test: use environment variables

Signed-off-by: Hector Fernandez <[email protected]>
sigstore · Oct 18, 2022 · dcd2bd9 · dcd2bd9
1 parent ca56d97
commit dcd2bd9
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 12 deletions.
diff --git a/cmd/cosign/cli/dockerfile.go b/cmd/cosign/cli/dockerfile.go
@@ -40,8 +40,8 @@ func dockerfileVerify() *cobra.Command {
 	o := &options.VerifyDockerfileOptions{}
 
 	cmd := &cobra.Command{
-		Use:   "verify",
-		Short: "Verify a signature on the base image specified in the Dockerfile",
+		Use:              "verify",
+		Short:            "Verify a signature on the base image specified in the Dockerfile",
 		PersistentPreRun: options.BindViper,
 		Long: `Verify signature and annotations on images in a Dockerfile by checking claims
 against the transparency log.
@@ -115,4 +115,4 @@ Shell-like variables in the Dockerfile's FROM lines will be substituted with val
 	o.AddFlags(cmd)
 
 	return cmd
-}
+}
diff --git a/test/e2e_test_secrets.sh b/test/e2e_test_secrets.sh
@@ -159,33 +159,33 @@ if ( ! cmp -s randomblob randomblob_from_digest ); then false; fi
 
 # TODO: tlog
 
-## KMS!
+## KMS using env variables!
 TEST_KMS=${TEST_KMS:-gcpkms://projects/projectsigstore/locations/global/keyRings/e2e-test/cryptoKeys/test}
 (crane delete $(./cosign triangulate $img)) || true
-./cosign generate-key-pair --kms $TEST_KMS
+COSIGN_KMS=$TEST_KMS ./cosign generate-key-pair
 signing_key=$TEST_KMS
 
 if (./cosign verify --key ${verification_key} $img); then false; fi
-./cosign sign --key ${signing_key} $img
-./cosign verify --key ${verification_key} $img
+COSIGN_KEY=${signing_key} ./cosign sign $img
+COSIGN_KEY=${verification_key} ./cosign verify $img
 
 if (./cosign verify -a foo=bar --key ${verification_key} $img); then false; fi
-./cosign sign --key ${signing_key} -a foo=bar $img
-./cosign verify --key ${verification_key} -a foo=bar $img
+COSIGN_KEY=${signing_key} ./cosign sign -a foo=bar $img
+COSIGN_KEY=${verification_key} ./cosign verify -a foo=bar $img
 
 # store signatures in a different repo
 export COSIGN_REPOSITORY=${TEST_INSTANCE_REPO}/subbedrepo
 (crane delete $(./cosign triangulate $img)) || true
-./cosign sign --key ${signing_key} $img
-./cosign verify --key ${verification_key} $img
+COSIGN_KEY=${signing_key} ./cosign sign $img
+COSIGN_KEY=${verification_key} ./cosign verify $img
 unset COSIGN_REPOSITORY
 
 # test stdin interaction for private key password
 stdin_password=${COSIGN_PASSWORD}
 unset COSIGN_PASSWORD
 (crane delete $(./cosign triangulate $img)) || true
 echo $stdin_password | ./cosign sign --key ${signing_key} --output-signature interactive.sig  $img
-./cosign verify --key ${verification_key} --signature interactive.sig $img
+COSIGN_KEY=${verification_key} COSIGN_SIGNATURE=interactive.sig ./cosign verify $img
 export COSIGN_PASSWORD=${stdin_password}
 
 # What else needs auth?

diff --git a/test/sign_blob_test.sh b/test/sign_blob_test.sh
@@ -34,6 +34,9 @@ $COSIGN_CLI sign-blob --output-certificate blob.cert --output-signature blob.sig
 
 echo "Verifying ..."
 $COSIGN_CLI verify-blob --signature blob.sig --cert blob.cert $BLOB
+echo "Verifying using cosign ENV variables..."
+COSIGN_SIGNATURE=blob.sig COSIGN_CERTIFICATE=blob.cert $COSIGN_CLI verify-blob $BLOB
+
 
 # Now, sign the blob with a self-signed certificate and upload to rekor
 SIG_FILE=verify-experimental-signature
@@ -79,3 +82,6 @@ curl -X POST https://rekor.sigstore.dev/api/v1/log/entries -H 'Content-Type: app
 # Verifying should still work
 echo "Verifying ..."
 $COSIGN_CLI verify-blob --signature "$SIG_FILE" --cert "$CERT_FILE" --certificate-chain "$CERT_FILE" "$BLOB"
+
+echo "Verifying using cosign ENV variables ..."
+COSIGN_SIGNATURE="$SIG_FILE" COSIGN_CERTIFICATE_CHAIN="$CERT_FILE" COSIGN_CERTIFICATE="$CERT_FILE" $COSIGN_CLI verify-blob "$BLOB"