add signature verification to install.sh (#2941)

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

.github/workflows/release.yaml

@@ -17,6 +17,14 @@ jobs:
     steps:
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
 
+      - name: Check if running on main
+        if: github.ref != 'refs/heads/main'
+        # we are using the following flag when running `cosign blob-verify` for checksum signature verification:
+        #   --certificate-identity-regexp "https://github.com/anchore/.github/workflows/release.yaml@refs/heads/main"
+        # if we are not on the main branch, the signature will not be verifiable since the suffix requires the main branch
+        # at the time of when the OIDC token was issued on the Github Actions runner.
+        run: echo "This can only be run on the main branch otherwise releases produced will not be verifiable with cosign" && exit 1
+
       - name: Check if tag already exists
         # note: this will fail if the tag already exists
         run: |

.github/workflows/validations.yaml

@@ -187,6 +187,9 @@ jobs:
     needs: [Build-Snapshot-Artifacts]
     runs-on: macos-latest
     steps:
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.5.0
+
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
 
       - name: Bootstrap environment

README.md

@@ -40,11 +40,10 @@ Syft binaries are provided for Linux, macOS and Windows.
 > curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
 > ```
 
-... or, you can specify a release version and destination directory for the installation:
-
-> ```bash
-> curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b <DESTINATION_DIR> <RELEASE_VERSION>
-> ```
+Install script options:
+-	`-b`: Specify a custom installation directory (defaults to `./bin`)
+-	`-d`: More verbose logging levels (`-d` for debug, `-dd` for trace)
+-	`-v`: Verify the signature of the downloaded artifact before installation (requires [`cosign`](https://github.com/sigstore/cosign) to be installed)
 
 ### Homebrew
 ```bash

install.sh

@@ -2,34 +2,26 @@
 # note: we require errors to propagate (don't set -e)
 set -u
 
-PROJECT_NAME="syft"
+PROJECT_NAME=syft
 OWNER=anchore
 REPO="${PROJECT_NAME}"
 GITHUB_DOWNLOAD_PREFIX=https://github.com/${OWNER}/${REPO}/releases/download
 INSTALL_SH_BASE_URL=https://raw.githubusercontent.com/${OWNER}/${PROJECT_NAME}
 PROGRAM_ARGS=$@
 
+# signature verification options
+
+# the location to the cosign binary (allowed to be overridden by the user)
+COSIGN_BINARY=${COSIGN_BINARY:-cosign}
+VERIFY_SIGN=false
+# this is the earliest tag in the repo where cosign sign-blob was introduced in the release process (see the goreleaser config)
+VERIFY_SIGN_SUPPORTED_VERSION=v0.104.0
+# this is the earliest tag in the repo where the -v flag was introduced to this install.sh script
+VERIFY_SIGN_FLAG_VERSION=v1.6.0
+
 # do not change the name of this parameter (this must always be backwards compatible)
 DOWNLOAD_TAG_INSTALL_SCRIPT=${DOWNLOAD_TAG_INSTALL_SCRIPT:-true}
 
-#
-# usage [script-name]
-#
-usage() (
-  this=$1
-  cat <<EOF
-$this: download go binaries for anchore/syft
-
-Usage: $this [-b] dir [-d] [tag]
-  -b  the installation directory (dDefaults to ./bin)
-  -d  turns on debug logging
-  -dd turns on trace logging
-  [tag] the specific release to use (if missing, then the latest will be used)
-EOF
-  exit 2
-)
-
-
 # ------------------------------------------------------------------------
 # https://github.com/client9/shlib - portable posix shell functions
 # Public domain - http://unlicense.org
@@ -270,21 +262,21 @@ hash_sha256() (
 )
 
 hash_sha256_verify() (
-  TARGET=$1
+  target=$1
   checksums=$2
   if [ -z "$checksums" ]; then
-    log_err "hash_sha256_verify checksum file not specified in arg2"
+    log_err "hash_sha256_verify checksum file not specified as argument"
     return 1
   fi
-  BASENAME=${TARGET##*/}
-  want=$(grep "${BASENAME}" "${checksums}" 2>/dev/null | tr '\t' ' ' | cut -d ' ' -f 1)
+  target_basename=${target##*/}
+  want=$(grep "${target_basename}" "${checksums}" 2>/dev/null | tr '\t' ' ' | cut -d ' ' -f 1)
   if [ -z "$want" ]; then
