From c43f4fb416c34c1c4b3997373689d8d4c0fb9b36 Mon Sep 17 00:00:00 2001 From: Alex Goodman Date: Mon, 10 Jun 2024 11:29:53 -0400 Subject: [PATCH] add signature verification to install.sh (#2941) Signed-off-by: Alex Goodman --- .github/workflows/release.yaml | 8 + .github/workflows/validations.yaml | 3 + README.md | 9 +- install.sh | 261 ++++++++++++++---- ..._for_asset_test.sh => 0_checksums_test.sh} | 46 +++ .../install/1_download_snapshot_asset_test.sh | 2 +- test/install/2_download_release_asset_test.sh | 4 + .../4_prep_signature_verification_test.sh | 89 ++++++ test/install/Makefile | 37 ++- .../environments/Dockerfile-alpine-3.6 | 7 +- .../environments/Dockerfile-busybox-1.36 | 21 ++ .../environments/Dockerfile-ubuntu-20.04 | 7 +- .../test-fixtures/assets/invalid/.gitignore | 1 + .../assets/invalid/checksums.txt | 22 ++ .../invalid/syft_1.5.0_linux_arm64.tar.gz | 1 + .../test-fixtures/assets/valid/.gitignore | 1 + .../test-fixtures/assets/valid/checksums.txt | 22 ++ .../valid/syft_1.5.0_linux_arm64.tar.gz | 1 + 18 files changed, 471 insertions(+), 71 deletions(-) rename test/install/{0_search_for_asset_test.sh => 0_checksums_test.sh} (54%) create mode 100755 test/install/4_prep_signature_verification_test.sh create mode 100644 test/install/environments/Dockerfile-busybox-1.36 create mode 100644 test/install/test-fixtures/assets/invalid/.gitignore create mode 100644 test/install/test-fixtures/assets/invalid/checksums.txt create mode 100644 test/install/test-fixtures/assets/invalid/syft_1.5.0_linux_arm64.tar.gz create mode 100644 test/install/test-fixtures/assets/valid/.gitignore create mode 100644 test/install/test-fixtures/assets/valid/checksums.txt create mode 100644 test/install/test-fixtures/assets/valid/syft_1.5.0_linux_arm64.tar.gz diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 09ce1d5a572..1b6f94d4eb1 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -17,6 +17,14 @@ jobs: steps: - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6 + - name: Check if running on main + if: github.ref != 'refs/heads/main' + # we are using the following flag when running `cosign blob-verify` for checksum signature verification: + # --certificate-identity-regexp "https://github.com/anchore/.github/workflows/release.yaml@refs/heads/main" + # if we are not on the main branch, the signature will not be verifiable since the suffix requires the main branch + # at the time of when the OIDC token was issued on the Github Actions runner. + run: echo "This can only be run on the main branch otherwise releases produced will not be verifiable with cosign" && exit 1 + - name: Check if tag already exists # note: this will fail if the tag already exists run: | diff --git a/.github/workflows/validations.yaml b/.github/workflows/validations.yaml index 417d89bad7f..2a29a4858bc 100644 --- a/.github/workflows/validations.yaml +++ b/.github/workflows/validations.yaml @@ -187,6 +187,9 @@ jobs: needs: [Build-Snapshot-Artifacts] runs-on: macos-latest steps: + - name: Install Cosign + uses: sigstore/cosign-installer@v3.5.0 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6 - name: Bootstrap environment diff --git a/README.md b/README.md index 565f44be269..b36ab288d5d 100644 --- a/README.md +++ b/README.md @@ -40,11 +40,10 @@ Syft binaries are provided for Linux, macOS and Windows. > curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin > ``` -... or, you can specify a release version and destination