ci: add sigstore e2e test suite

.github/workflows/e2e.yaml

@@ -33,3 +33,34 @@ jobs:
         continue-on-error: true
         run: |
           kubectl -n source-system logs -l app=source-controller
+
+  sigstore-linux-amd64:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Test suite setup
+        uses: fluxcd/gha-workflows/.github/actions/setup-kubernetes@v0.12.0
+        with:
+          go-version: 1.26.x
+          cluster-name: sigstore-test
+          kind-config: hack/sigstore-test/kind-cluster.yaml
+      - name: Setup cosign
+        uses: sigstore/cosign-installer@v3
+      - name: Setup Flux CLI
+        uses: fluxcd/flux2/action@v2.8.8
+      - name: Start registries
+        run: make -C hack/sigstore-test registries
+      - name: Install sigstore stack
+        run: make -C hack/sigstore-test sigstore
+      - name: Install timestamp authority
+        run: make -C hack/sigstore-test tsa
+      - name: Build and deploy source-controller
+        run: BUILD_PLATFORM=linux/amd64 make -C hack/sigstore-test build
+      - name: Run sigstore verification tests
+        run: make -C hack/sigstore-test test
+      - name: Print controller logs
+        if: always()
+        continue-on-error: true
+        run: |
+          kubectl -n source-system logs deploy/source-controller

api/v1/ociverification_types.go

@@ -40,9 +40,14 @@ type OCIRepositoryVerification struct {
 	MatchOIDCIdentity []OIDCIdentityMatch `json:"matchOIDCIdentity,omitempty"`
 
 	// TrustedRootSecretRef specifies the Kubernetes Secret containing a
-	// Sigstore trusted_root.json file. This enables verification against
-	// self-hosted Sigstore infrastructure (custom Fulcio CA, self-hosted
-	// Rekor instance). The Secret must contain a key named "trusted_root.json".
+	// Sigstore trusted_root.json file. This enables verification against custom
+	// Sigstore trust material, including private Fulcio CAs, Rekor logs, CT
+	// logs and TSAs. The Secret must contain a key named "trusted_root.json".
+	// Verification policy is auto-detected from the trusted root contents:
+	// Rekor entries require tlog inclusion proofs, TSA entries require signed
+	// timestamps, and CT log entries require SCT verification for keyless
+	// signatures. Keyless verification requires Fulcio and at least one of
+	// Rekor or TSA material.
 	// +optional
 	TrustedRootSecretRef *meta.LocalObjectReference `json:"trustedRootSecretRef,omitempty"`
 }

config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml

@@ -187,9 +187,14 @@ spec:
                   trustedRootSecretRef:
                     description: |-
                       TrustedRootSecretRef specifies the Kubernetes Secret containing a
-                      Sigstore trusted_root.json file. This enables verification against
-                      self-hosted Sigstore infrastructure (custom Fulcio CA, self-hosted
-                      Rekor instance). The Secret must contain a key named "trusted_root.json".
+                      Sigstore trusted_root.json file. This enables verification against custom
+                      Sigstore trust material, including private Fulcio CAs, Rekor logs, CT
+                      logs and TSAs. The Secret must contain a key named "trusted_root.json".
+                      Verification policy is auto-detected from the trusted root contents:
+                      Rekor entries require tlog inclusion proofs, TSA entries require signed
+                      timestamps, and CT log entries require SCT verification for keyless
+                      signatures. Keyless verification requires Fulcio and at least one of
+                      Rekor or TSA material.
                     properties:
                       name:
                         description: Name of the referent.

config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml

@@ -249,9 +249,14 @@ spec:
                   trustedRootSecretRef:
                     description: |-
                       TrustedRootSecretRef specifies the Kubernetes Secret containing a
-                      Sigstore trusted_root.json file. This enables verification against
-                      self-hosted Sigstore infrastructure (custom Fulcio CA, self-hosted
-                      Rekor instance). The Secret must contain a key named "trusted_root.json".
+                      Sigstore trusted_root.json file. This enables verification against custom
+                      Sigstore trust material, including private Fulcio CAs, Rekor logs, CT
+                      logs and TSAs. The Secret must contain a key named "trusted_root.json".
+                      Verification policy is auto-detected from the trusted root contents:
+                      Rekor entries require tlog inclusion proofs, TSA entries require signed
+                      timestamps, and CT log entries require SCT verification for keyless
+                      signatures. Keyless verification requires Fulcio and at least one of
+                      Rekor or TSA material.
                     properties:
                       name:
                         description: Name of the referent.