-    log_err "hash_sha256_verify unable to find checksum for '${TARGET}' in '${checksums}'"
+    log_err "hash_sha256_verify unable to find checksum for '${target}' in '${checksums}'"
     return 1
   fi
-  got=$(hash_sha256 "$TARGET")
+  got=$(hash_sha256 "$target")
   if [ "$want" != "$got" ]; then
-    log_err "hash_sha256_verify checksum for '$TARGET' did not verify ${want} vs $got"
+    log_err "hash_sha256_verify checksum for '$target' did not verify ${want} vs $got"
     return 1
   fi
 )
@@ -358,28 +350,69 @@ github_release_tag() (
   echo "$tag"
 )
 
+# github_release_asset_url [release-url-prefix] [name] [version] [output-dir] [filename]
+#
+# outputs the url to the release asset
+#
+github_release_asset_url() (
+  download_url="$1"
+  name="$2"
+  version="$3"
+  filename="$4"
+
+  complete_filename="${name}_${version}_${filename}"
+  complete_url="${download_url}/${complete_filename}"
+
+  echo "${complete_url}"
+)
+
+# download_github_release_checksums_files [release-url-prefix] [name] [version] [output-dir] [filename]
+#
+# outputs path to the downloaded checksums related file
+#
+download_github_release_checksums_files() (
+  download_url="$1"
+  name="$2"
+  version="$3"
+  output_dir="$4"
+  filename="$5"
+
+  log_trace "download_github_release_checksums_files(url=${download_url}, name=${name}, version=${version}, output_dir=${output_dir}, filename=${filename})"
+
+  complete_filename="${name}_${version}_${filename}"
+  complete_url=$(github_release_asset_url "${download_url}" "${name}" "${version}" "${filename}")
+  output_path="${output_dir}/${complete_filename}"
+
+  http_download "${output_path}" "${complete_url}" ""
+  asset_file_exists "${output_path}"
+
+  log_trace "download_github_release_checksums_files() returned '${output_path}' for file '${complete_filename}'"
+
+  echo "${output_path}"
+)
+
 # download_github_release_checksums [release-url-prefix] [name] [version] [output-dir]
 #
 # outputs path to the downloaded checksums file
 #
 download_github_release_checksums() (
-  download_url="$1"
-  name="$2"
-  version="$3"
-  output_dir="$4"
+  download_github_release_checksums_files "$@" "checksums.txt"
+)
 
-  log_trace "download_github_release_checksums(url=${download_url}, name=${name}, version=${version}, output_dir=${output_dir})"
+# github_release_checksums_sig_url [release-url-prefix] [name] [version]
+#
+# outputs the url to the release checksums signature file
+#
+github_release_checksums_sig_url() (
+  github_release_asset_url "$@" "checksums.txt.sig"
+)
 
-  checksum_filename=${name}_${version}_checksums.txt
-  checksum_url=${download_url}/${checksum_filename}
-  output_path="${output_dir}/${checksum_filename}"
-
-  http_download "${output_path}" "${checksum_url}" ""
-  asset_file_exists "${output_path}"
-
-  log_trace "download_github_release_checksums() returned '${output_path}'"
-
-  echo "${output_path}"
+# github_release_checksums_cert_url [release-url-prefix] [name] [version]
+#
+# outputs the url to the release checksums certificate file
+#
+github_release_checksums_cert_url() (
+  github_release_asset_url "$@" "checksums.txt.pem"
 )
 
 # search_for_asset [checksums-file-path] [name] [os] [arch] [format]
@@ -535,7 +568,10 @@ download_and_install_asset() (
   format="$8"
   binary="$9"
 
-  asset_filepath=$(download_asset "${download_url}" "${download_path}" "${name}" "${os}" "${arch}" "${version}" "${format}")
+  if ! asset_filepath=$(download_asset "${download_url}" "${download_path}" "${name}" "${os}" "${arch}" "${version}" "${format}"); then
+      log_err "could not download asset for os='${os}' arch='${arch}' format='${format}'"
+      return 1
+  fi
 
   # don't continue if we couldn't download an asset
   if [ -z "${asset_filepath}" ]; then
@@ -546,6 +582,36 @@ download_and_install_asset() (
   install_asset "${asset_filepath}" "${install_path}" "${binary}"
 )
 
+# verify_sign [checksums-file-path] [certificate-reference] [signature-reference] [version]
+#
+# attempts verify the signature of the checksums file from the release workflow in Github Actions run against the main branch.
