
Commit 71edf28

committed
tests: add negative checks for imagetools signature coverage
Verify imagetools copies signatures only for attestation manifests and does not copy image-manifest signatures or unsupported referrers. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
1 parent f14c1ae commit 71edf28

1 file changed

Lines changed: 43 additions & 10 deletions


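--- a/tests/imagetools.go
+++ b/tests/imagetools.go
@@ -623,6 +623,21 @@ func testImagetoolsCopyAttestationWithSignature(t *testing.T, sb integration.San
 require.Len(t, platformManifests, 2)
 require.Len(t, attestations, 2)
 
+// Negative controls: signatures on image manifests, and unsupported
+// artifact types, should not be copied by imagetools create.
+platformSignatures := make(map[digest.Digest]ocispecs.Descriptor, len(platformManifests))
+platformUnsupportedReferrers := make(map[digest.Digest]ocispecs.Descriptor, len(platformManifests))
+for platformDigest, platformDesc := range platformManifests {
+platformSignatures[platformDigest] = pushFakeSignatureReferrer(t, source, platformDesc)
+platformUnsupportedReferrers[platformDigest] = pushFakeReferrer(
+t,
+source,
+platformDesc,
+"application/vnd.example.attachment.v1+json",
+map[string]string{"example.type": "unsupported"},
+)
+}
+
 signatures := make(map[digest.Digest]ocispecs.Descriptor, len(attestations))
 for _, attestationDesc := range attestations {
 cmd = buildxCmd(sb, withArgs("imagetools", "inspect", source+"@"+string(attestationDesc.Digest), "--raw"))
@@ -678,6 +693,21 @@ func testImagetoolsCopyAttestationWithSignature(t *testing.T, sb integration.San
 require.NotNil(t, signatureManifest.Subject)
 require.Equal(t, attestationDesc.Digest, signatureManifest.Subject.Digest)
 require.Equal(t, "dsse-envelope", signatureManifest.Annotations["dev.sigstore.bundle.content"])
+
+}
+
+// Only attestation signatures should be present after the copy. The
+// negative-control referrers attached to image manifests must not exist.
+for _, platformDesc := range platformManifests {
+signatureDesc := platformSignatures[platformDesc.Digest]
+cmd = buildxCmd(sb, withArgs("imagetools", "inspect", target+"@"+string(signatureDesc.Digest), "--raw"))
+dt, err = cmd.CombinedOutput()
+require.Error(t, err, string(dt))
+
+unsupportedDesc := platformUnsupportedReferrers[platformDesc.Digest]
+cmd = buildxCmd(sb, withArgs("imagetools", "inspect", target+"@"+string(unsupportedDesc.Digest), "--raw"))
+dt, err = cmd.CombinedOutput()
+require.Error(t, err, string(dt))
 }
 }
 
@@ -790,34 +820,37 @@ func prepareSinglePlatformFallbackAsset(t *testing.T, sb integration.Sandbox, di
 }
 
 func pushFakeSignatureReferrer(t *testing.T, sourceRef string, subject ocispecs.Descriptor) ocispecs.Descriptor {
+return pushFakeReferrer(t, sourceRef, subject, "application/vnd.dev.sigstore.bundle.v0.3+json", map[string]string{
+"dev.sigstore.bundle.content": "dsse-envelope",
+"dev.sigstore.bundle.predicateType": "https://sigstore.dev/cosign/sign/v1",
+"org.opencontainers.image.created": "2025-12-05T10:16:57Z",
+})
+}
+
+func pushFakeReferrer(t *testing.T, sourceRef string, subject ocispecs.Descriptor, artifactType string, annotations map[string]string) ocispecs.Descriptor {
 t.Helper()
 
 repoName := mustRepoName(t, sourceRef)
 
 configBytes := []byte("{}")
 configDesc := ocispecs.Descriptor{
 MediaType: "application/vnd.oci.empty.v1+json",
-ArtifactType: "application/vnd.dev.sigstore.bundle.v0.3+json",
+ArtifactType: artifactType,
 Digest: digest.FromBytes(configBytes),
 Size: int64(len(configBytes)),
 }
 
-layerBytes := []byte(`{"kind":"fake-sigstore-bundle"}`)
+layerBytes := []byte(`{"kind":"fake-referrer"}`)
 layerDesc := ocispecs.Descriptor{
-MediaType: "application/vnd.dev.sigstore.bundle.v0.3+json",
+MediaType: artifactType,
 Digest: digest.FromBytes(layerBytes),
 Size: int64(len(layerBytes)),
 }
 
-annotations := map[string]string{
-"dev.sigstore.bundle.content": "dsse-envelope",
-"dev.sigstore.bundle.predicateType": "https://sigstore.dev/cosign/sign/v1",
-"org.opencontainers.image.created": "2025-12-05T10:16:57Z",
-}
 signatureManifest := ocispecs.Manifest{
 Versioned: specsVersioned(),
 MediaType: ocispecs.MediaTypeImageManifest,
-ArtifactType: "application/vnd.dev.sigstore.bundle.v0.3+json",
+ArtifactType: artifactType,
 Config: configDesc,
 Layers: []ocispecs.Descriptor{layerDesc},
 Subject: &subject,
@@ -828,7 +861,7 @@ func pushFakeSignatureReferrer(t *testing.T, sourceRef string, subject ocispecs.
 
 signatureDesc := ocispecs.Descriptor{
 MediaType: ocispecs.MediaTypeImageManifest,
-ArtifactType: "application/vnd.dev.sigstore.bundle.v0.3+json",
+ArtifactType: artifactType,
 Digest: digest.FromBytes(signatureBytes),
 Size: int64(len(signatureBytes)),
 Annotations: annotations,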
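Review bot: The negative checks in the second hunk (new lines 701–710) pass on any failure of `imagetools inspect`, not only on a missing manifest: `require.Error(t, err, string(dt))` is equally satisfied by a registry outage or a reference-parsing error, so a regression that copies image-manifest signatures could go unnoticed if the command fails for an unrelated reason. The maps are filled under the range key `platformDigest` but read back under `platformDesc.Digest`; if those ever differ, the lookup returns a zero descriptor and `target+"@"+""` fails for the wrong reason, so use the comma-ok form with `require.True(t, ok)` or add `require.NotEmpty(t, signatureDesc.Digest)` before each inspect. It would also help to assert that the output reports a not-found condition (the exact text is not visible here and should be confirmed) and to inspect the same digests on `source` first, so the test proves the referrers existed before the copy. The body of testImagetoolsCopyAttestationWithSignature is only partly visible across these hunks.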
