From 454c330c0719033efb6e5593cdff37d60744b64a Mon Sep 17 00:00:00 2001
From: Ville Aikas
Date: Wed, 10 Aug 2022 12:40:24 +0300
Subject: [PATCH 1/5] Use TUF from scaffolding for validating cosign.

Signed-off-by: Ville Aikas
---
 .../workflows/kind-verify-attestation.yaml | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml
index 1aa7ced3e6b..2a8e9c8c61e 100644
--- a/.github/workflows/kind-verify-attestation.yaml
+++ b/.github/workflows/kind-verify-attestation.yaml
@@ -32,21 +32,15 @@ jobs:
 strategy:
 matrix:
 k8s-version:
- - v1.22.x
- # Try without this one now, might have problems with job restartings
- # may require upstream changes.
- - v1.23.x
 - v1.24.x
 env:
- KNATIVE_VERSION: "1.5.0"
+ KNATIVE_VERSION: "1.6.0"
 KO_DOCKER_REPO: "registry.local:5000/policy-controller"
- SCAFFOLDING_RELEASE_VERSION: "v0.3.0"
+ SCAFFOLDING_RELEASE_VERSION: "v0.4.2"
 GO111MODULE: on
 GOFLAGS: -ldflags=-s -ldflags=-w
 KOCACHE: ~/ko
- # Trust the custom Rekor API endpoint for fetching the Public Key from it.
- SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY: "true"
 # We are only testing keyless here, so set it.
 COSIGN_EXPERIMENTAL: "true"
@@ -67,8 +61,11 @@ jobs:
 run: |
 make cosign
- - name: Install cluster + cosign
+ - name: Install cluster + sigstore
 uses: sigstore/scaffolding/actions/setup@main
+ with:
+ legacy-variables: "false"
+ k8s-version: ${{ matrix.k8s-version }}
 - name: Create sample image - demoimage
 run: |
@@ -86,6 +83,10 @@ jobs:
 echo Created image $demoimage
 popd
+ - name: Initialize with our custom TUF root
+ TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url})
+ ./cosign initialize --mirror $TUF_MIRROR --root ./root.json
+
 - name: Sign demoimage with cosign
 run: |
 ./cosign sign --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --force --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }}
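Review bot: In the new `Initialize with our custom TUF root` step, `TUF_MIRROR` is passed to `./cosign initialize --mirror` without being checked: as far as I can tell the default `bash -e` step shell aborts if `kubectl` itself fails, but a `tuf` ksvc that is not yet ready returns an empty `.status.url` with a zero exit code, so initialize runs against an empty mirror and the failure surfaces later and less clearly. A one-line guard between the two commands, `[ -n "$TUF_MIRROR" ] || { echo "tuf ksvc has no status.url yet" >&2; exit 1; }`, fails the step at the point where the cause is visible. `./root.json` is the trust anchor for every verification that follows, yet nothing in this hunk shows where it is written; presumably the scaffolding setup action places it in the workspace, and a comment above the step saying so (`# root.json is written by the scaffolding setup action; it is the only trust root used below`) would let a reader confirm the root's provenance without reading the action. The same two points apply to the step's final form in the last patch of this series, which wraps these lines in `run: |`.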
From e34628e1ee8a5bcd3cae5e0e0c69cd1b33bcd755 Mon Sep 17 00:00:00 2001
From: Ville Aikas
Date: Wed, 10 Aug 2022 13:36:08 +0300
Subject: [PATCH 2/5] pin to scaffolding v0.4.2.

Signed-off-by: Ville Aikas
---
 .github/workflows/kind-verify-attestation.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml
index 2a8e9c8c61e..23bdd4b3bd0 100644
--- a/.github/workflows/kind-verify-attestation.yaml
+++ b/.github/workflows/kind-verify-attestation.yaml
@@ -35,7 +35,6 @@ jobs:
 - v1.24.x
 env:
- KNATIVE_VERSION: "1.6.0"
 KO_DOCKER_REPO: "registry.local:5000/policy-controller"
 SCAFFOLDING_RELEASE_VERSION: "v0.4.2"
 GO111MODULE: on
@@ -66,6 +65,7 @@ jobs:
 with:
 legacy-variables: "false"
 k8s-version: ${{ matrix.k8s-version }}
+ version: ${{ env.SCAFFOLDING_RELEASE_VERSION }}
 - name: Create sample image - demoimage
 run: |

From 9d47d36445c8e17ae0bb8c5f33dffaba318d1c2c Mon Sep 17 00:00:00 2001
From: Ville Aikas
Date: Wed, 10 Aug 2022 16:35:31 +0300
Subject: [PATCH 3/5] fix typo, missing '

Signed-off-by: Ville Aikas
---
 .github/workflows/kind-verify-attestation.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml
index 23bdd4b3bd0..b41a7c5a218 100644
--- a/.github/workflows/kind-verify-attestation.yaml
+++ b/.github/workflows/kind-verify-attestation.yaml
@@ -84,7 +84,7 @@ jobs:
 popd
 - name: Initialize with our custom TUF root
- TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url})
+ TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}'')
 ./cosign initialize --mirror $TUF_MIRROR --root ./root.json
 - name: Sign demoimage with cosign

From 35074e50231365839c8579d2450450bf641724ec Mon Sep 17 00:00:00 2001
From: Ville Aikas
Date: Wed, 10 Aug 2022 16:39:45 +0300
Subject: [PATCH 4/5] vscode, not now.
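Review bot: The new `version: ${{ env.SCAFFOLDING_RELEASE_VERSION }}` input pins which scaffolding release gets installed, but the action that performs the install and sets up the TUF root is still referenced as `sigstore/scaffolding/actions/setup@main` on the `uses:` line just above this hunk, so the code that runs in this job can change under the pin without any diff in this workflow. Pinning that ref to the same tag, or to a commit SHA with a version comment, keeps the installer and the release in lockstep and makes a failing run reproducible; since the `uses:` line is not part of this hunk that is a follow-up edit rather than a change to these lines. The enclosing step definition starts before the hunk.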
Signed-off-by: Ville Aikas
---
 .github/workflows/kind-verify-attestation.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml
index b41a7c5a218..f7b20972d71 100644
--- a/.github/workflows/kind-verify-attestation.yaml
+++ b/.github/workflows/kind-verify-attestation.yaml
@@ -84,7 +84,7 @@ jobs:
 popd
 - name: Initialize with our custom TUF root
- TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}'')
+ TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
 ./cosign initialize --mirror $TUF_MIRROR --root ./root.json
 - name: Sign demoimage with cosign

From 54be3aec230f3927e7240b53be8e75d8acb845ab Mon Sep 17 00:00:00 2001
From: Ville Aikas
Date: Wed, 10 Aug 2022 16:49:47 +0300
Subject: [PATCH 5/5] ok, here we go.

Signed-off-by: Ville Aikas
---
 .github/workflows/kind-verify-attestation.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml
index f7b20972d71..cd0c8e17a68 100644
--- a/.github/workflows/kind-verify-attestation.yaml
+++ b/.github/workflows/kind-verify-attestation.yaml
@@ -84,8 +84,9 @@ jobs:
 popd
 - name: Initialize with our custom TUF root
- TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
- ./cosign initialize --mirror $TUF_MIRROR --root ./root.json
+ run: |
+ TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
+ ./cosign initialize --mirror $TUF_MIRROR --root ./root.json
 - name: Sign demoimage with cosign
 run: |