Skip to content

Acceptance tests for supply-chain flows #110

Description

@michael-herwig

Part of #24.

What

Add to test/tests/:

  1. test_trust_policy.py — identity pin match / mismatch.
  2. test_install_auto_verify.py — install respects [trust.policy].
  3. test_sbom_attach_discover.py — push with --sbom, fetch via ocx sbom.
  4. test_slsa_provenance.py — attach + verify SLSA referrer.
  5. test_osv_scan.py — install of binary with cargo-auditable data triggers expected scan path.
  6. test_mirror_signing.py — mirror bundle is signed end-to-end.
  7. test_referrers_capability.py — clear error against non-referrers registry.
  8. test_cosign_interop.pycosign verify accepts signatures produced by ocx sign and vice versa (regression suite).

All tests reuse the fake Fulcio + Rekor + OIDC fixture from PR #87 (test/tests/fixtures/fake_sigstore.py).

Acceptance criteria

  • All tests green in task test.
  • Cosign-interop test runs against real cosign binary (installed via ocx install cosign:2.6+).
  • Fixture extensions kept minimal — reuse over duplication.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/testsSubsystem: testssecuritySecurity-relevant change or hardening

    Type

    Fields

    No fields configured for Task.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions