Integration-test KMS-backed bundle signing via LocalStack (AWS) #1214

Description

@lockwobr

Goal

Add end-to-end test coverage for KMS-backed bundle signing (shipped in #407 / PR #1205) against a local AWS KMS emulator, so the full provider-resolution → sign → verify round-trip runs in CI with no cloud credentials.

Context

#407 added aicr bundle --attest --signing-key <kms-uri> for AWS/GCP/Azure KMS. Its unit tests deliberately stub the KMS at the kmsSigner seam (a local ECDSA signer), so the real provider path — kms.Get(awskms://…) → SignerVerifier.PublicKey / SignMessage — is not exercised end to end. LocalStack's OSS/community edition emulates AWS KMS, which makes an automated awskms:// round-trip feasible without real AWS.

Starting AWS-only is intentional: it exercises the bulk of the shared signing surface (the composer, the kmsKeypair adapter, public-key bundle assembly, digest/no-double-hash handling) while keeping the first increment small. Other providers can be added later (see below).

Scope (phase 1 — AWS / LocalStack)

  • Stand up LocalStack (KMS service) in the e2e harness / a CI job.
  • Provision an asymmetric signing key (ECDSA P-256, and ideally RSA-2048 to cover both classifyPublicKey branches).
  • Run aicr bundle --attest --signing-key awskms://… pointed at the LocalStack endpoint (confirm sigstore's AWS KMS provider honors a custom endpoint via AWS_ENDPOINT_URL / SDK config).
  • Assert the output bundle carries public-key verification material (no Fulcio cert) and verifies against the emulated key's public key (cosign verify --key, or programmatic verify).
  • Handle the transparency log appropriately (no real Rekor in CI — pair with the no-tlog path; coordinate with #409, "feat(bundle): air-gapped signing with --tlog-upload=false for restricted networks").
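A sketch of the phase-1 CI job described by the items above, added here as an example and not code from the aicr project or the PR under discussion. It stands up LocalStack's KMS, provisions one ECC_NIST_P256 and one RSA_2048 SIGN_VERIFY key (one per classifyPublicKey branch), exports each public key to PEM, signs through aicr bundle --attest --signing-key awskms://…, and verifies offline against the exported key. Assumptions are marked in the script: the awskms://[ENDPOINT]/[ID|alias/NAME|ARN] reference format is sigstore's; the endpoint override relies on the SDK-level AWS_ENDPOINT_URL behaviour the issue asks to confirm (the URI form with an explicit host is also shown); aicr's input/output flags, the bundle path and the #409 no-tlog flag are not given in this issue and appear as placeholders; and the cosign verify-blob step assumes aicr emits a sigstore bundle cosign can read. The two pure helpers (kms_uri, spec_branch) can be sourced and checked without Docker.

```shell
#!/usr/bin/env bash
# Phase-1 harness: LocalStack KMS -> aicr bundle --attest -> verify against the
# exported public key. Added example for this issue, not project code.
set -eu

LOCALSTACK_ENDPOINT="${LOCALSTACK_ENDPOINT:-http://localhost:4566}"
# LocalStack accepts any credentials; the SDK still requires them to be set.
export AWS_ACCESS_KEY_ID=test AWS_SECRET_ACCESS_KEY=test AWS_DEFAULT_REGION=us-east-1
# Endpoint override for every SDK client, including the one sigstore's awskms
# provider builds from default config (the behaviour this issue asks to confirm).
export AWS_ENDPOINT_URL="$LOCALSTACK_ENDPOINT"

# Build a sigstore key reference: awskms://[ENDPOINT]/[ID | alias/NAME | ARN].
# An empty ENDPOINT yields awskms:///<ref>, leaving endpoint choice to SDK config;
# a host such as localhost:4566 pins it in the URI instead.
kms_uri() {
  case "$2" in
    alias/*|arn:aws:kms:*|*-*-*-*-*) printf 'awskms://%s/%s\n' "$1" "$2" ;;
    *) echo "kms_uri: unsupported key reference '$2'" >&2; return 1 ;;
  esac
}

# Which classifyPublicKey branch a KMS key spec is expected to exercise.
spec_branch() {
  case "$1" in
    ECC_NIST_P256|ECC_NIST_P384|ECC_NIST_P521) echo ecdsa ;;
    RSA_2048|RSA_3072|RSA_4096) echo rsa ;;
    *) echo "spec_branch: unknown key spec '$1'" >&2; return 1 ;;
  esac
}

wait_for_localstack() {
  for _ in $(seq 1 30); do
    curl -fsS "$LOCALSTACK_ENDPOINT/_localstack/health" >/dev/null 2>&1 && return 0
    sleep 1
  done
  echo "LocalStack did not become healthy" >&2; return 1
}

# Provision an asymmetric SIGN_VERIFY key plus an alias; prints the key id.
create_signing_key() {
  local spec="$1" alias_name="$2" key_id
  key_id=$(aws kms create-key --key-spec "$spec" --key-usage SIGN_VERIFY \
             --query KeyMetadata.KeyId --output text)
  aws kms create-alias --alias-name "alias/$alias_name" --target-key-id "$key_id"
  echo "$key_id"
}

# Export the public key (base64 DER SubjectPublicKeyInfo) as PEM so the verify
# step needs no KMS access at all.
export_public_key() {
  aws kms get-public-key --key-id "$1" --query PublicKey --output text \
    | base64 -d | openssl pkey -pubin -inform DER -outform PEM -out "$2"
}

# One sign/verify round-trip for a given key spec.
round_trip() {
  local spec="$1" alias_name workdir
  alias_name="aicr-e2e-$(echo "$spec" | tr 'A-Z_' 'a-z-')"
  workdir=$(mktemp -d)
  create_signing_key "$spec" "$alias_name" >"$workdir/key-id"
  export_public_key "$(cat "$workdir/key-id")" "$workdir/pub.pem"
  echo "$spec -> expected classifyPublicKey branch: $(spec_branch "$spec")"

  # PLACEHOLDER: aicr's input/output flags are not given in this issue; supply
  # them via AICR_BUNDLE_ARGS. #409's --tlog-upload=false would go here once it lands.
  # shellcheck disable=SC2086
  aicr bundle --attest --signing-key "$(kms_uri '' "alias/$alias_name")" ${AICR_BUNDLE_ARGS:-}

  # ASSUMPTION: the emitted bundle is a sigstore bundle cosign can read. The tlog
  # check is skipped because no Rekor exists in this job. BUNDLE_PATH and
  # ARTIFACT_PATH are placeholders matching whatever AICR_BUNDLE_ARGS produced.
  cosign verify-blob --key "$workdir/pub.pem" --bundle "${BUNDLE_PATH:?}" \
    --insecure-ignore-tlog "${ARTIFACT_PATH:?}"
}

main() {
  docker run -d --rm --name aicr-localstack -p 4566:4566 -e SERVICES=kms localstack/localstack
  trap 'docker stop aicr-localstack >/dev/null' EXIT
  wait_for_localstack
  for spec in ECC_NIST_P256 RSA_2048; do round_trip "$spec"; done
}

# Run the full job only on request so the helpers can be sourced and unit-tested.
if [ "${RUN_E2E:-0}" = "1" ]; then main "$@"; fi
```

Run with RUN_E2E=1 AICR_BUNDLE_ARGS="…" BUNDLE_PATH=… ARTIFACT_PATH=… once the placeholders are filled from aicr bundle --help; the same script doubles as the "local run instructions" the acceptance criteria ask for.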

Future increments (later tickets, not this one)

  • Azure Key Vault via the community lowkey-vault emulator. Note: Azurite is storage-only and does not emulate Key Vault.
  • GCP Cloud KMS — no official emulator exists today; revisit when tooling lands.

Related #407 follow-ups (non-blocking; could fold here or split out)

These were raised in PR #1205 review and explicitly marked non-blocking:

Acceptance

  • A CI job signs a bundle via emulated AWS KMS and verifies it — deterministic, no cloud credentials.
  • Local run instructions documented.

Part of epic #1149. Follow-up to #407 (PR #1205).
