forked from sigstore/gitsign
-
Notifications
You must be signed in to change notification settings - Fork 0
148 lines (125 loc) · 5.7 KB
/
e2e.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
name: E2E
on:
push:
pull_request_target:
branches: ['main']
workflow_dispatch:
jobs:
e2e:
runs-on: ubuntu-latest
permissions:
id-token: write # Enable OIDC
# The rest of these are sanity-check settings, since I'm not sure if the
# org default is permissive or restricted.
# See https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
# for more details.
actions: none
checks: none
contents: read
deployments: none
issues: none
packages: none
pages: none
pull-requests: none
repository-projects: none
security-events: none
statuses: none
env:
# Output logs to file in case we need to inspect errors.
GITSIGN_LOG: "/tmp/gitsign.log"
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
# Use the merge commit if type is pull_request/pull_request_target,
# else use the default ref.
# By default pull_request_target will use the base branch as the
# target since it was originally intended for trusted workloads.
# However, we need to use this to have access to the OIDC creds
# for the e2e tests, so insert our own logic here.
# This is effectively a ternary of the form ${{ <condition> && <true> || <false> }}.
# See https://docs.github.com/en/actions/learn-github-actions/expressions for more details.
ref: ${{ startsWith(github.event_name, 'pull_request') && format('refs/pull/{0}/merge', github.event.number) || github.ref }}
- name: Set up Go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: '1.21'
check-latest: true
- name: Install Gitsign
run: |
set -e
# Setup repo + tool
make install-gitsign
export PATH="$PATH:$GOPATH/bin"
echo "PATH=${PATH}"
whereis gitsign
mkdir /tmp/git
cd /tmp/git
git init -b main .
git config --global user.email "[email protected]"
git config --global user.name "gitsign"
git config --global gpg.x509.program gitsign
git config --global gpg.format x509
git config --global commit.gpgsign true
# Verify tool is on our path
gitsign -h
- name: Test Sign and Verify commit
run: |
set -e
# Sign commit
git commit --allow-empty -S --message="Signed commit"
# Verify commit
echo "========== git verify-commit =========="
git verify-commit HEAD
echo "========== gitsign verify =========="
gitsign verify \
--certificate-github-workflow-repository=${{ github.repository }} \
--certificate-github-workflow-sha=${{ github.sha }} \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
--certificate-identity="https://github.com/${{ github.workflow_ref }}"
# Extra debug info
git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text
- name: Test Sign and Verify commit - offline verification
env:
GITSIGN_REKOR_MODE: "offline"
run: |
set -e
# Sign commit
git commit --allow-empty -S --message="Signed commit"
# Verify commit
echo "========== git verify-commit =========="
git verify-commit HEAD
echo "========== gitsign verify =========="
gitsign verify \
--certificate-github-workflow-repository=${{ github.repository }} \
--certificate-github-workflow-sha=${{ github.sha }} \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
--certificate-identity="https://github.com/${{ github.workflow_ref }}"
# Extra debug info
git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text
- name: Test Sign and Verify commit - staging
env:
GITSIGN_OIDC_ISSUER: "https://oauth2.sigstage.dev/auth"
GITSIGN_FULCIO_URL: "https://fulcio.sigstage.dev"
GITSIGN_REKOR_URL: "https://rekor.sigstage.dev"
run: |
set -e
# Setup staging TUF root - https://github.com/sigstore/public-good-instance/blob/1023ed05b7a8cf28e6a7de73bf98dd5075d97858/playbooks/tuf.md#updating-tuf-metadata-for-staging
rm -rf ~/.sigstore
wget https://tuf-repo-cdn.sigstage.dev/root.json
gitsign initialize --mirror=https://tuf-repo-cdn.sigstage.dev --root=root.json
# Sign commit
git commit --allow-empty -S --message="Signed commit"
# Verify commit
echo "========== git verify-commit =========="
git verify-commit HEAD
echo "========== gitsign verify =========="
gitsign verify \
--certificate-github-workflow-repository=${{ github.repository }} \
--certificate-github-workflow-sha=${{ github.sha }} \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
--certificate-identity="https://github.com/${{ github.workflow_ref }}"
# Extra debug info
git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text
- name: Debug log
if: failure()
run: cat "${GITSIGN_LOG}"