feat(CLOUDDST-25034): run rh-sign-image-cosign signing in parallel

- Added missing --key "$PUBLIC_KEY_FILE" to cosign verify calls
- Removed string wrap from COSIGN_REKOR_ARGS

Signed-off-by: Jindrich Luza <[email protected]>

tasks/managed/rh-sign-image-cosign/rh-sign-image-cosign.yaml

@@ -122,7 +122,8 @@ spec:
           else
               COSIGN_REKOR_ARGS="--insecure-ignore-tlog=true"
           fi
-          verify_output=$(run_cosign verify "$COSIGN_REKOR_ARGS" "$reference")
+          # shellcheck disable=SC2119,SC2120
+          verify_output=$(run_cosign verify $COSIGN_REKOR_ARGS --key "$PUBLIC_KEY_FILE" "$reference")
           found_signatures=$(echo "$verify_output" | jq -j '['\
         '.[]|select(.critical.image."docker-manifest-digest"| contains("'"$digest"'"))'\
         '|select(.critical.identity."docker-reference"| contains("'"$identity"'"))'\
@@ -147,7 +148,8 @@ spec:
           fi
 
           if [ "$found_signatures" -eq 0 ]; then
-            run_cosign -t 3m0s sign "$COSIGN_REKOR_ARGS" \
+            # shellcheck disable=SC2119,SC2120
+            run_cosign -t 3m0s sign $COSIGN_REKOR_ARGS \
               --key "$SIGN_KEY" \
               --sign-container-identity "$identity" "$reference@$digest"
           else

tasks/managed/rh-sign-image-cosign/tests/mocks.sh

@@ -136,6 +136,10 @@ function skopeo() {
     fi
   fi
 }
+function mktemp() {
+  echo "temp_key_file"
+}
+
 function cosign () {
   # check if call should end successfully
   # mock_cosign_success_calls file is expected to contain lines with "1" or "0" where

tasks/managed/rh-sign-image-cosign/tests/test-rh-sign-image-cosign-multiple-components.yaml

@@ -150,5 +150,46 @@ spec:
                 diff -Naur "$EXPECTED_FILE" "$CALLS_FILE"
                 exit 1
               fi
+
+              CALLS=$(cat "$(workspaces.data.path)/mock_cosign_verify_calls")
+              COSIGN_COMMON="verify --rekor-url=https://fake-rekor-server --key temp_key_file"
+              EXPECTED=$(cat <<EOF
+              $COSIGN_COMMON ${_TEST_REPO1}:t1
+              $COSIGN_COMMON ${_TEST_REPO1}:t2
+              $COSIGN_COMMON ${_TEST_REPO1}:t1
+              $COSIGN_COMMON ${_TEST_REPO1}:t2
+              $COSIGN_COMMON ${_TEST_REPO1}:t1
+              $COSIGN_COMMON ${_TEST_REPO1}:t2
+              $COSIGN_COMMON ${_TEST_REPO1}:t1
+              $COSIGN_COMMON ${_TEST_REPO1}:t2
+              $COSIGN_COMMON ${_TEST_REPO1}:t1
+              $COSIGN_COMMON ${_TEST_REPO1}:t2
+              $COSIGN_COMMON ${_TEST_REPO1}:t1
+              $COSIGN_COMMON ${_TEST_REPO1}:t2
+              $COSIGN_COMMON ${_TEST_REPO1}:t1
+              $COSIGN_COMMON ${_TEST_REPO1}:t2
+              $COSIGN_COMMON ${_TEST_REPO1}:t1
+              $COSIGN_COMMON ${_TEST_REPO1}:t2
+              $COSIGN_COMMON ${_TEST_REPO2}:t1
+              $COSIGN_COMMON ${_TEST_REPO2}:t2
+              $COSIGN_COMMON ${_TEST_REPO2}:t1
+              $COSIGN_COMMON ${_TEST_REPO2}:t2
+              $COSIGN_COMMON ${_TEST_REPO2}:t1
+              $COSIGN_COMMON ${_TEST_REPO2}:t2
+              $COSIGN_COMMON ${_TEST_REPO2}:t1
+              $COSIGN_COMMON ${_TEST_REPO2}:t2
+              EOF
+              )
+              echo "TESTING VERIFY CALLS"
+              if [ "$CALLS" != "$EXPECTED" ]; then
+                echo "Diff:"
+                CALLS_FILE=$(mktemp XXXXX.calls)
+                EXPECTED_FILE=$(mktemp XXXXX.expected)
+                echo "$CALLS" > "$CALLS_FILE"
+                echo "$EXPECTED" > "$EXPECTED_FILE"
+                diff -Naur "$EXPECTED_FILE" "$CALLS_FILE"
+                rm "$CALLS_FILE" "$EXPECTED_FILE"
+                exit 1
+              fi
       runAfter:
         - run-task

tasks/managed/rh-sign-image-cosign/tests/test-rh-sign-image-cosign-retries.yaml

@@ -109,5 +109,24 @@ spec:
                 diff -Naur "$EXPECTED_FILE" "$CALLS_FILE"
                 exit 1
               fi
+
+              CALLS=$(cat "$(workspaces.data.path)/mock_cosign_verify_calls")
+              COSIGN_COMMON="verify --insecure-ignore-tlog=true --key temp_key_file"
+              EXPECTED=$(cat <<EOF
+              $COSIGN_COMMON ${_TEST_REPO}:t1
+              $COSIGN_COMMON ${_TEST_REPO}:t2
+              EOF
+              )
+              echo "TESTING VERIFY CALLS"
+              if [ "$CALLS" != "$EXPECTED" ]; then
+                echo "Diff:"
+                CALLS_FILE=$(mktemp XXXXX.calls)
+                EXPECTED_FILE=$(mktemp XXXXX.expected)
+                echo "$CALLS" > "$CALLS_FILE"
+                echo "$EXPECTED" > "$EXPECTED_FILE"
+                diff -Naur "$EXPECTED_FILE" "$CALLS_FILE"
+                rm "$CALLS_FILE" "$EXPECTED_FILE"
+                exit 1
+              fi
       runAfter:
         - run-task

tasks/managed/rh-sign-image-cosign/tests/test-rh-sign-image-cosign-single-component.yaml

@@ -107,5 +107,26 @@ spec:
                 diff -Naur "$EXPECTED_FILE" "$CALLS_FILE"
                 exit 1
               fi
+
+              CALLS=$(cat "$(workspaces.data.path)/mock_cosign_verify_calls")
+              COSIGN_COMMON="verify --insecure-ignore-tlog=true --key temp_key_file"
+              EXPECTED=$(cat <<EOF
+              $COSIGN_COMMON ${_TEST_REPO}:t1
+              $COSIGN_COMMON ${_TEST_REPO}:t2
+              $COSIGN_COMMON ${_TEST_REPO}:t1
+              $COSIGN_COMMON ${_TEST_REPO}:t2
+              EOF
+              )
+              echo "TESTING VERIFY CALLS"
+              if [ "$CALLS" != "$EXPECTED" ]; then
+                echo "Diff:"
+                CALLS_FILE=$(mktemp XXXXX.calls)
+                EXPECTED_FILE=$(mktemp XXXXX.expected)
+                echo "$CALLS" > "$CALLS_FILE"
+                echo "$EXPECTED" > "$EXPECTED_FILE"
+                diff -Naur "$EXPECTED_FILE" "$CALLS_FILE"
+                rm "$CALLS_FILE" "$EXPECTED_FILE"
+                exit 1
+              fi
       runAfter:
         - run-task