From 6c06f4e222a9a9abf19eaf242cc22ab750f9a2b2 Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Thu, 29 Sep 2022 07:01:36 +0100
Subject: [PATCH] The libgit2 libraries are downloaded and verified before some of the make targets are executed. This assures the provenance of such files before using them and is very important specially for end users running such tests on their machines. Note that has been disabled specially due to recent issues we experienced at CI which can be seen in: fluxcd/source-controller#899
Signed-off-by: Paulo Gomes
---
 .github/workflows/cifuzz.yaml | 2 ++
 .github/workflows/e2e.yaml | 2 ++
 .github/workflows/tests.yaml | 5 +++++
 Makefile | 3 +++
 hack/install-libraries.sh | 11 ++++++++---
 5 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/cifuzz.yaml b/.github/workflows/cifuzz.yaml
index ebf71fb1..6ff2940d 100644
--- a/.github/workflows/cifuzz.yaml
+++ b/.github/workflows/cifuzz.yaml
@@ -33,3 +33,5 @@ jobs:
 ${{ runner.os }}-go
 - name: Smoke test Fuzzers
 run: make fuzz-smoketest
+ env:
+ SKIP_COSIGN_VERIFICATION: true
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 7a79f004..024885e8 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -47,6 +47,7 @@ jobs:
 uses: fluxcd/pkg/actions/helm@main
 - name: Run E2E tests
 env:
+ SKIP_COSIGN_VERIFICATION: true
 CREATE_CLUSTER: false
 run: make e2e
@@ -76,6 +77,7 @@ jobs:
 kind create cluster --name ${{ steps.prep.outputs.CLUSTER }} --kubeconfig=/tmp/${{ steps.prep.outputs.CLUSTER }}
 - name: Run e2e tests
 env:
+ SKIP_COSIGN_VERIFICATION: true
 KIND_CLUSTER_NAME: ${{ steps.prep.outputs.CLUSTER }}
 KUBECONFIG: /tmp/${{ steps.prep.outputs.CLUSTER }}
 CREATE_CLUSTER: false
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index edf92c39..67931add 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
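Review bot: The added `SKIP_COSIGN_VERIFICATION: true` under the smoke-test step turns off the signature check on the downloaded libgit2 checksums for every CI run, and nothing in the hunk records why or until when, so the bypass will quietly outlive the CI incident (fluxcd/source-controller#899, per the commit message) that motivated it. A comment on the env line keeps that visible to whoever next edits the workflow, e.g. `# TEMPORARY: cosign verification disabled because of fluxcd/source-controller#899; remove once resolved.` Quoting the value as `"true"` would also make explicit that the install script receives the string it compares, although GitHub Actions already passes env values to the step as strings.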
@@ -34,6 +34,7 @@ jobs:
 ${{ runner.os }}-go-
 - name: Run tests
 env:
+ SKIP_COSIGN_VERIFICATION: true
 TEST_AZURE_ACCOUNT_NAME: ${{ secrets.TEST_AZURE_ACCOUNT_NAME }}
 TEST_AZURE_ACCOUNT_KEY: ${{ secrets.TEST_AZURE_ACCOUNT_KEY }}
 run: make test
@@ -51,6 +52,8 @@ jobs:
 go-version: 1.19.x
 - name: Run tests
 env:
+ SKIP_COSIGN_VERIFICATION: true
+
 TEST_AZURE_ACCOUNT_NAME: ${{ secrets.TEST_AZURE_ACCOUNT_NAME }}
 TEST_AZURE_ACCOUNT_KEY: ${{ secrets.TEST_AZURE_ACCOUNT_KEY }}
@@ -87,3 +90,5 @@ jobs:
 ${{ runner.os }}-go-
 - name: Run tests
 run: make test
+ env:
+ SKIP_COSIGN_VERIFICATION: true
diff --git a/Makefile b/Makefile
index 4207a121..66ffac72 100644
--- a/Makefile
+++ b/Makefile
@@ -12,6 +12,9 @@ GO_TEST_ARGS ?= -race
 # Allows for filtering tests based on the specified prefix
 GO_TEST_PREFIX ?=
+# Defines whether cosign verification should be skipped.
+SKIP_COSIGN_VERIFICATION ?= false
+
 # Allows for defining additional Docker buildx arguments,
 # e.g. '--push'.
 BUILD_ARGS ?=
diff --git a/hack/install-libraries.sh b/hack/install-libraries.sh
index 9e4966a5..aed0507a 100755
--- a/hack/install-libraries.sh
+++ b/hack/install-libraries.sh
@@ -6,6 +6,7 @@ IMG="${IMG:-}"
 TAG="${TAG:-}"
 IMG_TAG="${IMG}:${TAG}"
 DOWNLOAD_URL="https://github.com/fluxcd/golang-with-libgit2/releases/download/${TAG}"
+SKIP_COSIGN_VERIFICATION="${SKIP_COSIGN_VERIFICATION:-false}"
 TMP_DIR=$(mktemp -d)
@@ -48,9 +49,13 @@ cosign_verify(){
 assure_provenance() {
 [[ $# -eq 1 ]] || fatal 'assure_provenance needs exactly 1 arguments'
- cosign_verify "${TMP_DIR}/checksums.txt.pem" \
- "${TMP_DIR}/checksums.txt.sig" \
- "${TMP_DIR}/checksums.txt"
+ if "${SKIP_COSIGN_VERIFICATION}"; then
+ echo 'Skipping cosign verification...'
+ else
+ cosign_verify "${TMP_DIR}/checksums.txt.pem" \
+ "${TMP_DIR}/checksums.txt.sig" \
+ "${TMP_DIR}/checksums.txt"
+ fi
 pushd "${TMP_DIR}" || exit
 if command -v sha256sum; then
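Review bot: The hunk counts for the second tests.yaml hunk (6 old lines, 8 new) imply that the bare `+` after `SKIP_COSIGN_VERIFICATION: true` is an added empty line inside the `env:` mapping, which none of the other three workflow hunks in this commit introduce. If the collapsed layout is being read correctly, that blank line looks accidental and should be dropped so the env block stays contiguous and consistent with its siblings. It is harmless to the YAML parser, so this is a style point only.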
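Review bot: `SKIP_COSIGN_VERIFICATION ?= false` is declared as a plain make variable and nothing in the hunk exports it, while `hack/install-libraries.sh` in the same commit reads `SKIP_COSIGN_VERIFICATION` from the environment; unless a recipe outside this hunk passes it on the command line, the script will never see a value set via `make SKIP_COSIGN_VERIFICATION=true test`. If that is the intended interface, declare it as `export SKIP_COSIGN_VERIFICATION ?= false` so recipes inherit it. The comment should also state the accepted values, since the script interprets the value literally: `# Set to true to skip cosign verification of the downloaded libgit2 libraries (accepted values: true, false).`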
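Review bot: `if "${SKIP_COSIGN_VERIFICATION}"; then` executes the variable's value as a command instead of comparing it, so any value other than `true`/`false` — `1`, `yes`, a typo — is run as a program name: a command-not-found (exit 127) happens to fall into the verifying `else` branch, but a value naming an existing executable would simply be executed. Test the string instead, matching the `[[ … ]]` already used two lines above: `if [[ "${SKIP_COSIGN_VERIFICATION}" == "true" ]]; then`. The skip message should also say what is lost: the sha256 check that follows only compares against a `checksums.txt` that is presumably fetched from the same `DOWNLOAD_URL`, so with cosign skipped the download is integrity-checked but its provenance is not established — `echo 'Skipping cosign verification: checksums.txt is unverified, provenance of the libgit2 download is NOT assured'` keeps that visible in CI logs. The body of assure_provenance continues past the end of the hunk.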