+#
+verify_sign() {
+  checksums_file=$1
+  cert_reference=$2
+  sig_reference=$3
+
+  log_trace "verifying artifact $1"
+
+  log_file=$(mktemp)
+
+  ${COSIGN_BINARY} \
+    verify-blob "$checksums_file" \
+      --certificate "$cert_reference" \
+      --signature "$sig_reference" \
+      --certificate-identity "https://github.com/${OWNER}/${REPO}/.github/workflows/release.yaml@refs/heads/main" \
+      --certificate-oidc-issuer "https://token.actions.githubusercontent.com" > "${log_file}" 2>&1
+
+  if [ $? -ne 0 ]; then
+    log_err "$(cat "${log_file}")"
+    rm -f "${log_file}"
+    return 1
+  fi
+
+  rm -f "${log_file}"
+}
+
+
 # download_asset [release-url-prefix] [download-path] [name] [os] [arch] [version] [format] [binary]
 #
 # outputs the path to the downloaded asset asset_filepath
@@ -572,6 +638,20 @@ download_asset() (
       return 1
   fi
 
+  if [ "$VERIFY_SIGN" = true ]; then
+    checksum_sig_file_url=$(github_release_checksums_sig_url "${download_url}" "${name}" "${version}")
+    log_trace "checksums signature url: ${checksum_sig_file_url}"
+
+    checksums_cert_file_url=$(github_release_checksums_cert_url "${download_url}" "${name}" "${version}")
+    log_trace "checksums certificate url: ${checksums_cert_file_url}"
+
+    if ! verify_sign "${checksums_filepath}" "${checksums_cert_file_url}" "${checksum_sig_file_url}"; then
+      log_err "signature verification failed"
+      return 1
+    fi
+    log_info "signature verification succeeded"
+  fi
+
   asset_url="${download_url}/${asset_filename}"
   asset_filepath="${destination}/${asset_filename}"
   http_download "${asset_filepath}" "${asset_url}" ""
@@ -609,6 +689,79 @@ install_asset() (
   install "${archive_dir}/${binary}" "${destination}/"
 )
 
+# compare two semver strings. Returns 0 if version1 >= version2, 1 otherwise.
+# Note: pre-release (-) and metadata (+) are not supported.
+compare_semver() {
+    # remove leading 'v' if present
+    version1=${1#v}
+    version2=${2#v}
+
+    IFS=. read -r major1 minor1 patch1 <<EOF
+$version1
+EOF
+    IFS=. read -r major2 minor2 patch2 <<EOF
+$version2
+EOF
+
+    if [ "$major1" -gt "$major2" ]; then
+        return 0
+    elif [ "$major1" -lt "$major2" ]; then
+        return 1
+    fi
+
+    if [ "$minor1" -gt "$minor2" ]; then
+        return 0
+    elif [ "$minor1" -lt "$minor2" ]; then
+        return 1
+    fi
+
+    if [ "$patch1" -gt "$patch2" ]; then
+        return 0
+    elif [ "$patch1" -lt "$patch2" ]; then
+        return 1
+    fi
+
+    # versions are equal
+    return 0
+}
+
+prep_signature_verification() {
+  version="$1"
+
+  if [ "$VERIFY_SIGN" != true ]; then
+    return 0
+  fi
+
+  # is there any cryptographic material produced at release that we can use for signature verification?
+  if ! compare_semver "$version" "$VERIFY_SIGN_SUPPORTED_VERSION"; then
+    log_err "${PROJECT_NAME} release '$version' does not support signature verification"
+    log_err "you can still install ${PROJECT_NAME} by removing the -v flag or using a release that supports signature verification (>= '$VERIFY_SIGN_SUPPORTED_VERSION')"
+    log_err "aborting installation"
+    return 1
+  else
+    log_trace "${PROJECT_NAME} release '$version' supports signature verification (>= '$VERIFY_SIGN_SUPPORTED_VERSION')"
+  fi
+
+  # will invoking an earlier version of this script work (considering the -v flag)?
+  if ! compare_semver "$version" "$VERIFY_SIGN_FLAG_VERSION"; then
+    # the -v argument did not always exist, so we cannot be guaranteed that invoking an earlier version of this script
+    # will work (error with "illegal option -v"). However, the user requested signature verification, so we will
+    # attempt to install the application with this version of the script (keeping signature verification).
+    DOWNLOAD_TAG_INSTALL_SCRIPT=false
+    log_debug "provided version install script does not support -v flag (>= '$VERIFY_SIGN_FLAG_VERSION'), using current script for installation"
+  else
+    log_trace "provided version install script supports -v flag (>= '$VERIFY_SIGN_FLAG_VERSION')"
+  fi
+
+  # check to see if the cosign binary is installed
+  if is_command "${COSIGN_BINARY}"; then
+    log_trace "${COSIGN_BINARY} binary is installed"
+  else
+    log_err "signature verification is requested but ${COSIGN_BINARY} binary is not installed (see https://docs.sigstore.dev/system_config/installation/ to install it)"
+    return 1
+  fi
+}
+
 main() (
   # parse arguments
 
@@ -616,7 +769,7 @@ main() (
   install_dir=${install_dir:-./bin}
 
   # note: never change the program flags or arguments (this must always be backwards compatible)
-  while getopts "b:dh?x" arg; do
+  while getopts "b:dvh?x" arg; do
     case "$arg" in
       b) install_dir="$OPTARG" ;;
       d)
@@ -628,25 +781,37 @@ main() (
           log_set_priority $log_trace_priority
         fi
         ;;
-      h | \?) usage "$0" ;;
+      v) VERIFY_SIGN=true;;
+      h | \?)