docs/api/v1/source.md

@@ -3673,9 +3673,14 @@ github.com/fluxcd/pkg/apis/meta.LocalObjectReference
 <td>
 <em>(Optional)</em>
 <p>TrustedRootSecretRef specifies the Kubernetes Secret containing a
-Sigstore trusted_root.json file. This enables verification against
-self-hosted Sigstore infrastructure (custom Fulcio CA, self-hosted
-Rekor instance). The Secret must contain a key named &ldquo;trusted_root.json&rdquo;.</p>
+Sigstore trusted_root.json file. This enables verification against custom
+Sigstore trust material, including private Fulcio CAs, Rekor logs, CT
+logs and TSAs. The Secret must contain a key named &ldquo;trusted_root.json&rdquo;.
+Verification policy is auto-detected from the trusted root contents:
+Rekor entries require tlog inclusion proofs, TSA entries require signed
+timestamps, and CT log entries require SCT verification for keyless
+signatures. Keyless verification requires Fulcio and at least one of
+Rekor or TSA material.</p>
 </td>
 </tr>
 </tbody>

docs/spec/v1/ocirepositories.md

@@ -644,16 +644,37 @@ spec:
 By default, the controller verifies the signatures using the Fulcio root CA and
 the Rekor instance hosted at [rekor.sigstore.dev](https://rekor.sigstore.dev/).
 
-##### Custom Sigstore infrastructure (self-hosted Rekor / Fulcio)
+##### Custom Sigstore infrastructure
 
-To verify artifacts signed with a self-hosted Sigstore deployment, provide a
-Sigstore `trusted_root.json` via the `.spec.verify.trustedRootSecretRef` field.
-The trusted root bundles the Fulcio root CA chain, Rekor public key and URL,
-CT log keys, and optionally TSA certificates. The Rekor URL is extracted
-automatically from the `baseUrl` field in the transparency log entries.
+To verify artifacts signed with private or self-hosted Sigstore components,
+provide a Sigstore `trusted_root.json` via the
+`.spec.verify.trustedRootSecretRef` field. The trusted root can contain Fulcio
+root CA chains, Rekor transparency logs, CT logs and timestamping authorities
+(TSAs). The Secret must contain a key named `trusted_root.json`.
 
 The `trusted_root.json` file follows the
 [Sigstore trusted root format](https://github.com/sigstore/protobuf-specs).
+Its Fulcio CAs, Rekor logs, CT logs and TSAs are sets of trust material. A
+trusted root can include multiple entries of each type, for example during log
+or CA rotation.
+
+The controller auto-detects verification policy from the trusted root contents:
+
+| Trusted root contents | Verification behavior |
+| --- | --- |
+| Rekor transparency logs | Rekor inclusion proof is required. Bundled signatures are verified against the Rekor log IDs and public keys in the trusted root. For legacy online lookup, all non-empty Rekor `baseUrl` values are tried deterministically. |
+| No Rekor transparency logs | Rekor inclusion proof verification is skipped. |
+| Timestamping authorities | RFC3161 signed timestamps are required. Existing signatures without a valid timestamp from one of the trusted TSAs will fail verification. |
+| No timestamping authorities | Signed timestamps are not required. |
+| CT logs | Keyless signatures require an embedded SCT that verifies against one of the trusted CT logs. CT logs are ignored for public-key signatures. |
+| No CT logs | SCT verification is skipped. |
+
+For keyless verification, the trusted root must contain Fulcio and at least one
+durable time source, either Rekor or TSA. This prevents accepting a keyless
+signature with only an identity certificate and no transparency log inclusion or
+trusted timestamp. For public-key signatures, Fulcio and CT log material are not
+used, but Rekor and TSA material can be used to require tlog inclusion and
+signed timestamps in addition to the public-key check.
 
 Generate the file using `cosign trusted-root create`:
 
@@ -665,7 +686,11 @@ cosign trusted-root create \
   --out trusted_root.json
 ```
 
-The `--tsa` flag can also be used if a custom timestamp authority is deployed:
+The `--rekor`, `--fulcio`, `--ctfe`, and `--tsa` flags may be repeated when the
+trusted root needs to contain multiple instances. Include older trust material
+while existing signed artifacts depend on it.
+
+The `--tsa` flag can be used when a custom timestamp authority is deployed:
 
 ```sh
 cosign trusted-root create \

hack/ci/e2e.sh

@@ -5,7 +5,8 @@ set -eoux pipefail
 CREATE_CLUSTER="${CREATE_CLUSTER:-true}"
 KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-kind}"
 LOAD_IMG_INTO_KIND="${LOAD_IMG_INTO_KIND:-true}"
-BUILD_PLATFORM="${BUILD_PLATFORM:-linux/amd64}"
+ARCH=$(uname -m | sed 's/aarch64/arm64/;s/x86_64/amd64/')
+BUILD_PLATFORM="${BUILD_PLATFORM:-linux/${ARCH}}"
 
