cli: dynamically select signature validation pubkey for release and pre-release artifacts

2025-05-06 16:25:21 -04:00 · 2023-05-26 17:49:46 +02:00 · 2023-05-26 17:49:46 +02:00 · 8a851c8f39
commit 8a851c8f39
parent ada66a64a1
19 changed files with 170 additions and 145 deletions
--- a/cli/internal/cmd/configfetchmeasurements_test.go
+++ b/cli/internal/cmd/configfetchmeasurements_test.go
@ -162,24 +162,6 @@ func newTestClient(fn roundTripFunc) *http.Client {
 }

 func TestConfigFetchMeasurements(t *testing.T) {
-	// Cosign private key used to sign the measurements.
-	// Generated with: cosign generate-key-pair
-	// Password left empty.
-	//
-	// -----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----
-	// eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6
-	// OCwicCI6MX0sInNhbHQiOiJlRHVYMWRQMGtIWVRnK0xkbjcxM0tjbFVJaU92eFVX
-	// VXgvNi9BbitFVk5BPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
-	// Iiwibm9uY2UiOiJwaWhLL2txNmFXa2hqSVVHR3RVUzhTVkdHTDNIWWp4TCJ9LCJj
-	// aXBoZXJ0ZXh0Ijoidm81SHVWRVFWcUZ2WFlQTTVPaTVaWHM5a255bndZU2dvcyth
-	// VklIeHcrOGFPamNZNEtvVjVmL3lHRHR0K3BHV2toanJPR1FLOWdBbmtsazFpQ0c5
-	// a2czUXpPQTZsU2JRaHgvZlowRVRZQ0hLeElncEdPRVRyTDlDenZDemhPZXVSOXJ6
-	// TDcvRjBBVy9vUDVqZXR3dmJMNmQxOEhjck9kWE8yVmYxY2w0YzNLZjVRcnFSZzlN
-	// dlRxQWFsNXJCNHNpY1JaMVhpUUJjb0YwNHc9PSJ9
-	// -----END ENCRYPTED COSIGN PRIVATE KEY-----
-
-	cosignPublicKey := []byte("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEu78QgxOOcao6U91CSzEXxrKhvFTt\nJHNy+eX6EMePtDm8CnDF9HSwnTlD0itGJ/XHPQA5YX10fJAqI1y+ehlFMw==\n-----END PUBLIC KEY-----")
-
 	measurements := `{
 	"version": "v999.999.999",
 	"ref": "-",
@ -222,7 +204,7 @@ func TestConfigFetchMeasurements(t *testing.T) {
 	]
 }
 `
-	signature := "MEUCIHQETkvMRy8WaWMroX4Aa2J86bTW0kGMp8NG0YLXJKZJAiEA7ZdxoQzSTyBFNhZ1bwB5eT3av0biAdb66dJRFxQlKLA="
+	signature := "placeholder-signature"

 	client := newTestClient(func(req *http.Request) *http.Response {
 		if req.URL.Path == "/constellation/v2/ref/-/stream/stable/v999.999.999/image/measurements.json" {
@ -249,23 +231,35 @@ func TestConfigFetchMeasurements(t *testing.T) {
 	})

 	testCases := map[string]struct {
-		verifier rekorVerifier
+		cosign  cosignVerifier
+		rekor   rekorVerifier
+		wantErr bool
 	}{
 		"success": {
-			verifier: singleUUIDVerifier(),
+			cosign: &stubCosignVerifier{},
+			rekor:  singleUUIDVerifier(),
 		},
 		"failing search should not result in error": {
-			verifier: &stubRekorVerifier{
+			cosign: &stubCosignVerifier{},
+			rekor: &stubRekorVerifier{
 				SearchByHashUUIDs: []string{},
 				SearchByHashError: errors.New("some error"),
 			},
 		},
 		"failing verify should not result in error": {
-			verifier: &stubRekorVerifier{
+			cosign: &stubCosignVerifier{},
+			rekor: &stubRekorVerifier{
 				SearchByHashUUIDs: []string{"11111111111111111111111111111111111111111111111111111111111111111111111111111111"},
 				VerifyEntryError:  errors.New("some error"),
 			},
 		},
+		"signature verification failure": {
+			cosign: &stubCosignVerifier{
+				verifyError: errors.New("some error"),
+			},
+			rekor:   singleUUIDVerifier(),
+			wantErr: true,
+		},
 	}

 	for name, tc := range testCases {
@ -285,7 +279,12 @@ func TestConfigFetchMeasurements(t *testing.T) {
 			require.NoError(err)
 			cfm := &configFetchMeasurementsCmd{log: logger.NewTest(t)}

-			assert.NoError(cfm.configFetchMeasurements(cmd, tc.verifier, cosignPublicKey, fileHandler, client))
+			err = cfm.configFetchMeasurements(cmd, tc.cosign, tc.rekor, fileHandler, client)
+			if tc.wantErr {
+				assert.Error(err)
+				return
+			}
+			assert.NoError(err)
 		})
 	}
 }