Skip to content

feat: Add Sigstore v2/v3 compatibility verification workflow #1725

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
morri-son wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

feat: Add Sigstore v2/v3 compatibility verification workflow #1725

morri-son wants to merge 1 commit into from
+154 −0

Conversation

@morri-son
Copy link
Contributor

@morri-son morri-son commented Dec 5, 2025

On-behalf-of: Gerald Morrison (SAP) [email protected]

What this PR does / why we need it

Add automated workflow to verify Sigstore v2/v3 signature compatibility using a pre-signed OCM component from a public registry.

Workflow: sigstore-verify-compatibility.yml

Tests all 4 verification combinations:

  • v2 CLI verifies v2 signature (baseline)
  • v2 CLI verifies v3 signature (forward compatibility)
  • v3 CLI verifies v2 signature (backward compatibility)
  • v3 CLI verifies v3 signature (v3 functionality)

Uses pre-signed component:
ghcr.io/morri-son/ocm-test//ocm.software/sigstore-test-comp:1.0.0

This component contains two keyless signatures:

  • sigstore-v2: Signed with OCM CLI using Sigstore v2.6.1
  • sigstore-v3: Signed with OCM CLI using Sigstore v3.0.2

@morrison-sap
feat: Add Sigstore v2/v3 compatibility verification workflow
722f2af 
Add automated workflow to verify Sigstore v2/v3 signature compatibility
using a pre-signed OCM component from a public registry.

## Workflow: sigstore-verify-compatibility.yml

Tests all 4 verification combinations:
- v2 CLI verifies v2 signature (baseline)
- v2 CLI verifies v3 signature (forward compatibility)
- v3 CLI verifies v2 signature (backward compatibility)
- v3 CLI verifies v3 signature (v3 functionality)

Uses pre-signed component:
ghcr.io/morri-son/ocm-test//ocm.software/sigstore-test-comp:1.0.0

This component contains two keyless signatures:
- sigstore-v2: Signed with OCM CLI using Sigstore v2.6.1
- sigstore-v3: Signed with OCM CLI using Sigstore v3.0.2

## Why verify-only?

Keyless signing requires OIDC authentication (browser-based device flow):
- ✅ Works locally
- ❌ Does NOT work in GitHub Actions (no browser)

Verification does NOT require OIDC:
- ✅ Works everywhere (public key embedded in signature)
- ✅ Only needs anonymous Rekor access

This allows automated testing of signature verification compatibility
while signing must be done manually.

## Purpose

This workflow enables testing whether OCM can safely upgrade from
Sigstore v2 to v3 without breaking signature compatibility.

If all 4 tests pass, it proves:
- Signatures created with v2 can be verified with v3 (backward compatible)
- Signatures created with v3 can be verified with v2 (forward compatible)
- The signature format is stable across versions

On-behalf-of: Gerald Morrison (SAP) <[email protected]>
Signed-off-by: Gerald Morrison (SAP) <[email protected]>
@morri-son morri-son added the kind/feature new feature, enhancement, improvement, extension label Dec 5, 2025
@morri-son morri-son requested a review from a team as a code owner December 5, 2025 15:21
@github-actions github-actions bot added component/github-actions Changes on GitHub Actions or within `.github/` directory size/m Medium labels Dec 5, 2025
@morri-son morri-son linked an issue Dec 5, 2025 that may be closed by this pull request
Keyless signing flow uses public key instead of Fulcio certificate in publicKey.content #1535
Open
3 tasks
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 5, 2025
View reviewed changes
.github/workflows/sigstore-verify-compatibility.yml
Comment on lines +30 to +122
runs-on: ubuntu-latest
strategy:
matrix:
include:
# v2 CLI verifies v2 signature
- cli_repo: ${{ inputs.v2_repository }}
cli_ref: ${{ inputs.v2_ref }}
signature_name: "sigstore-v2"
test_name: "v2_cli_verifies_v2_signature"

# v2 CLI verifies v3 signature
- cli_repo: ${{ inputs.v2_repository }}
cli_ref: ${{ inputs.v2_ref }}
signature_name: "sigstore-v3"
test_name: "v2_cli_verifies_v3_signature"

# v3 CLI verifies v2 signature
- cli_repo: ${{ inputs.v3_repository }}
cli_ref: ${{ inputs.v3_ref }}
signature_name: "sigstore-v2"
test_name: "v3_cli_verifies_v2_signature"

