From 1fd4f080a9d6d78414a7034306e62f2015d2c3bf Mon Sep 17 00:00:00 2001
From: Xynnn007
Date: Wed, 17 Jul 2024 15:05:32 +0800
Subject: [PATCH] image-rs: update cosign signed image test materials

Now, the cases

Case: Deny pulling an unencrypted unsigned image from a protected registry
Image: ghcr.io/confidential-containers/test-container-image-rs:unsigned

Case: Allow pulling an unencrypted signed image with cosign-signed signature
Image: ghcr.io/confidential-containers/test-container-image-rs:cosign-signed

Case: Deny pulling an unencrypted signed image by cosign using a wrong public key
Image: ghcr.io/confidential-containers/test-container-image-rs:cosign-signed-key2

At the same time, the images on the ghcr.io side is updated. The original tag `cosign-signed-key2` is actually the `unsigned` one, and we updated a new real `unsigned` one.

Related policy file updated.

Signed-off-by: Xynnn007
---
 image-rs/src/signature/mechanism/cosign/mod.rs | 4 ++--
 .../offline-fs-kbc/aa-offline_fs_kbc-resources.json | 2 +-
 image-rs/test_data/signature/cosign/cosign2.key | 11 +++++++++++
 image-rs/test_data/signature/cosign/cosign2.pub | 6 +++---
 image-rs/test_data/signature/cosign/cosign3.pub | 5 +++++
 image-rs/tests/signature_verification.rs | 2 +-
 6 files changed, 23 insertions(+), 7 deletions(-)
 create mode 100644 image-rs/test_data/signature/cosign/cosign2.key
 create mode 100644 image-rs/test_data/signature/cosign/cosign3.pub

diff --git a/image-rs/src/signature/mechanism/cosign/mod.rs b/image-rs/src/signature/mechanism/cosign/mod.rs
index 955f26f3a..f4df7cb53 100644
--- a/image-rs/src/signature/mechanism/cosign/mod.rs
+++ b/image-rs/src/signature/mechanism/cosign/mod.rs
@@ -272,7 +272,7 @@ mod tests {
 &format!("\
 {{\
 \"type\": \"sigstoreSigned\",\
- \"keyPath\": \"{}/test_data/signature/cosign/cosign2.pub\"\
+ \"keyPath\": \"{}/test_data/signature/cosign/cosign3.pub\"\
 }}",
 std::env::current_dir().expect("get current dir").to_str().expect("get current dir")
 ),
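Review bot: The two `keyPath` literals switched to `cosign3.pub` here and in the hunk at line 302 now point at a file whose bytes (per the cosign3.pub hunk) are exactly the key that `cosign2.pub` held before this commit, while `cosign2.pub` keeps its name but receives a different key. Any other reference to `cosign2.pub` that is not part of this diff will therefore verify against a new key without any visible change at its call site. A comment next to each path stating which test image the key is expected to verify, e.g. `// cosign3.pub: key expected to verify the cosign-signed test image (formerly cosign2.pub)`, would make the swap reviewable; which image the new `cosign2.pub` corresponds to cannot be confirmed from this diff. The enclosing test function starts and ends outside the hunk.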
@@ -302,7 +302,7 @@ mod tests {
 &format!("\
 {{\
 \"type\": \"sigstoreSigned\",\
- \"keyPath\": \"{}/test_data/signature/cosign/cosign2.pub\"\
+ \"keyPath\": \"{}/test_data/signature/cosign/cosign3.pub\"\
 }}",
 std::env::current_dir().expect("get current dir").to_str().expect("get current dir")
 ),
diff --git a/image-rs/test_data/offline-fs-kbc/aa-offline_fs_kbc-resources.json b/image-rs/test_data/offline-fs-kbc/aa-offline_fs_kbc-resources.json
index 65d93793c..a3c9c7d2b 100644
--- a/image-rs/test_data/offline-fs-kbc/aa-offline_fs_kbc-resources.json
+++ b/image-rs/test_data/offline-fs-kbc/aa-offline_fs_kbc-resources.json
@@ -1,5 +1,5 @@
 {
- "default/security-policy/test": "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",
+ "default/security-policy/test": "ewogICAgImRlZmF1bHQiOiBbCiAgICAgICAgewogICAgICAgICAgICAidHlwZSI6ICJpbnNlY3VyZUFjY2VwdEFueXRoaW5nIgogICAgICAgIH0KICAgIF0sCiAgICAidHJhbnNwb3J0cyI6IHsKICAgICAgICAiZG9ja2VyIjogewogICAgICAgICAgICAicXVheS5pby9rYXRhLWNvbnRhaW5lcnMvY29uZmlkZW50aWFsLWNvbnRhaW5lcnMiOiBbCiAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgInR5cGUiOiAic2lnbmVkQnkiLAogICAgICAgICAgICAgICAgICAgICJrZXlUeXBlIjogIkdQR0tleXMiLAogICAgICAgICAgICAgICAgICAgICJrZXlQYXRoIjogImticzovLy9kZWZhdWx0L2dwZy1wdWJsaWMta2V5L3Rlc3QiCiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgIF0sCiAgICAgICAgICAgICJnaGNyLmlvL2NvbmZpZGVudGlhbC1jb250YWluZXJzL3Rlc3QtY29udGFpbmVyLWltYWdlLXJzOnVuc2lnbmVkIjogWwogICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICJ0eXBlIjogInNpZ3N0b3JlU2lnbmVkIiwKICAgICAgICAgICAgICAgICAgICAia2V5UGF0aCI6ICJrYnM6Ly8vZGVmYXVsdC9jb3NpZ24tcHVibGljLWtleS90ZXN0IgogICAgICAgICAgICAgICAgfQogICAgICAgICAgICBdLAogICAgICAgICAgICAiZ2hjci5pby9jb25maWRlbnRpYWwtY29udGFpbmVycy90ZXN0LWNvbnRhaW5lci1pbWFnZS1yczpjb3NpZ24tc2lnbmVkIjogWwogICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICJ0eXBlIjogInNpZ3N0b3JlU2lnbmVkIiwKICAgICAgICAgICAgICAgICAgICAia2V5UGF0aCI6ICJrYnM6Ly8vZGVmYXVsdC9jb3NpZ24tcHVibGljLWtleS90ZXN0IgogICAgICAgICAgICAgICAgfQogICAgICAgICAgICBdLAogICAgICAgICAgICAiZ2hjci5pby9jb25maWRlbnRpYWwtY29udGFpbmVycy90ZXN0LWNvbnRhaW5lci1pbWFnZS1yczpjb3NpZ24tc2lnbmVkLWtleTIiOiBbCiAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgInR5cGUiOiAic2lnc3RvcmVTaWduZWQiLAogICAgICAgICAgICAgICAgICAgICJrZXlQYXRoIjogImticzovLy9kZWZhdWx0L2Nvc2lnbi1wdWJsaWMta2V5L3Rlc3QiCiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgIF0KICAgICAgICB9CiAgICB9Cn0=",
 "default/sigstore-config/test": 
"ZG9ja2VyOgogICAgcXVheS5pby9rYXRhLWNvbnRhaW5lcnMvY29uZmlkZW50aWFsLWNvbnRhaW5lcnM6CiAgICAgICAgc2lnc3RvcmU6IGZpbGU6Ly8vZXRjL2NvbnRhaW5lcnMvcXVheV92ZXJpZmljYXRpb24vc2lnbmF0dXJlcwogICAgICAgIHNpZ3N0b3JlLXN0YWdpbmc6IGZpbGU6Ly8vZXRjL2NvbnRhaW5lcnMvcXVheV92ZXJpZmljYXRpb24vc2lnbmF0dXJlcw==", "default/gpg-public-key/test": "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", "default/cosign-public-key/test": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFd1FFamRDaUwzSUxVZjA3TkRrRFZoZ0tDajFDNgpCc0NmbU0venQxa05TajAvK25BcUErMjVYZnlDbFlxMmxKRko2VGtnQ3NmNTdjVENrWFlEejljK1lnPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==", diff --git a/image-rs/test_data/signature/cosign/cosign2.key b/image-rs/test_data/signature/cosign/cosign2.key new file mode 100644 index 000000000..5a9a2198d --- /dev/null +++ b/image-rs/test_data/signature/cosign/cosign2.key @@ -0,0 +1,11 @@ +-----BEGIN ENCRYPTED COSIGN PRIVATE KEY----- +eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6 +OCwicCI6MX0sInNhbHQiOiI2Mi9XV29sQVN5YkNBeHVuNFZhVkJFQW1kay8rUDRK +OGJJUkJPOW02dE9vPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94 +Iiwibm9uY2UiOiJjZCtZYmhVc0FvZjM1VVhROWJtQUFqUGNDL0JrMVQvayJ9LCJj +aXBoZXJ0ZXh0IjoiNktKTXhCb3R1YS9JekE1d0Z2WCtuWmp5WDFTVzJrSUpKR2Fv +SkhESDNvNnFkMDgrenlRRnpqNDBCckd1T0s2UGlaT3Y4TGhWOXFYWVRQNDZadXhB +YXNUVjZZMkR3MUUydUhQbkdUKzV5eElOTzJQY0ZRMExKMUorc0JKcDBxUXNNZXIx +bndnVWg4alFZNlJpKy94eDZrVkFmTEFtVTJNVmtrVTFNVk9QUWlsTVA5c2FmRVdy +eWFMRkpkVXYwNFRXMWV3cUpUZ0d1VEQveEE9PSJ9 +-----END ENCRYPTED COSIGN PRIVATE KEY----- diff --git a/image-rs/test_data/signature/cosign/cosign2.pub b/image-rs/test_data/signature/cosign/cosign2.pub index 8a22778cd..d0b1ff6fa 100644 --- a/image-rs/test_data/signature/cosign/cosign2.pub +++ b/image-rs/test_data/signature/cosign/cosign2.pub 
@@ -1,4 +1,4 @@
 -----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwJJ8FUosLoG904cjV5FHrBlcYmb1
-bR2/Mjfs6S+IQnz9tYdEtERUPGFhkyfaUOQx4EJlAuxObaIFq3eN6nD39w==
------END PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzzlnST0badefTkH8WSg/bGqgi74V
+N9GE6/PGcRYfqVvIc5GZy7PaZUY66WxSO+n3W1fDaiO+Eh9GBp+VMABEvA==
+-----END PUBLIC KEY-----
\ No newline at end of file
diff --git a/image-rs/test_data/signature/cosign/cosign3.pub b/image-rs/test_data/signature/cosign/cosign3.pub
new file mode 100644
index 000000000..2e9efad46
--- /dev/null
+++ b/image-rs/test_data/signature/cosign/cosign3.pub
@@ -0,0 +1,5 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwJJ8FUosLoG904cjV5FHrBlcYmb1
+bR2/Mjfs6S+IQnz9tYdEtERUPGFhkyfaUOQx4EJlAuxObaIFq3eN6nD39w==
+-----END PUBLIC KEY-----
+
diff --git a/image-rs/tests/signature_verification.rs b/image-rs/tests/signature_verification.rs
index 7cf5b61fb..d5e1168cd 100644
--- a/image-rs/tests/signature_verification.rs
+++ b/image-rs/tests/signature_verification.rs
@@ -51,7 +51,7 @@ const _TESTS: [_TestItem; _TEST_ITEMS] = [
 description: "Allow pulling a unencrypted signed image from a protected registry.",
 },
 _TestItem {
- image_ref: "quay.io/kata-containers/confidential-containers:unsigned",
+ image_ref: "ghcr.io/confidential-containers/test-container-image-rs:unsigned",
 allow: false,
 signing_scheme: SigningName::None,
 description: "Deny pulling an unencrypted unsigned image from a protected registry.",
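Review bot: The rewritten `cosign2.pub` ends without a trailing newline (`\ No newline at end of file`), while the new `cosign3.pub` in the next hunk ends with an extra empty line; PEM readers accept both, but the inconsistency makes byte-exact comparisons of these fixtures noisy. End both files with exactly one newline. The removed lines here are byte-for-byte the added lines of `cosign3.pub`, so this is effectively a rename plus a new key under the old name; a line in the commit message saying so would save the next reader from re-deriving it, since git shows it as a rewrite and an addition.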
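Review bot: The new `image_ref` identifies the fixture by a mutable tag, and the commit description itself records that the `ghcr.io` tags were re-pointed (the old `cosign-signed-key2` tag was really the unsigned image), so a future re-push can change what this "deny unsigned" case exercises with no change in the repository. Recording the expected manifest digest next to the tag, e.g. `// unsigned fixture; manifest digest <DIGEST-PLACEHOLDER> when this test was written`, gives a later failure something to diagnose against; whether the policy scope matching would also accept a digest-pinned reference cannot be determined from this hunk. The `_TESTS` array starts and ends outside the hunk.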