sigstore · bobcallaway · Dec 9, 2022 · Nov 30, 2022 · Dec 4, 2022 · Dec 4, 2022
@@ -0,0 +1,121 @@
+//
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build e2e
+
+package minisign
+
+import (
+	"path/filepath"
+	"reflect"
+	"strings"
+	"testing"
+
+	"github.com/sigstore/rekor/pkg/util"
+)
+
+func TestMinisign(t *testing.T) {
+	// Create a keypair
+	keyPath := filepath.Join(t.TempDir(), "minisign.key")
+	pubPath := filepath.Join(t.TempDir(), "minisign.pub")
+
+	// Set an empty password, we have to hit enter twice to confirm
+	util.Run(t, "\n\n", "minisign", "-G", "-s", keyPath, "-p", pubPath)
+
+	// Create a random artifact and sign it.
+	artifactPath := filepath.Join(t.TempDir(), "artifact")
+	sigPath := filepath.Join(t.TempDir(), "signature.asc")
+	util.CreateArtifact(t, artifactPath)
+
+	// Send in one empty password over stdin
+	out := util.Run(t, "\n", "minisign", "-S", "-s", keyPath, "-m", artifactPath, "-x", sigPath)
+	t.Log(out)
+
+	// Now upload to the log!
+	out = util.RunCli(t, "upload", "--artifact", artifactPath, "--signature", sigPath,
+		"--public-key", pubPath, "--pki-format", "minisign")
+	util.OutputContains(t, out, "Created entry at")
+
+	uuidA := util.GetUUIDFromUploadOutput(t, out)
+
+	out = util.RunCli(t, "verify", "--artifact", artifactPath, "--signature", sigPath,
+		"--public-key", pubPath, "--pki-format", "minisign")
+	util.OutputContains(t, out, "Inclusion Proof")
+
+	out = util.RunCli(t, "search", "--public-key", pubPath, "--pki-format", "minisign")
+	util.OutputContains(t, out, uuidA)
+
+	// crease a second artifact and sign it
+	artifactPath_B := filepath.Join(t.TempDir(), "artifact2")
+	util.CreateArtifact(t, artifactPath_B)
+	out = util.Run(t, "\n", "minisign", "-S", "-s", keyPath, "-m", artifactPath_B, "-x", sigPath)
+	// Now upload to the log!
+	out = util.RunCli(t, "upload", "--artifact", artifactPath_B, "--signature", sigPath,
+		"--public-key", pubPath, "--pki-format", "minisign")
+	util.OutputContains(t, out, "Created entry at")
+	uuidB := util.GetUUIDFromUploadOutput(t, out)
+
+	tests := []struct {
+		name               string
+		expectedUuidACount int
+		expectedUuidBCount int
+		artifact           string
+		operator           string
+	}{
+		{
+			name:               "artifact A AND signature should return artifact A",
+			expectedUuidACount: 1,
+			expectedUuidBCount: 0,
+			artifact:           artifactPath,
+			operator:           "and",
+		},
+		{
+			name:               "artifact A OR signature should return artifact A and B",
+			expectedUuidACount: 1,
+			expectedUuidBCount: 1,
