From 1ab76264de6739770036649d3f04adba6b6809cb Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Thu, 29 Sep 2022 06:55:18 +0100
Subject: [PATCH 1/2] Bump libgit2 image to v0.3.0
Signed-off-by: Paulo Gomes
---
Dockerfile | 12 ++++++------
Makefile | 2 +-
tests/fuzz/oss_fuzz_build.sh | 2 +-
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index c0753853..10bb82a4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,7 @@ ARG GO_VERSION=1.19
ARG XX_VERSION=1.1.2
ARG LIBGIT2_IMG=ghcr.io/fluxcd/golang-with-libgit2-only
-ARG LIBGIT2_TAG=v0.2.0
+ARG LIBGIT2_TAG=v0.3.0
FROM ${LIBGIT2_IMG}:${LIBGIT2_TAG} AS libgit2-libs
@@ -64,11 +64,11 @@ ENV CGO_ENABLED=1
# Instead of using xx-go, (cross) compile with vanilla go leveraging musl tool chain.
RUN export PKG_CONFIG_PATH="/usr/local/$(xx-info triple)/lib/pkgconfig" && \
- export CGO_LDFLAGS="$(pkg-config --static --libs --cflags libgit2) -static -fuse-ld=lld" && \
- xx-go build \
- -ldflags "-s -w" \
- -tags 'netgo,osusergo,static_build' \
- -o /source-controller -trimpath main.go;
+ export CGO_LDFLAGS="$(pkg-config --static --libs --cflags libgit2) -static -fuse-ld=lld" && \
+ xx-go build \
+ -ldflags "-s -w" \
+ -tags 'netgo,osusergo,static_build' \
+ -o /source-controller -trimpath main.go;
# Ensure that the binary was cross-compiled correctly to the target platform.
RUN xx-verify --static /source-controller
diff --git a/Makefile b/Makefile
index a008d0e9..4207a121 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@ TAG ?= latest
# Base image used to build the Go binary
LIBGIT2_IMG ?= ghcr.io/fluxcd/golang-with-libgit2-only
-LIBGIT2_TAG ?= v0.2.0
+LIBGIT2_TAG ?= v0.3.0
# Allows for defining additional Go test args, e.g. '-tags integration'.
GO_TEST_ARGS ?= -race
diff --git a/tests/fuzz/oss_fuzz_build.sh b/tests/fuzz/oss_fuzz_build.sh
index 2284cf57..beb70f1c 100755
--- a/tests/fuzz/oss_fuzz_build.sh
+++ b/tests/fuzz/oss_fuzz_build.sh
@@ -16,7 +16,7 @@ set -euxo pipefail
-LIBGIT2_TAG="${LIBGIT2_TAG:-v0.2.0}"
+LIBGIT2_TAG="${LIBGIT2_TAG:-v0.3.0}"
GOPATH="${GOPATH:-/root/go}"
GO_SRC="${GOPATH}/src"
PROJECT_PATH="github.com/fluxcd/source-controller"
From 6c06f4e222a9a9abf19eaf242cc22ab750f9a2b2 Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Thu, 29 Sep 2022 07:01:36 +0100
Subject: [PATCH 2/2] The libgit2 libraries are downloaded and verified before some of the make targets are executed. This assures the provenance of such files before using them and is very important specially for end users running such tests on their machines. Note that has been disabled specially due to recent issues we experienced at CI which can be seen in: fluxcd/source-controller#899
Signed-off-by: Paulo Gomes
---
.github/workflows/cifuzz.yaml | 2 ++
.github/workflows/e2e.yaml | 2 ++
.github/workflows/tests.yaml | 5 +++++
Makefile | 3 +++
hack/install-libraries.sh | 11 ++++++++---
5 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/cifuzz.yaml b/.github/workflows/cifuzz.yaml
index ebf71fb1..6ff2940d 100644
--- a/.github/workflows/cifuzz.yaml
+++ b/.github/workflows/cifuzz.yaml
@@ -33,3 +33,5 @@ jobs:
${{ runner.os }}-go
- name: Smoke test Fuzzers
run: make fuzz-smoketest
+ env:
+ SKIP_COSIGN_VERIFICATION: true
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 7a79f004..024885e8 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -47,6 +47,7 @@ jobs:
uses: fluxcd/pkg/actions/helm@main
- name: Run E2E tests
env:
+ SKIP_COSIGN_VERIFICATION: true
CREATE_CLUSTER: false
run: make e2e
@@ -76,6 +77,7 @@ jobs:
kind create cluster --name ${{ steps.prep.outputs.CLUSTER }} --kubeconfig=/tmp/${{ steps.prep.outputs.CLUSTER }}
- name: Run e2e tests
env:
+ SKIP_COSIGN_VERIFICATION: true
KIND_CLUSTER_NAME: ${{ steps.prep.outputs.CLUSTER }}
KUBECONFIG: /tmp/${{ steps.prep.outputs.CLUSTER }}
CREATE_CLUSTER: false
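Review bot: With `SKIP_COSIGN_VERIFICATION: true` added to the cifuzz job here, and likewise to both e2e.yaml steps in this patch and to every tests.yaml job further down, no CI path exercises the new verification branch at all, so a regression in `cosign_verify` (or in the checksum file layout it expects) would only surface on a contributor's machine. The commit message presents this as a deliberate response to fluxcd/source-controller#899, which is reasonable as a stopgap; consider leaving the flag unset in at least one non-blocking job, or adding a small dedicated job that runs `hack/install-libraries.sh` with verification enabled, so the provenance check keeps being tested. A short comment next to the env entry, e.g. `# Temporarily skips cosign verification of the libgit2 libraries; see #899`, would also make it easier to find and remove these overrides later.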
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index edf92c39..67931add 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -34,6 +34,7 @@ jobs:
${{ runner.os }}-go-
- name: Run tests
env:
+ SKIP_COSIGN_VERIFICATION: true
TEST_AZURE_ACCOUNT_NAME: ${{ secrets.TEST_AZURE_ACCOUNT_NAME }}
TEST_AZURE_ACCOUNT_KEY: ${{ secrets.TEST_AZURE_ACCOUNT_KEY }}
run: make test
@@ -51,6 +52,8 @@ jobs:
go-version: 1.19.x
- name: Run tests
env:
+ SKIP_COSIGN_VERIFICATION: true
+ TEST_AZURE_ACCOUNT_NAME: ${{ secrets.TEST_AZURE_ACCOUNT_NAME }}
TEST_AZURE_ACCOUNT_KEY: ${{ secrets.TEST_AZURE_ACCOUNT_KEY }}
@@ -87,3 +90,5 @@ jobs:
${{ runner.os }}-go-
- name: Run tests
run: make test
+ env:
+ SKIP_COSIGN_VERIFICATION: true
diff --git a/Makefile b/Makefile
index 4207a121..66ffac72 100644
--- a/Makefile
+++ b/Makefile
@@ -12,6 +12,9 @@ GO_TEST_ARGS ?= -race
# Allows for filtering tests based on the specified prefix
GO_TEST_PREFIX ?=
+# Defines whether cosign verification should be skipped.
+SKIP_COSIGN_VERIFICATION ?= false
+
# Allows for defining additional Docker buildx arguments,
# e.g. '--push'.
BUILD_ARGS ?=
diff --git a/hack/install-libraries.sh b/hack/install-libraries.sh
index 9e4966a5..aed0507a 100755
--- a/hack/install-libraries.sh
+++ b/hack/install-libraries.sh
@@ -6,6 +6,7 @@ IMG="${IMG:-}"
TAG="${TAG:-}"
IMG_TAG="${IMG}:${TAG}"
DOWNLOAD_URL="https://github.com/fluxcd/golang-with-libgit2/releases/download/${TAG}"
+SKIP_COSIGN_VERIFICATION="${SKIP_COSIGN_VERIFICATION:-false}"
TMP_DIR=$(mktemp -d)
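Review bot: The comment on the new `SKIP_COSIGN_VERIFICATION ?= false` line in the Makefile hunk says what the knob does but not what is given up by turning it on, which is the thing a user scanning the Makefile needs to know; suggest `# Set to true to skip cosign verification of the downloaded libgit2 libraries. Their provenance is then NOT checked; intended only for environments with other controls.` Nothing in this hunk `export`s the variable, so a value set only inside the Makefile would not reach hack/install-libraries.sh unless it is exported elsewhere (values arriving from the environment or the make command line do propagate by default, which is presumably how the CI `env:` entries work); if the Makefile default is meant to be authoritative, add `export SKIP_COSIGN_VERIFICATION` next to it.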
@@ -48,9 +49,13 @@ cosign_verify(){
assure_provenance() {
[[ $# -eq 1 ]] || fatal 'assure_provenance needs exactly 1 arguments'
- cosign_verify "${TMP_DIR}/checksums.txt.pem" \
- "${TMP_DIR}/checksums.txt.sig" \
- "${TMP_DIR}/checksums.txt"
+ if "${SKIP_COSIGN_VERIFICATION}"; then
+ echo 'Skipping cosign verification...'
+ else
+ cosign_verify "${TMP_DIR}/checksums.txt.pem" \
+ "${TMP_DIR}/checksums.txt.sig" \
+ "${TMP_DIR}/checksums.txt"
+ fi
pushd "${TMP_DIR}" || exit
if command -v sha256sum; then
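Review bot: `if "${SKIP_COSIGN_VERIFICATION}"; then` executes the variable's value as a command rather than testing it as a boolean, so it only behaves as intended for the exact strings `true` and `false` (the shell builtins); any other value a user might reasonably export — `1`, `yes`, `True` — is looked up as a program name, which mostly falls through to verification but in the case of `yes` would run the coreutils program of that name. A string comparison is explicit and fail-closed for every unrecognised value: `if [[ "${SKIP_COSIGN_VERIFICATION}" == "true" ]]; then`. Because taking this branch means the checksums file, and therefore every library downloaded from it, is used without any provenance check, the message would be better as a warning on stderr, e.g. `echo 'WARNING: skipping cosign verification; downloaded libgit2 artifacts are NOT provenance-checked' >&2`. assure_provenance's body continues past the end of the hunk.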