From 903e435d7b196922341431b003b65a7c6aea5ce4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?=
Date: Thu, 4 Mar 2021 15:15:36 +0100
Subject: [PATCH 1/2] Don't use atomic: in test/extended/images/signatures.go
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Use docker:// instead of atomic:, as recommended back in https://github.com/openshift/origin/pull/21782#issuecomment-459077188 https://github.com/openshift/origin/pull/21782#discussion_r253249564
Signed-off-by: Miloslav Trmač
---
 test/extended/images/signatures.go | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/test/extended/images/signatures.go b/test/extended/images/signatures.go
index 6781c00fa058..7daf9e7ba849 100644
--- a/test/extended/images/signatures.go
+++ b/test/extended/images/signatures.go
@@ -83,24 +83,27 @@ var _ = g.Describe("[sig-imageregistry][Serial][Suite:openshift/registry/serial]
 o.Expect(err).NotTo(o.HaveOccurred())
 o.Expect(out).To(o.ContainSubstring("keyring `/var/lib/origin/gnupg/secring.gpg' created"))
- // Create kubeconfig for skopeo
+ // Create kubeconfig for oc
 g.By("logging as a test user")
 out, err = pod.Exec("oc login https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT --token=" + token + " --certificate-authority=/run/secrets/kubernetes.io/serviceaccount/ca.crt")
 o.Expect(err).NotTo(o.HaveOccurred())
 o.Expect(out).To(o.ContainSubstring("Logged in"))
 // Sign and copy the memcached image into target image stream tag
- // TODO: Fix skopeo to pickup the Kubernetes environment variables (remove the $KUBERNETES_MASTER)
 g.By("signing the memcached:latest image and pushing it into openshift registry")
 out, err = pod.Exec(strings.Join([]string{
- "KUBERNETES_MASTER=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT",
 "GNUPGHOME=/var/lib/origin/gnupg",
- "skopeo", "--debug", "copy", "--sign-by", "joe@foo.bar",
+ "skopeo", "--debug",
+ // Disable the default-docker: file sigstore default in /etc/containers/registries.d, so that the X-Registry-Supports-Signatures protocol is used.
+ // Newer versions of Skopeo default to X-R-S-S if present, this test (as of 2021-02) uses skopeo-0.1.40-11.el7_8.x86_64, which defaults to sigstore.
+ "--registries.d", "/this/does/not/exist",
+
+ "copy", "--sign-by", "joe@foo.bar",
 "--dest-creds=" + user + ":" + token,
 // TODO: test with this turned to true as well
 "--dest-tls-verify=false",
 "docker://docker.io/library/memcached:latest",
- "atomic:" + signedImage,
+ "docker://" + signedImage,
 }, " "))
 fmt.Fprintf(g.GinkgoWriter, "output: %s\n", out)
 o.Expect(err).NotTo(o.HaveOccurred())
From 922ee64f83ea26e203abfdf8e7e4b8b5e6238416 Mon Sep 17 00:00:00 2001
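Review bot: The `--registries.d /this/does/not/exist` override relies on skopeo treating a missing registries.d directory as an empty configuration rather than an error, and the new comment explains the goal (force X-Registry-Supports-Signatures) but not that dependency or when the workaround can go away. Since the second comment line already ties it to the skopeo build in the signer image as of 2021-02, I would make that line a TODO so it is revisited when the signer image is rebuilt, e.g. `// TODO: drop this override once the signer image ships a skopeo that defaults to X-R-S-S; presumably a missing directory is treated as "no config", not as an error.` The pod.Exec call that this argument list feeds starts inside the hunk, but the enclosing g.It body starts and ends outside it.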
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?=
Date: Thu, 11 Feb 2021 14:11:49 +0100
Subject: [PATCH 2/2] Re-enable test/extended/images/signatures.go
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Don't read the image to be signed from docker.io. Instead, sign the just-built signer image (which is unique, so there always should be enough free signature slots left). Send the required credentials to the source registry. Also use the injected service CA instead of disabling TLS. I don't know whether it is supposed to work like that (per https://github.com/openshift/openshift-docs/blob/enterprise-4.1/release_notes/ocp-4-1-release-notes.adoc#service-ca-bundle-changes the path is deprecated) but the same path is already assumed to exist by the preceding (oc login).
Signed-off-by: Miloslav Trmač
---
 test/extended/images/signatures.go | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/test/extended/images/signatures.go b/test/extended/images/signatures.go
index 7daf9e7ba849..de4a0c814173 100644
--- a/test/extended/images/signatures.go
+++ b/test/extended/images/signatures.go
@@ -22,7 +22,6 @@ var _ = g.Describe("[sig-imageregistry][Serial][Suite:openshift/registry/serial]
 )
 g.It("can push a signed image to openshift registry and verify it", func() {
- g.Skip("disable because containers/image: https://github.com/containers/image/pull/570")
 g.By("building a signer image that knows how to sign images")
 output, err := oc.Run("create").Args("-f", signerBuildFixture).Output()
 if err != nil {
@@ -90,7 +89,7 @@ var _ = g.Describe("[sig-imageregistry][Serial][Suite:openshift/registry/serial]
 o.Expect(out).To(o.ContainSubstring("Logged in"))
 // Sign and copy the memcached image into target image stream tag
- g.By("signing the memcached:latest image and pushing it into openshift registry")
+ g.By("signing a just-built image and pushing it into openshift registry")
 out, err = pod.Exec(strings.Join([]string{
 "GNUPGHOME=/var/lib/origin/gnupg",
 "skopeo", "--debug",
@@ -99,10 +98,14 @@ var _ = g.Describe("[sig-imageregistry][Serial][Suite:openshift/registry/serial]
 "--registries.d", "/this/does/not/exist",
 "copy", "--sign-by", "joe@foo.bar",
+ "--src-creds=" + user + ":" + token,
 "--dest-creds=" + user + ":" + token,
- // TODO: test with this turned to true as well
- "--dest-tls-verify=false",
- "docker://docker.io/library/memcached:latest",
+
+ // Expect to use /run/secrets/kubernetes.io/serviceaccount/ca.crt
+ "--src-cert-dir=/run/secrets/kubernetes.io/serviceaccount",
+ "--dest-cert-dir=/run/secrets/kubernetes.io/serviceaccount",
+
+ "docker://" + signerImage,
 "docker://" + signedImage,
 }, " "))
 fmt.Fprintf(g.GinkgoWriter, "output: %s\n", out)
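Review bot: The context comment `// Sign and copy the memcached image into target image stream tag` directly above the changed g.By is now stale: the source of the copy is `signerImage` (see the following hunk) and memcached no longer appears anywhere in this command. I would update it in the same commit to `// Sign and copy the just-built signer image into the target image stream tag` so the comment and the g.By message agree. The enclosing g.It body starts and ends outside the hunk.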
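Review bot: The comment `// Expect to use /run/secrets/kubernetes.io/serviceaccount/ca.crt` above the new `--src-cert-dir`/`--dest-cert-dir` lines records the path but not the reason, and the caveat from the commit message (the path is deprecated per the 4.1 release notes, but the preceding oc login already depends on it) is lost in the code. I would replace it with `// TLS is now verified (replaces --dest-tls-verify=false): both registries are reached via the in-cluster service CA at /run/secrets/kubernetes.io/serviceaccount/ca.crt, the same path the oc login above already assumes; that location is deprecated, so this will need updating if the injected CA moves.` Separately, the token now appears twice on the command line (`--src-creds`, `--dest-creds`) while the whole `--debug` output is echoed to GinkgoWriter on the last context line; it may be worth confirming that skopeo's debug log does not include the Authorization header before this test runs in shared CI. The enclosing g.It body starts and ends outside the hunk.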