Today tests/integration/sign/test_{cosign_images,dsse_activities,rekor_transparency}.py
only check that SHACL profile gates fire AND that
OptionalDependencyMissing lazy-imports correctly. The actual
cryptographic verification is NOT exercised end-to-end.
oracle/signing/rekor.py is
currently a NotImplementedError stub — verification needs implementing
under the [cosign] extra. A live test of an empty stub would only
test rekor.sigstore.dev's API, not our code.
VC-DI cross-impl is already done at
tests/integration/sign/test_live_vc_di.py
(xfailing pending #2 resolution).
Blocked on flexo-rtm-research#26
decisions:
- Target OCI registry for Cosign (proposed:
ghcr.io/dynamicalsystemsgroup/flexo-rtm-test)
- DSSE: install
in-toto CLI as CI dep, or vendor fixtures into
examples/dsse/
Acceptance
Once decisions land:
tests/integration/sign/test_live_cosign.py — verify a real cosign
bundle against an OCI image in the target registry.tests/integration/sign/test_live_dsse.py — verify a DSSE envelope
produced by upstream in-toto-attestation.- Implement Rekor verifier in
oracle/signing/rekor.py
(verify_rekor_inclusion_proof using sigstore's Merkle proof
routines).
tests/integration/sign/test_live_rekor.py — fetch a real
rekor.sigstore.dev/api/v1/log/entries/{uuid} and verify the
inclusion proof.
Today
tests/integration/sign/test_{cosign_images,dsse_activities,rekor_transparency}.pyonly check that SHACL profile gates fire AND that
OptionalDependencyMissinglazy-imports correctly. The actualcryptographic verification is NOT exercised end-to-end.
oracle/signing/rekor.pyiscurrently a
NotImplementedErrorstub — verification needs implementingunder the
[cosign]extra. A live test of an empty stub would onlytest
rekor.sigstore.dev's API, not our code.VC-DI cross-impl is already done at
tests/integration/sign/test_live_vc_di.py(xfailing pending #2 resolution).
Blocked on flexo-rtm-research#26
decisions:
ghcr.io/dynamicalsystemsgroup/flexo-rtm-test)in-totoCLI as CI dep, or vendor fixtures intoexamples/dsse/Acceptance
Once decisions land:
tests/integration/sign/test_live_cosign.py— verify a real cosignbundle against an OCI image in the target registry.
tests/integration/sign/test_live_dsse.py— verify a DSSE envelopeproduced by upstream
in-toto-attestation.oracle/signing/rekor.py(
verify_rekor_inclusion_proofusingsigstore's Merkle proofroutines).
tests/integration/sign/test_live_rekor.py— fetch a realrekor.sigstore.dev/api/v1/log/entries/{uuid}and verify theinclusion proof.