Integrity Failure Drill: Tamper and Verify Failure

What you’re proving

  • Integrity tamper checks are implemented as integration tests.

  • The drill is prereq-gated (registry + cosign), fail-closed when prerequisites are missing.

  • Verification failure paths are explicitly encoded in test scenarios.

Prereqs

  • Repo root: <repo-root>

  • Go toolchain

  • For full tamper execution: local registry (localhost:5000) and cosign in PATH

Steps

  1. Run tamper verification integration tests.

GOCACHE=/tmp/go-build go test ./oci/sign \
  -tags integration \
  -run 'TestVerify_TamperedAgentDigest|TestVerify_TamperedFingerprint|TestVerify_UnsignedMainImage' -v

  2. Inspect captured output.

sed -n '1,140p' docs/_generated/test-outputs/integrity-tamper-output.txt

Expected outputs (from real run)

=== RUN   TestVerify_TamperedAgentDigest
... registry not available at localhost:5000 ...
--- SKIP: TestVerify_TamperedAgentDigest
=== RUN   TestVerify_TamperedFingerprint
... registry not available at localhost:5000 ...
--- SKIP: TestVerify_TamperedFingerprint
=== RUN   TestVerify_UnsignedMainImage
... registry not available at localhost:5000 ...
--- SKIP: TestVerify_UnsignedMainImage
PASS

Verification

  • Command exits 0.

  • Tests are discovered and either execute or skip with explicit prereq reason.

  • Skip reason references real prerequisites (demo-up / demo-registry-test).
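
Because a skipped run also exits 0, the exit code alone does not show whether tamper detection was exercised. The following is an added example, not code from this repository, that classifies captured `go test -v` output for the three tests named on this page; the function names and the 0/1/2 status convention are assumptions of the example.

```shell
#!/bin/sh
# Added example (not project code): gate on what the tamper drill proved.
# Status: 0 = all three tests ran and passed; 2 = at least one skipped, so
# tamper detection was not exercised; 1 = a test failed or was not discovered.

TAMPER_TESTS="TestVerify_TamperedAgentDigest TestVerify_TamperedFingerprint TestVerify_UnsignedMainImage"

# test_status NAME FILE: print PASS, SKIP, FAIL or MISSING for one test.
test_status() {
    # Real `go test -v` appends a duration such as "(0.00s)"; accept both forms.
    _line=$(grep -E -- "^[[:space:]]*--- (PASS|SKIP|FAIL): $1( |\$)" "$2" | tail -n 1)
    case "$_line" in
        *"--- PASS:"*) echo PASS ;;
        *"--- SKIP:"*) echo SKIP ;;
        *"--- FAIL:"*) echo FAIL ;;
        *) echo MISSING ;;
    esac
}

# classify_tamper_run FILE: print a per-test summary and return the gate status.
classify_tamper_run() {
    _rc=0
    for _t in $TAMPER_TESTS; do
        _s=$(test_status "$_t" "$1")
        printf '%-34s %s\n' "$_t" "$_s"
        case "$_s" in
            PASS) ;;
            SKIP) [ "$_rc" -eq 1 ] || _rc=2 ;;
            *) _rc=1 ;;
        esac
    done
    return "$_rc"
}

# Constructed sample mirroring the all-skipped output shown on this page.
sample_all_skipped() {
    for _t in $TAMPER_TESTS; do
        printf '=== RUN   %s\n... registry not available at localhost:5000 ...\n--- SKIP: %s\n' "$_t" "$_t"
    done
    echo PASS
}

_tmp=$(mktemp)
sample_all_skipped > "$_tmp"
classify_tamper_run "$_tmp" || echo "gate status: $?"   # prints 2 for this sample
rm -f "$_tmp"
```

Point classify_tamper_run at docs/_generated/test-outputs/integrity-tamper-output.txt to apply the same check to the captured run.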

Failure modes

  • Missing registry/cosign causes expected skip behavior.

  • Go cache permission errors: use GOCACHE=/tmp/go-build.

Non-goals

  • This page does not claim tamper execution succeeded in this environment.

  • This page does not introduce new integrity features beyond existing integration tests.

Evidence

  • oci/sign/verify.go

  • oci/sign/verify_tamper_test.go (TestVerify_TamperedAgentDigest, TestVerify_TamperedFingerprint, TestVerify_UnsignedMainImage)

  • docs/_generated/test-outputs/integrity-tamper-output.txt