image-rs: update cosign signed image test materials
Now, the cases

Case: Deny pulling an unencrypted unsigned image from a protected
registry
Image: ghcr.io/confidential-containers/test-container-image-rs:unsigned

Case: Allow pulling an unencrypted signed image with cosign-signed signature
Image: ghcr.io/confidential-containers/test-container-image-rs:cosign-signed

Case: Deny pulling an unencrypted signed image by cosign using a wrong public key
Image: ghcr.io/confidential-containers/test-container-image-rs:cosign-signed-key2

At the same time, the images on the ghcr.io side are updated. The
original tag `cosign-signed-key2` is actually the `unsigned` one, and
we updated a new real `unsigned` one.

Related policy file updated.

Signed-off-by: Xynnn007 <[email protected]>
Xynnn007 committed Jul 19, 2024
1 parent 4619b4b commit 1fd4f08
Showing 6 changed files with 23 additions and 7 deletions.
4 changes: 2 additions & 2 deletions image-rs/src/signature/mechanism/cosign/mod.rs
@@ -272,7 +272,7 @@ mod tests {
&format!("\
{{\
\"type\": \"sigstoreSigned\",\
\"keyPath\": \"{}/test_data/signature/cosign/cosign2.pub\"\
\"keyPath\": \"{}/test_data/signature/cosign/cosign3.pub\"\
}}",
std::env::current_dir().expect("get current dir").to_str().expect("get current dir")
),
@@ -302,7 +302,7 @@ mod tests {
&format!("\
{{\
\"type\": \"sigstoreSigned\",\
\"keyPath\": \"{}/test_data/signature/cosign/cosign2.pub\"\
\"keyPath\": \"{}/test_data/signature/cosign/cosign3.pub\"\
}}",
std::env::current_dir().expect("get current dir").to_str().expect("get current dir")
),
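Review bot: Nothing at the two changed `keyPath` lines says which key `cosign3.pub` is or what verdict the test expects from it. Judging by the key files in this commit, `cosign3.pub` carries the bytes previously stored as `cosign2.pub`, while `cosign2.pub` now holds a different key, so the numeric names no longer tell a reader which key signed which image. A comment above each policy string, such as `// cosign3.pub: key formerly stored as cosign2.pub (<role in this test>)`, would keep a later key rotation from silently turning a deny case into an allow case. The expected outcome of both tests is outside the hunks, so the wording needs to be confirmed against the test bodies.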
@@ -1,5 +1,5 @@
{
"default/security-policy/test": "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",
"default/security-policy/test": "ewogICAgImRlZmF1bHQiOiBbCiAgICAgICAgewogICAgICAgICAgICAidHlwZSI6ICJpbnNlY3VyZUFjY2VwdEFueXRoaW5nIgogICAgICAgIH0KICAgIF0sCiAgICAidHJhbnNwb3J0cyI6IHsKICAgICAgICAiZG9ja2VyIjogewogICAgICAgICAgICAicXVheS5pby9rYXRhLWNvbnRhaW5lcnMvY29uZmlkZW50aWFsLWNvbnRhaW5lcnMiOiBbCiAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgInR5cGUiOiAic2lnbmVkQnkiLAogICAgICAgICAgICAgICAgICAgICJrZXlUeXBlIjogIkdQR0tleXMiLAogICAgICAgICAgICAgICAgICAgICJrZXlQYXRoIjogImticzovLy9kZWZhdWx0L2dwZy1wdWJsaWMta2V5L3Rlc3QiCiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJnaGNyLmlvL2NvbmZpZGVudGlhbC1jb250YWluZXJzL3Rlc3QtY29udGFpbmVyLWltYWdlLXJzOnVuc2lnbmVkIjogWwogICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICJ0eXBlIjogInNpZ3N0b3JlU2lnbmVkIiwKICAgICAgICAgICAgICAgICAgICAia2V5UGF0aCI6ICJrYnM6Ly8vZGVmYXVsdC9jb3NpZ24tcHVibGljLWtleS90ZXN0IgogICAgICAgICAgICAgICAgfQogICAgICAgICAgICBdLAogICAgICAgICAgICAiZ2hjci5pby9jb25maWRlbnRpYWwtY29udGFpbmVycy90ZXN0LWNvbnRhaW5lci1pbWFnZS1yczpjb3NpZ24tc2lnbmVkIjogWwogICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICJ0eXBlIjogInNpZ3N0b3JlU2lnbmVkIiwKICAgICAgICAgICAgICAgICAgICAia2V5UGF0aCI6ICJrYnM6Ly8vZGVmYXVsdC9jb3NpZ24tcHVibGljLWtleS90ZXN0IgogICAgICAgICAgICAgICAgfQogICAgICAgICAgICBdLAogICAgICAgICAgICAiZ2hjci5pby9jb25maWRlbnRpYWwtY29udGFpbmVycy90ZXN0LWNvbnRhaW5lci1pbWFnZS1yczpjb3NpZ24tc2lnbmVkLWtleTIiOiBbCiAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgInR5cGUiOiAic2lnc3RvcmVTaWduZWQiLAogICAgICAgICAgICAgICAgICAgICJrZXlQYXRoIjogImticzovLy9kZWZhdWx0L2Nvc2lnbi1wdWJsaWMta2V5L3Rlc3QiCiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgIF0KICAgICAgICB9CiAgICB9Cn0=",
"default/sigstore-config/test": "ZG9ja2VyOgogICAgcXVheS5pby9rYXRhLWNvbnRhaW5lcnMvY29uZmlkZW50aWFsLWNvbnRhaW5lcnM6CiAgICAgICAgc2lnc3RvcmU6IGZpbGU6Ly8vZXRjL2NvbnRhaW5lcnMvcXVheV92ZXJpZmljYXRpb24vc2lnbmF0dXJlcwogICAgICAgIHNpZ3N0b3JlLXN0YWdpbmc6IGZpbGU6Ly8vZXRjL2NvbnRhaW5lcnMvcXVheV92ZXJpZmljYXRpb24vc2lnbmF0dXJlcw==",
"default/gpg-public-key/test": "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",
"default/cosign-public-key/test": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFd1FFamRDaUwzSUxVZjA3TkRrRFZoZ0tDajFDNgpCc0NmbU0venQxa05TajAvK25BcUErMjVYZnlDbFlxMmxKRko2VGtnQ3NmNTdjVENrWFlEejljK1lnPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==",
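Review bot: The new `default/security-policy/test` value decodes to a policy whose top-level rule is `"default": [{"type": "insecureAcceptAnything"}]`, so every deny case depends on the image being listed by exact reference under `transports.docker`. A tag that is renamed or mistyped in a test would fall through to the default and be accepted without any signature check. Whether that default predates this commit cannot be told from the page, because the old value is not shown. If no other test relies on it, a fail-closed default such as `"default": [{"type": "reject"}]` would make the fixture catch such mistakes. Keeping the decoded policy as a readable file next to the fixture would also let reviewers see policy changes that the base64 blob hides.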
11 changes: 11 additions & 0 deletions image-rs/test_data/signature/cosign/cosign2.key
@@ -0,0 +1,11 @@
-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----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-----END ENCRYPTED COSIGN PRIVATE KEY-----
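Review bot: `cosign2.key` puts a private signing key into the repository, and nothing in the commit marks it as a throwaway test key or says where its passphrase is recorded. A short README in `image-rs/test_data/signature/cosign/` would help: state that the key is for test fixtures only, which image tag it signed, and how the pair is regenerated. That would keep it from being trusted in any non-test policy and let the fixtures be rebuilt later. That it pairs with the new `cosign2.pub` is inferred from the file names only.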
6 changes: 3 additions & 3 deletions image-rs/test_data/signature/cosign/cosign2.pub
@@ -1,4 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwJJ8FUosLoG904cjV5FHrBlcYmb1
bR2/Mjfs6S+IQnz9tYdEtERUPGFhkyfaUOQx4EJlAuxObaIFq3eN6nD39w==
-----END PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzzlnST0badefTkH8WSg/bGqgi74V
N9GE6/PGcRYfqVvIc5GZy7PaZUY66WxSO+n3W1fDaiO+Eh9GBp+VMABEvA==
-----END PUBLIC KEY-----
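--- a/image-rs/test_data/signature/cosign/cosign3.pub
+++ b/image-rs/test_data/signature/cosign/cosign3.pub
@@ -0,0 +1,5 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwJJ8FUosLoG904cjV5FHrBlcYmb1
+bR2/Mjfs6S+IQnz9tYdEtERUPGFhkyfaUOQx4EJlAuxObaIFq3eN6nD39w==
+-----END PUBLIC KEY-----
+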
2 changes: 1 addition & 1 deletion image-rs/tests/signature_verification.rs
@@ -51,7 +51,7 @@ const _TESTS: [_TestItem; _TEST_ITEMS] = [
description: "Allow pulling a unencrypted signed image from a protected registry.",
},
_TestItem {
image_ref: "quay.io/kata-containers/confidential-containers:unsigned",
image_ref: "ghcr.io/confidential-containers/test-container-image-rs:unsigned",
allow: false,
signing_scheme: SigningName::None,
description: "Deny pulling an unencrypted unsigned image from a protected registry.",
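Review bot: The deny entry for `ghcr.io/confidential-containers/test-container-image-rs:unsigned` with `allow: false` only proves something if the test checks why the pull was refused. The commit message itself says the old `cosign-signed-key2` tag was in fact the unsigned image, so the wrong-key case had been passing for a different reason than intended. The assertion is outside this hunk, so this is inferred; if it only checks that the pull fails, matching on the returned error would stop a missing tag, a registry outage or an absent signature from counting as "denied by policy". The tags are also mutable, so recording the expected digest beside each entry, e.g. `// digest: sha256:<DIGEST>`, would make a re-pushed tag noticeable. The `_TESTS` array starts and ends outside the hunk.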