+        cat <<EOF
+Download and install a released binary for ${OWNER}/${REPO} from the github releases page
+
+Usage: $0 [-v] [-b DIR] [-d] [TAG]
+  -b DIR  the installation directory (defaults to ./bin)
+  -d      turns on debug logging
+  -dd     turns on trace logging
+  -v      verify checksum signature (requires cosign binary to be installed).
+  TAG     the specific release to use (if missing, then the latest will be used)
+EOF
+        exit 0
+      ;;
       x) set -x ;;
     esac
   done
   shift $((OPTIND - 1))
+
   set +u
   tag=$1
 
   if [ -z "${tag}" ]; then
-    log_debug "checking github for the current release tag"
+    log_info "checking github for the current release tag"
     tag=""
   else
-    log_debug "checking github for release tag='${tag}'"
+    log_info "checking github for release tag='${tag}'"
   fi
   set -u
 
-  tag=$(get_release_tag "${OWNER}" "${REPO}" "${tag}")
-
-  if [ "$?" != "0" ]; then
+  if ! tag=$(get_release_tag "${OWNER}" "${REPO}" "${tag}"); then
       log_err "unable to find tag='${tag}'"
       log_err "do not specify a version or select a valid version from https://github.com/${OWNER}/${REPO}/releases"
       return 1
@@ -661,6 +826,10 @@ main() (
   binary=$(get_binary_name "${os}" "${arch}" "${PROJECT_NAME}")
   download_url="${GITHUB_DOWNLOAD_PREFIX}/${tag}"
 
+  if ! prep_signature_verification "$version"; then
+      return 1
+  fi
+
   # we always use the install.sh script that is associated with the tagged release. Why? the latest install.sh is not
   # guaranteed to be able to install every version of the application. We use the DOWNLOAD_TAG_INSTALL_SCRIPT env var
   # to indicate if we should continue processing with the existing script or to download the script from the given tag.
@@ -678,10 +847,8 @@ main() (
 
   log_debug "downloading files into ${download_dir}"
 
-  download_and_install_asset "${download_url}" "${download_dir}" "${install_dir}" "${PROJECT_NAME}" "${os}" "${arch}" "${version}" "${format}" "${binary}"
-
   # don't continue if we couldn't install the asset
-  if [ "$?" != "0" ]; then
+  if ! download_and_install_asset "${download_url}" "${download_dir}" "${install_dir}" "${PROJECT_NAME}" "${os}" "${arch}" "${version}" "${format}" "${binary}"; then
       log_err "failed to install ${PROJECT_NAME}"
       return 1
   fi
@@ -697,4 +864,4 @@ if [ -z "${TEST_INSTALL_SH}" ]; then
   main "$@"
   exit $?
 fi
-set -u
+set -u

test/install/0_checksums_test.sh

@@ -38,3 +38,49 @@ test_search_for_asset_snapshot() {
 }
 
 run_test_case test_search_for_asset_snapshot
+
+
+# verify 256 digest of a file
+test_hash_sha256() {
+  target=./test-fixtures/assets/valid/syft_1.5.0_linux_arm64.tar.gz
+
+  # hash_sha256 [target]
+
+  # positive case
+  actual=$(hash_sha256 "${target}")
+  assertEquals "8d57abb57a0dae3ff23c8f0df1f51951b7772822e0d560e860d6f68c24ef6d3d" "${actual}" "mismatched checksum"
+}
+
+run_test_case test_hash_sha256
+
+# verify 256 digest of a file relative to the checksums file
+test_hash_sha256_verify() {
+
+  # hash_sha256_verify [target] [checksums]
+
+
+  # positive case
+
+  checksums=./test-fixtures/assets/valid/checksums.txt
+  target=./test-fixtures/assets/valid/syft_1.5.0_linux_arm64.tar.gz
+
+  hash_sha256_verify "${target}" "${checksums}"
+  assertEquals "0" "$?" "mismatched checksum"
+
+
+  # negative case
+
+  # we are expecting error messages, which is confusing to look at in passing tests... disable logging for now
+  log_set_priority -1
+
+  checksums=./test-fixtures/assets/invalid/checksums.txt
+  target=./test-fixtures/assets/invalid/syft_1.5.0_linux_arm64.tar.gz
+
+  hash_sha256_verify "${target}" "${checksums}"
+  assertEquals "1" "$?" "verification did not catch mismatched checksum"
+
+  # restore logging...
