oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2025-11-17 08:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

add signature verification to install.sh (#2941)

Browse Source 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
This commit is contained in:
Alex Goodman 2024-06-10 11:29:53 -04:00 committed by GitHub
parent db0c33481e
commit c43f4fb416
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
18 changed files with 477 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.github/workflows/release.yaml vendored
View File

@ -17,6 +17,14 @@ jobs:
steps: steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
- name: Check if running on main
if: github.ref != 'refs/heads/main'
# we are using the following flag when running `cosign blob-verify` for checksum signature verification:
# --certificate-identity-regexp "https://github.com/anchore/.github/workflows/release.yaml@refs/heads/main"
# if we are not on the main branch, the signature will not be verifiable since the suffix requires the main branch
# at the time of when the OIDC token was issued on the Github Actions runner.
run: echo "This can only be run on the main branch otherwise releases produced will not be verifiable with cosign" && exit 1
- name: Check if tag already exists - name: Check if tag already exists
# note: this will fail if the tag already exists # note: this will fail if the tag already exists
run: | run: |

3
.github/workflows/validations.yaml vendored
View File

@ -187,6 +187,9 @@ jobs:
needs: [Build-Snapshot-Artifacts] needs: [Build-Snapshot-Artifacts]
runs-on: macos-latest runs-on: macos-latest
steps: steps:
- name: Install Cosign
uses: sigstore/cosign-installer@v3.5.0
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
- name: Bootstrap environment - name: Bootstrap environment

9
README.md
View File

@ -40,11 +40,10 @@ Syft binaries are provided for Linux, macOS and Windows.
> curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin > curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
> ``` > ```
... or, you can specify a release version and destination directory for the installation: Install script options:
- `-b`: Specify a custom installation directory (defaults to `./bin`)
> ```bash - `-d`: More verbose logging levels (`-d` for debug, `-dd` for trace)
> curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b <DESTINATION_DIR> <RELEASE_VERSION> - `-v`: Verify the signature of the downloaded artifact before installation (requires [`cosign`](https://github.com/sigstore/cosign) to be installed)
> ```
### Homebrew ### Homebrew
```bash ```bash

273
install.sh
View File

@ -2,34 +2,26 @@
# note: we require errors to propagate (don't set -e) # note: we require errors to propagate (don't set -e)
set -u set -u
PROJECT_NAME="syft" PROJECT_NAME=syft
OWNER=anchore OWNER=anchore
REPO="${PROJECT_NAME}" REPO="${PROJECT_NAME}"
GITHUB_DOWNLOAD_PREFIX=https://github.com/${OWNER}/${REPO}/releases/download GITHUB_DOWNLOAD_PREFIX=https://github.com/${OWNER}/${REPO}/releases/download
INSTALL_SH_BASE_URL=https://raw.githubusercontent.com/${OWNER}/${PROJECT_NAME} INSTALL_SH_BASE_URL=https://raw.githubusercontent.com/${OWNER}/${PROJECT_NAME}
PROGRAM_ARGS=$@ PROGRAM_ARGS=$@
# signature verification options
# the location to the cosign binary (allowed to be overridden by the user)
COSIGN_BINARY=${COSIGN_BINARY:-cosign}
VERIFY_SIGN=false
# this is the earliest tag in the repo where cosign sign-blob was introduced in the release process (see the goreleaser config)
VERIFY_SIGN_SUPPORTED_VERSION=v0.104.0
# this is the earliest tag in the repo where the -v flag was introduced to this install.sh script
VERIFY_SIGN_FLAG_VERSION=v1.6.0
# do not change the name of this parameter (this must always be backwards compatible) # do not change the name of this parameter (this must always be backwards compatible)
DOWNLOAD_TAG_INSTALL_SCRIPT=${DOWNLOAD_TAG_INSTALL_SCRIPT:-true} DOWNLOAD_TAG_INSTALL_SCRIPT=${DOWNLOAD_TAG_INSTALL_SCRIPT:-true}
#
# usage [script-name]
#
usage() (
this=$1
cat <<EOF
$this: download go binaries for anchore/syft
Usage: $this [-b] dir [-d] [tag]
-b the installation directory (dDefaults to ./bin)
-d turns on debug logging
-dd turns on trace logging
[tag] the specific release to use (if missing, then the latest will be used)
EOF
exit 2
)
# ------------------------------------------------------------------------ # ------------------------------------------------------------------------
# https://github.com/client9/shlib - portable posix shell functions # https://github.com/client9/shlib - portable posix shell functions
# Public domain - http://unlicense.org # Public domain - http://unlicense.org
@ -270,21 +262,21 @@ hash_sha256() (
) )
hash_sha256_verify() ( hash_sha256_verify() (
TARGET=$1 target=$1
checksums=$2 checksums=$2
