ci: add sigstore e2e test suite #2062

Open
stealthybox wants to merge 5 commits into sigstore-transport from sigstore-testing

Conversation

@stealthybox (Member)

Add a parallel CI job that deploys a local sigstore stack and runs
verification tests against it.

hack infra:

  • kind cluster with zot (OCI 1.1 referrers API) and registry:2 (tag fallback)
  • sigstore scaffold Helm chart (fulcio, rekor, ctlog, trillian)
  • Scripts for setup, build, and teardown

tests:

  • v2/v3 key-pair signing with secretRef
  • v2/v3 keyless signing with trustedRootSecretRef
  • v3 key-pair with tlog entry
  • Combined secretRef + trustedRootSecretRef
  • Registry auth + verify
  • v3 bundles on registry:2 (referrers tag fallback)
  • Sad paths: wrong key, wrong identity, wrong rekor key in trusted root

Runs concurrently with the existing kind-linux-amd64 job -- hopefully I've set this up right.

Commits

WithInsecure passes name.Insecure to GetBundles/VerifyImageAttestations
for v3 bundle discovery on HTTP registries. Follows the same pattern as
notation's WithInsecureRegistry.

WithTLSConfig passes a *tls.Config to the Rekor client, supporting
private CAs from certSecretRef. Replaces the cosign CLI rekor wrapper
with a direct rekor.GetRekorClient call to thread the option through.

Includes a test using a fake non-loopback hostname to verify the
insecure option is required for bundle discovery on HTTP registries.

Signed-off-by: leigh capili <leigh@null.net>

---

Pass obj.Spec.Insecure and transport.TLSClientConfig to the cosign
verifier so v3 bundle discovery and Rekor connections use the same
transport settings as the registry.

Signed-off-by: leigh capili <leigh@null.net>

---

…hart OCI

Pass clientOpts.TLSConfig and clientOpts.Insecure to the cosign
verifier in makeVerifiers so that HelmChart verification of OCI-sourced
charts works against registries behind private CAs and on HTTP.

Signed-off-by: leigh capili <leigh@null.net>

---

Scripts and testdata for running cosign verification tests against a
local sigstore stack on kind. Uses zot (referrers API) and registry:2
(tag fallback) with the scaffold Helm chart.

Covers v2/v3 key-pair, v2/v3 keyless with trustedRootSecretRef, tlog,
combined refs, wrong key/identity/rekor material, and registry auth.

Signed-off-by: leigh capili <leigh@null.net>

---

New sigstore-linux-amd64 job deploys a local sigstore stack and runs
the verification test suite concurrently with kind-linux-amd64.

Signed-off-by: leigh capili <leigh@null.net>
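The commits above describe threading two transport settings into the verifier: an insecure flag that selects plain HTTP for registry bundle discovery, and a *tls.Config so the Rekor client trusts a private CA loaded from a Secret. The following is an added, stand-alone illustration of that pattern (stdlib only; not the PR's code, and not the cosign or rekor client API): the option names WithInsecure and WithTLSConfig are borrowed from the commit messages, but the Verifier type, its fields, the RegistryScheme/RekorLogInfo methods and the RunDemo harness are assumptions made for this example. RunDemo stands up a TLS test server with a self-signed certificate in place of a Rekor behind a private CA, then shows that a verifier carrying that CA in its tls.Config reaches /api/v1/log while one without it fails certificate validation.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// VerifierOption is a functional option for Verifier. The option names mirror
// the WithInsecure/WithTLSConfig options named in the commits; the signatures
// and the Verifier type itself are assumptions for this example.
type VerifierOption func(*Verifier)

// Verifier holds the transport settings a cosign-style verifier needs to reach
// a registry (for bundle discovery) and a Rekor instance (for tlog lookups).
type Verifier struct {
	insecure  bool        // allow plain-HTTP registries (what name.Insecure selects)
	tlsConfig *tls.Config // custom roots, e.g. a private CA from a certSecretRef
}

// WithInsecure permits HTTP registry access for bundle discovery.
func WithInsecure(insecure bool) VerifierOption {
	return func(v *Verifier) { v.insecure = insecure }
}

// WithTLSConfig threads a *tls.Config through to every outbound TLS dial.
func WithTLSConfig(cfg *tls.Config) VerifierOption {
	return func(v *Verifier) { v.tlsConfig = cfg }
}

// NewVerifier applies the options in order onto a zero-value Verifier.
func NewVerifier(opts ...VerifierOption) *Verifier {
	v := &Verifier{}
	for _, o := range opts {
		o(v)
	}
	return v
}

// RegistryScheme is the scheme used when building referrer/bundle URLs:
// "http" only when the insecure option was set, "https" otherwise.
func (v *Verifier) RegistryScheme() string {
	if v.insecure {
		return "http"
	}
	return "https"
}

// rekorClient returns an HTTP client whose transport carries the verifier's
// TLS settings, so Rekor and the registry share the same trust roots.
func (v *Verifier) rekorClient() *http.Client {
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.TLSClientConfig = v.tlsConfig
	return &http.Client{Transport: tr, Timeout: 5 * time.Second}
}

// RekorLogInfo performs GET <rekorURL>/api/v1/log and returns the HTTP status.
func (v *Verifier) RekorLogInfo(rekorURL string) (int, error) {
	resp, err := v.rekorClient().Get(rekorURL + "/api/v1/log")
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// DemoResult records what happens against a fake Rekor behind a private CA.
type DemoResult struct {
	StatusWithCA   int    // status when the server's CA is in RootCAs
	ErrWithoutCA   error  // x509 error when only system roots are trusted
	InsecureScheme string // scheme chosen with WithInsecure(true)
	DefaultScheme  string // scheme chosen with no options
}

// RunDemo starts a TLS test server (a constructed stand-in for a Rekor behind
// a private CA) and exercises the verifier with and without that CA trusted.
func RunDemo() DemoResult {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/api/v1/log" {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"treeSize":0}`) // minimal constructed Rekor-like body
	}))
	defer srv.Close()

	// Equivalent of loading the CA PEM from a certSecretRef into a pool.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())

	trusted := NewVerifier(WithTLSConfig(&tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}))
	status, _ := trusted.RekorLogInfo(srv.URL)

	_, err := NewVerifier().RekorLogInfo(srv.URL) // no private CA: fails verification

	return DemoResult{
		StatusWithCA:   status,
		ErrWithoutCA:   err,
		InsecureScheme: NewVerifier(WithInsecure(true)).RegistryScheme(),
		DefaultScheme:  NewVerifier().RegistryScheme(),
	}
}

func main() {
	r := RunDemo()
	fmt.Printf("with private CA trusted: status %d\n", r.StatusWithCA)
	fmt.Printf("without private CA: %v\n", r.ErrWithoutCA)
	fmt.Printf("schemes: insecure=%s default=%s\n", r.InsecureScheme, r.DefaultScheme)
}
```

The point the example makes is the one the commits rely on: the TLS config has to be applied on the transport that actually dials Rekor, not just on the registry transport, or a private-CA Rekor fails with an unknown-authority error even though the registry fetch succeeded. The insecure flag is deliberately kept separate from TLS trust, so that allowing HTTP bundle discovery never loosens certificate validation on the HTTPS paths.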
@stealthybox force-pushed the sigstore-transport branch 2 times, most recently from 211fb0a to ffa18cc (May 26, 2026 16:04)