Skip to content
You're viewing an older version of this GitHub Action. Do you want to see the latest version instead?
play

GitHub Action

sigstore-conformance

v0.0.5

sigstore-conformance

play

sigstore-conformance

Conformance testing for Sigstore clients

Installation

Copy and paste the following snippet into your .yml file.

 
              
- name: sigstore-conformance

              
  uses: sigstore/[email protected]
Learn more about this action in sigstore/sigstore-conformance

Choose a version

sigstore-conformance

CI Self-test

sigstore-conformance is a conformance testing suite for Sigstore clients.

This suite provides a high-level view of client behaviour as a whole and sets out to answer questions such as:

  • Does the client fail when given a signing certificate that isn't signed by the Fulcio root CA during the signing workflow?
  • Does the client fail when given an invalid inclusion proof from Rekor during the verification workflow?
  • Does the client fail when given an invalid signed certificate timestamp as part of the Fulcio response in the signing workflow?
  • etc

An official Sigstore client specification is being worked on at the moment as part of the Sigstore Architecture Documentation. Once it's complete, sigstore-conformance aims to be able to test a client's adherence to the specification.

Some general testing principles for this suite are:

  • Tests should be "workflow" focused. This testing suite is not about fuzzing every possible input to the client CLI or achieving code coverage.
  • Tests should exercise the entire client end-to-end rather than individual subsystems in isolation. Tests should include all network interactions with Sigstore infrastructure such as Rekor, Fulcio, etc. These tests should run against Sigstore staging and production infrastructure as well as custom built mock services to test atypical scenarios.

Usage

Simply add sigstore/sigstore-conformance to one of your workflows:

jobs:
  conformance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: install
        run: python -m pip install .
      - uses: sigstore/[email protected]
        with:
          entrypoint: sigstore

The only required configuration is the entrypoint parameter which provides a command to invoke the client. sigstore-conformance expects that the client exposes a CLI that conforms to the protocol outlined here.

In the example above, the workflow is installing sigstore-python and providing sigstore as the entrypoint since this is the command used to invoke the client.

Licensing

sigstore-conformance is licensed under the Apache 2.0 License.

Code of Conduct

Everyone interacting with this project is expected to follow the sigstore Code of Conduct

Security

Should you discover any security issues, please refer to sigstore's security process.