if [ -z "$checksums" ]; then if [ -z "$checksums" ]; then
log_err "hash_sha256_verify checksum file not specified in arg2" log_err "hash_sha256_verify checksum file not specified as argument"
return 1 return 1
fi fi
BASENAME=${TARGET##*/} target_basename=${target##*/}
want=$(grep "${BASENAME}" "${checksums}" 2>/dev/null | tr '\t' ' ' | cut -d ' ' -f 1) want=$(grep "${target_basename}" "${checksums}" 2>/dev/null | tr '\t' ' ' | cut -d ' ' -f 1)
if [ -z "$want" ]; then if [ -z "$want" ]; then
log_err "hash_sha256_verify unable to find checksum for '${TARGET}' in '${checksums}'" log_err "hash_sha256_verify unable to find checksum for '${target}' in '${checksums}'"
return 1 return 1
fi fi
got=$(hash_sha256 "$TARGET") got=$(hash_sha256 "$target")
if [ "$want" != "$got" ]; then if [ "$want" != "$got" ]; then
log_err "hash_sha256_verify checksum for '$TARGET' did not verify ${want} vs $got" log_err "hash_sha256_verify checksum for '$target' did not verify ${want} vs $got"
return 1 return 1
fi fi
) )
@ -358,28 +350,69 @@ github_release_tag() (
echo "$tag" echo "$tag"
) )
# github_release_asset_url [release-url-prefix] [name] [version] [output-dir] [filename]
#
# outputs the url to the release asset
#
github_release_asset_url() (
download_url="$1"
name="$2"
version="$3"
filename="$4"
complete_filename="${name}_${version}_${filename}"
complete_url="${download_url}/${complete_filename}"
echo "${complete_url}"
)
# download_github_release_checksums_files [release-url-prefix] [name] [version] [output-dir] [filename]
#
# outputs path to the downloaded checksums related file
#
download_github_release_checksums_files() (
download_url="$1"
name="$2"
version="$3"
output_dir="$4"
filename="$5"
log_trace "download_github_release_checksums_files(url=${download_url}, name=${name}, version=${version}, output_dir=${output_dir}, filename=${filename})"
complete_filename="${name}_${version}_${filename}"
complete_url=$(github_release_asset_url "${download_url}" "${name}" "${version}" "${filename}")
output_path="${output_dir}/${complete_filename}"
http_download "${output_path}" "${complete_url}" ""
asset_file_exists "${output_path}"
log_trace "download_github_release_checksums_files() returned '${output_path}' for file '${complete_filename}'"
echo "${output_path}"
)
# download_github_release_checksums [release-url-prefix] [name] [version] [output-dir] # download_github_release_checksums [release-url-prefix] [name] [version] [output-dir]
# #
# outputs path to the downloaded checksums file # outputs path to the downloaded checksums file
# #
download_github_release_checksums() ( download_github_release_checksums() (
download_url="$1" download_github_release_checksums_files "$@" "checksums.txt"
name="$2" )
version="$3"
output_dir="$4"
log_trace "download_github_release_checksums(url=${download_url}, name=${name}, version=${version}, output_dir=${output_dir})" # github_release_checksums_sig_url [release-url-prefix] [name] [version]
#
# outputs the url to the release checksums signature file
#
github_release_checksums_sig_url() (
github_release_asset_url "$@" "checksums.txt.sig"
)
checksum_filename=${name}_${version}_checksums.txt # github_release_checksums_cert_url [release-url-prefix] [name] [version]
checksum_url=${download_url}/${checksum_filename} #
output_path="${output_dir}/${checksum_filename}" # outputs the url to the release checksums certificate file
#
http_download "${output_path}" "${checksum_url}" "" github_release_checksums_cert_url() (
asset_file_exists "${output_path}" github_release_asset_url "$@" "checksums.txt.pem"
log_trace "download_github_release_checksums() returned '${output_path}'"
echo "${output_path}"
) )
# search_for_asset [checksums-file-path] [name] [os] [arch] [format] # search_for_asset [checksums-file-path] [name] [os] [arch] [format]
@ -535,7 +568,10 @@ download_and_install_asset() (
format="$8" format="$8"
binary="$9" binary="$9"
asset_filepath=$(download_asset "${download_url}" "${download_path}" "${name}" "${os}" "${arch}" "${version}" "${format}") if ! asset_filepath=$(download_asset "${download_url}" "${download_path}" "${name}" "${os}" "${arch}" "${version}" "${format}"); then
log_err "could not download asset for os='${os}' arch='${arch}' format='${format}'"
return 1
fi
# don't continue if we couldn't download an asset # don't continue if we couldn't download an asset
if [ -z "${asset_filepath}" ]; then if [ -z "${asset_filepath}" ]; then
@ -546,6 +582,36 @@ download_and_install_asset() (
install_asset "${asset_filepath}" "${install_path}" "${binary}" install_asset "${asset_filepath}" "${install_path}" "${binary}"
) )
# verify_sign [checksums-file-path] [certificate-reference] [signature-reference] [version]
#
# attempts verify the signature of the checksums file from the release workflow in Github Actions run against the main branch.