directory for the installation: - -> ```bash -> curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b -> ``` +Install script options: +- `-b`: Specify a custom installation directory (defaults to `./bin`) +- `-d`: More verbose logging levels (`-d` for debug, `-dd` for trace) +- `-v`: Verify the signature of the downloaded artifact before installation (requires [`cosign`](https://github.com/sigstore/cosign) to be installed) ### Homebrew ```bash diff --git a/install.sh b/install.sh index f5680271eac..1c2f49f0f5d 100755 --- a/install.sh +++ b/install.sh @@ -2,33 +2,25 @@ # note: we require errors to propagate (don't set -e) set -u -PROJECT_NAME="syft" +PROJECT_NAME=syft OWNER=anchore REPO="${PROJECT_NAME}" GITHUB_DOWNLOAD_PREFIX=https://github.com/${OWNER}/${REPO}/releases/download INSTALL_SH_BASE_URL=https://raw.githubusercontent.com/${OWNER}/${PROJECT_NAME} PROGRAM_ARGS=$@ -# do not change the name of this parameter (this must always be backwards compatible) -DOWNLOAD_TAG_INSTALL_SCRIPT=${DOWNLOAD_TAG_INSTALL_SCRIPT:-true} +# signature verification options -# -# usage [script-name] -# -usage() ( - this=$1 - cat </dev/null | tr '\t' ' ' | cut -d ' ' -f 1) + target_basename=${target##*/} + want=$(grep "${target_basename}" "${checksums}" 2>/dev/null | tr '\t' ' ' | cut -d ' ' -f 1) if [ -z "$want" ]; then - log_err "hash_sha256_verify unable to find checksum for '${TARGET}' in '${checksums}'" + log_err "hash_sha256_verify unable to find checksum for '${target}' in '${checksums}'" return 1 fi - got=$(hash_sha256 "$TARGET") + got=$(hash_sha256 "$target") if [ "$want" != "$got" ]; then - log_err "hash_sha256_verify checksum for '$TARGET' did not verify ${want} vs $got" + log_err "hash_sha256_verify checksum for '$target' did not verify ${want} vs $got" return 1 fi ) @@ -358,30 +350,71 @@ github_release_tag() ( echo "$tag" ) -# download_github_release_checksums [release-url-prefix] [name] [version] [output-dir] +# github_release_asset_url [release-url-prefix] [name] [version] [output-dir] [filename] # -# outputs path to the downloaded checksums file +# outputs the url to the release asset # -download_github_release_checksums() ( +github_release_asset_url() ( + download_url="$1" + name="$2" + version="$3" + filename="$4" + + complete_filename="${name}_${version}_${filename}" + complete_url="${download_url}/${complete_filename}" + + echo "${complete_url}" +) + +# download_github_release_checksums_files [release-url-prefix] [name] [version] [output-dir] [filename] +# +# outputs path to the downloaded checksums related file +# +download_github_release_checksums_files() ( download_url="$1" name="$2" version="$3" output_dir="$4" + filename="$5" - log_trace "download_github_release_checksums(url=${download_url}, name=${name}, version=${version}, output_dir=${output_dir})" + log_trace "download_github_release_checksums_files(url=${download_url}, name=${name}, version=${version}, output_dir=${output_dir}, filename=${filename})" - checksum_filename=${name}_${version}_checksums.txt - checksum_url=${download_url}/${checksum_filename} - output_path="${output_dir}/${checksum_filename}" + complete_filename="${name}_${version}_${filename}" + complete_url=$(github_release_asset_url "${download_url}" "${name}" "${version}" "${filename}") + output_path="${output_dir}/${complete_filename}" - http_download "${output_path}" "${checksum_url}" "" + http_download "${output_path}" "${complete_url}" "" asset_file_exists "${output_path}" - log_trace "download_github_release_checksums() returned '${output_path}'" + log_trace "download_github_release_checksums_files() returned '${output_path}' for file '${complete_filename}'" echo "${output_path}" ) +# download_github_release_checksums [release-url-prefix] [name] [version] [output-dir] +# +# outputs path to the downloaded checksums file +# +download_github_release_checksums() ( + download_github_release_checksums_files "$@" "checksums.txt" +) + +# github_release_checksums_sig_url [release-url-prefix] [name] [version] +# +# outputs the url to the release checksums signature file +# +github_release_checksums_sig_url() ( + github_release_asset_url "$@" "checksums.txt.sig" +) + +# github_release_checksums_cert_url [release-url-prefix] [name] [version] +# +# outputs the url to the release checksums certificate file +# +github_release_checksums_cert_url() ( + github_release_asset_url "$@" "checksums.txt.pem" +) + # search_for_asset [checksums-file-path] [name] [os] [arch] [format] # # outputs name of the asset to download @@ -535,7 +568,10 @@ download_and_install_asset() ( format="$8" binary="$9" - asset_filepath=$(download_asset "${download_url}" "${download_path}" "${name}" "${os}" "${arch}" "${version}" "${format}") + if ! asset_filepath=$(download_asset "${download_url}" "${download_path}" "${name}" "${os}" "${arch}" "${version}" "${format}"); then + log_err "could not download asset for os='${os}' arch='${arch}' format='${format}'" + return 1 + fi # don't continue if we couldn't download an asset if [ -z "${asset_filepath}" ]; then @@ -546,6 +582,36 @@ download_and_install_asset() ( install_asset "${asset_filepath}" "${install_path}" "${binary}" ) +# verify_sign [checksums-file-path] [certificate-reference] [signature-reference] [version] +# +# attempts verify the signature of the checksums file from the release workflow in Github Actions run against the main branch. +# +verify_sign() { + checksums_file=$1 + cert_reference=$2 + sig_reference=$3 + + log_trace "verifying artifact $1" + + log_file=$(mktemp) + + ${COSIGN_BINARY} \ + verify-blob "$checksums_file" \ + --certificate "$cert_reference" \ + --signature "$sig_reference" \ + --certificate-identity "https://github.com/${OWNER}/${REPO}/.github/workflows/release.yaml@refs/heads/main" \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" > "${log_file}" 2>&1 + + if [ $? -ne 0 ]; then + log_err "$(cat "${log_file}")" + rm -f "${log_file}" + return 1 + fi + + rm -f "${log_file}" +} + + # download_asset [release-url-prefix] [download-path] [name] [os] [arch] [version] [format] [binary] # # outputs the path to the downloaded asset asset_filepath @@ -572,6 +638,20 @@ download_asset() ( return 1 fi + if [ "$VERIFY_SIGN" = true ]; then + checksum_sig_file_url=$(github_release_checksums_sig_url "${download_url}" "${name}" "${version}") + log_trace "checksums signature url: ${checksum_sig_file_url}" + + checksums_cert_file_url=$(github_release_checksums_cert_url "${download_url}" "${name}" "${version}") + log_trace "checksums certificate url: ${checksums_cert_file_url}" + + if ! verify_sign "${checksums_filepath}" "${checksums_cert_file_url}" "${checksum_sig_file_url}"; then + log_err "signature verification failed" + return 1 + fi + log_info "signature verification succeeded" + fi + asset_url="${download_url}/${asset_filename}" asset_filepath="${destination}/${asset_filename}" http_download "${asset_filepath}" "${asset_url}" "" @@ -609,6 +689,79 @@ install_asset() ( install "${archive_dir}/${binary}" "${destination}/" ) +# compare two semver strings. Returns 0 if version1 >= version2, 1 otherwise. +# Note: pre-release (-) and metadata (+) are not supported. +compare_semver() { + # remove leading 'v' if present + version1=${1#v} + version2=${2#v} + + IFS=. read -r major1 minor1 patch1 <= '$VERIFY_SIGN_SUPPORTED_VERSION')" + log_err "aborting installation" + return 1 + else + log_trace "${PROJECT_NAME} release '$version' supports signature verification (>= '$VERIFY_SIGN_SUPPORTED_VERSION')" + fi + + # will invoking an earlier version of this script work (considering the -v flag)? + if ! compare_semver "$version" "$VERIFY_SIGN_FLAG_VERSION"; then + # the -v argument did not always exist, so we cannot be guaranteed that invoking an earlier version of this script + # will work (error with "illegal option -v"). However, the user requested signature verification, so we will + # attempt to install the application with this version of the script (keeping signature verification). + DOWNLOAD_TAG_INSTALL_SCRIPT=false + log_debug "provided version install script does not support -v flag (>= '$VERIFY_SIGN_FLAG_VERSION'), using current script for installation" + else + log_trace "provided version install script supports -v flag (>= '$VERIFY_SIGN_FLAG_VERSION')" + fi + + # check to see if the cosign binary is installed + if is_command "${COSIGN_BINARY}"; then + log_trace "${COSIGN_BINARY} binary is installed" + else + log_err "signature verification is requested but ${COSIGN_BINARY} binary is not installed (see https://docs.sigstore.dev/system_config/installation/ to install it)" + return 1 + fi +} + main() ( # parse arguments @@ -616,7 +769,7 @@ main() ( install_dir=${install_dir:-./bin} # note: never change the program flags or arguments (this must always be backwards compatible) - while getopts "b:dh?x" arg; do + while getopts "b:dvh?x" arg; do case "$arg" in b) install_dir="$OPTARG" ;; d) @@ -628,25 +781,37 @@ main() ( log_set_priority $log_trace_priority fi ;; - h | \?) usage "$0" ;; + v) VERIFY_SIGN=true;; + h | \?) + cat <= version2) + compare_semver "0.32.0" "0.32.0" + assertEquals "0" "$?" "+ versions should equal" + + compare_semver "0.32.1" "0.32.0" + assertEquals "0" "$?" "+ patch version should be greater" + + compare_semver "0.33.0" "0.32.0" + assertEquals "0" "$?" "+ minor version should be greater" + + compare_semver "0.333.0" "0.32.0" + assertEquals "0" "$?" "+ minor version should be greater (different length)" + + compare_semver "00.33.00" "0.032.0" + assertEquals "0" "$?" "+ minor version should be greater (different length reversed)" + + compare_semver "1.0.0" "0.9.9" + assertEquals "0" "$?" "+ major version should be greater" + + compare_semver "v1.0.0" "1.0.0" + assertEquals "0" "$?" "+ can remove leading 'v' from version" + + # negative cases (version1 < version2) + compare_semver "0.32.0" "0.32.1" + assertEquals "1" "$?" "- patch version should be less" + + compare_semver "0.32.7" "0.33.0" + assertEquals "1" "$?" "- minor version should be less" + + compare_semver "00.00032.070" "0.33.0" + assertEquals "1" "$?" "- minor version should be less (different length)" + + compare_semver "0.32.7" "00.0033.000" + assertEquals "1" "$?" "- minor version should be less (different length reversed)" + + compare_semver "1.9.9" "2.0.1" + assertEquals "1" "$?" "- major version should