diff --git a/bci_tester/data.py b/bci_tester/data.py
index 753614e4..42382fe4 100755
--- a/bci_tester/data.py
+++ b/bci_tester/data.py
@@ -740,6 +740,15 @@ def create_BCI(
 image_type="kiwi",
 )
+_COSIGN_VERSION: str = "2.4" if OS_VERSION in ("tumbleweed",) else "2.2"
+COSIGN_CONTAINERS = [
+ create_BCI(
+ build_tag=f"{APP_CONTAINER_PREFIX}/cosign:{_COSIGN_VERSION}",
+ bci_type=ImageType.APPLICATION,
+ custom_entry_point="/bin/sh",
+ )
+]
+
 _NGINX_APP_VERSION = "latest" if OS_VERSION == "tumbleweed" else "1.21"
 NGINX_CONTAINER = create_BCI(
@@ -924,6 +933,7 @@ def create_BCI(
 DISTRIBUTION_CONTAINER,
 GIT_CONTAINER,
 HELM_CONTAINER,
+ *COSIGN_CONTAINERS,
 MICRO_CONTAINER,
 MINIMAL_CONTAINER,
 *POSTFIX_CONTAINERS,
diff --git a/pyproject.toml b/pyproject.toml
index 7f0177eb..2d3a3256 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -64,6 +64,8 @@ markers = [
 'bci-minimal_16.0',
 'bci-minimal_latest',
 'blackbox_exporter_0.24',
+ 'cosign_2.2',
+ 'cosign_2.4',
 'dotnet-aspnet_6.0',
 'dotnet-aspnet_8.0',
 'dotnet-runtime_6.0',
diff --git a/tests/test_cosign.py b/tests/test_cosign.py
new file mode 100644
index 00000000..d1417c6d
--- /dev/null
+++ b/tests/test_cosign.py
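Review bot: In the first bci_tester/data.py hunk, `_COSIGN_VERSION` tests membership in a one-element tuple (`OS_VERSION in ("tumbleweed",)`) while the `_NGINX_APP_VERSION` line directly below it compares with `==`; unless more versions are about to join the tuple, `OS_VERSION == "tumbleweed"` would read consistently. The same two version strings are repeated by hand as the `cosign_2.2` and `cosign_2.4` markers in the pyproject.toml hunk, so a comment above the assignment such as `# keep in sync with the cosign_* markers in pyproject.toml` would help the next version bump. `custom_entry_point="/bin/sh"` also deserves a short why-comment, since the tests in tests/test_cosign.py start the image with `run --rm` and its own entrypoint; presumably the override only keeps the fixture container alive, but that is not stated anywhere in the change.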
@@ -0,0 +1,25 @@
+"""This module contains the tests for the cosign container, the image with cosign pre-installed."""
+
+from bci_tester.data import COSIGN_CONTAINERS
+
+CONTAINER_IMAGES = COSIGN_CONTAINERS
+
+
+def test_cosign_version(auto_container, host, container_runtime):
+ """Test that we can invoke `cosign version` successfully."""
+
+ assert (
+ "GitTreeState: release"
+ in host.check_output(
+ f"{container_runtime.runner_binary} run --rm {auto_container.image_url_or_id} version"
+ ).splitlines()
+ )
+
+
+def test_cosign_verify(auto_container, host, container_runtime):
+ """Test that we can invoke `cosign verify` on a bci-container."""
+ assert "cosign container image signature" in host.check_output(
+ f"{container_runtime.runner_binary} run --rm {auto_container.image_url_or_id} "
+ "verify --key https://ftp.suse.com/pub/projects/security/keys/container-key.pem "
+ "registry.suse.com/bci/bci-micro:latest"
+ )
diff --git a/tests/test_metadata.py b/tests/test_metadata.py
index 7876aa8b..41dd7a83 100644
--- a/tests/test_metadata.py
+++ b/tests/test_metadata.py
@@ -34,6 +34,7 @@
 from bci_tester.data import BLACKBOX_CONTAINERS
 from bci_tester.data import BUSYBOX_CONTAINER
 from bci_tester.data import CONTAINER_389DS_CONTAINERS
+from bci_tester.data import COSIGN_CONTAINERS
 from bci_tester.data import DISTRIBUTION_CONTAINER
 from bci_tester.data import DOTNET_ASPNET_6_0_CONTAINER
 from bci_tester.data import DOTNET_ASPNET_8_0_CONTAINER
@@ -187,6 +188,10 @@ def _get_container_label_prefix(
 (rust_container, "rust", ImageType.LANGUAGE_STACK)
 for rust_container in RUST_CONTAINERS
 ]
+ + [
+ (cosign_container, "cosign", ImageType.APPLICATION)
+ for cosign_container in COSIGN_CONTAINERS
+ ]
 + [
 (golang_container, "golang", ImageType.LANGUAGE_STACK)
 for golang_container in GOLANG_CONTAINERS
diff --git a/tox.ini b/tox.ini
index f1b5ff88..c2fddef1 100644
--- a/tox.ini
+++ b/tox.ini
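Review bot: `test_cosign_verify` in tests/test_cosign.py takes its trust anchor from the network at run time: the key is downloaded from the `https://ftp.suse.com/...` URL on every run and the target is the mutable tag `bci-micro:latest`. A pass therefore shows only that the key and signature served at that moment agree, and an outage of either host fails the test for reasons unrelated to the cosign image. Consider verifying against a copy of the public key kept in the repository and mounted into the container, and state the network requirement in the docstring, e.g. `"""Verify a published BCI image with cosign; needs access to registry.suse.com."""`. The test also covers only the accepting path; a companion case that verifies with a non-matching key and expects a non-zero exit would show that the packaged cosign rejects a bad signature, not merely that it runs.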
@@ -1,5 +1,5 @@
 [tox]
-envlist = {py36,py39,py310,py311,py312,py313}-unit, all, base, fips, init, dotnet, python, ruby, node, go, openjdk, openjdk_devel, rust, php, busybox, 389ds, metadata, minimal, multistage, repository, doc, lint, get_urls, pcp, distribution, postgres, git, helm, nginx, kernel_module, mariadb, tomcat, spack, gcc, prometheus, grafana, kiwi, postfix
+envlist = {py36,py39,py310,py311,py312,py313}-unit, all, base, cosign, fips, init, dotnet, python, ruby, node, go, openjdk, openjdk_devel, rust, php, busybox, 389ds, metadata, minimal, multistage, repository, doc, lint, get_urls, pcp, distribution, postgres, git, helm, nginx, kernel_module, mariadb, tomcat, spack, gcc, prometheus, grafana, kiwi, postfix
 skip_missing_interpreters = True
 [common]