The libgit2 libraries are downloaded and verified before

Paulo Gomes · Paulo Gomes · commit 6c06f4e222a9 · 2022-09-29T07:01:36.000+01:00
some of the make targets are executed. This assures the provenance of such files before using them and is very important specially for end users running such tests on their machines. Note that has been disabled specially due to recent issues we experienced at CI which can be seen in: #899 Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
diff --git a/.github/workflows/cifuzz.yaml b/.github/workflows/cifuzz.yaml
@@ -33,3 +33,5 @@ jobs:
           ${{ runner.os }}-go
     - name: Smoke test Fuzzers
       run: make fuzz-smoketest
+      env:
+        SKIP_COSIGN_VERIFICATION: true
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -47,6 +47,7 @@ jobs:
         uses: fluxcd/pkg/actions/helm@main
       - name: Run E2E tests
         env:
+          SKIP_COSIGN_VERIFICATION: true
           CREATE_CLUSTER: false
         run: make e2e
 
@@ -76,6 +77,7 @@ jobs:
           kind create cluster --name ${{ steps.prep.outputs.CLUSTER }} --kubeconfig=/tmp/${{ steps.prep.outputs.CLUSTER }}
       - name: Run e2e tests
         env:
+          SKIP_COSIGN_VERIFICATION: true
           KIND_CLUSTER_NAME: ${{ steps.prep.outputs.CLUSTER }}
           KUBECONFIG: /tmp/${{ steps.prep.outputs.CLUSTER }}
           CREATE_CLUSTER: false
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -34,6 +34,7 @@ jobs:
             ${{ runner.os }}-go-
       - name: Run tests
         env:
+          SKIP_COSIGN_VERIFICATION: true
           TEST_AZURE_ACCOUNT_NAME: ${{ secrets.TEST_AZURE_ACCOUNT_NAME }}
           TEST_AZURE_ACCOUNT_KEY: ${{ secrets.TEST_AZURE_ACCOUNT_KEY }}
         run: make test
@@ -51,6 +52,8 @@ jobs:
           go-version: 1.19.x
       - name: Run tests
         env:
+          SKIP_COSIGN_VERIFICATION: true
+
           TEST_AZURE_ACCOUNT_NAME: ${{ secrets.TEST_AZURE_ACCOUNT_NAME }}
           TEST_AZURE_ACCOUNT_KEY: ${{ secrets.TEST_AZURE_ACCOUNT_KEY }}
           
@@ -87,3 +90,5 @@ jobs:
             ${{ runner.os }}-go-
       - name: Run tests
         run: make test
+        env:
+          SKIP_COSIGN_VERIFICATION: true
diff --git a/Makefile b/Makefile
@@ -12,6 +12,9 @@ GO_TEST_ARGS ?= -race
 # Allows for filtering tests based on the specified prefix
 GO_TEST_PREFIX ?=
 
+# Defines whether cosign verification should be skipped.
+SKIP_COSIGN_VERIFICATION ?= false
+
 # Allows for defining additional Docker buildx arguments,
 # e.g. '--push'.
 BUILD_ARGS ?=
diff --git a/hack/install-libraries.sh b/hack/install-libraries.sh
@@ -6,6 +6,7 @@ IMG="${IMG:-}"
 TAG="${TAG:-}"
 IMG_TAG="${IMG}:${TAG}"
 DOWNLOAD_URL="https://github.com/fluxcd/golang-with-libgit2/releases/download/${TAG}"
+SKIP_COSIGN_VERIFICATION="${SKIP_COSIGN_VERIFICATION:-false}"
 
 TMP_DIR=$(mktemp -d)
 
@@ -48,9 +49,13 @@ cosign_verify(){
 assure_provenance() {
     [[ $# -eq 1 ]] || fatal 'assure_provenance needs exactly 1 arguments'
 
-    cosign_verify "${TMP_DIR}/checksums.txt.pem" \
-                  "${TMP_DIR}/checksums.txt.sig" \
-                  "${TMP_DIR}/checksums.txt"
+    if "${SKIP_COSIGN_VERIFICATION}"; then
+        echo 'Skipping cosign verification...'
+    else
+        cosign_verify "${TMP_DIR}/checksums.txt.pem" \
+                    "${TMP_DIR}/checksums.txt.sig" \
+                    "${TMP_DIR}/checksums.txt"
+    fi
 
     pushd "${TMP_DIR}" || exit
     if command -v sha256sum; then
