build: Skip cosign verification for CI

The libgit2 libraries are downloaded and verified before some of the make targets are executed. This assures the provenance of such files before using them and is very important specially for end users running such tests on their machines. Note that has been disabled specially due to recent issues we experienced at CI which can be seen in: fluxcd/source-controller#899 Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
souleb · Mar 12, 2024 · f35b71a · f35b71a
1 parent 014fe7f
commit f35b71a
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 3 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -51,6 +51,7 @@ jobs:
           # We should reenable go test -race for arm64 runners once the
           # current issue is resolved.
           GO_TEST_ARGS: ""
+          SKIP_COSIGN_VERIFICATION: true
       - name: Verify
         run: make verify
 
@@ -74,5 +75,7 @@ jobs:
             ${{ runner.os }}-go-
       - name: Run tests
         run: make test
+        env:
+          SKIP_COSIGN_VERIFICATION: true
       - name: Verify
         run: make verify
diff --git a/.github/workflows/cifuzz.yaml b/.github/workflows/cifuzz.yaml
@@ -26,3 +26,5 @@ jobs:
           ${{ runner.os }}-go-
     - name: Smoke test Fuzzers
       run: make fuzz-smoketest
+      env:
+        SKIP_COSIGN_VERIFICATION: true
diff --git a/Makefile b/Makefile
@@ -19,6 +19,9 @@ BUILD_PLATFORMS ?= linux/amd64,linux/arm64,linux/arm/v7
 # Allows for defining additional Go test args, e.g. '-tags integration'.
 GO_TEST_ARGS ?= -race
 
+# Defines whether cosign verification should be skipped.
+SKIP_COSIGN_VERIFICATION ?= false
+
 # Directory with versioned, downloaded things
 CACHE := cache
 

diff --git a/hack/install-libraries.sh b/hack/install-libraries.sh
@@ -6,6 +6,7 @@ IMG="${IMG:-}"
 TAG="${TAG:-}"
 IMG_TAG="${IMG}:${TAG}"
 DOWNLOAD_URL="https://github.com/fluxcd/golang-with-libgit2/releases/download/${TAG}"
+SKIP_COSIGN_VERIFICATION="${SKIP_COSIGN_VERIFICATION:-false}"
 
 TMP_DIR=$(mktemp -d)
 
@@ -48,9 +49,13 @@ cosign_verify(){
 assure_provenance() {
     [[ $# -eq 1 ]] || fatal 'assure_provenance needs exactly 1 arguments'
 
-    cosign_verify "${TMP_DIR}/checksums.txt.pem" \
-                  "${TMP_DIR}/checksums.txt.sig" \
-                  "${TMP_DIR}/checksums.txt"
+    if "${SKIP_COSIGN_VERIFICATION}"; then
+        echo 'Skipping cosign verification...'
+    else
+        cosign_verify "${TMP_DIR}/checksums.txt.pem" \
+                    "${TMP_DIR}/checksums.txt.sig" \
+                    "${TMP_DIR}/checksums.txt"
+    fi
 
     pushd "${TMP_DIR}" || exit
     if command -v sha256sum; then