Add tests with v1.1.0 keys (#543)

* tests: Add test cases for signatures created by v1.1.0

Signed-off-by: Stefan Berger <[email protected]>

* tests: Adjust testrunner to run only scripts with suffix .sh

Signed-off-by: Stefan Berger <[email protected]>

* tests: Check also signatures create by v1.1.0 with older version of library

Signed-off-by: Stefan Berger <[email protected]>

---------

Signed-off-by: Stefan Berger <[email protected]>

Author: stefanberger

scripts/tests/test-sign-verify-allversions.sh

@@ -185,14 +185,14 @@ for version in v1.0.1 v1.0.0 v0.3.1 v0.3.0; do
 
 	# Check against pre-created signatures
 	# v represents version of the library that created a signature in the past
-	for v in v1.0.1 v1.0.0 v0.3.1 v0.2.0; do
+	for v in v1.1.0 v1.0.1 v1.0.0 v0.3.1 v0.2.0; do
 
 		# key method
 		modeldir=${v}-elliptic-key
 		modeldir_sign=${modeldir}
 
 		case "${version}-${v}" in
-		v0.3.1-v1.0.1)
+		v0.3.1-v1.0.1|v0.3.1-v1.1.0)
 			# v0.3.1 cannot verify signatures created by v1.0.1
 			;;
 		*-v0.3.1|*-v1.0.0)
@@ -254,7 +254,7 @@ for version in v1.0.1 v1.0.0 v0.3.1 v0.3.0; do
 		modeldir=${v}-sigstore
 
 		case "${version}-${v}" in
-		v0.3.1-v1.0.1|v0.3.1-v0.3.1|v0.3.1-v1.0.0)
+		v0.3.1-v1.1.0|v0.3.1-v1.0.1|v0.3.1-v0.3.1|v0.3.1-v1.0.0)
 			# cannot verify
 			;;
 		*)

scripts/tests/test-verify-v1.1.0-certificate.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+echo "Testing 'verify certificate'"
+if ! python -m model_signing \
+	verify certificate \
+	--ignore-paths ./v1.1.0-certificate/ignore-me \
+	--signature ./v1.1.0-certificate/model.sig \
+	--certificate_chain ./keys/certificate/ca-cert.pem \
+	./v1.1.0-certificate/; then
+	echo "Error: 'verify certificate' failed on v1.1.0"
+	exit 1
+fi
+
+exit 0

scripts/tests/test-verify-v1.1.0-elliptic-key.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+echo "Testing 'verify key'"
+if ! python -m model_signing \
+	verify key \
+	--ignore-paths ./v1.1.0-elliptic-key/ignore-me \
+	--signature ./v1.1.0-elliptic-key/model.sig \
+	--public_key ./keys/certificate/signing-key-pub.pem \
+	./v1.1.0-elliptic-key ; then
+	echo "Error: 'verify key' failed on v1.1.0"
+	exit 1
+fi
+
+exit 0

scripts/tests/test-verify-v1.1.0-sigstore.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+echo "Testing 'verify sigstore'"
+if ! python -m model_signing \
+	verify sigstore \
+	--identity [email protected] \
+	--identity_provider https://sigstore.verify.ibm.com/oauth2 \
+	--ignore-paths ./v1.1.0-sigstore/ignore-me \
+	--signature ./v1.1.0-sigstore/model.sig \
+	./v1.1.0-sigstore/; then
+	echo "Error: 'verify sigstore' failed on v1.1.0"
+	exit 1
+fi
+
+pushd v1.1.0-sigstore 1>/dev/null || exit 1
+
+echo
+echo "Testing 'verify sigstore' while in model directory"
+if ! python -m model_signing \
+	verify sigstore \
+	--identity [email protected] \
+	--identity_provider https://sigstore.verify.ibm.com/oauth2 \
+	--ignore-paths ignore-me \
+	--signature model.sig \
+	. ; then
+	echo "Error: 'verify sigstore' failed on v1.1.0"
+	exit 1
+fi
+
+popd 1>/dev/null || exit 1
+
+exit 0

scripts/tests/testrunner

@@ -12,7 +12,7 @@ DIR=$(dirname "$0")
 
 cd "${DIR}" || exit 1
 
-for tc in test-*; do
+for tc in test-*.sh; do
 	echo -e "\n>>> Running ${tc}"
 	./"${tc}" || exit 1
 done