+			artifact:           artifactPath,
+			operator:           "or",
+		},
+		{
+			name:               "artifact B AND signature should return artifact B",
+			expectedUuidACount: 0,
+			expectedUuidBCount: 1,
+			artifact:           artifactPath_B,
+			operator:           "and",
+		},
+		{
+			name:               "artifact B OR signature should return artifact A and B",
+			expectedUuidACount: 1,
+			expectedUuidBCount: 1,
+			artifact:           artifactPath_B,
+			operator:           "or",
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			out = util.RunCli(t, "search", "--public-key", pubPath, "--pki-format", "minisign",
+				"--operator", test.operator, "--artifact", test.artifact)
+
+			expected := map[string]int{uuidA: test.expectedUuidACount, uuidB: test.expectedUuidBCount}
+			actual := map[string]int{
+				uuidA: strings.Count(out, uuidA),
+				uuidB: strings.Count(out, uuidB),
+			}
+			if !reflect.DeepEqual(expected, actual) {
+				t.Errorf("expected to find %v, found %v", expected, actual)
+			}
+		})
+	}
+}
@@ -0,0 +1,64 @@
+//
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build e2e
+
+package ssh
+
+import (
+	"github.com/sigstore/rekor/pkg/util"
+	"io/ioutil"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+func TestSSH(t *testing.T) {
+	td := t.TempDir()
+	// Create a keypair
+	keyPath := filepath.Join(td, "id_rsa")
+	pubPath := filepath.Join(td, "id_rsa.pub")
+
+	if err := ioutil.WriteFile(pubPath, []byte(publicKey), 0600); err != nil {
+		t.Fatal(err)
+	}
+	if err := ioutil.WriteFile(keyPath, []byte(privateKey), 0600); err != nil {
+		t.Fatal(err)
+	}
+
+	// Create a random artifact and sign it.
+	artifactPath := filepath.Join(td, "artifact")
+	sigPath := filepath.Join(td, "signature.sig")
+	artifact := util.CreateArtifact(t, artifactPath)
+
+	sig := SSHSign(t, strings.NewReader(artifact))
+	if err := ioutil.WriteFile(sigPath, []byte(sig), 0600); err != nil {
+		t.Fatal(err)
+	}
+
+	// Now upload to the log!
+	out := util.RunCli(t, "upload", "--artifact", artifactPath, "--signature", sigPath,
+		"--public-key", pubPath, "--pki-format", "ssh")
+	util.OutputContains(t, out, "Created entry at")
+
+	uuid := util.GetUUIDFromUploadOutput(t, out)
+
+	out = util.RunCli(t, "verify", "--artifact", artifactPath, "--signature", sigPath,
+		"--public-key", pubPath, "--pki-format", "ssh")
+	util.OutputContains(t, out, "Inclusion Proof")
+
+	out = util.RunCli(t, "search", "--public-key", pubPath, "--pki-format", "ssh")
+	util.OutputContains(t, out, uuid)
+}
@@ -14,22 +14,19 @@
 // limitations under the License.
 
