From 9bc847e656b4f1339ad5d71b8f1bd9733c89de49 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= Date: Thu, 4 May 2017 23:38:19 +0200 Subject: [PATCH] Use a schema2 server in TestCopySignatures TestCopySignatures, among other things, tests handling of a correctly signed image to a different name without breaking the signature, which will be impossible with schema1 after we start updating the names embedded in the schema1 manifest. So, use the schema2 server binary, and docker://busybox image versions which use schema2. --- integration/copy_test.go | 34 ++++++++++++++++---------------- integration/fixtures/policy.json | 14 ++++++------- 2 files changed, 24 insertions(+), 24 deletions(-) diff --git a/integration/copy_test.go b/integration/copy_test.go index a55551d0..f7b6d0eb 100644 --- a/integration/copy_test.go +++ b/integration/copy_test.go 
@@ -274,34 +274,34 @@ func (s *CopySuite) TestCopySignatures(c *check.C) {
 // type: signedBy
 // Sign the images
- assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--sign-by", "personal@example.com", "docker://busybox:1.23", "atomic:localhost:5000/myns/personal:personal")
- assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--sign-by", "official@example.com", "docker://busybox:1.23.2", "atomic:localhost:5000/myns/official:official")
+ assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--sign-by", "personal@example.com", "docker://busybox:1.26", "atomic:localhost:5006/myns/personal:personal")
+ assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--sign-by", "official@example.com", "docker://busybox:1.26.1", "atomic:localhost:5006/myns/official:official")
 // Verify that we can pull them
- assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/personal:personal", dirDest)
- assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/official:official", dirDest)
+ assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/personal:personal", dirDest)
+ assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/official:official", dirDest)
 // Verify that mis-signed images are rejected
- assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/personal:personal", "atomic:localhost:5000/myns/official:attack")
- assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/official:official", "atomic:localhost:5000/myns/personal:attack")
+ assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/personal:personal", "atomic:localhost:5006/myns/official:attack")
+ assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/personal:attack")
 assertSkopeoFails(c, ".*Source image rejected: Invalid GPG signature.*",
- "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/personal:attack", dirDest)
+ "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/personal:attack", dirDest)
 assertSkopeoFails(c, ".*Source image rejected: Invalid GPG signature.*",
- "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/official:attack", dirDest)
+ "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/official:attack", dirDest)
 // Verify that signed identity is verified.
- assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/official:official", "atomic:localhost:5000/myns/naming:test1")
- assertSkopeoFails(c, ".*Source image rejected: Signature for identity localhost:5000/myns/official:official is not accepted.*",
- "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/naming:test1", dirDest)
+ assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/naming:test1")
+ assertSkopeoFails(c, ".*Source image rejected: Signature for identity localhost:5006/myns/official:official is not accepted.*",
+ "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/naming:test1", dirDest)
 // signedIdentity works
- assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/official:official", "atomic:localhost:5000/myns/naming:naming")
- assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/naming:naming", dirDest)
+ assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/naming:naming")
+ assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/naming:naming", dirDest)
 // Verify that cosigning requirements are enforced
- assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5000/myns/official:official", "atomic:localhost:5000/myns/cosigned:cosigned")
+ assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/cosigned:cosigned")
 assertSkopeoFails(c, ".*Source image rejected: Invalid GPG signature.*",
- "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/cosigned:cosigned", dirDest)
+ "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/cosigned:cosigned", dirDest)
- assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--sign-by", "personal@example.com", "atomic:localhost:5000/myns/official:official", "atomic:localhost:5000/myns/cosigned:cosigned")
- assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5000/myns/cosigned:cosigned", dirDest)
+ assertSkopeoSucceeds(c, "", "--tls-verify=false", "copy", "--sign-by", "personal@example.com", "atomic:localhost:5006/myns/official:official", "atomic:localhost:5006/myns/cosigned:cosigned")
+ assertSkopeoSucceeds(c, "", "--tls-verify=false", "--policy", policy, "copy", "atomic:localhost:5006/myns/cosigned:cosigned", dirDest)
 }
 // --policy copy for dir: sources
diff --git a/integration/fixtures/policy.json b/integration/fixtures/policy.json
index eb68d7f2..2ba1c2a2 100644
--- a/integration/fixtures/policy.json
+++ b/integration/fixtures/policy.json
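Review bot: The literal `localhost:5006` is repeated on every new line of this block, and nothing in the hunk records that it is the schema2 registry (as the commit message implies) or that each name has to match an `atomic` scope in `integration/fixtures/policy.json` exactly. Policy scopes are matched by name, so if one side drifted, a positive check such as the copies under "Verify that we can pull them" would be evaluated against whatever default requirement the fixture has (not visible in this patch) and could pass without the intended key being checked. I would add a comment above "Sign the images", `// localhost:5006 is the schema2 registry; these names must match the "atomic" scopes in fixtures/policy.json`, or hoist the address into a named constant used by every call. TestCopySignatures starts before this hunk, so the setup that builds `policy` and `dirDest` is not visible here.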
@@ -45,46 +45,46 @@
 ]
 },
 "atomic": {
- "localhost:5000/myns/personal": [
+ "localhost:5006/myns/personal": [
 {
 "type": "signedBy",
 "keyType": "GPGKeys",
 "keyPath": "@keydir@/personal-pubkey.gpg"
 }
 ],
- "localhost:5000/myns/official": [
+ "localhost:5006/myns/official": [
 {
 "type": "signedBy",
 "keyType": "GPGKeys",
 "keyPath": "@keydir@/official-pubkey.gpg"
 }
 ],
- "localhost:5000/myns/naming:test1": [
+ "localhost:5006/myns/naming:test1": [
 {
 "type": "signedBy",
 "keyType": "GPGKeys",
 "keyPath": "@keydir@/official-pubkey.gpg"
 }
 ],
- "localhost:5000/myns/naming:naming": [
+ "localhost:5006/myns/naming:naming": [
 {
 "type": "signedBy",
 "keyType": "GPGKeys",
 "keyPath": "@keydir@/official-pubkey.gpg",
 "signedIdentity": {
 "type": "exactRepository",
- "dockerRepository": "localhost:5000/myns/official"
+ "dockerRepository": "localhost:5006/myns/official"
 }
 }
 ],
- "localhost:5000/myns/cosigned:cosigned": [
+ "localhost:5006/myns/cosigned:cosigned": [
 {
 "type": "signedBy",
 "keyType": "GPGKeys",
 "keyPath": "@keydir@/official-pubkey.gpg",
 "signedIdentity": {
 "type": "exactRepository",
- "dockerRepository": "localhost:5000/myns/official"
+ "dockerRepository": "localhost:5006/myns/official"
 }
 },
 {