From 64e4197ce5807028ec8798a156bcd90a2ac22802 Mon Sep 17 00:00:00 2001
From: Toddy Mladenov <toddysm@gmail.com>
Date: Fri, 15 Mar 2024 10:46:47 -0700
Subject: [PATCH] Added demo script for KubeCon EU 2024

Signed-off-by: Toddy Mladenov <toddysm@gmail.com>
---
 demos/kubecon-eu-2024/signing-dh-image.sh | 162 ++++++++++++++++++++++
 1 file changed, 162 insertions(+)
 create mode 100755 demos/kubecon-eu-2024/signing-dh-image.sh

diff --git a/demos/kubecon-eu-2024/signing-dh-image.sh b/demos/kubecon-eu-2024/signing-dh-image.sh
new file mode 100755
index 0000000..1b8ecea
--- /dev/null
+++ b/demos/kubecon-eu-2024/signing-dh-image.sh
@@ -0,0 +1,162 @@
+#!/bin/zsh
+
+# This script uses the slow() function from Brandon Mitchell available at 
+# https://github.com/sudo-bmitch/presentations/blob/main/oci-referrers-2023/demo-script.sh#L23
+# to simulate typing the commands
+
+# NOTE: Prep steps and cleanup
+# - Notation keys are removed
+# - Notation certs are removed
+export TRUST_STORE_NAME=docker.io
+export TEST_KEY_NAME=wabbit-networks.io
+notation key delete $TEST_KEY_NAME
+notation key ls
+rm /Users/toddysm/Library/Application\ Support/notation/localkeys/wabbit-networks.io.key
+rm /Users/toddysm/Library/Application\ Support/notation/localkeys/wabbit-networks.io.crt
+notation cert delete --type ca --store $TEST_KEY_NAME --all
+notation cert delete --type ca --store $TRUST_STORE_NAME --all
+notation cert ls
+
+opt_a=0
+opt_s=25
+
+while getopts 'ahs:' option; do
+  case $option in
+    a) opt_a=1;;
+    h) opt_h=1;;
+    s) opt_s="$OPTARG";;
+  esac
+done
+set +e
+shift `expr $OPTIND - 1`
+
+if [ $# -gt 0 -o "$opt_h" = "1" ]; then
+  echo "Usage: $0 [opts]"
+  echo " -h: this help message"
+  echo " -s bps: speed (default $opt_s)"
+  exit 1
+fi
+
+slow() {
+  echo -n "\$ $@" | pv -qL $opt_s
+  if [ "$opt_a" = "0" ]; then
+    read lf
+  else
+    echo
+  fi
+}
+
+clear
+slow
+
+# Set the env variables for the images
+slow 'export TEST_REPO='docker.io/toddysm/python'
+$ export TEST_IMAGE="${TEST_REPO}:3.12"'
+export TEST_REPO='docker.io/toddysm/python'
+export TEST_IMAGE="${TEST_REPO}:3.12"
+
+# Show notation version
+slow 'notation version'
+notation version
+
+# List the tags for the netmonitor image (un-trusted)
+# NOTE: Make sure the image is available
+slow 'oras repo tags $TEST_IMAGE'
+oras repo tags $TEST_REPO
+
+# Show the keys (there shouldn't be any)
+slow 'notation key list'
+notation key list
+
+slow
+clear
+
+echo ' ______________________________ '
+echo '|  __________________________  |'
+echo '| | Signing with test key... | |'
+echo '| |__________________________| |'
+echo '|______________________________|'
+
+# Set the test key name in env variable
+slow 'export TEST_KEY_NAME=wabbit-networks.io'
+export TEST_KEY_NAME=wabbit-networks.io
+
+# Set up the TEST_KEY
+slow 'notation cert generate-test --default $TEST_KEY_NAME'
+notation cert generate-test --default $TEST_KEY_NAME
+
+slow 'notation key list'
+notation key list
+
+slow 'notation cert list'
+notation cert list
+
+slow
+clear
+
+# Sign into Docker Hub
+slow 'docker login'
+docker login
+
+# Sign the net-monitor image
+slow 'notation sign --signature-format cose --key $TEST_KEY_NAME $TEST_IMAGE'
+notation sign --signature-format cose --key $TEST_KEY_NAME $TEST_IMAGE
+slow 'notation ls $TEST_IMAGE'
+notation ls $TEST_IMAGE
+
+slow
+clear
+
+echo ' ___________________________________ '
+echo '|  _______________________________  |'
+echo '| | Validating the signature...   | |'
+echo '| |_______________________________| |'
+echo '|___________________________________|'
+
+slow 'export TRUST_POLICY_LOCATION=~/Library/Application\ Support/notation/'
+export TRUST_POLICY_LOCATION=~/Library/Application\ Support/notation
+
+slow
+slow 'cat <<EOF > ${TRUST_POLICY_LOCATION}/trustpolicy.json
+{
+    "version": "1.0",
+    "trustPolicies": [
+        {
+            "name": "python-images",
+            "registryScopes": [ "${TEST_REPO}" ],
+            "signatureVerification": {
+                "level" : "strict"
+            },
+            "trustStores": [ "ca:wabbit-networks.io" ],
+            "trustedIdentities": [
+                "*"
+            ]
+        }
+    ]
+}
+EOF'
+cat <<EOF > ${TRUST_POLICY_LOCATION}/trustpolicy.json
+{
+    "version": "1.0",
+    "trustPolicies": [
+        {
+            "name": "flasksample-application",
+            "registryScopes": [ "${TEST_REPO}" ],
+            "signatureVerification": {
+                "level" : "strict"
+            },
+            "trustStores": [ "ca:wabbit-networks.io" ],
+            "trustedIdentities": [
+                "*"
+            ]
+        }
+    ]
+}
+EOF
+
+slow 'notation verify $TEST_IMAGE'
+notation verify $TEST_IMAGE
+
+slow
+slow
+# The END
\ No newline at end of file
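Review bot: The prep block at the top of the new file destroys the operator's real notation state without backup or confirmation — `notation cert delete --type ca --store $TRUST_STORE_NAME --all` empties the whole `docker.io` trust store, the two `rm` lines remove keys from a hard-coded `/Users/toddysm/...` path, and the `cat <<EOF > ${TRUST_POLICY_LOCATION}/trustpolicy.json` near the end overwrites whatever trust policy is already installed; at minimum use `rm -f -- "$HOME/Library/Application Support/notation/localkeys/wabbit-networks.io.key"` (and `.crt`) and extend the header comment to state that the script wipes the current keys, the `docker.io` CA trust store and `trustpolicy.json`. The commands shown to the audience also diverge from what runs: `slow 'oras repo tags $TEST_IMAGE'` is followed by `oras repo tags $TEST_REPO`, and the displayed policy is named `python-images` while the written one is `flasksample-application`, so one side of each pair should be changed to match. The policy's `"trustedIdentities": [ "*" ]` accepts any identity under the `ca:wabbit-networks.io` store, which is fine for the generated test cert but worth a comment so it is not copied into a real policy. The unquoted `${TRUST_POLICY_LOCATION}` (a value containing a space) only works because zsh does not word-split unquoted expansions; quoting it, and replacing `shift \`expr $OPTIND - 1\`` with `shift $((OPTIND - 1))`, would keep the script correct if it is ever run under another shell.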