# v3 CLI verifies v3 signature
- cli_repo: ${{ inputs.v3_repository }}
cli_ref: ${{ inputs.v3_ref }}
signature_name: "sigstore-v3"
test_name: "v3_cli_verifies_v3_signature"

fail-fast: false

name: ${{ matrix.test_name }}

steps:
- name: Checkout Repository (for pre-signed component)
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
path: ocm-repo
fetch-depth: 1

- name: Setup Go
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version: '1.25.4'

- name: Checkout OCM CLI
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: ${{ matrix.cli_repo }}
ref: ${{ matrix.cli_ref }}
path: ocm-cli
fetch-depth: 1

- name: Build OCM CLI
run: |
echo "Building OCM CLI for verification"
echo " Repository: ${{ matrix.cli_repo }}"
echo " Reference: ${{ matrix.cli_ref }}"
cd ocm-cli
make install
ocm version

- name: Verify Pre-signed Component
env:
COSIGN_EXPERIMENTAL: "1"
run: |
echo "Verifying signature: ${{ matrix.signature_name }}"
echo "Using CLI: ${{ matrix.cli_repo }}@${{ matrix.cli_ref }}"

ocm verify cv \
--signature ${{ matrix.signature_name }} \
--keyless \
ghcr.io/morri-son/ocm-test//ocm.software/sigstore-test-comp:1.0.0

echo "✅ Verification successful!"

- name: Display Component Info
if: always()
run: |
echo "=== Component Details ==="
ocm get cv ghcr.io/morri-son/ocm-test//ocm.software/sigstore-test-comp:1.0.0 -oyaml

- name: Test Result Summary
if: success()
run: |
echo "✅ SUCCESS: ${{ matrix.test_name }}"
echo ""
echo "CLI:"
echo " Repository: ${{ matrix.cli_repo }}"
echo " Reference: ${{ matrix.cli_ref }}"
echo ""
echo "Signature: ${{ matrix.signature_name }}"

summary:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
.github/workflows/sigstore-verify-compatibility.yml
Comment on lines +123 to +154
needs: verify-compatibility
runs-on: ubuntu-latest
if: always()
steps:
- name: Generate Test Summary
run: |
echo "# Sigstore Verify Compatibility Test Results" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "## Configuration" >> $GITHUB_STEP_SUMMARY
echo "- **v2 CLI**: \`${{ inputs.v2_repository }}@${{ inputs.v2_ref }}\`" >> $GITHUB_STEP_SUMMARY
echo "- **v3 CLI**: \`${{ inputs.v3_repository }}@${{ inputs.v3_ref }}\`" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "## Test Matrix" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Tests verification of pre-signed components:" >> $GITHUB_STEP_SUMMARY
echo "- **sigstore-v2**: Signed with Sigstore v2" >> $GITHUB_STEP_SUMMARY
echo "- **sigstore-v3**: Signed with Sigstore v3" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "## Results" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| CLI Version | Signature | Status |" >> $GITHUB_STEP_SUMMARY
echo "|-------------|-----------|--------|" >> $GITHUB_STEP_SUMMARY
echo "| v2 | sigstore-v2 | ${{ needs.verify-compatibility.result == 'success' && '✅' || '❌' }} |" >> $GITHUB_STEP_SUMMARY
echo "| v2 | sigstore-v3 | ${{ needs.verify-compatibility.result == 'success' && '✅' || '❌' }} |" >> $GITHUB_STEP_SUMMARY
echo "| v3 | sigstore-v2 | ${{ needs.verify-compatibility.result == 'success' && '✅' || '❌' }} |" >> $GITHUB_STEP_SUMMARY
echo "| v3 | sigstore-v3 | ${{ needs.verify-compatibility.result == 'success' && '✅' || '❌' }} |" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "## Note" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "This workflow tests **verification only** using pre-signed components." >> $GITHUB_STEP_SUMMARY
echo "Signing tests must be performed manually due to OIDC requirements." >> $GITHUB_STEP_SUMMARY
echo "See \`.github/test-data/README.md\` for manual signing instructions." >> $GITHUB_STEP_SUMMARY

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}
@morri-son morri-son mentioned this pull request Dec 5, 2025
Closed
5 tasks
@morri-son morri-son enabled auto-merge (squash) December 5, 2025 15:32
@morri-son morri-son marked this pull request as draft January 8, 2026 07:56
auto-merge was automatically disabled January 8, 2026 07:56

Pull request was converted to draft

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

component/github-actions Changes on GitHub Actions or within `.github/` directory kind/feature new feature, enhancement, improvement, extension size/m Medium

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Keyless signing flow uses public key instead of Fulcio certificate in publicKey.content

2 participants

@morri-son @morrison-sap