The libgit2 libraries are downloaded and verified before

some of the make targets are executed. This assures the
provenance of such files before using them and is very
important specially for end users running such tests on
their machines.

Note that has been disabled specially due to recent issues
we experienced at CI which can be seen in:
fluxcd/source-controller#899

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>

.github/workflows/cifuzz.yaml

@@ -33,3 +33,5 @@ jobs:
           ${{ runner.os }}-go
     - name: Smoke test Fuzzers
       run: make fuzz-smoketest
+      env:
+        SKIP_COSIGN_VERIFICATION: true

.github/workflows/e2e.yaml

@@ -47,6 +47,7 @@ jobs:
         uses: fluxcd/pkg/actions/helm@main
       - name: Run E2E tests
         env:
+          SKIP_COSIGN_VERIFICATION: true
           CREATE_CLUSTER: false
         run: make e2e
 
@@ -76,6 +77,7 @@ jobs:
           kind create cluster --name ${{ steps.prep.outputs.CLUSTER }} --kubeconfig=/tmp/${{ steps.prep.outputs.CLUSTER }}
       - name: Run e2e tests
         env:
+          SKIP_COSIGN_VERIFICATION: true
           KIND_CLUSTER_NAME: ${{ steps.prep.outputs.CLUSTER }}
           KUBECONFIG: /tmp/${{ steps.prep.outputs.CLUSTER }}
           CREATE_CLUSTER: false

.github/workflows/tests.yaml

@@ -34,6 +34,7 @@ jobs:
             ${{ runner.os }}-go-
       - name: Run tests
         env:
+          SKIP_COSIGN_VERIFICATION: true
           TEST_AZURE_ACCOUNT_NAME: ${{ secrets.TEST_AZURE_ACCOUNT_NAME }}
           TEST_AZURE_ACCOUNT_KEY: ${{ secrets.TEST_AZURE_ACCOUNT_KEY }}
         run: make test
@@ -51,6 +52,8 @@ jobs:
           go-version: 1.19.x
       - name: Run tests
         env:
+          SKIP_COSIGN_VERIFICATION: true
+
           TEST_AZURE_ACCOUNT_NAME: ${{ secrets.TEST_AZURE_ACCOUNT_NAME }}
           TEST_AZURE_ACCOUNT_KEY: ${{ secrets.TEST_AZURE_ACCOUNT_KEY }}
           
@@ -87,3 +90,5 @@ jobs:
             ${{ runner.os }}-go-
       - name: Run tests
         run: make test
+        env:
+          SKIP_COSIGN_VERIFICATION: true

Makefile

@@ -12,6 +12,9 @@ GO_TEST_ARGS ?= -race
 # Allows for filtering tests based on the specified prefix
 GO_TEST_PREFIX ?=
 
+# Defines whether cosign verification should be skipped.
+SKIP_COSIGN_VERIFICATION ?= false
+
 # Allows for defining additional Docker buildx arguments,
 # e.g. '--push'.
 BUILD_ARGS ?=

hack/install-libraries.sh

@@ -6,6 +6,7 @@ IMG="${IMG:-}"
 TAG="${TAG:-}"
 IMG_TAG="${IMG}:${TAG}"
 DOWNLOAD_URL="https://github.com/fluxcd/golang-with-libgit2/releases/download/${TAG}"
+SKIP_COSIGN_VERIFICATION="${SKIP_COSIGN_VERIFICATION:-false}"
 
 TMP_DIR=$(mktemp -d)
 
@@ -48,9 +49,13 @@ cosign_verify(){
 assure_provenance() {
     [[ $# -eq 1 ]] || fatal 'assure_provenance needs exactly 1 arguments'
 
-    cosign_verify "${TMP_DIR}/checksums.txt.pem" \
+    if "${SKIP_COSIGN_VERIFICATION}"; then
-                  "${TMP_DIR}/checksums.txt.sig" \
+        echo 'Skipping cosign verification...'
-                  "${TMP_DIR}/checksums.txt"
+    else
+        cosign_verify "${TMP_DIR}/checksums.txt.pem" \
+                    "${TMP_DIR}/checksums.txt.sig" \
+                    "${TMP_DIR}/checksums.txt"
+    fi
 
     pushd "${TMP_DIR}" || exit
     if command -v sha256sum; then