#
verify_sign() {
checksums_file=$1
cert_reference=$2
sig_reference=$3
log_trace "verifying artifact $1"
log_file=$(mktemp)
${COSIGN_BINARY} \
verify-blob "$checksums_file" \
--certificate "$cert_reference" \
--signature "$sig_reference" \
--certificate-identity "https://github.com/${OWNER}/${REPO}/.github/workflows/release.yaml@refs/heads/main" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" > "${log_file}" 2>&1
if [ $? -ne 0 ]; then
log_err "$(cat "${log_file}")"
rm -f "${log_file}"
return 1
fi
rm -f "${log_file}"
}
# download_asset [release-url-prefix] [download-path] [name] [os] [arch] [version] [format] [binary] # download_asset [release-url-prefix] [download-path] [name] [os] [arch] [version] [format] [binary]
# #
# outputs the path to the downloaded asset asset_filepath # outputs the path to the downloaded asset asset_filepath
@ -572,6 +638,20 @@ download_asset() (
return 1 return 1
fi fi
if [ "$VERIFY_SIGN" = true ]; then
checksum_sig_file_url=$(github_release_checksums_sig_url "${download_url}" "${name}" "${version}")
log_trace "checksums signature url: ${checksum_sig_file_url}"
checksums_cert_file_url=$(github_release_checksums_cert_url "${download_url}" "${name}" "${version}")
log_trace "checksums certificate url: ${checksums_cert_file_url}"
if ! verify_sign "${checksums_filepath}" "${checksums_cert_file_url}" "${checksum_sig_file_url}"; then
log_err "signature verification failed"
return 1
fi
log_info "signature verification succeeded"
fi
asset_url="${download_url}/${asset_filename}" asset_url="${download_url}/${asset_filename}"
asset_filepath="${destination}/${asset_filename}" asset_filepath="${destination}/${asset_filename}"
http_download "${asset_filepath}" "${asset_url}" "" http_download "${asset_filepath}" "${asset_url}" ""
@ -609,6 +689,79 @@ install_asset() (
install "${archive_dir}/${binary}" "${destination}/" install "${archive_dir}/${binary}" "${destination}/"
) )
# compare two semver strings. Returns 0 if version1 >= version2, 1 otherwise.
# Note: pre-release (-) and metadata (+) are not supported.
compare_semver() {
# remove leading 'v' if present
version1=${1#v}
version2=${2#v}
IFS=. read -r major1 minor1 patch1 <<EOF
$version1
EOF
IFS=. read -r major2 minor2 patch2 <<EOF
$version2
EOF
if [ "$major1" -gt "$major2" ]; then
return 0
elif [ "$major1" -lt "$major2" ]; then
return 1
fi
if [ "$minor1" -gt "$minor2" ]; then
return 0
elif [ "$minor1" -lt "$minor2" ]; then
return 1
fi
if [ "$patch1" -gt "$patch2" ]; then
return 0
elif [ "$patch1" -lt "$patch2" ]; then
return 1
fi
# versions are equal
return 0
}
prep_signature_verification() {
version="$1"
if [ "$VERIFY_SIGN" != true ]; then
return 0
fi
# is there any cryptographic material produced at release that we can use for signature verification?
if ! compare_semver "$version" "$VERIFY_SIGN_SUPPORTED_VERSION"; then
log_err "${PROJECT_NAME} release '$version' does not support signature verification"
log_err "you can still install ${PROJECT_NAME} by removing the -v flag or using a release that supports signature verification (>= '$VERIFY_SIGN_SUPPORTED_VERSION')"
log_err "aborting installation"
return 1
else
log_trace "${PROJECT_NAME} release '$version' supports signature verification (>= '$VERIFY_SIGN_SUPPORTED_VERSION')"
fi
# will invoking an earlier version of this script work (considering the -v flag)?
if ! compare_semver "$version" "$VERIFY_SIGN_FLAG_VERSION"; then
# the -v argument did not always exist, so we cannot be guaranteed that invoking an earlier version of this script
# will work (error with "illegal option -v"). However, the user requested signature verification, so we will
# attempt to install the application with this version of the script (keeping signature verification).
DOWNLOAD_TAG_INSTALL_SCRIPT=false
log_debug "provided version install script does not support -v flag (>= '$VERIFY_SIGN_FLAG_VERSION'), using current script for installation"
else
log_trace "provided version install script supports -v flag (>= '$VERIFY_SIGN_FLAG_VERSION')"
fi
# check to see if the cosign binary is installed
if is_command "${COSIGN_BINARY}"; then
log_trace "${COSIGN_BINARY} binary is installed"
else
log_err "signature verification is requested but ${COSIGN_BINARY} binary is not installed (see https://docs.sigstore.dev/system_config/installation/ to install it)"
return 1
fi
}
main() ( main() (
# parse arguments # parse arguments
@ -616,7 +769,7 @@ main() (
install_dir=${install_dir:-./bin} install_dir=${install_dir:-./bin}
# note: never change the program flags or arguments (this must always be backwards compatible) # note: never change the program flags or arguments (this must always be backwards compatible)
while getopts "b:dh?x" arg; do while getopts "b:dvh?x" arg; do
case "$arg" in case "$arg" in
b) install_dir="$OPTARG" ;; b) install_dir="$OPTARG" ;;
d) d)
@ -628,25 +781,37 @@ main() (
log_set_priority $log_trace_priority log_set_priority $log_trace_priority
fi fi
;; ;;
h | \?) usage "$0" ;; v) VERIFY_SIGN=true;;
h | \?)
cat <<EOF
Download and install a released binary for ${OWNER}/${REPO} from the github releases page
Usage: $0 [-v] [-b DIR] [-d] [TAG]
-b DIR the installation directory (defaults to ./bin)
-d turns on debug logging
-dd turns on trace logging
-v verify checksum signature (requires cosign binary to be installed).
