Support verifying Sigstore bundles (#478)

* _cli: Add support for verifying Sigstore bundles Signed-off-by: Alex Cameron <[email protected]> * treewide: Verify inclusion proof for Sigstore bundles Signed-off-by: Alex Cameron <[email protected]> * _cli: Clean up comments Signed-off-by: Alex Cameron <[email protected]> * CHANGELOG: Add changelog entry Signed-off-by: Alex Cameron <[email protected]> * _cli: Comment formatting Signed-off-by: Alex Cameron <[email protected]> * _cli: Rename to a private field Signed-off-by: Alex Cameron <[email protected]> * CHANGELOG: Add PR link Signed-off-by: Alex Cameron <[email protected]> * sigstore: remove "rekor bundle" support Vestigial now that we have Sigstore bundle support. Signed-off-by: William Woodruff <[email protected]> * docs, sigstore: more pruning Signed-off-by: William Woodruff <[email protected]> * sigstore, test: devolve bundle handling, fix tests Signed-off-by: William Woodruff <[email protected]> * sigstore, test: lintage Signed-off-by: William Woodruff <[email protected]> * verify/models: docstring Signed-off-by: William Woodruff <[email protected]> * test: fix offline test Signed-off-by: William Woodruff <[email protected]> * assets: remove old rekor bundle Signed-off-by: William Woodruff <[email protected]> * test: Add more test coverage for `InvalidMaterials` error cases Signed-off-by: Alex Cameron <[email protected]> * sigstore, test: docs, API cleanup Signed-off-by: William Woodruff <[email protected]> --------- Signed-off-by: Alex Cameron <[email protected]> Signed-off-by: William Woodruff <[email protected]> Co-authored-by: William Woodruff <[email protected]>
sigstore · Jan 31, 2023 · fc4e9b3 · fc4e9b3
1 parent 19d2fd6
commit fc4e9b3
Show file tree

Hide file tree

Showing 20 changed files with 299 additions and 310 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,12 +17,31 @@ All versions prior to 0.9.0 are untracked.
   `--bundle <FILE>`
   ([#465](https://github.com/sigstore/sigstore-python/pull/465))
 
+* `sigstore verify` now supports Sigstore bundles. By default, `sigstore` looks
+  for an `{input}.sigstore`; this can be changed with `--bundle <FILE>` or the
+  legacy method of verification can be used instead via the `--signature` and
+  `--certificate` flags
+  ([#478](https://github.com/sigstore/sigstore-python/pull/478))
+
+* `sigstore verify identity` and `sigstore verify github` now support the
+  `--offline` flag, which tells `sigstore` to do offline transparency log
+  entry verification. This option replaces the unstable
+  `--require-rekor-offline` option, which has been removed
+  ([#478](https://github.com/sigstore/sigstore-python/pull/478))
+
 ### Fixed
 
 * Constrained our dependency on `pyOpenSSL` to `>= 23.0.0` to prevent
   a runtime error caused by incompatible earlier versions
   ([#448](https://github.com/sigstore/sigstore-python/pull/448))
 
+### Removed
+
+* `--rekor-bundle` and `--require-rekor-offline` have been removed entirely,
+  as their functionality have been wholly supplanted by Sigstore bundle support
+  and the new `sigstore verify --offline` flag
+  ([#478](https://github.com/sigstore/sigstore-python/pull/478))
+
 ## [1.0.0]
 
 ### Changed

diff --git a/README.md b/README.md
@@ -131,10 +131,10 @@ usage: sigstore sign [-h] [--identity-token TOKEN] [--oidc-client-id ID]
                      [--oidc-client-secret SECRET]
                      [--oidc-disable-ambient-providers] [--oidc-issuer URL]
                      [--no-default-files] [--signature FILE]
-                     [--certificate FILE] [--rekor-bundle FILE]
-                     [--bundle FILE] [--no-bundle] [--overwrite] [--staging]
-                     [--rekor-url URL] [--rekor-root-pubkey FILE]
-                     [--fulcio-url URL] [--ctfe FILE]
+                     [--certificate FILE] [--bundle FILE] [--no-bundle]
+                     [--overwrite] [--staging] [--rekor-url URL]
+                     [--rekor-root-pubkey FILE] [--fulcio-url URL]
+                     [--ctfe FILE]
                      FILE [FILE ...]
 
 positional arguments:
@@ -166,14 +166,8 @@ Output options:
   --certificate FILE, --output-certificate FILE
                         Write a single certificate to the given file; does not
                         work with multiple input files (default: None)
-  --rekor-bundle FILE, --output-rekor-bundle FILE
-                        Write a single offline Rekor bundle to the given file;
-                        does not work with multiple input files (default:
-                        None)
   --bundle FILE         Write a single Sigstore bundle to the given file; does
-                        not work with multiple input files; this option is
-                        experimental and may change between releases until
-                        stabilized (default: None)
+                        not work with multiple input files (default: None)
   --no-bundle           Don't emit {input}.sigstore files for each input; this
                         option is experimental and may change between releases
                         until stabilized (default: False)
@@ -213,11 +207,9 @@ to by a particular OIDC provider (like `https://github.com/login/oauth`).
 <!-- @begin-sigstore-verify-identity-help@ -->
 ```
 usage: sigstore verify identity [-h] [--certificate FILE] [--signature FILE]
-                                [--rekor-bundle FILE] [--bundle FILE]
-                                --cert-identity IDENTITY
-                                [--require-rekor-offline] --cert-oidc-issuer
-                                URL [--staging] [--rekor-url URL]
-                                [--rekor-root-pubkey FILE]
+                                [--bundle FILE] --cert-identity IDENTITY
+                                [--offline] --cert-oidc-issuer URL [--staging]
+                                [--rekor-url URL] [--rekor-root-pubkey FILE]
                                 [--certificate-chain FILE]
                                 FILE [FILE ...]
 
@@ -230,21 +222,16 @@ Verification inputs:
                         used with multiple inputs (default: None)
   --signature FILE      The signature to verify against; not used with
                         multiple inputs (default: None)
-  --rekor-bundle FILE   The offline Rekor bundle to verify with; not used with
-                        multiple inputs (default: None)
   --bundle FILE         The Sigstore bundle to verify with; not used with
-                        multiple inputs; this option is experimental and may
-                        change between releases until stabilized (default:
-                        None)
+                        multiple inputs (default: None)
   FILE                  The file to verify
 
 Verification options:
   --cert-identity IDENTITY
                         The identity to check for in the certificate's Subject
                         Alternative Name (default: None)
-  --require-rekor-offline
-                        Require offline Rekor verification with a bundle;
-                        implied by --rekor-bundle (default: False)
+  --offline             Perform offline verification; requires a Sigstore
+                        bundle (default: False)
   --cert-oidc-issuer URL
                         The OIDC issuer URL to check for in the certificate's
                         OIDC issuer extension (default: None)
@@ -284,11 +271,10 @@ claims more precisely than `sigstore verify identity` allows:
 <!-- @begin-sigstore-verify-github-help@ -->
 ```
 usage: sigstore verify github [-h] [--certificate FILE] [--signature FILE]
-                              [--rekor-bundle FILE] [--bundle FILE]
-                              --cert-identity IDENTITY
-                              [--require-rekor-offline] [--trigger EVENT]
-                              [--sha SHA] [--name NAME] [--repository REPO]
-                              [--ref REF] [--staging] [--rekor-url URL]
+                              [--bundle FILE] --cert-identity IDENTITY
+                              [--offline] [--trigger EVENT] [--sha SHA]
+                              [--name NAME] [--repository REPO] [--ref REF]
+                              [--staging] [--rekor-url URL]
                               [--rekor-root-pubkey FILE]
                               [--certificate-chain FILE]
                               FILE [FILE ...]
@@ -302,21 +288,16 @@ Verification inputs:
                         used with multiple inputs (default: None)
   --signature FILE      The signature to verify against; not used with
                         multiple inputs (default: None)
-  --rekor-bundle FILE   The offline Rekor bundle to verify with; not used with
-                        multiple inputs (default: None)
   --bundle FILE         The Sigstore bundle to verify with; not used with
-                        multiple inputs; this option is experimental and may
-                        change between releases until stabilized (default:
-                        None)
+                        multiple inputs (default: None)
   FILE                  The file to verify
 
 Verification options:
   --cert-identity IDENTITY
                         The identity to check for in the certificate's Subject
                         Alternative Name (default: None)
-  --require-rekor-offline
-                        Require offline Rekor verification with a bundle;
-                        implied by --rekor-bundle (default: False)
+  --offline             Perform offline verification; requires a Sigstore
+                        bundle (default: False)
   --trigger EVENT       The GitHub Actions event name that triggered the
                         workflow (default: None)
   --sha SHA             The `git` commit SHA that the workflow run was invoked