initial skeleton of unit test for keyless verification

Signed-off-by: Dmitry S <dsavints@gmail.com>

cmd/cosign/cli/verify.go

@@ -62,7 +62,7 @@ against the transparency log.`,
   cosign verify --cert cosign.crt --cert-chain chain.crt <IMAGE>
 
   # verify image using keyless verification with the given certificate
-  # chain and identity parameters, without Fulcio roots (fro BYO PKI):
+  # chain and identity parameters, without Fulcio roots (for BYO PKI):
   cosign verify --cert-chain chain.crt --certificate-oidc-issuer https://issuer.example.com --certificate-identity foo@example.com <IMAGE>
 
   # verify image with public key provided by URL

cmd/cosign/cli/verify/verify.go

@@ -271,7 +271,8 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 
 	// NB: There are only 2 kinds of verification right now:
 	// 1. You gave us the public key explicitly to verify against so co.SigVerifier is non-nil or,
-	// 2. We're going to find an x509 certificate on the signature and verify against Fulcio root trust
+	// 2. We’re going to find an x509 certificate on the signature and verify against
+	//    Fulcio root trust (or user supplied root trust)
 	// TODO(nsmith5): Refactor this verification logic to pass back _how_ verification
 	// was performed so we don't need to use this fragile logic here.
 	fulcioVerified := (co.SigVerifier == nil)

cmd/cosign/cli/verify/verify_test.go

@@ -198,20 +198,3 @@ func TestVerifyCertMissingIssuer(t *testing.T) {
 		t.Fatal("verify expected 'need --certificate-oidc-issuer'")
 	}
 }
-
-func TestVerifyKeylessVerification(t *testing.T) {
-	ctx := context.Background()
-	verifyCommand := VerifyCommand{
-		CertRef: "cert.pem",
-		CertVerifyOptions: options.CertVerifyOptions{
-			CertIdentity:         "identity",
-			CertOidcIssuerRegexp: ".*",
-		},
-	}
-
-	err := verifyCommand.Exec(ctx, []string{"foo", "bar", "baz"})
-	t.Logf("INFO: verifyCommand error: %v", err)
-	if err == nil {
-		t.Fatal("verify expected 'need --certificate-oidc-issuer'")
-	}
-}

test/e2e_test.go

@@ -176,6 +176,51 @@ func TestSignVerify(t *testing.T) {
 	mustErr(verify(pubKeyPath, imgName, true, map[string]interface{}{"foo": "bar", "baz": "bat"}, ""), t)
 }
 
+func TestSignVerifyKeylessCertChain(t *testing.T) {
+	repo, stop := reg(t)
+	defer stop()
+	td := t.TempDir()
+
+	imgName := path.Join(repo, "cosign-e2e")
+
+	_, _, cleanup := mkimage(t, imgName)
+	defer cleanup()
+
+	_, privKeyPath, pubKeyPath := keypair(t, td)
+
+	ctx := context.Background()
+	// Verify should fail at first
+	mustErr(verify(pubKeyPath, imgName, true, nil, ""), t)
+	// So should download
+	mustErr(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t)
+
+	// Now sign the image
+	ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
+	so := options.SignOptions{
+		Upload: true,
+	}
+	must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
+
+	// Now verify and download should work!
+	must(verify(pubKeyPath, imgName, true, nil, ""), t)
+	must(download.SignatureCmd(ctx, options.RegistryOptions{}, imgName), t)
+
+	// Look for a specific annotation
+	mustErr(verify(pubKeyPath, imgName, true, map[string]interface{}{"foo": "bar"}, ""), t)
+
+	so.AnnotationOptions = options.AnnotationOptions{
+		Annotations: []string{"foo=bar"},
+	}
+	// Sign the image with an annotation
+	must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
+
+	// It should match this time.
+	must(verify(pubKeyPath, imgName, true, map[string]interface{}{"foo": "bar"}, ""), t)
+
+	// But two doesn't work
+	mustErr(verify(pubKeyPath, imgName, true, map[string]interface{}{"foo": "bar", "baz": "bat"}, ""), t)
+}
+
 func TestSignVerifyClean(t *testing.T) {
 	repo, stop := reg(t)
 	defer stop()