TAG the specific release to use (if missing, then the latest will be used)
EOF
exit 0
;;
x) set -x ;; x) set -x ;;
esac esac
done done
shift $((OPTIND - 1)) shift $((OPTIND - 1))
set +u set +u
tag=$1 tag=$1
if [ -z "${tag}" ]; then if [ -z "${tag}" ]; then
log_debug "checking github for the current release tag" log_info "checking github for the current release tag"
tag="" tag=""
else else
log_debug "checking github for release tag='${tag}'" log_info "checking github for release tag='${tag}'"
fi fi
set -u set -u
tag=$(get_release_tag "${OWNER}" "${REPO}" "${tag}") if ! tag=$(get_release_tag "${OWNER}" "${REPO}" "${tag}"); then
if [ "$?" != "0" ]; then
log_err "unable to find tag='${tag}'" log_err "unable to find tag='${tag}'"
log_err "do not specify a version or select a valid version from https://github.com/${OWNER}/${REPO}/releases" log_err "do not specify a version or select a valid version from https://github.com/${OWNER}/${REPO}/releases"
return 1 return 1
@ -661,6 +826,10 @@ main() (
binary=$(get_binary_name "${os}" "${arch}" "${PROJECT_NAME}") binary=$(get_binary_name "${os}" "${arch}" "${PROJECT_NAME}")
download_url="${GITHUB_DOWNLOAD_PREFIX}/${tag}" download_url="${GITHUB_DOWNLOAD_PREFIX}/${tag}"
if ! prep_signature_verification "$version"; then
return 1
fi
# we always use the install.sh script that is associated with the tagged release. Why? the latest install.sh is not # we always use the install.sh script that is associated with the tagged release. Why? the latest install.sh is not
# guaranteed to be able to install every version of the application. We use the DOWNLOAD_TAG_INSTALL_SCRIPT env var # guaranteed to be able to install every version of the application. We use the DOWNLOAD_TAG_INSTALL_SCRIPT env var
# to indicate if we should continue processing with the existing script or to download the script from the given tag. # to indicate if we should continue processing with the existing script or to download the script from the given tag.
@ -678,10 +847,8 @@ main() (
log_debug "downloading files into ${download_dir}" log_debug "downloading files into ${download_dir}"
download_and_install_asset "${download_url}" "${download_dir}" "${install_dir}" "${PROJECT_NAME}" "${os}" "${arch}" "${version}" "${format}" "${binary}"
# don't continue if we couldn't install the asset # don't continue if we couldn't install the asset
if [ "$?" != "0" ]; then if ! download_and_install_asset "${download_url}" "${download_dir}" "${install_dir}" "${PROJECT_NAME}" "${os}" "${arch}" "${version}" "${format}" "${binary}"; then
log_err "failed to install ${PROJECT_NAME}" log_err "failed to install ${PROJECT_NAME}"
return 1 return 1
fi fi
@ -697,4 +864,4 @@ if [ -z "${TEST_INSTALL_SH}" ]; then
main "$@" main "$@"
exit $? exit $?
fi fi
set -u set -u

46
test/install/0_search_for_asset_test.sh → test/install/0_checksums_test.sh
View File

@ -38,3 +38,49 @@ test_search_for_asset_snapshot() {
} }
run_test_case test_search_for_asset_snapshot run_test_case test_search_for_asset_snapshot
# verify 256 digest of a file
test_hash_sha256() {
target=./test-fixtures/assets/valid/syft_1.5.0_linux_arm64.tar.gz
# hash_sha256 [target]
# positive case
actual=$(hash_sha256 "${target}")
assertEquals "8d57abb57a0dae3ff23c8f0df1f51951b7772822e0d560e860d6f68c24ef6d3d" "${actual}" "mismatched checksum"
}
run_test_case test_hash_sha256
# verify 256 digest of a file relative to the checksums file
test_hash_sha256_verify() {
# hash_sha256_verify [target] [checksums]
# positive case
checksums=./test-fixtures/assets/valid/checksums.txt
target=./test-fixtures/assets/valid/syft_1.5.0_linux_arm64.tar.gz
hash_sha256_verify "${target}" "${checksums}"
assertEquals "0" "$?" "mismatched checksum"
# negative case
# we are expecting error messages, which is confusing to look at in passing tests... disable logging for now
log_set_priority -1
checksums=./test-fixtures/assets/invalid/checksums.txt
target=./test-fixtures/assets/invalid/syft_1.5.0_linux_arm64.tar.gz
hash_sha256_verify "${target}" "${checksums}"
assertEquals "1" "$?" "verification did not catch mismatched checksum"