+  log_set_priority 0
+}
+
+run_test_case test_hash_sha256_verify

test/install/1_download_snapshot_asset_test.sh

@@ -63,7 +63,7 @@ test_negative_snapshot_download_asset() {
 test_sboms_have_packages() {
   find "$(snapshot_dir)/" -name "*.sbom" -print0 | while IFS= read -r -d '' file; do
       count=$(cat "$file" | jq ".artifacts | length")
-      if [ "$count" -gt 80 ]; then
+      if [ "$count" -lt 80 ]; then
           echo "not enough packages found for file: $file"
           exit 1
       fi

test/install/2_download_release_asset_test.sh

@@ -31,6 +31,10 @@ test_download_release_asset() {
 release=$(get_release_tag "${OWNER}" "${REPO}" "latest" )
 
 # exercise all possible assets against a real github release (based on asset listing from https://github.com/anchore/syft/releases/tag/v0.36.0)
+
+# verify all downloads against the checksums file + checksums file signature
+VERIFY_SIGN=true
+
 run_test_case test_download_release_asset "${release}" "darwin" "amd64" "tar.gz" "application/gzip"
 run_test_case test_download_release_asset "${release}" "darwin" "arm64" "tar.gz" "application/gzip"
 run_test_case test_download_release_asset "${release}" "linux" "amd64" "tar.gz" "application/gzip"

test/install/4_prep_signature_verification_test.sh

@@ -0,0 +1,89 @@
+. test_harness.sh
+
+test_compare_semver() {
+  # compare_semver [version1] [version2]
+
+  # positive cases (version1 >= version2)
+  compare_semver "0.32.0" "0.32.0"
+  assertEquals "0" "$?" "+ versions should equal"
+
+  compare_semver "0.32.1" "0.32.0"
+  assertEquals "0" "$?" "+ patch version should be greater"
+
+  compare_semver "0.33.0" "0.32.0"
+  assertEquals "0" "$?" "+ minor version should be greater"
+
+  compare_semver "0.333.0" "0.32.0"
+  assertEquals "0" "$?" "+ minor version should be greater (different length)"
+
+  compare_semver "00.33.00" "0.032.0"
+  assertEquals "0" "$?" "+ minor version should be greater (different length reversed)"
+
+  compare_semver "1.0.0" "0.9.9"
+  assertEquals "0" "$?" "+ major version should be greater"
+
+  compare_semver "v1.0.0" "1.0.0"
+  assertEquals "0" "$?" "+ can remove leading 'v' from version"
+
+  # negative cases (version1 < version2)
+  compare_semver "0.32.0" "0.32.1"
+  assertEquals "1" "$?" "- patch version should be less"
+
+  compare_semver "0.32.7" "0.33.0"
+  assertEquals "1" "$?" "- minor version should be less"
+
+  compare_semver "00.00032.070" "0.33.0"
+  assertEquals "1" "$?" "- minor version should be less (different length)"
+
+  compare_semver "0.32.7" "00.0033.000"
+  assertEquals "1" "$?" "- minor version should be less (different length reversed)"
+
+  compare_semver "1.9.9" "2.0.1"
+  assertEquals "1" "$?" "- major version should be less"
+
+  compare_semver "1.0.0" "v2.0.0"
+  assertEquals "1" "$?" "- can remove leading 'v' from version"
+}
+
+run_test_case test_compare_semver
+
+# ensure that various signature verification pre-requisites are correctly checked for
+test_prep_signature_verification() {
+  # prep_sign_verification [version]
+
+  # we are expecting error messages, which is confusing to look at in passing tests... disable logging for now
+  log_set_priority -1
+
+  # backup original values...
+  OG_COSIGN_BINARY=${COSIGN_BINARY}
+
+  # check the verification path...
+  VERIFY_SIGN=true
+
+  # release does not support signature verification
+  prep_signature_verification "0.103.0"
+  assertEquals "1" "$?" "release does not support signature verification"
+
+  # check that the COSIGN binary exists
+  COSIGN_BINARY=fake-cosign-that-doesnt-exist
+  prep_signature_verification "0.105.0"
+  assertEquals "1" "$?" "cosign binary verification failed"
+  # restore original values...
+  COSIGN_BINARY=${OG_COSIGN_BINARY}
+
+  # ignore any failing conditions since we are not verifying the signature
+  VERIFY_SIGN=false
+  prep_signature_verification "0.103.0"
+  assertEquals "0" "$?" "release support verification should not have been triggered"
+
+  COSIGN_BINARY=fake-cosign-that-doesnt-exist
+  prep_signature_verification "0.105.0"
+  assertEquals "0" "$?" "cosign binary verification should not have been triggered"
+  # restore original values...
+  COSIGN_BINARY=${OG_COSIGN_BINARY}
+
+  # restore logging...
+  log_set_priority 0
+}
+
+run_test_case test_prep_signature_verification

test/install/Makefile

@@ -1,18 +1,22 @@
 NAME=syft
 
+# for local testing (not testing within containers) use the binny-managed version of cosign.
+# this also means that the user does not need to install cosign on their system to run tests.