 IMG=test/source-controller
 TAG=latest

hack/sigstore-test/.gitignore

@@ -0,0 +1,2 @@
+keys/
+pki/

hack/sigstore-test/Makefile

@@ -0,0 +1,52 @@
+# Sigstore test harness
+# Usage:
+#   make -f hack/sigstore-test/Makefile up           # create cluster + registry
+#   make -f hack/sigstore-test/Makefile sigstore      # install sigstore stack
+#   make -f hack/sigstore-test/Makefile build         # build and load source-controller
+#   make -f hack/sigstore-test/Makefile cosign        # fetch cosign v2 and v3 binaries
+#   make -f hack/sigstore-test/Makefile test          # run signing/verification tests
+#   make -f hack/sigstore-test/Makefile all           # do everything
+#   make -f hack/sigstore-test/Makefile down          # tear down
+#
+# kind-cluster.yaml is committed with the default cluster name
+# (sigstore-test) and registry ports (5555, 5557). To target a different
+# cluster name or ports, render an override out-of-tree first:
+#
+#   make -f hack/sigstore-test/Makefile kind-config \
+#       CLUSTER_NAME=foo KIND_CONFIG_PATH=/tmp/foo.yaml
+#   KIND_CONFIG_PATH=/tmp/foo.yaml make -f hack/sigstore-test/Makefile up
+
+SCRIPT_DIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
+
+.PHONY: all kind-config up registries sigstore tsa down build cosign test
+
+all: up registries sigstore tsa cosign build test
+
+# Optional: re-render kind-cluster.yaml from the template. Only needed when
+# overriding CLUSTER_NAME / REG_LOCALHOST_PORT / REG2_LOCALHOST_PORT.
+kind-config:
+	bash $(SCRIPT_DIR)/render-kind-config.sh
+
+up:
+	bash $(SCRIPT_DIR)/kind-up.sh
+
+registries:
+	bash $(SCRIPT_DIR)/registries-up.sh
+
+sigstore:
+	bash $(SCRIPT_DIR)/setup-sigstore.sh
+
+tsa:
+	bash $(SCRIPT_DIR)/setup-tsa.sh
+
+down:
+	bash $(SCRIPT_DIR)/kind-down.sh
+
+build:
+	bash $(SCRIPT_DIR)/build-and-load.sh
+
+cosign:
+	bash $(SCRIPT_DIR)/fetch-cosign.sh
+
+test:
+	bash $(SCRIPT_DIR)/test-signing.sh

hack/sigstore-test/build-and-load.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+# Build source-controller and load it into the kind cluster.
+set -euo pipefail
+
+CLUSTER_NAME="${CLUSTER_NAME:-sigstore-test}"
+IMG="${IMG:-test/source-controller}"
+TAG="${TAG:-latest}"
+ARCH=$(uname -m | sed 's/aarch64/arm64/;s/x86_64/amd64/')
+BUILD_PLATFORM="${BUILD_PLATFORM:-linux/${ARCH}}"
+
+REPO_ROOT="$(git rev-parse --show-toplevel)"
+
+echo ">>> building source-controller image"
+cd "${REPO_ROOT}"
+make docker-build IMG="${IMG}" TAG="${TAG}" BUILD_PLATFORMS="${BUILD_PLATFORM}" BUILD_ARGS=--load
+
+echo ">>> loading image into kind cluster ${CLUSTER_NAME}"
+kind load docker-image --name "${CLUSTER_NAME}" "${IMG}:${TAG}"
+
+echo ">>> deploying source-controller"
+make dev-deploy IMG="${IMG}" TAG="${TAG}"
+
+# dev-deploy reapplies the same :latest tag, so the Deployment spec is
+# unchanged and an already-running pod will keep the old image. Force a
+# rollout so re-runs of this script pick up the freshly loaded binary.
+kubectl -n source-system rollout restart deploy/source-controller
+
+echo ">>> waiting for source-controller rollout"
+kubectl -n source-system rollout status deploy/source-controller --timeout=2m
+
+echo ">>> source-controller deployed"
+kubectl -n source-system get pods