# restore logging...
log_set_priority 0
}
run_test_case test_hash_sha256_verify

2
test/install/1_download_snapshot_asset_test.sh
View File

@ -63,7 +63,7 @@ test_negative_snapshot_download_asset() {
test_sboms_have_packages() { test_sboms_have_packages() {
find "$(snapshot_dir)/" -name "*.sbom" -print0 | while IFS= read -r -d '' file; do find "$(snapshot_dir)/" -name "*.sbom" -print0 | while IFS= read -r -d '' file; do
count=$(cat "$file" | jq ".artifacts | length") count=$(cat "$file" | jq ".artifacts | length")
if [ "$count" -gt 80 ]; then if [ "$count" -lt 80 ]; then
echo "not enough packages found for file: $file" echo "not enough packages found for file: $file"
exit 1 exit 1
fi fi

4
test/install/2_download_release_asset_test.sh
View File

@ -31,6 +31,10 @@ test_download_release_asset() {
release=$(get_release_tag "${OWNER}" "${REPO}" "latest" ) release=$(get_release_tag "${OWNER}" "${REPO}" "latest" )
# exercise all possible assets against a real github release (based on asset listing from https://github.com/anchore/syft/releases/tag/v0.36.0) # exercise all possible assets against a real github release (based on asset listing from https://github.com/anchore/syft/releases/tag/v0.36.0)
# verify all downloads against the checksums file + checksums file signature
VERIFY_SIGN=true
run_test_case test_download_release_asset "${release}" "darwin" "amd64" "tar.gz" "application/gzip" run_test_case test_download_release_asset "${release}" "darwin" "amd64" "tar.gz" "application/gzip"
run_test_case test_download_release_asset "${release}" "darwin" "arm64" "tar.gz" "application/gzip" run_test_case test_download_release_asset "${release}" "darwin" "arm64" "tar.gz" "application/gzip"
run_test_case test_download_release_asset "${release}" "linux" "amd64" "tar.gz" "application/gzip" run_test_case test_download_release_asset "${release}" "linux" "amd64" "tar.gz" "application/gzip"

89
test/install/4_prep_signature_verification_test.sh Executable file
View File

@ -0,0 +1,89 @@
. test_harness.sh
test_compare_semver() {
# compare_semver [version1] [version2]
# positive cases (version1 >= version2)
compare_semver "0.32.0" "0.32.0"
assertEquals "0" "$?" "+ versions should equal"
compare_semver "0.32.1" "0.32.0"
assertEquals "0" "$?" "+ patch version should be greater"
compare_semver "0.33.0" "0.32.0"
assertEquals "0" "$?" "+ minor version should be greater"
compare_semver "0.333.0" "0.32.0"
assertEquals "0" "$?" "+ minor version should be greater (different length)"
compare_semver "00.33.00" "0.032.0"
assertEquals "0" "$?" "+ minor version should be greater (different length reversed)"
compare_semver "1.0.0" "0.9.9"
assertEquals "0" "$?" "+ major version should be greater"
compare_semver "v1.0.0" "1.0.0"
assertEquals "0" "$?" "+ can remove leading 'v' from version"
# negative cases (version1 < version2)
compare_semver "0.32.0" "0.32.1"
assertEquals "1" "$?" "- patch version should be less"
compare_semver "0.32.7" "0.33.0"
assertEquals "1" "$?" "- minor version should be less"
compare_semver "00.00032.070" "0.33.0"
assertEquals "1" "$?" "- minor version should be less (different length)"
compare_semver "0.32.7" "00.0033.000"
assertEquals "1" "$?" "- minor version should be less (different length reversed)"
compare_semver "1.9.9" "2.0.1"
assertEquals "1" "$?" "- major version should be less"
compare_semver "1.0.0" "v2.0.0"
assertEquals "1" "$?" "- can remove leading 'v' from version"
}
run_test_case test_compare_semver
# ensure that various signature verification pre-requisites are correctly checked for
test_prep_signature_verification() {
# prep_sign_verification [version]
# we are expecting error messages, which is confusing to look at in passing tests... disable logging for now
log_set_priority -1
# backup original values...
OG_COSIGN_BINARY=${COSIGN_BINARY}
# check the verification path...
VERIFY_SIGN=true
# release does not support signature verification
prep_signature_verification "0.103.0"
assertEquals "1" "$?" "release does not support signature verification"
# check that the COSIGN binary exists
COSIGN_BINARY=fake-cosign-that-doesnt-exist
prep_signature_verification "0.105.0"
assertEquals "1" "$?" "cosign binary verification failed"
# restore original values...
COSIGN_BINARY=${OG_COSIGN_BINARY}
# ignore any failing conditions since we are not verifying the signature
VERIFY_SIGN=false
prep_signature_verification "0.103.0"
assertEquals "0" "$?" "release support verification should not have been triggered"
COSIGN_BINARY=fake-cosign-that-doesnt-exist
prep_signature_verification "0.105.0"
assertEquals "0" "$?" "cosign binary verification should not have been triggered"
# restore original values...
COSIGN_BINARY=${OG_COSIGN_BINARY}
# restore logging...
log_set_priority 0
}
run_test_case test_prep_signature_verification

37
test/install/Makefile
View File