+COSIGN_BINARY=../../.tool/cosign
+
 IMAGE_NAME=$(NAME)-install.sh-env
 UBUNTU_IMAGE=$(IMAGE_NAME):ubuntu-20.04
 ALPINE_IMAGE=$(IMAGE_NAME):alpine-3.6
-BUSYBOX_IMAGE=busybox:1.36.1-musl
+BUSYBOX_IMAGE=$(IMAGE_NAME):busybox-1.36
 
 ENVS=./environments
 DOCKER_RUN=docker run --rm -t -w /project/test/install -v $(shell pwd)/../../:/project
-UNIT=make unit-local
+UNIT=make unit-run
 
 # acceptance testing is running the current install.sh against the latest release. Note: this could be a problem down
 # the line if there are breaking changes made that don't align with the latest release (but will be OK with the next
-# release)
-ACCEPTANCE_CMD=sh -c '../../install.sh -b /usr/local/bin  && syft version'
+# release). This tests both installing with signature verification and without.
+ACCEPTANCE_CMD=sh -c '../../install.sh -v -b /usr/local/bin && syft version && rm /usr/local/bin/syft && ../../install.sh -b /usr/local/bin && syft version'
 # we also want to test against a previous release to ensure that install.sh defers execution to a former install.sh
 PREVIOUS_RELEASE=v0.33.0
 ACCEPTANCE_PREVIOUS_RELEASE_CMD=sh -c "../../install.sh -b /usr/local/bin $(PREVIOUS_RELEASE) && syft version"
@@ -28,17 +32,22 @@ endef
 test: unit acceptance
 
 .PHONY: ci-test-mac
-ci-test-mac: unit-local acceptance-local
+ci-test-mac: unit-run acceptance-local
 
 # note: do not add acceptance-local to this list
 .PHONY: acceptance
-acceptance: acceptance-ubuntu-20.04 acceptance-alpine-3.6 acceptance-busybox
+acceptance: acceptance-ubuntu-20.04 acceptance-alpine-3.6 acceptance-busybox-1.36
 
 .PHONY: unit
 unit: unit-ubuntu-20.04
 
 .PHONY: unit-local
 unit-local:
+	$(call title,unit tests)
+	@for f in $(shell ls *_test.sh); do echo "Running unit test suite '$${f}'"; bash -c "COSIGN_BINARY=$(COSIGN_BINARY) ./$${f}" || exit 1; done
+
+.PHONY: unit-run
+unit-run:
 	$(call title,unit tests)
 	@for f in $(shell ls *_test.sh); do echo "Running unit test suite '$${f}'"; bash $${f} || exit 1; done
 
@@ -55,7 +64,7 @@ acceptance-previous-release-local:
 	syft version | grep $(shell echo $(PREVIOUS_RELEASE)| tr -d "v")
 
 .PHONY: save
-save: ubuntu-20.04 alpine-3.6 pull-busybox
+save: ubuntu-20.04 alpine-3.6 busybox-1.36
 	@mkdir cache || true
 	docker image save -o cache/ubuntu-env.tar $(UBUNTU_IMAGE)
 	docker image save -o cache/alpine-env.tar $(ALPINE_IMAGE)
@@ -107,17 +116,17 @@ alpine-3.6:
 
 # note: busybox by default will not have cacerts, so you will get TLS warnings (we want to test under these conditions)
 
-.PHONY: acceptance-busybox
-acceptance-busybox: pull-busybox
-	$(call title,busybox - acceptance)
+.PHONY: acceptance-busybox-1.36
+acceptance-busybox-1.36: busybox-1.36
+	$(call title,busybox-1.36 - acceptance)
 	$(DOCKER_RUN) $(BUSYBOX_IMAGE) \
 		$(ACCEPTANCE_CMD)
 	@echo "\n*** test note: you should see syft spit out a 'x509: certificate signed by unknown authority' error --this is expected ***"
 
-.PHONY: pull-busybox
-pull-busybox:
-	$(call title,busybox - build environment)
-	docker pull $(BUSYBOX_IMAGE)
+.PHONY: busybox-1.36
+busybox-1.36:
+	$(call title,busybox-1.36 - build environment)
+	docker build -t $(BUSYBOX_IMAGE) -f $(ENVS)/Dockerfile-busybox-1.36 .
