sigstore/cosign
Testing
The cosign repo carries three layers of automated tests plus fuzz harnesses.
Unit tests
make test
# expands to:
# go test $(go list ./... | grep -v third_party/)Unit tests live next to source as *_test.go. The pkg/cosign/ package has the densest coverage — verify_test.go (~2,400 lines) is the project's largest test file and exercises both legacy and new bundle-format verification paths.
Some tests need build tags:
go test -tags=pivkey,pkcs11key ./... # PIV/PKCS#11 unit testsEnd-to-end tests
Live under test/ and require Docker + a registry. Drivers:
test/e2e_test.sh— bring up scaffolding, runtest/e2e_test.goandtest/e2e_attach_test.go, etc.test/e2e_test.ps1— Windows variant.test/e2e_test_pkcs11.sh— same idea, behind thepkcs11keytag.
The big payload is test/e2e_test.go (143 KB) which orchestrates real sign/verify flows against a registry. 25 KB) holds the shared fixture machinery.helpers.go (
The same flows run in CI via .github/workflows/e2e-tests.yml (uses the ghcr.io/sigstore/scaffolding images for an ephemeral Sigstore stack inside KinD).
Conformance tests
make conformance builds cmd/conformance/ — a small shim that adapts the cosign Go API to the sigstore-conformance Python test runner. The runner exercises every Sigstore client (cosign, sigstore-python, sigstore-js, etc.) against the same set of test vectors.
make conformance-runner # clone + build sigstore-conformance
make cosign conformance # build both binaries
make conformance-tests # run the suiteFuzzing
Native Go fuzz tests are scattered through the codebase as Fuzz* functions:
pkg/cosign/fuzz_test.gopkg/cosign/attestation/fuzz_test.gopkg/policy/fuzz_test.go
There's also a test/fuzz/ directory with OSS-Fuzz integration. To run a single fuzzer locally:
go test -fuzz=FuzzSignaturesAccessor ./pkg/cosign -fuzztime=30sHelpful tips
- The
pkg/cosign/testdata/andpkg/policy/testdata/directories carry pre-generated keys, certs, and signatures used by the unit tests — don't regenerate them lightly, since several tests assert exact bytes. - Tests that hit the Sigstore public-good infrastructure are skipped if
INTEGRATION(or similar) env vars are unset; check thehelpers.goflow before adding new ones. - Conformance failures are easier to diagnose with
--debugpassed through thecosignCLI (-dflag, seecmd/cosign/cli/options/root.go).
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.