgz"
sigstore02PackageURL="https://registry.npmjs.org/sigstore/-/$sigstore02PackageFile"
sigstore02AttestationFile="sigstore-2.2.0.json"
sigstore02AttestationURL="https://registry.npmjs.org/-/npm/v1/attestations/sigstore@2.2.0"
curl -s "$sigstore02PackageURL" -o "$sigstore02PackageFile"
curl -s "$sigstore02AttestationURL" | jq '.attestations[1].bundle' > "$sigstore02AttestationFile"
# Verify the v0.2.0 sigstore bundle
echo "Testing with package $sigstore02PackageFile and attestation $sigstore02AttestationFile"
if ! $ghBuildPath attestation verify "$sigstore02PackageFile" -b "$sigstore02AttestationFile" --digest-alg=sha512 --owner=sigstore; then
echo "Failed to verify package with a Sigstore v0.2.0 bundle"
# cleanup test data
rm "$sigstore02PackageFile" "$sigstore02AttestationFile"
exit 1
fi
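Review bot: the two `curl -s` downloads at the top of the hunk do not fail on an HTTP error (curl exits 0 on a 404 unless `--fail` is given), so even under `set -euo pipefail` an unavailable tarball or attestation endpoint leaves an error page saved as `sigstore-2.2.0.tgz` and the test only fails later, at `gh attestation verify`, with a misleading message; use `curl -sSf` (or `--fail-with-body`) so the script stops at the download step. Related: `jq '.attestations[1].bundle'` depends on the ordering of the registry's attestations array, so a reordered or shorter response silently selects a different attestation or writes `null` into `sigstore-2.2.0.json`; selecting the entry by its predicate type field (assuming the registry response exposes one) or at least checking that the extracted bundle is not `null` before calling verify would make the test robust to that. Minor: the `rm` inside the failure branch could be replaced by a `trap 'rm -f "$sigstore02PackageFile" "$sigstore02AttestationFile"' EXIT` right after the variables are set, so cleanup is not repeated per branch, and `$ghBuildPath` on the verify line should be quoted for consistency with the other expansions.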