Prepare for --sign-by-sq-fingerprint

Makefile

@@ -53,10 +53,9 @@ ifeq ($(GOOS), linux)
   endif
 endif
 
-# If $TESTFLAGS is set, it is passed as extra arguments to 'go test'.
+# If $TESTFLAGS is set, it is passed as extra arguments to 'go test' on integration tests.
 # You can select certain tests to run, with `-run <regex>` for example:
 #
-#     make test-unit TESTFLAGS='-run ^TestManifestDigest$'
 #     make test-integration TESTFLAGS='-run copySuite.TestCopy.*'
 export TESTFLAGS ?= -timeout=15m
 
@@ -205,7 +204,7 @@ test-integration:
 # Intended for CI, assumed to be running in quay.io/libpod/skopeo_cidev container.
 test-integration-local: bin/skopeo
 	hack/warn-destructive-tests.sh
-	hack/test-integration.sh
+	hack/test-integration.sh $(SKOPEO_LDFLAGS) $(TESTFLAGS)
 
 # complicated set of options needed to run podman-in-podman
 test-system:
@@ -222,7 +221,7 @@ test-system:
 # Intended for CI, assumed to already be running in quay.io/libpod/skopeo_cidev container.
 test-system-local: bin/skopeo
 	hack/warn-destructive-tests.sh
-	hack/test-system.sh
+	hack/test-system.sh SKOPEO_LDFLAGS="$(SKOPEO_LDFLAGS)" BUILDTAGS="$(BUILDTAGS)"
 
 test-unit:
 	# Just call (make test unit-local) here instead of worrying about environment differences

hack/test-integration.sh

@@ -3,6 +3,6 @@ set -e
 
 make PREFIX=/usr install
 
-echo "cd ./integration;" go test $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"}
+echo "cd ./integration;" go test "$@" ${BUILDTAGS:+-tags "$BUILDTAGS"}
 cd ./integration
-go test $TESTFLAGS ${BUILDTAGS:+-tags "$BUILDTAGS"}
+go test "$@" ${BUILDTAGS:+-tags "$BUILDTAGS"}

hack/test-system.sh

@@ -38,7 +38,7 @@ EOF
 fi
 
 # Build skopeo, install into /usr/bin
-make PREFIX=/usr install
+make PREFIX=/usr install "$@"
 
 # Run tests
 SKOPEO_BINARY=/usr/bin/skopeo bats --tap systemtest

integration/copy_test.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"io/fs"
 	"log"
+	"maps"
 	"net/http"
 	"net/http/httptest"
 	"os"
@@ -101,6 +102,16 @@ func (s *copySuite) TearDownSuite() {
 	}
 }
 
+// policyFixture applies the general edits, as well as extraSubstitutions, to the policy.json fixture,
+// and returns a path to a policy, which will be automatically removed when the test completes.
+func (s *copySuite) policyFixture(extraSubstitutions map[string]string) string {
+	t := s.T()
+	edits := map[string]string{"@keydir@": s.gpgHome}
+	maps.Copy(edits, extraSubstitutions)
+	policyPath := fileFromFixture(t, "fixtures/policy.json", edits)
+	return policyPath
+}
+
 func (s *copySuite) TestCopyWithManifestList() {
 	t := s.T()
 	dir := t.TempDir()
@@ -744,8 +755,7 @@ func (s *copySuite) TestCopySignatures() {
 	dir := t.TempDir()
 	dirDest := "dir:" + dir
 
-	policy := fileFromFixture(t, "fixtures/policy.json", map[string]string{"@keydir@": s.gpgHome})
-	defer os.Remove(policy)
+	policy := s.policyFixture(nil)
 
 	// type: reject
 	assertSkopeoFails(t, fmt.Sprintf(".*Source image rejected: Running image %s:latest is rejected by policy.*", testFQIN),
@@ -808,8 +818,7 @@ func (s *copySuite) TestCopyDirSignatures() {
 
 	// Note the "/@dirpath@": The value starts with a slash so that it is not rejected in other tests which do not replace it,
 	// but we must ensure that the result is a canonical path, not something starting with a "//".
-	policy := fileFromFixture(t, "fixtures/policy.json", map[string]string{"@keydir@": s.gpgHome, "/@dirpath@": topDir + "/restricted"})
-	defer os.Remove(policy)
+	policy := s.policyFixture(map[string]string{"/@dirpath@": topDir + "/restricted"})
 
 	// Get some images.
 	assertSkopeoSucceeds(t, "", "copy", "--retry-times", "3", testFQIN+":armfh", topDirDest+"/dir1")
@@ -916,8 +925,7 @@ func (s *copySuite) TestCopyDockerLookaside() {
 	}))
 	defer splitLookasideReadServer.Close()
 
-	policy := fileFromFixture(t, "fixtures/policy.json", map[string]string{"@keydir@": s.gpgHome})
-	defer os.Remove(policy)
+	policy := s.policyFixture(nil)
 	registriesDir := filepath.Join(tmpDir, "registries.d")
 	err = os.Mkdir(registriesDir, 0755)
 	require.NoError(t, err)
@@ -977,8 +985,7 @@ func (s *copySuite) TestCopyAtomicExtension() {
 	}
 	registriesDir := filepath.Join(topDir, "registries.d")
 	dirDest := "dir:" + topDir
-	policy := fileFromFixture(t, "fixtures/policy.json", map[string]string{"@keydir@": s.gpgHome})
-	defer os.Remove(policy)
+	policy := s.policyFixture(nil)
 
 	// Get an image to work with to an atomic: destination.  Also verifies that we can use Docker repositories without X-Registry-Supports-Signatures
 	assertSkopeoSucceeds(t, "", "--tls-verify=false", "--registries.d", registriesDir, "copy", "--retry-times", "3",
@@ -1035,8 +1042,7 @@ func (s *copySuite) TestCopyVerifyingMirroredSignatures() {
 	registriesDir := filepath.Join(topDir, "registries.d") // An empty directory to disable lookaside use
 	dirDest := "dir:" + filepath.Join(topDir, "unused-dest")
 
-	policy := fileFromFixture(t, "fixtures/policy.json", map[string]string{"@keydir@": s.gpgHome})
-	defer os.Remove(policy)
+	policy := s.policyFixture(nil)
 
 	// We use X-R-S-S for this testing to avoid having to deal with the lookasides.
 	// A downside is that OpenShift records signatures per image, so the error messages below

integration/utils_test.go

@@ -174,8 +174,8 @@ func modifyEnviron(env []string, name, value string) []string {
 	return append(res, prefix+value)
 }
 
-// fileFromFixture applies edits to inputPath and returns a path to the temporary file.
-// Callers should defer os.Remove(the_returned_path)
+// fileFromFixture applies edits to inputPath and returns a path to the temporary file with the edits,
+// which will be automatically removed when the test completes.
 func fileFromFixture(t *testing.T, inputPath string, edits map[string]string) string {
 	contents, err := os.ReadFile(inputPath)
 	require.NoError(t, err)
@@ -188,6 +188,7 @@ func fileFromFixture(t *testing.T, inputPath string, edits map[string]string) st
 	file, err := os.CreateTemp("", "policy.json")
 	require.NoError(t, err)
 	path := file.Name()
+	t.Cleanup(func() { os.Remove(path) })
 
 	_, err = file.Write(contents)
 	require.NoError(t, err)