The libgit2 libraries are downloaded and verified before

some of the make targets are executed. This assures the provenance of such files before using them and is very important specially for end users running such tests on their machines. Note that has been disabled specially due to recent issues we experienced at CI which can be seen in: fluxcd/source-controller#899 Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
2022-09-29 07:01:36 +01:00 · 2022-09-29 07:01:36 +01:00 · 6c06f4e222
parent 1ab76264de
commit 6c06f4e222
5 changed files with 20 additions and 3 deletions
--- a/.github/workflows/cifuzz.yaml
+++ b/.github/workflows/cifuzz.yaml
@ -33,3 +33,5 @@ jobs:
          ${{ runner.os }}-go
    - name: Smoke test Fuzzers
      run: make fuzz-smoketest
+      env:
+        SKIP_COSIGN_VERIFICATION: true
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@ -47,6 +47,7 @@ jobs:
        uses: fluxcd/pkg/actions/helm@main
      - name: Run E2E tests
        env:
+          SKIP_COSIGN_VERIFICATION: true
          CREATE_CLUSTER: false
        run: make e2e

@ -76,6 +77,7 @@ jobs:
          kind create cluster --name ${{ steps.prep.outputs.CLUSTER }} --kubeconfig=/tmp/${{ steps.prep.outputs.CLUSTER }}
      - name: Run e2e tests
        env:
+          SKIP_COSIGN_VERIFICATION: true
          KIND_CLUSTER_NAME: ${{ steps.prep.outputs.CLUSTER }}
          KUBECONFIG: /tmp/${{ steps.prep.outputs.CLUSTER }}
          CREATE_CLUSTER: false
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@ -34,6 +34,7 @@ jobs:
            ${{ runner.os }}-go-
      - name: Run tests
        env:
+          SKIP_COSIGN_VERIFICATION: true
          TEST_AZURE_ACCOUNT_NAME: ${{ secrets.TEST_AZURE_ACCOUNT_NAME }}
          TEST_AZURE_ACCOUNT_KEY: ${{ secrets.TEST_AZURE_ACCOUNT_KEY }}
        run: make test
@ -51,6 +52,8 @@ jobs:
          go-version: 1.19.x
      - name: Run tests
        env:
+          SKIP_COSIGN_VERIFICATION: true
+
          TEST_AZURE_ACCOUNT_NAME: ${{ secrets.TEST_AZURE_ACCOUNT_NAME }}
          TEST_AZURE_ACCOUNT_KEY: ${{ secrets.TEST_AZURE_ACCOUNT_KEY }}
          
@ -87,3 +90,5 @@ jobs:
            ${{ runner.os }}-go-
      - name: Run tests
        run: make test
+        env:
+          SKIP_COSIGN_VERIFICATION: true
--- a/3
+++ b/3
@ -12,6 +12,9 @@ GO_TEST_ARGS ?= -race
 # Allows for filtering tests based on the specified prefix
 GO_TEST_PREFIX ?=

+# Defines whether cosign verification should be skipped.
+SKIP_COSIGN_VERIFICATION ?= false
+
 # Allows for defining additional Docker buildx arguments,
 # e.g. '--push'.
 BUILD_ARGS ?=
--- a/hack/install-libraries.sh
+++ b/hack/install-libraries.sh
@ -6,6 +6,7 @@ IMG="${IMG:-}"
 TAG="${TAG:-}"
 IMG_TAG="${IMG}:${TAG}"
 DOWNLOAD_URL="https://github.com/fluxcd/golang-with-libgit2/releases/download/${TAG}"
+SKIP_COSIGN_VERIFICATION="${SKIP_COSIGN_VERIFICATION:-false}"

 TMP_DIR=$(mktemp -d)

@ -48,9 +49,13 @@ cosign_verify(){
 assure_provenance() {
    [[ $# -eq 1 ]] || fatal 'assure_provenance needs exactly 1 arguments'

-    cosign_verify "${TMP_DIR}/checksums.txt.pem" \
-                  "${TMP_DIR}/checksums.txt.sig" \
-                  "${TMP_DIR}/checksums.txt"
+    if "${SKIP_COSIGN_VERIFICATION}"; then
+        echo 'Skipping cosign verification...'
+    else
+        cosign_verify "${TMP_DIR}/checksums.txt.pem" \
+                    "${TMP_DIR}/checksums.txt.sig" \
+                    "${TMP_DIR}/checksums.txt"
+    fi

    pushd "${TMP_DIR}" || exit
    if command -v sha256sum; then