From f3982b278cb1fc42f3a0664c03ac318df1a407ef Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Mon, 16 Dec 2024 16:57:05 -0700
Subject: [PATCH] add more verification integration tests

Signed-off-by: Meredith Lancaster
---
.../verify/verify-with-custom-trusted-root.sh | 22 +++++++++++++++++++
.../verify-with-internal-github-sigstore.sh | 16 ++++++++++++++
2 files changed, 38 insertions(+)
create mode 100755 test/integration/attestation-cmd/verify/verify-with-custom-trusted-root.sh
create mode 100644 test/integration/attestation-cmd/verify/verify-with-internal-github-sigstore.sh
diff --git a/test/integration/attestation-cmd/verify/verify-with-custom-trusted-root.sh b/test/integration/attestation-cmd/verify/verify-with-custom-trusted-root.sh
new file mode 100755
index 000000000..89a3a4556
--- /dev/null
+++ b/test/integration/attestation-cmd/verify/verify-with-custom-trusted-root.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Get the root directory of the repository
+rootDir="$(git rev-parse --show-toplevel)"
+
+ghBuildPath="$rootDir/bin/gh"
+
+artifactPath="$rootDir/pkg/cmd/attestation/test/data/sigstore-js-2.1.0.tgz"
+bundlePath="$rootDir/pkg/cmd/attestation/test/data/sigstore-js-2.1.0_with_2_bundles.jsonl"
+
+# Download a custom trusted root for verification
+if ! $ghBuildPath attestation trusted-root > trusted_root.jsonl; then
+ # cleanup test data
+ echo "Failed to download trusted root"
+ exit 1
+fi
+
+if ! $ghBuildPath attestation verify "$artifactPath" -b "$bundlePath" --digest-alg=sha512 --owner=sigstore --custom-trusted-root trusted_root.jsonl; then
+ echo "Failed to verify package with a Sigstore v0.2.0 bundle"
+ exit 1
+fi
diff --git a/test/integration/attestation-cmd/verify/verify-with-internal-github-sigstore.sh b/test/integration/attestation-cmd/verify/verify-with-internal-github-sigstore.sh
new file mode 100644
index 000000000..647a13a4c
--- /dev/null
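Review bot: In verify-with-custom-trusted-root.sh the trusted root is written to a fixed `trusted_root.jsonl` in the current working directory and never removed, and the `# cleanup test data` comment in the failure branch is not followed by any cleanup. Because this file is the trust anchor for the `verify` call that follows, it is better kept in a private temp file created with `mktemp` and removed by an `EXIT` trap, so that runs cannot collide and nothing is left behind in the checkout. `$ghBuildPath` is also expanded unquoted in both `if` lines of this script and in the `if` line of verify-with-internal-github-sigstore.sh, which breaks when the repository path contains whitespace; it should be written `"$ghBuildPath"`.

```shell
# … unchanged: rootDir, ghBuildPath, artifactPath, bundlePath …

# Download a custom trusted root into a private temp file, removed on exit
trustedRootPath="$(mktemp)"
trap 'rm -f -- "$trustedRootPath"' EXIT

if ! "$ghBuildPath" attestation trusted-root > "$trustedRootPath"; then
  # … unchanged: failure message and exit …
fi

if ! "$ghBuildPath" attestation verify "$artifactPath" -b "$bundlePath" --digest-alg=sha512 --owner=sigstore --custom-trusted-root "$trustedRootPath"; then
  # … unchanged: failure message and exit …
fi
```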
+++ b/test/integration/attestation-cmd/verify/verify-with-internal-github-sigstore.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Get the root directory of the repository
+rootDir="$(git rev-parse --show-toplevel)"
+
+ghBuildPath="$rootDir/bin/gh"
+
+ghCLIArtifact="$rootDir/pkg/cmd/attestation/test/data/gh_2.60.1_windows_arm64.zip"
+
+# Verify the gh CLI artifact
+echo "Testing with package $ghCLIArtifact"
+if ! $ghBuildPath attestation verify "$ghCLIArtifact" --digest-alg=sha256 --owner=cli; then
+ echo "Failed to verify"
+ exit 1
+fi
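Review bot: verify-with-internal-github-sigstore.sh asserts only that verification succeeds, so a regression that made `attestation verify` accept any artifact or owner would still pass this test. A paired negative case after the existing `if` block would close that gap, for example `if "$ghBuildPath" attestation verify "$ghCLIArtifact" --digest-alg=sha256 --owner=UNRELATED_OWNER_PLACEHOLDER; then echo "Verification unexpectedly succeeded"; exit 1; fi`, with the placeholder replaced by an owner that did not produce the artifact. The file is also created with mode 100644 while its sibling script is 100755, so it will not run if the test runner executes the scripts directly; how the runner invokes them is not visible in this patch.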