scripts/tests/v1.1.0-certificate/ignore-me

@@ -0,0 +1 @@
+{"mediaType":"application/vnd.dev.sigstore.bundle.v0.3+json","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"MIIDDDCCAXSgAwIBAgIUblNG5LBtNM+Xg4avMF8lrv8LZ1UwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAxMPaW50ZXJtZWRpYXRlLWNhMB4XDTI1MDUwMjIzMzYyOFoXDTM1MDQzMDIzMzYyOFowGjEYMBYGA1UEAxMPaW50ZXJtZWRpYXRlLWNhMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEsu6rZGBTjxtvRWPMixT+3HyndV0J0YbtaHZUcO4DEK+OJHO/4e32bb/fbJKSpRgcBsIpKLcVijUomyFOERbd7u+BTPSUjGZDQq6J7lTvp/EAXQGOKxW9RP0MGX3qAkvio3gwdjAPBgNVHRMBAf8EBTADAQH/MBMGA1UdJQQMMAoGCCsGAQUFBwMDMA4GA1UdDwEB/wQEAwIHgDAdBgNVHQ4EFgQUGV7tAU7upBa+IVpuvDtUidPhKs8wHwYDVR0jBBgwFoAU8Y+MvYW26MAbiuYGhdsWnumU0zIwDQYJKoZIhvcNAQELBQADggGBAGXV0hCrcexX7mtcyP85ACBNSUVH7lNcUenan4DJevw4KbK22c/taf+VG/QLZ7/08AbsoHfhlpBSgTidg/62e6Cu8PISDFT67Kw1AnOCBynKYabWopCvNey++yu7sXg6IDHMb5ePKPFLOY4WhI5febcFeTxBKjMo/Il1gTzVwVK45QoWliTIqxBlFS2DUe4NODNwysLpFr6oeQsP2oRMow1BG1UbCzmn+NGCKOXpQOCdFd0epASoMxZrk8ZEtLPRctcMeb7prfVX6QK5YFZMNMCU0FFci/f8RT11VFdfj8nNXi/6t/aOSZo45Q4TVMi2FijA/jAnykGiNgn1IaCNSQ5Z5xXSwCJp8KjsqVZgv6yjPO62Oj2pR1OxdhYE06YqwwD3dVkQ/+6O/ygqeWACqHXBnMVnPawhxbzBkovWg3lMfbShq9IktAGa7LM0tBvSs3R02zGFD6OaD93hJXEIRJf97/NWpCl7FXspLyfpJVnAtBd1g6DOyBHVkaNxoSWzAw=="},{"rawBytes":"MIIEHTCCAoWgAwIBAgIUSd+dJ4nS63JskKys4/XmTtBri4UwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAxMHcm9vdC1jYTAeFw0yNTA1MDIyMzM2MjhaFw0zNTA0MzAyMzM2MjhaMBoxGDAWBgNVBAMTD2ludGVybWVkaWF0ZS1jYTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAK7LNuadUjxuZH0rAim9ev3TvR4uSix9mKtHHqwzz3zPXuQXzwJ5Wy7GfXNds+aVD4Bwv5NQQHWdTAlZT+7K0CiMIPozRDTVWQKYZZwyCM4km6eZKDHxzLkm3fLDd56a1ISV4+ERZsS+DWV3Y9ukZPx9doa1XGLd3oq8o4/TwmNAL+rM0npxgegEYYX2DGnqHYiFkS+FdjKIRycFh+dyR6qW5IZ5FW4FMt4WynrMp7jWaiLnphyRs+6Xs+zTo3c+dLS82qlLCBkrI1AREx87y4nAnFMPtVi9+2f76YZ9ABykovUY6ddFKCFplD4lkvc+klhFi6DSq3sDZb06gTDV/cl9p2hc8jCF9SYVPhkRSHSBO/XhojOjQ4ZuNFCyCfaz1KPqK8/hK0OvMh43ZNcyiKy4GYaLQsRl2diOS8O04Ak0+twoKfo7fw5hTYuQ8sc3/8B54W3aOael/730Jko8YeQfl1E2Y10Iyhf6ZbBDwWjs9JcOAXZVMTw+1RCW8mwSfwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICBDAdBgNVHQ4EFgQU8Y+MvYW26MAbiuYGhdsWnumU0zIwHwYDVR0jBBgwFoAUEELDx1e2M0ueamhpxKFPLWXvjaUwDQYJKoZIhvcNAQELBQADggGBAIUEX+jqSQu1gu6OUWegIBt3g//DkazkR76tQKf+BYb9QixNbHA9DvmK9r76tfedq4fFnVKeFbhAqWy+waIDVLZsKWiOj3cIeOon/oZCK3hGtK4q36h0yMsy6AQkfNXjIAFgGhIGEQcDq0kgDmdHutHPxjPu77DmMdT0DIczJYKQJpfrs8Al0xiDmdVEsmbRnd9RyI+bcPc9bfkRkOuRIAwt6IIWgA1gEFSTtRaTxjXfRIdmz2A0MTpYLNTEvPdsDdxzhTVZelNI582rhWc/MaXcX5xULbsGJyWobtXcBZfb/9IJi9MBtWWp/t5+/PCuIWVHgG8MtnI0EdBXIiTcLH/XJMrRGrvjZW20nyD2nZl5L+qeDGkpSfGJ6dBVaDuVliSAj0emondZobXI/ypntpxqtWquZCkbBMQ69dUWE3vIh1aQpleSrAvbukZBzvk5FXfVF2T6/TY7HQjUcuURpoAnMtwM8FwrBixFhKGlRpFJjdIVUerT1RrZkvHO5qlgHg=="}]},"tlogEntries":[]},"dsseEnvelope":{"payload":"ewogICJfdHlwZSI6ICJodHRwczovL2luLXRvdG8uaW8vU3RhdGVtZW50L3YxIiwKICAic3ViamVjdCI6IFsKICAgIHsKICAgICAgIm5hbWUiOiAidjEuMS4wLWNlcnRpZmljYXRlIiwKICAgICAgImRpZ2VzdCI6IHsKICAgICAgICAic2hhMjU2IjogIjYxZDQ4NDlkOWQ5MDA3NmQ2MjE1ZjRkNTI1ZjEzZDY1NzRhZjhlM2Y2N2FlZjNlNmYzNmZjNDBhMTRmZGQyMjYiCiAgICAgIH0KICAgIH0KICBdLAogICJwcmVkaWNhdGVUeXBlIjogImh0dHBzOi8vbW9kZWxfc2lnbmluZy9zaWduYXR1cmUvdjEuMCIsCiAgInByZWRpY2F0ZSI6IHsKICAgICJzZXJpYWxpemF0aW9uIjogewogICAgICAiaGFzaF90eXBlIjogInNoYTI1NiIsCiAgICAgICJpZ25vcmVfcGF0aHMiOiBbCiAgICAgICAgImlnbm9yZS1tZSIsCiAgICAgICAgIi5naXRhdHRyaWJ1dGVzIiwKICAgICAgICAibW9kZWwuc2lnIiwKICAgICAgICAiLmdpdGh1YiIsCiAgICAgICAgIi5naXRpZ25vcmUiLAogICAgICAgICIuZ2l0IgogICAgICBdLAogICAgICAiYWxsb3dfc3ltbGlua3MiOiBmYWxzZSwKICAgICAgIm1ldGhvZCI6ICJmaWxlcyIKICAgIH0sCiAgICAicmVzb3VyY2VzIjogWwogICAgICB7CiAgICAgICAgImFsZ29yaXRobSI6ICJzaGEyNTYiLAogICAgICAgICJuYW1lIjogInNpZ25tZS0xIiwKICAgICAgICAiZGlnZXN0IjogImY2MzEwMDY2YzczMjA0OTdlYTU1NDI2MGMzMmM0MzY2MGJmZjY0OGNiMmE2MTE5NDgzMmNjMDg2MDc3MDg1ZTEiCiAgICAgIH0sCiAgICAgIHsKICAgICAgICAiYWxnb3JpdGhtIjogInNoYTI1NiIsCiAgICAgICAgIm5hbWUiOiAic2lnbm1lLTIiLAogICAgICAgICJkaWdlc3QiOiAiMzJkY2IxZjhlMWFlNTJkNTk2M2U1NmE2YmEwNmFiNThiNDI0YzE1ZWQyYTZiNzBkMmZlY2ExZDA4OTM3MDAyOCIKICAgICAgfQogICAgXQogIH0KfQ==","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MGYCMQDgK8J5pgonUXv6XN5eRVCdCSNAOiTw/vt4Wbts/PJTPEb4pFD/3eVoX+zXoqUjyc8CMQD/0OdFSr/2kHile4v7Tw/eeKXbnWjD6MB7/nu5DcB74MNeJf9dhmN16omZKCZOdqg=","keyid":""}]}}

scripts/tests/v1.1.0-certificate/model.sig

@@ -0,0 +1 @@
+signme-1

scripts/tests/v1.1.0-certificate/signme-1

@@ -0,0 +1 @@
+signme-2