 
 ## For CI ########################################################
 

test/install/environments/Dockerfile-alpine-3.6

@@ -1,2 +1,5 @@
-FROM alpine:3.6@sha256:66790a2b79e1ea3e1dabac43990c54aca5d1ddf268d9a5a0285e4167c8b24475
-RUN apk update && apk add python3 wget unzip make ca-certificates jq
+FROM alpine:3.6
+RUN apk update && apk add python3 wget curl unzip make ca-certificates
+RUN curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64" && \
+    mv cosign-linux-amd64 /usr/local/bin/cosign && \
+    chmod +x /usr/local/bin/cosign

test/install/environments/Dockerfile-busybox-1.36

@@ -0,0 +1,21 @@
+FROM alpine as certs
+RUN apk update && apk add ca-certificates
+
+# note: using qemu with a multi-arch image results in redirects not working with wget
+# so let docker pull the image that matches the hosts architecture first and then pull the correct asset
+FROM busybox:1.36.1-musl
+
+RUN ARCH=$(uname -m) && \
+    if [ "$ARCH" = "x86_64" ]; then \
+        COSIGN_ARCH="amd64"; \
+    elif [ "$ARCH" = "aarch64" ]; then \
+        COSIGN_ARCH="arm64"; \
+    else \
+        echo "Unsupported architecture: $ARCH" && exit 1; \
+    fi && \
+    echo "Downloading cosign for $COSIGN_ARCH" && \
+    wget https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-${COSIGN_ARCH} && \
+    mv cosign-linux-${COSIGN_ARCH} /bin/cosign && \
+    chmod +x /bin/cosign
+
+COPY --from=certs /etc/ssl/certs /etc/ssl/certs

test/install/environments/Dockerfile-ubuntu-20.04

@@ -1,2 +1,5 @@
-FROM ubuntu:20.04@sha256:33a5cc25d22c45900796a1aca487ad7a7cb09f09ea00b779e3b2026b4fc2faba
-RUN apt update -y && apt install make python3 curl unzip jq -y
+FROM --platform=linux/amd64 ubuntu:20.04@sha256:33a5cc25d22c45900796a1aca487ad7a7cb09f09ea00b779e3b2026b4fc2faba
+RUN apt update -y && apt install make python3 curl unzip -y
+RUN LATEST_VERSION=$(curl https://api.github.com/repos/sigstore/cosign/releases/latest | grep tag_name | cut -d : -f2 | tr -d "v\", ") && \
+    curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign_${LATEST_VERSION}_amd64.deb" && \
+    dpkg -i cosign_${LATEST_VERSION}_amd64.deb

test/install/test-fixtures/assets/invalid/.gitignore

@@ -0,0 +1 @@
+!syft_1.5.0_linux_arm64.tar.gz

test/install/test-fixtures/assets/invalid/checksums.txt

@@ -0,0 +1,22 @@
+f459ecbed6621933b4dee4a613a6bdca915631742083f77ab88752f3ae0c6a9d  syft_1.5.0_darwin_amd64.sbom
+605322e3e7043a4f2f3d6e37f75a71389d38f6f290bff2e54bb2aaebbbf4829b  syft_1.5.0_darwin_amd64.tar.gz
+2feb92f6a4d117a3eb0cc5d887ac4b8da9a959ca404986dbe76e81ac83569d76  syft_1.5.0_darwin_arm64.sbom
+fe02d072e7ec9a8eb4ac866ba973396a8beae79829ee870acaadd4d862e5e65a  syft_1.5.0_darwin_arm64.tar.gz
+40562766f99db7221dac4c82c44ccae4d9983a6795a96127f4da955d6797c090  syft_1.5.0_linux_amd64.deb
+9adc0c0a3bbbdb8ce66914ffde5e176373cf5ec70a2a88cc886dc6ec54db0cd2  syft_1.5.0_linux_amd64.rpm
+9de7f1c549020a25df12f07dd58330e6f6dd0c5363cf0de1157eb4f01fc41020  syft_1.5.0_linux_amd64.sbom
+3d10023d46dfaf0fe75288df207b478b43597f7d2fff553f58430817166bd478  syft_1.5.0_linux_amd64.tar.gz
+b661dd1be48b75b735717f9bedc4beea587968af8bf2d8c2752a302ae0a34f89  syft_1.5.0_linux_arm64.deb
+5c311f44cc73fcae58884f8ea3328fc120bdaf3d21f4fe40270a22c6bb981f6d  syft_1.5.0_linux_arm64.rpm
+a74549794fa5dac79ab9f6401ee7000db3bd9589435b302583c3ee4ca13fb8e3  syft_1.5.0_linux_arm64.sbom
+ee2b1289a1e4b0de9409c3a78867949ca42788a5f50072b8a6e6e04e6a269f9c  syft_1.5.0_linux_arm64.tar.gz