 //go:build e2e
-// +build e2e
 
-package e2e
+package ssh
 
 import (
 	"bytes"
 	"io"
 	"io/ioutil"
 	"testing"
-
-	"github.com/sigstore/rekor/pkg/pki/ssh"
 )
 
 var (
 	// Generated with "ssh-keygen -C test@rekor.dev -f id_rsa"
-	sshPrivateKey = `-----BEGIN OPENSSH PRIVATE KEY-----
+	privateKey = `-----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
 NhAAAAAwEAAQAAAYEA16H5ImoRO7mr41r8Z8JFBdu6jIM+6XU8M0r9F81RuhLYqzr9zw1n
 LeGCqFxPXNBKm8ZyH2BCsBHsbXbwe85IMHM3SUh8X/9fI0Lpi5/xbqAproFUpNR+UJYv6s
@@ -68,7 +65,7 @@ lL4qHtXBEzaT8okkcGZBHdSx3gk4TzCsEDOP7ZZPLq42lpKMK10zFPTMd0maXtJDYKU/b4
 gAATvvPoylyYUAAAAOdGVzdEByZWtvci5kZXYBAgMEBQ==
 -----END OPENSSH PRIVATE KEY-----
 `
-	sshPublicKey = `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXofkiahE7uavjWvxnwkUF27qMgz7pdTwzSv0XzVG6EtirOv3PDWct4YKoXE9c0EqbxnIfYEKwEextdvB7zkgwczdJSHxf/18jQumLn/FuoCmugVSk1H5Qli/qzwBpaTnOk3WuakGuoYUl8ZAokKKgOKLA0aZJ1WRQ2ZCZggA3EkwNZiY17y9Q6HqdgQcH6XN8aAMADNVJdMAJb33hSRJjjsAPTmzBTishP8lYDoGRSsSE7/8XRBCEV5E4I8mI9GElcZwV/1KJx98mpH8QvMzXM1idFcwPRtt1NTAOshwgUU0Fu1x8lU5RQIa6ZKW36qNQLvLxy/BscC7B/mdLptoDs/ot9NimUXZcgCR1a2Q3o7Wi6jIgcgJcyV10Nba81ol4RdN4qPHnVZIzuo+dBkqwG3CMtB4Rj84+Qi+7zyU01hIPreoxQDXaayiGPBUUIiAlW9gsiuRWJzNnu3cvuWDLVfQIkjh7Wug58z+v2NOJ7IMdyERillhzDcvVHaq14+U= test@rekor.dev
+	publicKey = `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXofkiahE7uavjWvxnwkUF27qMgz7pdTwzSv0XzVG6EtirOv3PDWct4YKoXE9c0EqbxnIfYEKwEextdvB7zkgwczdJSHxf/18jQumLn/FuoCmugVSk1H5Qli/qzwBpaTnOk3WuakGuoYUl8ZAokKKgOKLA0aZJ1WRQ2ZCZggA3EkwNZiY17y9Q6HqdgQcH6XN8aAMADNVJdMAJb33hSRJjjsAPTmzBTishP8lYDoGRSsSE7/8XRBCEV5E4I8mI9GElcZwV/1KJx98mpH8QvMzXM1idFcwPRtt1NTAOshwgUU0Fu1x8lU5RQIa6ZKW36qNQLvLxy/BscC7B/mdLptoDs/ot9NimUXZcgCR1a2Q3o7Wi6jIgcgJcyV10Nba81ol4RdN4qPHnVZIzuo+dBkqwG3CMtB4Rj84+Qi+7zyU01hIPreoxQDXaayiGPBUUIiAlW9gsiuRWJzNnu3cvuWDLVfQIkjh7Wug58z+v2NOJ7IMdyERillhzDcvVHaq14+U= test@rekor.dev
 `
 )
 
@@ -78,7 +75,7 @@ func SSHSign(t *testing.T, m io.Reader) []byte {
 	if err != nil {
 		t.Fatal(err)
 	}
-	sig, err := ssh.Sign(sshPrivateKey, bytes.NewReader(data))
+	sig, err := Sign(privateKey, bytes.NewReader(data))
 	if err != nil {
 		t.Fatal(err)
 	}

@@ -37,7 +37,6 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
-	"reflect"
 	"regexp"
 	"strconv"
 	"strings"
@@ -238,138 +237,6 @@ func TestSearchNoEntriesRC1(t *testing.T) {
 	runCliErr(t, "search", "--email", "noone@internetz.com")
 }
 