be less" + + compare_semver "1.0.0" "v2.0.0" + assertEquals "1" "$?" "- can remove leading 'v' from version" +} + +run_test_case test_compare_semver + +# ensure that various signature verification pre-requisites are correctly checked for +test_prep_signature_verification() { + # prep_sign_verification [version] + + # we are expecting error messages, which is confusing to look at in passing tests... disable logging for now + log_set_priority -1 + + # backup original values... + OG_COSIGN_BINARY=${COSIGN_BINARY} + + # check the verification path... + VERIFY_SIGN=true + + # release does not support signature verification + prep_signature_verification "0.103.0" + assertEquals "1" "$?" "release does not support signature verification" + + # check that the COSIGN binary exists + COSIGN_BINARY=fake-cosign-that-doesnt-exist + prep_signature_verification "0.105.0" + assertEquals "1" "$?" "cosign binary verification failed" + # restore original values... + COSIGN_BINARY=${OG_COSIGN_BINARY} + + # ignore any failing conditions since we are not verifying the signature + VERIFY_SIGN=false + prep_signature_verification "0.103.0" + assertEquals "0" "$?" "release support verification should not have been triggered" + + COSIGN_BINARY=fake-cosign-that-doesnt-exist + prep_signature_verification "0.105.0" + assertEquals "0" "$?" "cosign binary verification should not have been triggered" + # restore original values... + COSIGN_BINARY=${OG_COSIGN_BINARY} + + # restore logging... + log_set_priority 0 +} + +run_test_case test_prep_signature_verification diff --git a/test/install/Makefile b/test/install/Makefile index fd85884181c..2a632cd2825 100644 --- a/test/install/Makefile +++ b/test/install/Makefile @@ -1,18 +1,22 @@ NAME=syft +# for local testing (not testing within containers) use the binny-managed version of cosign. +# this also means that the user does not need to install cosign on their system to run tests. +COSIGN_BINARY=../../.tool/cosign + IMAGE_NAME=$(NAME)-install.sh-env UBUNTU_IMAGE=$(IMAGE_NAME):ubuntu-20.04 ALPINE_IMAGE=$(IMAGE_NAME):alpine-3.6 -BUSYBOX_IMAGE=busybox:1.36.1-musl +BUSYBOX_IMAGE=$(IMAGE_NAME):busybox-1.36 ENVS=./environments DOCKER_RUN=docker run --rm -t -w /project/test/install -v $(shell pwd)/../../:/project -UNIT=make unit-local +UNIT=make unit-run # acceptance testing is running the current install.sh against the latest release. Note: this could be a problem down # the line if there are breaking changes made that don't align with the latest release (but will be OK with the next -# release) -ACCEPTANCE_CMD=sh -c '../../install.sh -b /usr/local/bin && syft version' +# release). This tests both installing with signature verification and without. +ACCEPTANCE_CMD=sh -c '../../install.sh -v -b /usr/local/bin && syft version && rm /usr/local/bin/syft && ../../install.sh -b /usr/local/bin && syft version' # we also want to test against a previous release to ensure that install.sh defers execution to a former install.sh PREVIOUS_RELEASE=v0.33.0 ACCEPTANCE_PREVIOUS_RELEASE_CMD=sh -c "../../install.sh -b /usr/local/bin $(PREVIOUS_RELEASE) && syft version" @@ -28,17 +32,22 @@ endef test: unit acceptance .PHONY: ci-test-mac -ci-test-mac: unit-local acceptance-local +ci-test-mac: unit-run acceptance-local # note: do not add acceptance-local to this list .PHONY: acceptance -acceptance: acceptance-ubuntu-20.04 acceptance-alpine-3.6 acceptance-busybox +acceptance: acceptance-ubuntu-20.04 