Open-Source Wikis

/

Cosign

/

How to contribute

/

Testing

sigstore/cosign

Testing

The cosign repo carries three layers of automated tests plus fuzz harnesses.

Unit tests

make test
# expands to:
# go test $(go list ./... | grep -v third_party/)

Unit tests live next to source as *_test.go. The pkg/cosign/ package has the densest coverage — verify_test.go (~2,400 lines) is the project's largest test file and exercises both legacy and new bundle-format verification paths.

Some tests need build tags:

go test -tags=pivkey,pkcs11key ./...   # PIV/PKCS#11 unit tests

End-to-end tests

Live under test/ and require Docker + a registry. Drivers:

  • test/e2e_test.sh — bring up scaffolding, run test/e2e_test.go and test/e2e_attach_test.go, etc.
  • test/e2e_test.ps1 — Windows variant.
  • test/e2e_test_pkcs11.sh — same idea, behind the pkcs11key tag.

The big payload is test/e2e_test.go (143 KB) which orchestrates real sign/verify flows against a registry. helpers.go (25 KB) holds the shared fixture machinery.

The same flows run in CI via .github/workflows/e2e-tests.yml (uses the ghcr.io/sigstore/scaffolding images for an ephemeral Sigstore stack inside KinD).

Conformance tests

make conformance builds cmd/conformance/ — a small shim that adapts the cosign Go API to the sigstore-conformance Python test runner. The runner exercises every Sigstore client (cosign, sigstore-python, sigstore-js, etc.) against the same set of test vectors.

make conformance-runner   # clone + build sigstore-conformance
make cosign conformance   # build both binaries
make conformance-tests    # run the suite

Fuzzing

Native Go fuzz tests are scattered through the codebase as Fuzz* functions:

  • pkg/cosign/fuzz_test.go
  • pkg/cosign/attestation/fuzz_test.go
  • pkg/policy/fuzz_test.go

There's also a test/fuzz/ directory with OSS-Fuzz integration. To run a single fuzzer locally:

go test -fuzz=FuzzSignaturesAccessor ./pkg/cosign -fuzztime=30s

Helpful tips

  • The pkg/cosign/testdata/ and pkg/policy/testdata/ directories carry pre-generated keys, certs, and signatures used by the unit tests — don't regenerate them lightly, since several tests assert exact bytes.
  • Tests that hit the Sigstore public-good infrastructure are skipped if INTEGRATION (or similar) env vars are unset; check the helpers.go flow before adding new ones.
  • Conformance failures are easier to diagnose with --debug passed through the cosign CLI (-d flag, see cmd/cosign/cli/options/root.go).

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Testing – Cosign wiki | Factory