Goal
Add end-to-end test coverage for private/self-hosted Sigstore signing (the --fulcio-url / --rekor-url support added in #408) by standing up a local Sigstore stack in CI, so the keyless sign → log → verify round-trip is exercised against a non-public-good instance with no external network.
Context
#408 added aicr bundle --attest --fulcio-url … --rekor-url … to point keyless signing at a private Fulcio CA and/or Rekor transparency log. Today that path is only unit-tested at the seam; there is no automated test that actually issues a Fulcio cert and writes a Rekor entry against a real (local) instance.
sigstore/scaffolding stands up a full local Sigstore stack (Fulcio + Rekor + CT log + TUF) in a kind cluster, built specifically for this kind of e2e testing. It pairs naturally with the existing kind-based e2e harness.
This is a sibling to #1214 (KMS-emulator e2e); together they cover the two non-public-good signing paths and open the door to automated testing across the full signing/verification matrix.
Scope (phase 1 — keyless signing against local Sigstore)
- Stand up
sigstore/scaffolding (Fulcio + Rekor + CT + TUF) in the e2e/kind harness or a dedicated CI job.
- Run
aicr bundle --attest --fulcio-url <local-fulcio> --rekor-url <local-rekor> against it, supplying an OIDC token from the scaffolding's local issuer (or the device/ambient flow as appropriate).
- Assert a valid Sigstore bundle is produced with a Fulcio certificate and a Rekor inclusion proof from the local instances.
Future increments (later tickets, not this one)
Acceptance
- A CI job signs a bundle against a local Fulcio + Rekor (no public-good Sigstore, no external network beyond pulling images) and asserts the resulting bundle's structure.
- Local run instructions documented.
Part of epic #1149. Exercises the #408 private-Sigstore signing surface; sibling to #1214 (KMS-emulator e2e).
Goal
Add end-to-end test coverage for private/self-hosted Sigstore signing (the
--fulcio-url/--rekor-urlsupport added in #408) by standing up a local Sigstore stack in CI, so the keyless sign → log → verify round-trip is exercised against a non-public-good instance with no external network.Context
#408 added
aicr bundle --attest --fulcio-url … --rekor-url …to point keyless signing at a private Fulcio CA and/or Rekor transparency log. Today that path is only unit-tested at the seam; there is no automated test that actually issues a Fulcio cert and writes a Rekor entry against a real (local) instance.sigstore/scaffoldingstands up a full local Sigstore stack (Fulcio + Rekor + CT log + TUF) in a kind cluster, built specifically for this kind of e2e testing. It pairs naturally with the existing kind-based e2e harness.This is a sibling to #1214 (KMS-emulator e2e); together they cover the two non-public-good signing paths and open the door to automated testing across the full signing/verification matrix.
Scope (phase 1 — keyless signing against local Sigstore)
sigstore/scaffolding(Fulcio + Rekor + CT + TUF) in the e2e/kind harness or a dedicated CI job.aicr bundle --attest --fulcio-url <local-fulcio> --rekor-url <local-rekor>against it, supplying an OIDC token from the scaffolding's local issuer (or the device/ambient flow as appropriate).Future increments (later tickets, not this one)
Acceptance
Part of epic #1149. Exercises the #408 private-Sigstore signing surface; sibling to #1214 (KMS-emulator e2e).