acceptance-alpine-3.6 acceptance-busybox-1.36 .PHONY: unit unit: unit-ubuntu-20.04 .PHONY: unit-local unit-local: + $(call title,unit tests) + @for f in $(shell ls *_test.sh); do echo "Running unit test suite '$${f}'"; bash -c "COSIGN_BINARY=$(COSIGN_BINARY) ./$${f}" || exit 1; done + +.PHONY: unit-run +unit-run: $(call title,unit tests) @for f in $(shell ls *_test.sh); do echo "Running unit test suite '$${f}'"; bash $${f} || exit 1; done @@ -55,7 +64,7 @@ acceptance-previous-release-local: syft version | grep $(shell echo $(PREVIOUS_RELEASE)| tr -d "v") .PHONY: save -save: ubuntu-20.04 alpine-3.6 pull-busybox +save: ubuntu-20.04 alpine-3.6 busybox-1.36 @mkdir cache || true docker image save -o cache/ubuntu-env.tar $(UBUNTU_IMAGE) docker image save -o cache/alpine-env.tar $(ALPINE_IMAGE) @@ -107,17 +116,17 @@ alpine-3.6: # note: busybox by default will not have cacerts, so you will get TLS warnings (we want to test under these conditions) -.PHONY: acceptance-busybox -acceptance-busybox: pull-busybox - $(call title,busybox - acceptance) +.PHONY: acceptance-busybox-1.36 +acceptance-busybox-1.36: busybox-1.36 + $(call title,busybox-1.36 - acceptance) $(DOCKER_RUN) $(BUSYBOX_IMAGE) \ $(ACCEPTANCE_CMD) @echo "\n*** test note: you should see syft spit out a 'x509: certificate signed by unknown authority' error --this is expected ***" -.PHONY: pull-busybox -pull-busybox: - $(call title,busybox - build environment) - docker pull $(BUSYBOX_IMAGE) +.PHONY: busybox-1.36 +busybox-1.36: + $(call title,busybox-1.36 - build environment) + docker build -t $(BUSYBOX_IMAGE) -f $(ENVS)/Dockerfile-busybox-1.36 . ## For CI ######################################################## diff --git a/test/install/environments/Dockerfile-alpine-3.6 b/test/install/environments/Dockerfile-alpine-3.6 index 90923d56653..51dc3d0eadb 100644 --- a/test/install/environments/Dockerfile-alpine-3.6 +++ b/test/install/environments/Dockerfile-alpine-3.6 @@ -1,2 +1,5 @@ -FROM alpine:3.6@sha256:66790a2b79e1ea3e1dabac43990c54aca5d1ddf268d9a5a0285e4167c8b24475 -RUN apk update && apk add python3 wget unzip make ca-certificates jq +FROM alpine:3.6 +RUN apk update && apk add python3 wget curl unzip make ca-certificates +RUN curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64" && \ + mv cosign-linux-amd64 /usr/local/bin/cosign && \ + chmod +x /usr/local/bin/cosign diff --git a/test/install/environments/Dockerfile-busybox-1.36 b/test/install/environments/Dockerfile-busybox-1.36 new file mode 100644 index 00000000000..e2cf2d7224a --- /dev/null +++ b/test/install/environments/Dockerfile-busybox-1.36 @@ -0,0 +1,21 @@ +FROM alpine as certs +RUN apk update && apk add ca-certificates + +# note: using qemu with a multi-arch image results in redirects not working with wget +# so let docker pull the image that matches the hosts architecture first and then pull the correct asset +FROM busybox:1.36.1-musl + +RUN ARCH=$(uname -m) && \ + if [ "$ARCH" = "x86_64" ]; then \ + COSIGN_ARCH="amd64"; \ + elif [ "$ARCH" = "aarch64" ]; then \ + COSIGN_ARCH="arm64"; \ + else \ + echo "Unsupported architecture: $ARCH" && exit 1; \ + fi && \ + echo "Downloading cosign for $COSIGN_ARCH" && \ + wget https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-${COSIGN_ARCH} && \ + mv cosign-linux-${COSIGN_ARCH} /bin/cosign && \ + chmod +x /bin/cosign + +COPY --from=certs /etc/ssl/certs /etc/ssl/certs diff --git a/test/install/environments/Dockerfile-ubuntu-20.04 