sigstore-conformance is a conformance testing suite for Sigstore clients.
This suite provides a high-level view of client behaviour as a whole and sets out to answer questions such as:
An official Sigstore client specification is being worked on at the moment as part of the Sigstore Architecture Documentation. Once it's complete, sigstore-conformance aims to be able to test a client's adherence to the specification.
Some general testing principles for this suite are:
Use the sigstore/sigstore-conformance action in your test workflow:

```yaml
jobs:
  conformance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # insert your client installation steps here
      # Run tests against production Sigstore environment
      - uses: sigstore/sigstore-conformance@v0.0.11
        with:
          entrypoint: my-conformance-client
      # Run tests against staging Sigstore environment
      - uses: sigstore/sigstore-conformance@v0.0.11
        with:
          entrypoint: my-conformance-client
          environment: staging
```
See sigstore-python conformance test for a complete example.
sigstore/sigstore-conformance action inputs

The important action inputs are:

- entrypoint: required string. A command that implements the client-under-test CLI protocol.
- environment: 'production' (default) or 'staging'. This selects the Sigstore environment to run against.
- xfail: optional string. Whitespace-separated test names that are expected to fail.

See action.yml for the full list of inputs.
The easiest way to run the conformance suite locally is with the provided virtual environment:
$ make dev
$ source env/bin/activate
(env) $
The test suite can be configured with:

- --entrypoint=$SIGSTORE_CLIENT, where SIGSTORE_CLIENT is the path to a script that implements the CLI specification
- --staging: instructs the test suite to run against Sigstore staging infrastructure
- --skip-signing: runs verification tests only
- GHA_SIGSTORE_CONFORMANCE_XFAIL (environment variable): sets expected failures

(env) $ # run all tests
(env) $ pytest test --entrypoint=$SIGSTORE_CLIENT
(env) $ # run verification tests only
(env) $ pytest test --entrypoint=$SIGSTORE_CLIENT --skip-signing
The following example runs the test suite with the included sigstore-python-conformance client script:
(env) $ # run all tests
(env) $ GHA_SIGSTORE_CONFORMANCE_XFAIL="test_verify_with_trust_root test_verify_dsse_bundle_with_trust_root" \
pytest test --entrypoint=sigstore-python-conformance
sigstore-conformance is licensed under the Apache 2.0 License.
Everyone interacting with this project is expected to follow the sigstore Code of Conduct.
Should you discover any security issues, please refer to sigstore's security process.