@ -1,18 +1,22 @@
NAME=syft NAME=syft
# for local testing (not testing within containers) use the binny-managed version of cosign.
# this also means that the user does not need to install cosign on their system to run tests.
COSIGN_BINARY=../../.tool/cosign
IMAGE_NAME=$(NAME)-install.sh-env IMAGE_NAME=$(NAME)-install.sh-env
UBUNTU_IMAGE=$(IMAGE_NAME):ubuntu-20.04 UBUNTU_IMAGE=$(IMAGE_NAME):ubuntu-20.04
ALPINE_IMAGE=$(IMAGE_NAME):alpine-3.6 ALPINE_IMAGE=$(IMAGE_NAME):alpine-3.6
BUSYBOX_IMAGE=busybox:1.36.1-musl BUSYBOX_IMAGE=$(IMAGE_NAME):busybox-1.36
ENVS=./environments ENVS=./environments
DOCKER_RUN=docker run --rm -t -w /project/test/install -v $(shell pwd)/../../:/project DOCKER_RUN=docker run --rm -t -w /project/test/install -v $(shell pwd)/../../:/project
UNIT=make unit-local UNIT=make unit-run
# acceptance testing is running the current install.sh against the latest release. Note: this could be a problem down # acceptance testing is running the current install.sh against the latest release. Note: this could be a problem down
# the line if there are breaking changes made that don't align with the latest release (but will be OK with the next # the line if there are breaking changes made that don't align with the latest release (but will be OK with the next
# release) # release). This tests both installing with signature verification and without.
ACCEPTANCE_CMD=sh -c '../../install.sh -b /usr/local/bin && syft version' ACCEPTANCE_CMD=sh -c '../../install.sh -v -b /usr/local/bin && syft version && rm /usr/local/bin/syft && ../../install.sh -b /usr/local/bin && syft version'
# we also want to test against a previous release to ensure that install.sh defers execution to a former install.sh # we also want to test against a previous release to ensure that install.sh defers execution to a former install.sh
PREVIOUS_RELEASE=v0.33.0 PREVIOUS_RELEASE=v0.33.0
ACCEPTANCE_PREVIOUS_RELEASE_CMD=sh -c "../../install.sh -b /usr/local/bin $(PREVIOUS_RELEASE) && syft version" ACCEPTANCE_PREVIOUS_RELEASE_CMD=sh -c "../../install.sh -b /usr/local/bin $(PREVIOUS_RELEASE) && syft version"
@ -28,17 +32,22 @@ endef
test: unit acceptance test: unit acceptance
.PHONY: ci-test-mac .PHONY: ci-test-mac
ci-test-mac: unit-local acceptance-local ci-test-mac: unit-run acceptance-local
# note: do not add acceptance-local to this list # note: do not add acceptance-local to this list
.PHONY: acceptance .PHONY: acceptance
acceptance: acceptance-ubuntu-20.04 acceptance-alpine-3.6 acceptance-busybox acceptance: acceptance-ubuntu-20.04 acceptance-alpine-3.6 acceptance-busybox-1.36
.PHONY: unit .PHONY: unit
unit: unit-ubuntu-20.04 unit: unit-ubuntu-20.04
.PHONY: unit-local .PHONY: unit-local
unit-local: unit-local:
$(call title,unit tests)
@for f in $(shell ls *_test.sh); do echo "Running unit test suite '$${f}'"; bash -c "COSIGN_BINARY=$(COSIGN_BINARY) ./$${f}" || exit 1; done
.PHONY: unit-run
unit-run:
$(call title,unit tests) $(call title,unit tests)
@for f in $(shell ls *_test.sh); do echo "Running unit test suite '$${f}'"; bash $${f} || exit 1; done @for f in $(shell ls *_test.sh); do echo "Running unit test suite '$${f}'"; bash $${f} || exit 1; done
@ -55,7 +64,7 @@ acceptance-previous-release-local:
syft version | grep $(shell echo $(PREVIOUS_RELEASE)| tr -d "v") syft version | grep $(shell echo $(PREVIOUS_RELEASE)| tr -d "v")
.PHONY: save .PHONY: save
save: ubuntu-20.04 alpine-3.6 pull-busybox save: ubuntu-20.04 alpine-3.6 busybox-1.36
@mkdir cache || true @mkdir cache || true
docker image save -o cache/ubuntu-env.tar $(UBUNTU_IMAGE) docker image save -o cache/ubuntu-env.tar $(UBUNTU_IMAGE)
docker image save -o cache/alpine-env.tar $(ALPINE_IMAGE) docker image save -o cache/alpine-env.tar $(ALPINE_IMAGE)
@ -107,17 +116,17 @@ alpine-3.6:
# note: busybox by default will not have cacerts, so you will get TLS warnings (we want to test under these conditions) # note: busybox by default will not have cacerts, so you will get TLS warnings (we want to test under these conditions)
.PHONY: acceptance-busybox .PHONY: acceptance-busybox-1.36
acceptance-busybox: pull-busybox acceptance-busybox-1.36: busybox-1.36
$(call title,busybox - acceptance) $(call title,busybox-1.36 - acceptance)
$(DOCKER_RUN) $(BUSYBOX_IMAGE) \ $(DOCKER_RUN) $(BUSYBOX_IMAGE) \
$(ACCEPTANCE_CMD) $(ACCEPTANCE_CMD)
@echo "\n*** test note: you should see syft spit out a 'x509: certificate signed by unknown authority' error --this is expected ***" @echo "\n*** test note: you should see syft spit out a 'x509: certificate signed by unknown authority' error --this is expected ***"
.PHONY: pull-busybox .PHONY: busybox-1.36
pull-busybox: busybox-1.36:
$(call title,busybox - build environment) $(call title,busybox-1.36 - build environment)
docker pull $(BUSYBOX_IMAGE) docker build -t $(BUSYBOX_IMAGE) -f $(ENVS)/Dockerfile-busybox-1.36 .