-func TestMinisign(t *testing.T) {
-	// Create a keypair
-	keyPath := filepath.Join(t.TempDir(), "minisign.key")
-	pubPath := filepath.Join(t.TempDir(), "minisign.pub")
-
-	// Set an empty password, we have to hit enter twice to confirm
-	run(t, "\n\n", "minisign", "-G", "-s", keyPath, "-p", pubPath)
-
-	// Create a random artifact and sign it.
-	artifactPath := filepath.Join(t.TempDir(), "artifact")
-	sigPath := filepath.Join(t.TempDir(), "signature.asc")
-	createArtifact(t, artifactPath)
-
-	// Send in one empty password over stdin
-	out := run(t, "\n", "minisign", "-S", "-s", keyPath, "-m", artifactPath, "-x", sigPath)
-	t.Log(out)
-
-	// Now upload to the log!
-	out = runCli(t, "upload", "--artifact", artifactPath, "--signature", sigPath,
-		"--public-key", pubPath, "--pki-format", "minisign")
-	outputContains(t, out, "Created entry at")
-
-	uuidA := getUUIDFromUploadOutput(t, out)
-
-	out = runCli(t, "verify", "--artifact", artifactPath, "--signature", sigPath,
-		"--public-key", pubPath, "--pki-format", "minisign")
-	outputContains(t, out, "Inclusion Proof")
-
-	out = runCli(t, "search", "--public-key", pubPath, "--pki-format", "minisign")
-	outputContains(t, out, uuidA)
-
-	// crease a second artifact and sign it
-	artifactPath_B := filepath.Join(t.TempDir(), "artifact2")
-	createArtifact(t, artifactPath_B)
-	out = run(t, "\n", "minisign", "-S", "-s", keyPath, "-m", artifactPath_B, "-x", sigPath)
-	// Now upload to the log!
-	out = runCli(t, "upload", "--artifact", artifactPath_B, "--signature", sigPath,
-		"--public-key", pubPath, "--pki-format", "minisign")
-	outputContains(t, out, "Created entry at")
-	uuidB := getUUIDFromUploadOutput(t, out)
-
-	tests := []struct {
-		name               string
-		expectedUuidACount int
-		expectedUuidBCount int
-		artifact           string
-		operator           string
-	}{
-		{
-			name:               "artifact A AND signature should return artifact A",
-			expectedUuidACount: 1,
-			expectedUuidBCount: 0,
-			artifact:           artifactPath,
-			operator:           "and",
-		},
-		{
-			name:               "artifact A OR signature should return artifact A and B",
-			expectedUuidACount: 1,
-			expectedUuidBCount: 1,
-			artifact:           artifactPath,
-			operator:           "or",
-		},
-		{
-			name:               "artifact B AND signature should return artifact B",
-			expectedUuidACount: 0,
-			expectedUuidBCount: 1,
-			artifact:           artifactPath_B,
-			operator:           "and",
-		},
-		{
-			name:               "artifact B OR signature should return artifact A and B",
-			expectedUuidACount: 1,
-			expectedUuidBCount: 1,
-			artifact:           artifactPath_B,
-			operator:           "or",
-		},
-	}
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			out = runCli(t, "search", "--public-key", pubPath, "--pki-format", "minisign",
-				"--operator", test.operator, "--artifact", test.artifact)
-
-			expected := map[string]int{uuidA: test.expectedUuidACount, uuidB: test.expectedUuidBCount}
-			actual := map[string]int{
-				uuidA: strings.Count(out, uuidA),
-				uuidB: strings.Count(out, uuidB),
-			}
-			if !reflect.DeepEqual(expected, actual) {
-				t.Errorf("expected to find %v, found %v", expected, actual)
-			}
-		})
-	}
-}
-
-func TestSSH(t *testing.T) {
-	td := t.TempDir()
-	// Create a keypair
-	keyPath := filepath.Join(td, "id_rsa")
-	pubPath := filepath.Join(td, "id_rsa.pub")
-
-	if err := ioutil.WriteFile(pubPath, []byte(sshPublicKey), 0600); err != nil {
-		t.Fatal(err)
-	}
-	if err := ioutil.WriteFile(keyPath, []byte(sshPrivateKey), 0600); err != nil {
-		t.Fatal(err)
-	}
-
-	// Create a random artifact and sign it.
-	artifactPath := filepath.Join(td, "artifact")
-	sigPath := filepath.Join(td, "signature.sig")
-	artifact := createArtifact(t, artifactPath)
-
-	sig := SSHSign(t, strings.NewReader(artifact))
-	if err := ioutil.WriteFile(sigPath, []byte(sig), 0600); err != nil {
-		t.Fatal(err)
-	}
-
-	// Now upload to the log!
-	out := runCli(t, "upload", "--artifact", artifactPath, "--signature", sigPath,
-		"--public-key", pubPath, "--pki-format", "ssh")
-	outputContains(t, out, "Created entry at")
-
-	uuid := getUUIDFromUploadOutput(t, out)
-
-	out = runCli(t, "verify", "--artifact", artifactPath, "--signature", sigPath,
-		"--public-key", pubPath, "--pki-format", "ssh")
-	outputContains(t, out, "Inclusion Proof")
-
-	out = runCli(t, "search", "--public-key", pubPath, "--pki-format", "ssh")
-	outputContains(t, out, uuid)
-}
-
 func TestIntoto(t *testing.T) {
 	td := t.TempDir()
 	attestationPath := filepath.Join(td, "attestation.json")