fix: fixed trust store logic in verify (#38)

notaryproject · Aug 21, 2023 · 879f728 · 879f728
1 parent 7ea89f5
commit 879f728
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 5 deletions.
diff --git a/.github/workflows/e2e-test-verify.yml b/.github/workflows/e2e-test-verify.yml
@@ -75,6 +75,13 @@ jobs:
             target_artifact_reference: ${{ env.target_artifact_reference }}
             trust_policy: ./tests/e2e/trustpolicy/trustpolicy.json
             trust_store: ./tests/e2e/truststore
+
+      - name: Verify released artifact again with the same notation configuration
+        uses: ./verify
+        with:
+            target_artifact_reference: ${{ env.target_artifact_reference }}
+            trust_policy: ./tests/e2e/trustpolicy/trustpolicy.json
+            trust_store: ./tests/e2e/truststore
 
       - name: Verify released artifact missing target artifact reference
         continue-on-error: true
@@ -143,8 +150,6 @@ jobs:
             echo "Verify released artifact with invalid trust store structure should fail, but succeeded."
             exit 1
       
-      - name: Clean up notation trust store
-        run: notation cert delete --type ca --store e2e-test -y --all
       - name: Verify released artifact without valid cert in trust store
         continue-on-error: true
         id: invalid-cert

diff --git a/dist/verify.js b/dist/verify.js
diff --git a/dist/verify.js.map b/dist/verify.js.map
diff --git a/src/verify.ts b/src/verify.ts
@@ -17,6 +17,7 @@ import * as core from '@actions/core';
 import * as exec from '@actions/exec';
 import * as fs from 'fs';
 import * as path from 'path';
+import {getConfigHome} from './lib/install'
 
 const X509 = "x509";
 
@@ -72,6 +73,10 @@ async function configTrustStore(dir: string) {
     if (!fs.existsSync(trustStoreX509)) {
         throw new Error(`cannot find trust store dir: ${trustStoreX509}`);
     }
+    const trustStorePath = path.join(getConfigHome(), 'notation', 'truststore');
+    if (fs.existsSync(trustStorePath)) {
+        fs.rmSync(trustStorePath, {recursive: true});
+    }
     let trustStoreTypes = getSubdir(trustStoreX509); // [.github/truststore/x509/ca, .github/truststore/x509/signingAuthority, ...]
     for (let i = 0; i < trustStoreTypes.length; ++i) {
         let trustStoreType = path.basename(trustStoreTypes[i]);
@@ -80,7 +85,7 @@ async function configTrustStore(dir: string) {
             let trustStore = trustStores[j]; // .github/truststore/x509/ca/<my_store>
             let trustStoreName = path.basename(trustStore); // <my_store>
             let certFile = getFileFromDir(trustStore); // [.github/truststore/x509/ca/<my_store>/<my_cert1>, .github/truststore/x509/ca/<my_store>/<my_cert2>, ...]
-            exec.getExecOutput('notation', ['cert', 'add', '-t', trustStoreType, '-s', trustStoreName, ...certFile]);
+            await exec.getExecOutput('notation', ['cert', 'add', '-t', trustStoreType, '-s', trustStoreName, ...certFile]);
         }
     }
 }