## For CI ######################################################## ## For CI ########################################################

7
test/install/environments/Dockerfile-alpine-3.6
View File

@ -1,2 +1,5 @@
FROM alpine:3.6@sha256:66790a2b79e1ea3e1dabac43990c54aca5d1ddf268d9a5a0285e4167c8b24475 FROM alpine:3.6
RUN apk update && apk add python3 wget unzip make ca-certificates jq RUN apk update && apk add python3 wget curl unzip make ca-certificates
RUN curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64" && \
mv cosign-linux-amd64 /usr/local/bin/cosign && \
chmod +x /usr/local/bin/cosign

21
test/install/environments/Dockerfile-busybox-1.36 Normal file
View File

@ -0,0 +1,21 @@
FROM alpine as certs
RUN apk update && apk add ca-certificates
# note: using qemu with a multi-arch image results in redirects not working with wget
# so let docker pull the image that matches the hosts architecture first and then pull the correct asset
FROM busybox:1.36.1-musl
RUN ARCH=$(uname -m) && \
if [ "$ARCH" = "x86_64" ]; then \
COSIGN_ARCH="amd64"; \
elif [ "$ARCH" = "aarch64" ]; then \
COSIGN_ARCH="arm64"; \
else \
echo "Unsupported architecture: $ARCH" && exit 1; \
fi && \
echo "Downloading cosign for $COSIGN_ARCH" && \
wget https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-${COSIGN_ARCH} && \
mv cosign-linux-${COSIGN_ARCH} /bin/cosign && \
chmod +x /bin/cosign
COPY --from=certs /etc/ssl/certs /etc/ssl/certs

7
test/install/environments/Dockerfile-ubuntu-20.04
View File

@ -1,2 +1,5 @@
FROM ubuntu:20.04@sha256:33a5cc25d22c45900796a1aca487ad7a7cb09f09ea00b779e3b2026b4fc2faba FROM --platform=linux/amd64 ubuntu:20.04@sha256:33a5cc25d22c45900796a1aca487ad7a7cb09f09ea00b779e3b2026b4fc2faba
RUN apt update -y && apt install make python3 curl unzip jq -y RUN apt update -y && apt install make python3 curl unzip -y
RUN LATEST_VERSION=$(curl https://api.github.com/repos/sigstore/cosign/releases/latest | grep tag_name | cut -d : -f2 | tr -d "v\", ") && \
curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign_${LATEST_VERSION}_amd64.deb" && \
dpkg -i cosign_${LATEST_VERSION}_amd64.deb

1
test/install/test-fixtures/assets/invalid/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
!syft_1.5.0_linux_arm64.tar.gz

22
test/install/test-fixtures/assets/invalid/checksums.txt Normal file
View File

@ -0,0 +1,22 @@
f459ecbed6621933b4dee4a613a6bdca915631742083f77ab88752f3ae0c6a9d syft_1.5.0_darwin_amd64.sbom
605322e3e7043a4f2f3d6e37f75a71389d38f6f290bff2e54bb2aaebbbf4829b syft_1.5.0_darwin_amd64.tar.gz
2feb92f6a4d117a3eb0cc5d887ac4b8da9a959ca404986dbe76e81ac83569d76 syft_1.5.0_darwin_arm64.sbom
fe02d072e7ec9a8eb4ac866ba973396a8beae79829ee870acaadd4d862e5e65a syft_1.5.0_darwin_arm64.tar.gz
40562766f99db7221dac4c82c44ccae4d9983a6795a96127f4da955d6797c090 syft_1.5.0_linux_amd64.deb
9adc0c0a3bbbdb8ce66914ffde5e176373cf5ec70a2a88cc886dc6ec54db0cd2 syft_1.5.0_linux_amd64.rpm
9de7f1c549020a25df12f07dd58330e6f6dd0c5363cf0de1157eb4f01fc41020 syft_1.5.0_linux_amd64.sbom
3d10023d46dfaf0fe75288df207b478b43597f7d2fff553f58430817166bd478 syft_1.5.0_linux_amd64.tar.gz
b661dd1be48b75b735717f9bedc4beea587968af8bf2d8c2752a302ae0a34f89 syft_1.5.0_linux_arm64.deb
5c311f44cc73fcae58884f8ea3328fc120bdaf3d21f4fe40270a22c6bb981f6d syft_1.5.0_linux_arm64.rpm
a74549794fa5dac79ab9f6401ee7000db3bd9589435b302583c3ee4ca13fb8e3 syft_1.5.0_linux_arm64.sbom
ee2b1289a1e4b0de9409c3a78867949ca42788a5f50072b8a6e6e04e6a269f9c syft_1.5.0_linux_arm64.tar.gz