+599e66f0a00ba8b5cc7817f774c66c5f23de32e6b935ca9c03a185e4d2554d80  syft_1.5.0_linux_ppc64le.deb
+dc4b8c4a02ffd8dd394ab94695ed44ed2bfceb06bc239835c51e84dd9b84a68c  syft_1.5.0_linux_ppc64le.rpm
+392044f2951ca6522d0bc71de43763202a548d40bf836098caf286041a7c8fa4  syft_1.5.0_linux_ppc64le.sbom
+551d98b67f7476bc2e38453a588177b0b038933850a351a94c4bf360813f01d0  syft_1.5.0_linux_ppc64le.tar.gz
+98cd582d9484f428cccd7351031543038f26d4e3f1481c5916e08e65983f1e21  syft_1.5.0_linux_s390x.deb
+3a5197d43a469feaa87c723448a47a2312cf26456eef4580b59eac447baef9d4  syft_1.5.0_linux_s390x.rpm
+5805bfb3e30452c8860665ea88bfdf356e9536a35c1b8ba28ac5b4717f2e6388  syft_1.5.0_linux_s390x.sbom
+ff15f556660cc4c4279ce41e2475bffe2a0f72eb4423c21edf7380b2484fbf68  syft_1.5.0_linux_s390x.tar.gz
+6b22df07e992d8f4881901535c095d268f79924e10be34fab03dec2b4f9f9ca0  syft_1.5.0_windows_amd64.sbom
+5079c6a88e130f8677d0701cb2689f9eae2088022ecf5fa2b9f341b96d9983d2  syft_1.5.0_windows_amd64.zip

test/install/test-fixtures/assets/invalid/syft_1.5.0_linux_arm64.tar.gz

@@ -0,0 +1 @@
+fake archive

test/install/test-fixtures/assets/valid/.gitignore

@@ -0,0 +1 @@
+!syft_1.5.0_linux_arm64.tar.gz

test/install/test-fixtures/assets/valid/checksums.txt

@@ -0,0 +1,22 @@
+f459ecbed6621933b4dee4a613a6bdca915631742083f77ab88752f3ae0c6a9d  syft_1.5.0_darwin_amd64.sbom
+605322e3e7043a4f2f3d6e37f75a71389d38f6f290bff2e54bb2aaebbbf4829b  syft_1.5.0_darwin_amd64.tar.gz
+2feb92f6a4d117a3eb0cc5d887ac4b8da9a959ca404986dbe76e81ac83569d76  syft_1.5.0_darwin_arm64.sbom
+fe02d072e7ec9a8eb4ac866ba973396a8beae79829ee870acaadd4d862e5e65a  syft_1.5.0_darwin_arm64.tar.gz
+40562766f99db7221dac4c82c44ccae4d9983a6795a96127f4da955d6797c090  syft_1.5.0_linux_amd64.deb
+9adc0c0a3bbbdb8ce66914ffde5e176373cf5ec70a2a88cc886dc6ec54db0cd2  syft_1.5.0_linux_amd64.rpm
+9de7f1c549020a25df12f07dd58330e6f6dd0c5363cf0de1157eb4f01fc41020  syft_1.5.0_linux_amd64.sbom
+3d10023d46dfaf0fe75288df207b478b43597f7d2fff553f58430817166bd478  syft_1.5.0_linux_amd64.tar.gz
+b661dd1be48b75b735717f9bedc4beea587968af8bf2d8c2752a302ae0a34f89  syft_1.5.0_linux_arm64.deb
+5c311f44cc73fcae58884f8ea3328fc120bdaf3d21f4fe40270a22c6bb981f6d  syft_1.5.0_linux_arm64.rpm
+a74549794fa5dac79ab9f6401ee7000db3bd9589435b302583c3ee4ca13fb8e3  syft_1.5.0_linux_arm64.sbom
+8d57abb57a0dae3ff23c8f0df1f51951b7772822e0d560e860d6f68c24ef6d3d  syft_1.5.0_linux_arm64.tar.gz
+599e66f0a00ba8b5cc7817f774c66c5f23de32e6b935ca9c03a185e4d2554d80  syft_1.5.0_linux_ppc64le.deb
+dc4b8c4a02ffd8dd394ab94695ed44ed2bfceb06bc239835c51e84dd9b84a68c  syft_1.5.0_linux_ppc64le.rpm
+392044f2951ca6522d0bc71de43763202a548d40bf836098caf286041a7c8fa4  syft_1.5.0_linux_ppc64le.sbom
+551d98b67f7476bc2e38453a588177b0b038933850a351a94c4bf360813f01d0  syft_1.5.0_linux_ppc64le.tar.gz
+98cd582d9484f428cccd7351031543038f26d4e3f1481c5916e08e65983f1e21  syft_1.5.0_linux_s390x.deb
+3a5197d43a469feaa87c723448a47a2312cf26456eef4580b59eac447baef9d4  syft_1.5.0_linux_s390x.rpm
+5805bfb3e30452c8860665ea88bfdf356e9536a35c1b8ba28ac5b4717f2e6388  syft_1.5.0_linux_s390x.sbom
+ff15f556660cc4c4279ce41e2475bffe2a0f72eb4423c21edf7380b2484fbf68  syft_1.5.0_linux_s390x.tar.gz
+6b22df07e992d8f4881901535c095d268f79924e10be34fab03dec2b4f9f9ca0  syft_1.5.0_windows_amd64.sbom
+5079c6a88e130f8677d0701cb2689f9eae2088022ecf5fa2b9f341b96d9983d2  syft_1.5.0_windows_amd64.zip

test/install/test-fixtures/assets/valid/syft_1.5.0_linux_arm64.tar.gz

@@ -0,0 +1 @@
+fake archive