Commit
Make E2E tests hermetic (sigstore#3499)
* Set rekor URL for online and offline tests

Some tests were setting the REKOR_URL environment variable to try to
test offline verification. This variable is no longer read so it was not
doing anything. This change removes the variable and instead sets
RekorURL in the command to either the local rekor instance (so that the
public instance is not used) or to a bad url with Offline set to true so
that offline verification is truly tested.

This change also removes the COSIGN_EXPERIMENTAL variable which is no
longer used, and replaces os.Setenv with testing.Setenv which
localizes the environment setting to the scope of the test and removes
the need for a cleanup function.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

* Fix cleanup in E2E script

Calling trap multiple times replaces the last signal handler rather than
appending to it. This change ensures that the most recent trap includes
all previous traps so that all cleanups are executed.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

* Move verify tests from shell script to Go suite

Move the `cosign dockerfile verify` and `cosign manifest verify` tests
out of the shell script and into the e2e Go test suite file with all the
other tests. This makes them consistent to manage.

The initialization of fulcio roots in other tests pollutes the trust
root in the new tests, so a reset is added to the fulcioroots package
for testing only.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

* Use local services for verify tests

Update TestDockerfileVerify and TestManifestVerify to sign ephemeral
images within the tests so that the signatures can be created with and
verified from the locally running Fulcio and Rekor instances instead of
verifying images with the public Rekor instance, so that the tests no
longer depend on external services.

The images are signed using --identity-token to avoid changing the
nature of the verification tests, which were originally written to be
keyless. A mock OIDC server is provisioned to provide the token and
enable verification.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

* Set rekor env variable in Go test suite

Move the setting of SIGSTORE_REKOR_PUBLIC_KEY from the e2e shell script
to the Go test suite, so that only the tests that need it have it set
and the shell script is doing less setup. Also remove unnecessary
instances of os.RemoveAll for temporary directories that the Go testing
framework will automatically clean up.

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>

---------

Signed-off-by: Colleen Murphy <colleenmurphy@google.com>
Signed-off-by: Noah Kreiger <noahkreiger@gmail.com>
cmurphy authored and nkreiger committed Mar 2, 2024
1 parent bbb0156 commit 5669054
Showing 13 changed files with 554 additions and 198 deletions.
7 changes: 7 additions & 0 deletions internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go
@@ -56,6 +56,13 @@ func GetIntermediates() (*x509.CertPool, error) {
return intermediates, singletonRootErr
}

// ReInit reinitializes the global roots and intermediates, overriding the sync.Once lock.
// This is only to be used for tests, where the trust root environment variables may change after the roots are initialized in the module.
func ReInit() error {
roots, intermediates, singletonRootErr = initRoots()
return singletonRootErr
}

func initRoots() (*x509.CertPool, *x509.CertPool, error) {
rootPool := x509.NewCertPool()
// intermediatePool should be nil if no intermediates are found
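Review bot: ReInit assigns the package globals roots, intermediates and singletonRootErr with no synchronization, deliberately bypassing the sync.Once that otherwise guards them, so any test that calls ReInit while another goroutine (a test marked t.Parallel, or the test's own subject code) reads them through GetIntermediates is a data race that `go test -race` will report. Either guard the reads and this write with a sync.RWMutex, or state in the doc comment that ReInit must only be called from non-parallel tests before the package is used. Separately, since the function is exported from a non-_test file, nothing prevents production code from calling it; moving it to an export_test.go in the same package would keep the "tests only" intent enforceable by the compiler rather than by the comment.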

0 comments on commit 5669054