599e66f0a00ba8b5cc7817f774c66c5f23de32e6b935ca9c03a185e4d2554d80 syft_1.5.0_linux_ppc64le.deb
dc4b8c4a02ffd8dd394ab94695ed44ed2bfceb06bc239835c51e84dd9b84a68c syft_1.5.0_linux_ppc64le.rpm
392044f2951ca6522d0bc71de43763202a548d40bf836098caf286041a7c8fa4 syft_1.5.0_linux_ppc64le.sbom
551d98b67f7476bc2e38453a588177b0b038933850a351a94c4bf360813f01d0 syft_1.5.0_linux_ppc64le.tar.gz
98cd582d9484f428cccd7351031543038f26d4e3f1481c5916e08e65983f1e21 syft_1.5.0_linux_s390x.deb
3a5197d43a469feaa87c723448a47a2312cf26456eef4580b59eac447baef9d4 syft_1.5.0_linux_s390x.rpm
5805bfb3e30452c8860665ea88bfdf356e9536a35c1b8ba28ac5b4717f2e6388 syft_1.5.0_linux_s390x.sbom
ff15f556660cc4c4279ce41e2475bffe2a0f72eb4423c21edf7380b2484fbf68 syft_1.5.0_linux_s390x.tar.gz
6b22df07e992d8f4881901535c095d268f79924e10be34fab03dec2b4f9f9ca0 syft_1.5.0_windows_amd64.sbom
5079c6a88e130f8677d0701cb2689f9eae2088022ecf5fa2b9f341b96d9983d2 syft_1.5.0_windows_amd64.zip

1
test/install/test-fixtures/assets/invalid/syft_1.5.0_linux_arm64.tar.gz Normal file
View File

@ -0,0 +1 @@
fake archive

1
test/install/test-fixtures/assets/valid/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
!syft_1.5.0_linux_arm64.tar.gz

22
test/install/test-fixtures/assets/valid/checksums.txt Normal file
View File

@ -0,0 +1,22 @@
f459ecbed6621933b4dee4a613a6bdca915631742083f77ab88752f3ae0c6a9d syft_1.5.0_darwin_amd64.sbom
605322e3e7043a4f2f3d6e37f75a71389d38f6f290bff2e54bb2aaebbbf4829b syft_1.5.0_darwin_amd64.tar.gz
2feb92f6a4d117a3eb0cc5d887ac4b8da9a959ca404986dbe76e81ac83569d76 syft_1.5.0_darwin_arm64.sbom
fe02d072e7ec9a8eb4ac866ba973396a8beae79829ee870acaadd4d862e5e65a syft_1.5.0_darwin_arm64.tar.gz
40562766f99db7221dac4c82c44ccae4d9983a6795a96127f4da955d6797c090 syft_1.5.0_linux_amd64.deb
9adc0c0a3bbbdb8ce66914ffde5e176373cf5ec70a2a88cc886dc6ec54db0cd2 syft_1.5.0_linux_amd64.rpm
9de7f1c549020a25df12f07dd58330e6f6dd0c5363cf0de1157eb4f01fc41020 syft_1.5.0_linux_amd64.sbom
3d10023d46dfaf0fe75288df207b478b43597f7d2fff553f58430817166bd478 syft_1.5.0_linux_amd64.tar.gz
b661dd1be48b75b735717f9bedc4beea587968af8bf2d8c2752a302ae0a34f89 syft_1.5.0_linux_arm64.deb
5c311f44cc73fcae58884f8ea3328fc120bdaf3d21f4fe40270a22c6bb981f6d syft_1.5.0_linux_arm64.rpm
a74549794fa5dac79ab9f6401ee7000db3bd9589435b302583c3ee4ca13fb8e3 syft_1.5.0_linux_arm64.sbom
8d57abb57a0dae3ff23c8f0df1f51951b7772822e0d560e860d6f68c24ef6d3d syft_1.5.0_linux_arm64.tar.gz
599e66f0a00ba8b5cc7817f774c66c5f23de32e6b935ca9c03a185e4d2554d80 syft_1.5.0_linux_ppc64le.deb
dc4b8c4a02ffd8dd394ab94695ed44ed2bfceb06bc239835c51e84dd9b84a68c syft_1.5.0_linux_ppc64le.rpm
392044f2951ca6522d0bc71de43763202a548d40bf836098caf286041a7c8fa4 syft_1.5.0_linux_ppc64le.sbom
551d98b67f7476bc2e38453a588177b0b038933850a351a94c4bf360813f01d0 syft_1.5.0_linux_ppc64le.tar.gz
98cd582d9484f428cccd7351031543038f26d4e3f1481c5916e08e65983f1e21 syft_1.5.0_linux_s390x.deb
3a5197d43a469feaa87c723448a47a2312cf26456eef4580b59eac447baef9d4 syft_1.5.0_linux_s390x.rpm
5805bfb3e30452c8860665ea88bfdf356e9536a35c1b8ba28ac5b4717f2e6388 syft_1.5.0_linux_s390x.sbom
ff15f556660cc4c4279ce41e2475bffe2a0f72eb4423c21edf7380b2484fbf68 syft_1.5.0_linux_s390x.tar.gz
6b22df07e992d8f4881901535c095d268f79924e10be34fab03dec2b4f9f9ca0 syft_1.5.0_windows_amd64.sbom
5079c6a88e130f8677d0701cb2689f9eae2088022ecf5fa2b9f341b96d9983d2 syft_1.5.0_windows_amd64.zip

1
test/install/test-fixtures/assets/valid/syft_1.5.0_linux_arm64.tar.gz Normal file
View File

@ -0,0 +1 @@
fake archive