diff --git a/cmd/cosign/cli/dockerfile.go b/cmd/cosign/cli/dockerfile.go
index db0753cfb4b..91cd80564f7 100644
--- a/cmd/cosign/cli/dockerfile.go
+++ b/cmd/cosign/cli/dockerfile.go
@@ -40,8 +40,8 @@ func dockerfileVerify() *cobra.Command {
 o := &options.VerifyDockerfileOptions{}
 cmd := &cobra.Command{
- Use: "verify",
- Short: "Verify a signature on the base image specified in the Dockerfile",
+ Use: "verify",
+ Short: "Verify a signature on the base image specified in the Dockerfile",
 PersistentPreRun: options.BindViper,
 Long: `Verify signature and annotations on images in a Dockerfile by checking claims
 against the transparency log.
@@ -115,4 +115,4 @@ Shell-like variables in the Dockerfile's FROM lines will be substituted with val
 o.AddFlags(cmd)
 return cmd
-}
\ No newline at end of file
+}
diff --git a/test/e2e_test_secrets.sh b/test/e2e_test_secrets.sh
index 621bab2c80e..5b9901c6707 100755
--- a/test/e2e_test_secrets.sh
+++ b/test/e2e_test_secrets.sh
@@ -159,25 +159,25 @@ if ( ! cmp -s randomblob randomblob_from_digest ); then false; fi
 # TODO: tlog
-## KMS!
+## KMS using env variables!
 TEST_KMS=${TEST_KMS:-gcpkms://projects/projectsigstore/locations/global/keyRings/e2e-test/cryptoKeys/test}
 (crane delete $(./cosign triangulate $img)) || true
-./cosign generate-key-pair --kms $TEST_KMS
+COSIGN_KMS=$TEST_KMS ./cosign generate-key-pair
 signing_key=$TEST_KMS
 if (./cosign verify --key ${verification_key} $img); then false; fi
-./cosign sign --key ${signing_key} $img
-./cosign verify --key ${verification_key} $img
+COSIGN_KEY=${signing_key} ./cosign sign $img
+COSIGN_KEY=${verification_key} ./cosign verify $img
 if (./cosign verify -a foo=bar --key ${verification_key} $img); then false; fi
-./cosign sign --key ${signing_key} -a foo=bar $img
-./cosign verify --key ${verification_key} -a foo=bar $img
+COSIGN_KEY=${signing_key} ./cosign sign -a foo=bar $img
+COSIGN_KEY=${verification_key} ./cosign verify -a foo=bar $img
 # store signatures in a different repo
 export COSIGN_REPOSITORY=${TEST_INSTANCE_REPO}/subbedrepo
 (crane delete $(./cosign triangulate $img)) || true
-./cosign sign --key ${signing_key} $img
-./cosign verify --key ${verification_key} $img
+COSIGN_KEY=${signing_key} ./cosign sign $img
+COSIGN_KEY=${verification_key} ./cosign verify $img
 unset COSIGN_REPOSITORY
 # test stdin interaction for private key password
@@ -185,7 +185,7 @@ stdin_password=${COSIGN_PASSWORD}
 unset COSIGN_PASSWORD
 (crane delete $(./cosign triangulate $img)) || true
 echo $stdin_password | ./cosign sign --key ${signing_key} --output-signature interactive.sig $img
-./cosign verify --key ${verification_key} --signature interactive.sig $img
+COSIGN_KEY=${verification_key} COSIGN_SIGNATURE=interactive.sig ./cosign verify $img
 export COSIGN_PASSWORD=${stdin_password}
 # What else needs auth?
diff --git a/test/sign_blob_test.sh b/test/sign_blob_test.sh
index 06f2d744250..621ad72d136 100755
--- a/test/sign_blob_test.sh
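Review bot: The negative assertions in this hunk still pass the key with the flag (`if (./cosign verify -a foo=bar --key ${verification_key} $img); then false; fi`), so the `COSIGN_KEY` path is exercised only on the success side; a `verify` that accepted the env-provided key but stopped enforcing the annotation claim would still pass this test. Mirroring at least one negative case through the environment, `if (COSIGN_KEY=${verification_key} ./cosign verify -a foo=bar $img); then false; fi`, pins that an env-supplied key goes through the same claim checks as a flag-supplied one. The script also never fixes the precedence between an explicit `--key` and a `COSIGN_KEY` already present in the environment, which matters in CI where the variable can be inherited from an earlier step; one invocation that sets both to different keys and asserts the expected result would document whichever precedence the viper binding is meant to have. The @@ -185 hunk below has the same flag-on-`sign`, env-on-`verify` split.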
+++ b/test/sign_blob_test.sh
@@ -34,6 +34,9 @@ $COSIGN_CLI sign-blob --output-certificate blob.cert --output-signature blob.sig
 echo "Verifying ..."
 $COSIGN_CLI verify-blob --signature blob.sig --cert blob.cert $BLOB
+echo "Verifying using cosign ENV variables..."
+COSIGN_SIGNATURE=blob.sig COSIGN_CERTIFICATE=blob.cert $COSIGN_CLI verify-blob $BLOB
+
 # Now, sign the blob with a self-signed certificate and upload to rekor
 SIG_FILE=verify-experimental-signature
@@ -79,3 +82,6 @@ curl -X POST https://rekor.sigstore.dev/api/v1/log/entries -H 'Content-Type: app
 # Verifying should still work
 echo "Verifying ..."
 $COSIGN_CLI verify-blob --signature "$SIG_FILE" --cert "$CERT_FILE" --certificate-chain "$CERT_FILE" "$BLOB"
+
+echo "Verifying using cosign ENV variables ..."
+COSIGN_SIGNATURE="$SIG_FILE" COSIGN_CERTIFICATE_CHAIN="$CERT_FILE" COSIGN_CERTIFICATE="$CERT_FILE" $COSIGN_CLI verify-blob "$BLOB"
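Review bot: Both env-variable verifications added here assert only the success path, so they show that `COSIGN_SIGNATURE`/`COSIGN_CERTIFICATE` are accepted but not that their values are what `verify-blob` actually checks against; the @@ -79 hunk has the same gap. A negative case in that hunk that points the environment at a signature the self-signed certificate did not produce, `if (COSIGN_SIGNATURE=blob.sig COSIGN_CERTIFICATE_CHAIN="$CERT_FILE" COSIGN_CERTIFICATE="$CERT_FILE" $COSIGN_CLI verify-blob "$BLOB"); then false; fi`, would pin that the env-supplied certificate is the one the signature is verified with (this assumes, as the script's earlier section implies, that blob.sig was produced under a different key than `$CERT_FILE`). The two new `echo` messages also differ in spacing (`variables...` versus `variables ...`); pick one form.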