hack/sigstore-test/fetch-cosign.sh

@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+# Fetch a cosign v3 binary for the local sigstore test harness.
+#
+# CI guidance: when running this harness from a GitHub Actions workflow, do
+# NOT run this script. Install cosign with the official action instead, which
+# puts `cosign` on PATH where test-signing.sh expects it:
+#
+#     - uses: sigstore/cosign-installer@v3
+#
+# sigstore/cosign-installer only accepts `cosign-release`, `install-dir`, and
+# `use-sudo` inputs. Each released version of the action hardcodes a default
+# `cosign-release` (v3.0.6 at time of writing), so letting dependabot's
+# github-actions ecosystem bump the action ref is what advances cosign. Avoid
+# pinning `cosign-release:` unless you need a specific version, because
+# dependabot does not edit `with:` input values.
+#
+# This script is a local-dev fallback that downloads cosign directly from
+# GitHub releases. If a `cosign` (or `cosign-v3`) is already on PATH the
+# download is skipped and the on-PATH binary is symlinked into ./bin.
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+BIN_DIR="${SCRIPT_DIR}/bin"
+mkdir -p "${BIN_DIR}"
+
+OS="$(uname -s | tr '[:upper:]' '[:lower:]')"
+ARCH="$(uname -m)"
+case "${ARCH}" in
+  x86_64|amd64) ARCH="amd64" ;;
+  aarch64|arm64) ARCH="arm64" ;;
+  *) echo "unsupported arch: ${ARCH}"; exit 1 ;;
+esac
+
+# cosign v3 (latest). Update via dependabot when invoked from CI through
+# sigstore/cosign-installer.
+COSIGN_V3_VERSION="${COSIGN_V3_VERSION:-v3.0.6}"
+COSIGN_V3_URL="https://github.com/sigstore/cosign/releases/download/${COSIGN_V3_VERSION}/cosign-${OS}-${ARCH}"
+
+# fetch_binary stages a binary at ${dest} unless one of the following is true:
+#  - a binary named like ${dest} (or one of the extra PATH aliases in $4..) is
+#    already on PATH (e.g. `cosign` installed by sigstore/cosign-installer)
+#  - the file already exists (cached local copy)
+# In the on-PATH cases the binary is symlinked into ./bin rather than fetched.
+fetch_binary() {
+  local name="$1" url="$2" dest="$3"
+  shift 3
+  local candidates=("$(basename "${dest}")" "$@")
+  local on_path=""
+  local c
+  for c in "${candidates[@]}"; do
+    on_path="$(command -v "${c}" || true)"
+    if [ -n "${on_path}" ] && [ "${on_path}" != "${dest}" ]; then
+      echo ">>> ${name} satisfied by '${c}' on PATH at ${on_path}; skipping download"
+      ln -sf "${on_path}" "${dest}"
+      break
+    fi
+    on_path=""
+  done
+  if [ -z "${on_path}" ]; then
+    if [ -f "${dest}" ]; then
+      echo ">>> ${name} already exists at ${dest}"
+    else
+      echo ">>> downloading ${name} from ${url}"
+      curl -fSL -o "${dest}" "${url}"
+      chmod +x "${dest}"
+    fi
+  fi
+  "${dest}" version 2>&1 | head -3
+  echo ""
+}
+
+# v3 is also satisfied by a plain `cosign` on PATH, which is what
+# sigstore/cosign-installer provides.
+fetch_binary "cosign-v3" "${COSIGN_V3_URL}" "${BIN_DIR}/cosign-v3" cosign
+
+echo "=== Cosign binary ready ==="
+echo "  v3: ${BIN_DIR}/cosign-v3"

hack/sigstore-test/kind-cluster.yaml

@@ -0,0 +1,20 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+- role: control-plane
+  kubeadmConfigPatches:
+  - |
+    kind: ClusterConfiguration
+    apiServer:
+      extraArgs:
+        service-account-jwks-uri: "https://kubernetes.default.svc.cluster.local/openid/v1/jwks"
+containerdConfigPatches:
+- |-
+  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5555"]
+    endpoint = ["http://sigstore-test-registry:5000"]
+  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."sigstore-test-registry:5000"]
+    endpoint = ["http://sigstore-test-registry:5000"]
+  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5557"]
+    endpoint = ["http://sigstore-test-registry2:5000"]
+  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."sigstore-test-registry2:5000"]
+    endpoint = ["http://sigstore-test-registry2:5000"]

hack/sigstore-test/kind-cluster.yaml.tpl

@@ -0,0 +1,20 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+- role: control-plane
+  kubeadmConfigPatches:
+  - |
+    kind: ClusterConfiguration
+    apiServer:
+      extraArgs:
+        service-account-jwks-uri: "https://kubernetes.default.svc.cluster.local/openid/v1/jwks"
+containerdConfigPatches:
+- |-
+  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:${REG_LOCALHOST_PORT}"]
+    endpoint = ["http://${CLUSTER_NAME}-registry:5000"]
+  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."${CLUSTER_NAME}-registry:5000"]
+    endpoint = ["http://${CLUSTER_NAME}-registry:5000"]
+  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:${REG2_LOCALHOST_PORT}"]
+    endpoint = ["http://${CLUSTER_NAME}-registry2:5000"]
+  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."${CLUSTER_NAME}-registry2:5000"]
+    endpoint = ["http://${CLUSTER_NAME}-registry2:5000"]