Goal
Add end-to-end test coverage for KMS-backed bundle signing (shipped in #407 / PR #1205) against a local AWS KMS emulator, so the full provider-resolution → sign → verify round-trip runs in CI with no cloud credentials.
Context
#407 added aicr bundle --attest --signing-key <kms-uri> for AWS/GCP/Azure KMS. Its unit tests deliberately stub the KMS at the kmsSigner seam (a local ECDSA signer), so the real provider path — kms.Get(awskms://…) → SignerVerifier.PublicKey → SignMessage — is not exercised end to end. LocalStack's OSS/community edition emulates AWS KMS, which makes an automated awskms:// round-trip feasible without real AWS.
Starting AWS-only is intentional: it exercises the bulk of the shared signing surface (the composer, the kmsKeypair adapter, public-key bundle assembly, digest/no-double-hash handling) while keeping the first increment small. Other providers can be added later (see below).
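As an added illustration of two pieces of the shared surface named above, the classifyPublicKey ECDSA/RSA branches and the digest/no-double-hash handling, the following Go program is example code written for this ticket; it is not aicr's or sigstore's implementation. It stands in for the KMS with a local signer that accepts only a SHA-256 digest (the way a provider signing a pre-computed digest does), signs with both ECDSA P-256 and RSA-2048, and verifies with the public key the way a bundle verifier would. It also reproduces the failure the no-double-hash handling exists to prevent: if the already-hashed message is hashed again before it reaches the signer, the signature no longer verifies. The names keyKind, classifyPublicKey, digestSigner and roundTrip are assumptions for the example, and the payload is constructed sample input.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// keyKind and classifyPublicKey mirror the two branches the ticket describes
// (ECDSA vs RSA); the names and shape are assumptions for this example.
type keyKind string

const (
	kindECDSA keyKind = "ecdsa"
	kindRSA   keyKind = "rsa"
)

func classifyPublicKey(pub crypto.PublicKey) (keyKind, error) {
	switch pub.(type) {
	case *ecdsa.PublicKey:
		return kindECDSA, nil
	case *rsa.PublicKey:
		return kindRSA, nil
	default:
		return "", fmt.Errorf("unsupported public key type %T", pub)
	}
}

// digestSigner stands in for the KMS: it accepts only a SHA-256 digest and
// signs it as-is, never hashing again on its side.
type digestSigner struct{ priv crypto.Signer }

func (s digestSigner) SignDigest(digest []byte) ([]byte, error) {
	if len(digest) != sha256.Size {
		return nil, errors.New("expected a 32-byte SHA-256 digest")
	}
	// *ecdsa.PrivateKey yields an ASN.1 signature; *rsa.PrivateKey with a
	// crypto.Hash option yields RSASSA-PKCS1-v1_5 over the DigestInfo.
	return s.priv.Sign(rand.Reader, digest, crypto.SHA256)
}

// signMessage is the correct path: hash exactly once, then hand over the digest.
func signMessage(s digestSigner, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return s.SignDigest(d[:])
}

// signMessageDoubleHashed reproduces the bug the no-double-hash handling guards
// against: the already-hashed message is hashed a second time before signing.
func signMessageDoubleHashed(s digestSigner, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	dd := sha256.Sum256(d[:])
	return s.SignDigest(dd[:])
}

// verifyMessage is what a bundle verifier does with public-key material:
// recompute SHA-256 of the message and check the signature for the key type.
func verifyMessage(pub crypto.PublicKey, msg, sig []byte) error {
	kind, err := classifyPublicKey(pub)
	if err != nil {
		return err
	}
	d := sha256.Sum256(msg)
	switch kind {
	case kindECDSA:
		if !ecdsa.VerifyASN1(pub.(*ecdsa.PublicKey), d[:], sig) {
			return errors.New("ecdsa: signature does not verify")
		}
		return nil
	default: // kindRSA
		return rsa.VerifyPKCS1v15(pub.(*rsa.PublicKey), crypto.SHA256, d[:], sig)
	}
}

// roundTrip signs one message both ways and reports whether each verifies.
func roundTrip(priv crypto.Signer, msg []byte) (singleOK, doubleOK bool, err error) {
	s := digestSigner{priv: priv}
	sig, err := signMessage(s, msg)
	if err != nil {
		return false, false, err
	}
	singleOK = verifyMessage(priv.Public(), msg, sig) == nil
	sig2, err := signMessageDoubleHashed(s, msg)
	if err != nil {
		return false, false, err
	}
	doubleOK = verifyMessage(priv.Public(), msg, sig2) == nil
	return singleOK, doubleOK, nil
}

func main() {
	ec, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rs, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg := []byte("constructed bundle payload") // sample input, not a real bundle
	for name, k := range map[string]crypto.Signer{"ECDSA P-256": ec, "RSA-2048": rs} {
		single, double, err := roundTrip(k, msg)
		fmt.Printf("%-11s single-hash verifies=%v double-hash verifies=%v err=%v\n", name, single, double, err)
	}
}
```

The LocalStack round-trip this ticket asks for is the same shape with the emulated key in place of digestSigner: the bundle's public-key material must verify a single SHA-256 of the payload, and a signer that hashes a second time produces a bundle that fails exactly as the double-hash case here does.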
Scope (phase 1 — AWS / LocalStack)
Stand up LocalStack (KMS service) in the e2e harness / a CI job.
Provision an asymmetric signing key (ECDSA P-256, and ideally RSA-2048 to cover both classifyPublicKey branches).
Run aicr bundle --attest --signing-key awskms://… pointed at the LocalStack endpoint (confirm sigstore's AWS KMS provider honors a custom endpoint via AWS_ENDPOINT_URL / SDK config).
Assert the output bundle carries public-key verification material (no Fulcio cert) and verifies against the emulated key's public key (cosign verify --key, or programmatic verify).
Future increments (later tickets, not this one)
Related #407 follow-ups (non-blocking; could fold here or split out)
These were raised in PR #1205 review and explicitly marked non-blocking:
Cache the resolved public key in sign.Keypair (sync.Once + invalidate-on-auth-error) so the server/batch path (feat(server): bundle attestation for /v1/bundle (non-interactive signing) #1150) doesn't pay 2× KMS RPC per sign.
A separate defaults.KMSResolveTimeout if the KMS-resolve vs sign budgets ever need to diverge (today both share SigstoreSignTimeout).
Acceptance
Part of epic #1149. Follow-up to #407 (PR #1205).
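For the sign.Keypair caching follow-up listed above, the following Go program is an added sketch (example code, not the project's own) of memoizing the public-key RPC and invalidating the cache on an auth error, measured against a constructed fake KMS that counts RPCs and can simulate expired credentials. A plain sync.Once cannot be reset once it has fired, so the cache here is a mutex-guarded slot that is cleared when the provider returns the auth error. The kmsClient interface, ErrAuth, fakeKMS and cachedKeypair are assumptions for the example.

```go
package main

import (
	"context"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sync"
	"sync/atomic"
)

var ErrAuth = errors.New("kms: authentication error") // assumed name for the provider's credential failure

// kmsClient is the assumed provider surface: one RPC for the key, one RPC per signature.
type kmsClient interface {
	PublicKey(ctx context.Context) (crypto.PublicKey, error)
	SignDigest(ctx context.Context, digest []byte) ([]byte, error)
}

// fakeKMS is a constructed stand-in that counts RPCs and can simulate expired credentials.
type fakeKMS struct {
	priv      *ecdsa.PrivateKey
	pubCalls  atomic.Int64
	signCalls atomic.Int64
	authFail  atomic.Bool
}

func newFakeKMS() *fakeKMS {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &fakeKMS{priv: priv}
}

func (f *fakeKMS) PublicKey(context.Context) (crypto.PublicKey, error) {
	f.pubCalls.Add(1)
	if f.authFail.Load() {
		return nil, ErrAuth
	}
	return &f.priv.PublicKey, nil
}

func (f *fakeKMS) SignDigest(_ context.Context, digest []byte) ([]byte, error) {
	f.signCalls.Add(1)
	if f.authFail.Load() {
		return nil, ErrAuth
	}
	return ecdsa.SignASN1(rand.Reader, f.priv, digest)
}

// cachedKeypair memoizes the public key so a batch of signs pays one KMS RPC per
// sign after the first; the slot is cleared whenever the provider reports ErrAuth.
type cachedKeypair struct {
	kms kmsClient
	mu  sync.Mutex
	pub crypto.PublicKey // nil means not cached
}

// PublicKey holds the mutex across the fetch, which also coalesces concurrent first callers.
func (c *cachedKeypair) PublicKey(ctx context.Context) (crypto.PublicKey, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.pub == nil {
		pub, err := c.kms.PublicKey(ctx)
		if err != nil {
			return nil, err
		}
		c.pub = pub
	}
	return c.pub, nil
}

func (c *cachedKeypair) invalidate() { c.mu.Lock(); c.pub = nil; c.mu.Unlock() }

// SignMessage hashes once, signs the digest, and returns the public key the bundle's
// verification material is built from. An auth error on the sign RPC drops the cached
// key so the next call refetches under fresh credentials.
func (c *cachedKeypair) SignMessage(ctx context.Context, msg []byte) (crypto.PublicKey, []byte, error) {
	pub, err := c.PublicKey(ctx)
	if err != nil {
		return nil, nil, err
	}
	d := sha256.Sum256(msg)
	sig, err := c.kms.SignDigest(ctx, d[:])
	if err != nil {
		if errors.Is(err, ErrAuth) {
			c.invalidate()
		}
		return nil, nil, err
	}
	return pub, sig, nil
}

func main() {
	kms, ctx := newFakeKMS(), context.Background()
	kp := &cachedKeypair{kms: kms}
	for i := 0; i < 3; i++ {
		kp.SignMessage(ctx, []byte("payload"))
	}
	fmt.Printf("3 signs: %d PublicKey RPCs + %d Sign RPCs (uncached: 3 + 3)\n", kms.pubCalls.Load(), kms.signCalls.Load())
	kms.authFail.Store(true)
	_, _, err := kp.SignMessage(ctx, []byte("payload")) // fails and drops the cached key
	kms.authFail.Store(false)
	kp.SignMessage(ctx, []byte("payload"))
	fmt.Printf("outage: %v; PublicKey RPCs after recovery: %d\n", err, kms.pubCalls.Load())
}
```

With the cache a batch of n signs costs n+1 KMS RPCs instead of 2n, and a credential rotation mid-batch costs exactly one extra PublicKey fetch rather than a stale key being embedded in later bundles.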