From 76f243551ce077c5c8e8337172a6b77585d3b976 Mon Sep 17 00:00:00 2001
From: Ville Aikas
Date: Sat, 24 Sep 2022 14:44:05 -0700
Subject: [PATCH 1/3] document the initialize flag with air-gap use case.
Signed-off-by: Ville Aikas
---
 cmd/cosign/cli/options/initialize.go | 2 +-
 doc/cosign_initialize.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/cmd/cosign/cli/options/initialize.go b/cmd/cosign/cli/options/initialize.go
index 0929f530e58..ab91955ee7c 100644
--- a/cmd/cosign/cli/options/initialize.go
+++ b/cmd/cosign/cli/options/initialize.go
@@ -31,7 +31,7 @@ var _ Interface = (*InitializeOptions)(nil)
 // AddFlags implements Interface
 func (o *InitializeOptions) AddFlags(cmd *cobra.Command) {
 cmd.Flags().StringVar(&o.Mirror, "mirror", tuf.DefaultRemoteRoot,
- "GCS bucket to a SigStore TUF repository or HTTP(S) base URL")
+ "GCS bucket to a SigStore TUF repository, or HTTP(S) base URL, or file:/// for local filestore remote (air-gap)")
 cmd.Flags().StringVar(&o.Root, "root", "", "path to trusted initial root. defaults to embedded root")
diff --git a/doc/cosign_initialize.md b/doc/cosign_initialize.md
index 5cd8f294312..73dfbe8e84a 100644
--- a/doc/cosign_initialize.md
+++ b/doc/cosign_initialize.md
@@ -41,7 +41,7 @@ cosign initialize -mirror -root
 ```
 -h, --help help for initialize
- --mirror string GCS bucket to a SigStore TUF repository or HTTP(S) base URL (default "https://sigstore-tuf-root.storage.googleapis.com")
+ --mirror string GCS bucket to a SigStore TUF repository, or HTTP(S) base URL, or file:/// for local filestore remote (air-gap) (default "https://sigstore-tuf-root.storage.googleapis.com")
 --root string path to trusted initial root. defaults to embedded root
 ```
From 8b12c4e290ec04eb704f8ab51a83d5d1eeffea85 Mon Sep 17 00:00:00 2001
From: Ville Aikas
Date: Fri, 21 Oct 2022 12:49:48 -0700
Subject: [PATCH 2/3] Add testing with air-gap TUF root.
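Review bot: The new `--mirror` help text on the `+` line tells the user to pass `file:///` but not what the path must contain or that a local repository still needs its own trusted root, while the `--root` help on the following context line still advertises the embedded root as the default, which presumably does not verify against a custom local repository. Consider `"GCS bucket to a SigStore TUF repository, or HTTP(S) base URL, or file:///<absolute path> to a local copy of a TUF repository (air-gap; pass --root for that repository)"`, and mirror the wording in doc/cosign_initialize.md, which this series updates in the next hunk. AddFlags continues past the end of the hunk.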
Signed-off-by: Ville Aikas
---
 .github/workflows/kind-verify-attestation.yaml | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml
index d9d611348cf..7fd747b71ae 100644
--- a/.github/workflows/kind-verify-attestation.yaml
+++ b/.github/workflows/kind-verify-attestation.yaml
@@ -33,6 +33,9 @@ jobs:
 matrix:
 k8s-version:
 - v1.24.x
+ tuf-root:
+ - remote
+ - air-gap
 env:
 KO_DOCKER_REPO: "registry.local:5000/policy-controller"
@@ -83,11 +86,23 @@ jobs:
 echo Created image $demoimage
 popd
- - name: Initialize with our custom TUF root
+ - name: Initialize with our custom TUF root pointing to remote root
+ if: ${{ matrix.tuf-root == 'remote' }}
 run: |
 TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}')
 ./cosign initialize --mirror $TUF_MIRROR --root ./root.json
+ - name: Initialize with custom TUF root pointing to local filesystem
+ if: ${{ matrix.tuf-root == 'air-gap' }}
+ run: |
+ # Grab the compressed repository for airgap testing.
+ kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.repository}' | base64 -d > ./repository.tar.gz
+ tar -zxvf ./repository.tar.gz
+ PWD=$(pwd)
+ ROOT=${PWD}/repository/1.root.json
+ REPOSITORY=${PWD}/repository
+ ./cosign initialize --root ${ROOT} --mirror file://${REPOSITORY}
+
 - name: Sign demoimage with cosign
 run: |
 ./cosign sign --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --yes --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }}
From 0528e19d323e427385303b0797c737b0d29aff12 Mon Sep 17 00:00:00 2001
From: Ville Aikas
Date: Wed, 9 Nov 2022 15:47:19 -0800
Subject: [PATCH 3/3] update to scaffold v0.4.13
Signed-off-by: Ville Aikas
---
 .github/workflows/kind-verify-attestation.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
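Review bot: In the air-gap step, the trust anchor handed to `--root` (`${PWD}/repository/1.root.json`) is extracted from the same archive that is then served as the `--mirror`, so the test never exercises an independently obtained root; that is acceptable for a CI smoke test but deserves a comment, e.g. `# Test only: the root is taken from the same archive as the repository; a real air-gapped install must obtain its root out-of-band.` The step also assigns the shell's own `PWD` variable, which is harmless here but misleading; `REPO_DIR=$(pwd)/repository` followed by `./cosign initialize --root "${REPO_DIR}/1.root.json" --mirror "file://${REPO_DIR}"` avoids that and quotes the paths. The `steps:` list this hunk belongs to starts and ends outside the hunk.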
diff --git a/.github/workflows/kind-verify-attestation.yaml b/.github/workflows/kind-verify-attestation.yaml
index 7fd747b71ae..dcb1f006fa4 100644
--- a/.github/workflows/kind-verify-attestation.yaml
+++ b/.github/workflows/kind-verify-attestation.yaml
@@ -39,7 +39,7 @@ jobs:
 env:
 KO_DOCKER_REPO: "registry.local:5000/policy-controller"
- SCAFFOLDING_RELEASE_VERSION: "v0.4.12"
+ SCAFFOLDING_RELEASE_VERSION: "v0.4.13"
 GO111MODULE: on
 GOFLAGS: -ldflags=-s -ldflags=-w
 KOCACHE: ~/ko