b/test/install/environments/Dockerfile-ubuntu-20.04 index 9de8d2a8288..d91d10fcadc 100644 --- a/test/install/environments/Dockerfile-ubuntu-20.04 +++ b/test/install/environments/Dockerfile-ubuntu-20.04 @@ -1,2 +1,5 @@ -FROM ubuntu:20.04@sha256:33a5cc25d22c45900796a1aca487ad7a7cb09f09ea00b779e3b2026b4fc2faba -RUN apt update -y && apt install make python3 curl unzip jq -y +FROM --platform=linux/amd64 ubuntu:20.04@sha256:33a5cc25d22c45900796a1aca487ad7a7cb09f09ea00b779e3b2026b4fc2faba +RUN apt update -y && apt install make python3 curl unzip -y +RUN LATEST_VERSION=$(curl https://api.github.com/repos/sigstore/cosign/releases/latest | grep tag_name | cut -d : -f2 | tr -d "v\", ") && \ + curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign_${LATEST_VERSION}_amd64.deb" && \ + dpkg -i cosign_${LATEST_VERSION}_amd64.deb diff --git a/test/install/test-fixtures/assets/invalid/.gitignore b/test/install/test-fixtures/assets/invalid/.gitignore new file mode 100644 index 00000000000..653353c262e --- /dev/null +++ b/test/install/test-fixtures/assets/invalid/.gitignore @@ -0,0 +1 @@ +!syft_1.5.0_linux_arm64.tar.gz \ No newline at end of file diff --git a/test/install/test-fixtures/assets/invalid/checksums.txt b/test/install/test-fixtures/assets/invalid/checksums.txt new file mode 100644 index 00000000000..b383804860c --- /dev/null +++ b/test/install/test-fixtures/assets/invalid/checksums.txt @@ -0,0 +1,22 @@ +f459ecbed6621933b4dee4a613a6bdca915631742083f77ab88752f3ae0c6a9d syft_1.5.0_darwin_amd64.sbom +605322e3e7043a4f2f3d6e37f75a71389d38f6f290bff2e54bb2aaebbbf4829b syft_1.5.0_darwin_amd64.tar.gz +2feb92f6a4d117a3eb0cc5d887ac4b8da9a959ca404986dbe76e81ac83569d76 syft_1.5.0_darwin_arm64.sbom +fe02d072e7ec9a8eb4ac866ba973396a8beae79829ee870acaadd4d862e5e65a syft_1.5.0_darwin_arm64.tar.gz +40562766f99db7221dac4c82c44ccae4d9983a6795a96127f4da955d6797c090 syft_1.5.0_linux_amd64.deb +9adc0c0a3bbbdb8ce66914ffde5e176373cf5ec70a2a88cc886dc6ec54db0cd2 syft_1.5.0_linux_amd64.rpm +9de7f1c549020a25df12f07dd58330e6f6dd0c5363cf0de1157eb4f01fc41020 syft_1.5.0_linux_amd64.sbom +3d10023d46dfaf0fe75288df207b478b43597f7d2fff553f58430817166bd478 syft_1.5.0_linux_amd64.tar.gz +b661dd1be48b75b735717f9bedc4beea587968af8bf2d8c2752a302ae0a34f89 syft_1.5.0_linux_arm64.deb +5c311f44cc73fcae58884f8ea3328fc120bdaf3d21f4fe40270a22c6bb981f6d syft_1.5.0_linux_arm64.rpm +a74549794fa5dac79ab9f6401ee7000db3bd9589435b302583c3ee4ca13fb8e3 syft_1.5.0_linux_arm64.sbom +ee2b1289a1e4b0de9409c3a78867949ca42788a5f50072b8a6e6e04e6a269f9c syft_1.5.0_linux_arm64.tar.gz +599e66f0a00ba8b5cc7817f774c66c5f23de32e6b935ca9c03a185e4d2554d80 syft_1.5.0_linux_ppc64le.deb +dc4b8c4a02ffd8dd394ab94695ed44ed2bfceb06bc239835c51e84dd9b84a68c syft_1.5.0_linux_ppc64le.rpm +392044f2951ca6522d0bc71de43763202a548d40bf836098caf286041a7c8fa4 syft_1.5.0_linux_ppc64le.sbom +551d98b67f7476bc2e38453a588177b0b038933850a351a94c4bf360813f01d0 syft_1.5.0_linux_ppc64le.tar.gz +98cd582d9484f428cccd7351031543038f26d4e3f1481c5916e08e65983f1e21 syft_1.5.0_linux_s390x.deb +3a5197d43a469feaa87c723448a47a2312cf26456eef4580b59eac447baef9d4 syft_1.5.0_linux_s390x.rpm +5805bfb3e30452c8860665ea88bfdf356e9536a35c1b8ba28ac5b4717f2e6388 syft_1.5.0_linux_s390x.sbom +ff15f556660cc4c4279ce41e2475bffe2a0f72eb4423c21edf7380b2484fbf68 syft_1.5.0_linux_s390x.tar.gz +6b22df07e992d8f4881901535c095d268f79924e10be34fab03dec2b4f9f9ca0 syft_1.5.0_windows_amd64.sbom +5079c6a88e130f8677d0701cb2689f9eae2088022ecf5fa2b9f341b96d9983d2 syft_1.5.0_windows_amd64.zip diff --git a/test/install/test-fixtures/assets/invalid/syft_1.5.0_linux_arm64.tar.gz b/test/install/test-fixtures/assets/invalid/syft_1.5.0_linux_arm64.tar.gz new file mode 100644 index 00000000000..c90127d2f6c --- /dev/null +++ b/test/install/test-fixtures/assets/invalid/syft_1.5.0_linux_arm64.tar.gz @@ -0,0 +1 @@ +fake archive \ No newline at end of file diff --git a/test/install/test-fixtures/assets/valid/.gitignore b/test/install/test-fixtures/assets/valid/.gitignore new file mode 100644 index 00000000000..653353c262e --- /dev/null +++ b/test/install/test-fixtures/assets/valid/.gitignore @@ -0,0 +1 @@ +!syft_1.5.0_linux_arm64.tar.gz \ No newline at end of file diff --git a/test/install/test-fixtures/assets/valid/checksums.txt b/test/install/test-fixtures/assets/valid/checksums.txt new file mode 100644 index 00000000000..b1dfe76b97d --- /dev/null +++ b/test/install/test-fixtures/assets/valid/checksums.txt @@ -0,0 +1,22 @@ +f459ecbed6621933b4dee4a613a6bdca915631742083f77ab88752f3ae0c6a9d syft_1.5.0_darwin_amd64.sbom +605322e3e7043a4f2f3d6e37f75a71389d38f6f290bff2e54bb2aaebbbf4829b syft_1.5.0_darwin_amd64.tar.gz +2feb92f6a4d117a3eb0cc5d887ac4b8da9a959ca404986dbe76e81ac83569d76 syft_1.5.0_darwin_arm64.sbom +fe02d072e7ec9a8eb4ac866ba973396a8beae79829ee870acaadd4d862e5e65a syft_1.5.0_darwin_arm64.tar.gz +40562766f99db7221dac4c82c44ccae4d9983a6795a96127f4da955d6797c090 syft_1.5.0_linux_amd64.deb +9adc0c0a3bbbdb8ce66914ffde5e176373cf5ec70a2a88cc886dc6ec54db0cd2 syft_1.5.0_linux_amd64.rpm +9de7f1c549020a25df12f07dd58330e6f6dd0c5363cf0de1157eb4f01fc41020 syft_1.5.0_linux_amd64.sbom +3d10023d46dfaf0fe75288df207b478b43597f7d2fff553f58430817166bd478 syft_1.5.0_linux_amd64.tar.gz +b661dd1be48b75b735717f9bedc4beea587968af8bf2d8c2752a302ae0a34f89 syft_1.5.0_linux_arm64.deb +5c311f44cc73fcae58884f8ea3328fc120bdaf3d21f4fe40270a22c6bb981f6d syft_1.5.0_linux_arm64.rpm +a74549794fa5dac79ab9f6401ee7000db3bd9589435b302583c3ee4ca13fb8e3 syft_1.5.0_linux_arm64.sbom +8d57abb57a0dae3ff23c8f0df1f51951b7772822e0d560e860d6f68c24ef6d3d syft_1.5.0_linux_arm64.tar.gz +599e66f0a00ba8b5cc7817f774c66c5f23de32e6b935ca9c03a185e4d2554d80 syft_1.5.0_linux_ppc64le.deb +dc4b8c4a02ffd8dd394ab94695ed44ed2bfceb06bc239835c51e84dd9b84a68c syft_1.5.0_linux_ppc64le.rpm +392044f2951ca6522d0bc71de43763202a548d40bf836098caf286041a7c8fa4 syft_1.5.0_linux_ppc64le.sbom +551d98b67f7476bc2e38453a588177b0b038933850a351a94c4bf360813f01d0 syft_1.5.0_linux_ppc64le.tar.gz +98cd582d9484f428cccd7351031543038f26d4e3f1481c5916e08e65983f1e21 syft_1.5.0_linux_s390x.deb +3a5197d43a469feaa87c723448a47a2312cf26456eef4580b59eac447baef9d4 syft_1.5.0_linux_s390x.rpm +5805bfb3e30452c8860665ea88bfdf356e9536a35c1b8ba28ac5b4717f2e6388 syft_1.5.0_linux_s390x.sbom +ff15f556660cc4c4279ce41e2475bffe2a0f72eb4423c21edf7380b2484fbf68 syft_1.5.0_linux_s390x.tar.gz +6b22df07e992d8f4881901535c095d268f79924e10be34fab03dec2b4f9f9ca0 syft_1.5.0_windows_amd64.sbom +5079c6a88e130f8677d0701cb2689f9eae2088022ecf5fa2b9f341b96d9983d2 syft_1.5.0_windows_amd64.zip diff --git a/test/install/test-fixtures/assets/valid/syft_1.5.0_linux_arm64.tar.gz b/test/install/test-fixtures/assets/valid/syft_1.5.0_linux_arm64.tar.gz new file mode 100644 index 00000000000..c90127d2f6c --- /dev/null +++ b/test/install/test-fixtures/assets/valid/syft_1.5.0_linux_arm64.tar.gz @@ -0,0 +1 @@ +fake archive \ No newline at end of file