Merge pull request #627 from SUSE/cosign

Add cosign tests
SUSE · Oct 30, 2024 · 6ce5109 · 6ce5109
2 parents 4cf9899 + 0a03c2e
commit 6ce5109
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 1 deletion.
diff --git a/bci_tester/data.py b/bci_tester/data.py
@@ -740,6 +740,15 @@ def create_BCI(
     image_type="kiwi",
 )
 
+_COSIGN_VERSION: str = "2.4" if OS_VERSION in ("tumbleweed",) else "2.2"
+COSIGN_CONTAINERS = [
+    create_BCI(
+        build_tag=f"{APP_CONTAINER_PREFIX}/cosign:{_COSIGN_VERSION}",
+        bci_type=ImageType.APPLICATION,
+        custom_entry_point="/bin/sh",
+    )
+]
+
 _NGINX_APP_VERSION = "latest" if OS_VERSION == "tumbleweed" else "1.21"
 
 NGINX_CONTAINER = create_BCI(
@@ -924,6 +933,7 @@ def create_BCI(
     DISTRIBUTION_CONTAINER,
     GIT_CONTAINER,
     HELM_CONTAINER,
+    *COSIGN_CONTAINERS,
     MICRO_CONTAINER,
     MINIMAL_CONTAINER,
     *POSTFIX_CONTAINERS,

diff --git a/pyproject.toml b/pyproject.toml
@@ -64,6 +64,8 @@ markers = [
     'bci-minimal_16.0',
     'bci-minimal_latest',
     'blackbox_exporter_0.24',
+    'cosign_2.2',
+    'cosign_2.4',
     'dotnet-aspnet_6.0',
     'dotnet-aspnet_8.0',
     'dotnet-runtime_6.0',

diff --git a/tests/test_cosign.py b/tests/test_cosign.py
@@ -0,0 +1,25 @@
+"""This module contains the tests for the cosign container, the image with cosign pre-installed."""
+
+from bci_tester.data import COSIGN_CONTAINERS
+
+CONTAINER_IMAGES = COSIGN_CONTAINERS
+
+
+def test_cosign_version(auto_container, host, container_runtime):
+    """Test that we can invoke `cosign version` successfully."""
+
+    assert (
+        "GitTreeState:  release"
+        in host.check_output(
+            f"{container_runtime.runner_binary} run --rm {auto_container.image_url_or_id} version"
+        ).splitlines()
+    )
+
+
+def test_cosign_verify(auto_container, host, container_runtime):
+    """Test that we can invoke `cosign verify` on a bci-container."""
+    assert "cosign container image signature" in host.check_output(
+        f"{container_runtime.runner_binary} run --rm {auto_container.image_url_or_id} "
+        "verify --key https://ftp.suse.com/pub/projects/security/keys/container-key.pem "
+        "registry.suse.com/bci/bci-micro:latest"
+    )
diff --git a/tests/test_metadata.py b/tests/test_metadata.py
@@ -34,6 +34,7 @@
 from bci_tester.data import BLACKBOX_CONTAINERS
 from bci_tester.data import BUSYBOX_CONTAINER
 from bci_tester.data import CONTAINER_389DS_CONTAINERS
+from bci_tester.data import COSIGN_CONTAINERS
 from bci_tester.data import DISTRIBUTION_CONTAINER
 from bci_tester.data import DOTNET_ASPNET_6_0_CONTAINER
 from bci_tester.data import DOTNET_ASPNET_8_0_CONTAINER
@@ -187,6 +188,10 @@ def _get_container_label_prefix(
         (rust_container, "rust", ImageType.LANGUAGE_STACK)
         for rust_container in RUST_CONTAINERS
     ]
+    + [
+        (cosign_container, "cosign", ImageType.APPLICATION)
+        for cosign_container in COSIGN_CONTAINERS
+    ]
     + [
         (golang_container, "golang", ImageType.LANGUAGE_STACK)
         for golang_container in GOLANG_CONTAINERS

diff --git a/tox.ini b/tox.ini
@@ -1,5 +1,5 @@
 [tox]
-envlist = {py36,py39,py310,py311,py312,py313}-unit, all, base, fips, init, dotnet, python, ruby, node, go, openjdk, openjdk_devel, rust, php, busybox, 389ds, metadata, minimal, multistage, repository, doc, lint, get_urls, pcp, distribution, postgres, git, helm, nginx, kernel_module, mariadb, tomcat, spack, gcc, prometheus, grafana, kiwi, postfix
+envlist = {py36,py39,py310,py311,py312,py313}-unit, all, base, cosign, fips, init, dotnet, python, ruby, node, go, openjdk, openjdk_devel, rust, php, busybox, 389ds, metadata, minimal, multistage, repository, doc, lint, get_urls, pcp, distribution, postgres, git, helm, nginx, kernel_module, mariadb, tomcat, spack, gcc, prometheus, grafana, kiwi, postfix
 skip_missing_interpreters = True
 
 [common]