Support verifying Sigstore bundles #478

Merged (18 commits), Jan 31, 2023
19 changes: 19 additions & 0 deletions CHANGELOG.md
@@ -17,12 +17,31 @@ All versions prior to 0.9.0 are untracked.
`--bundle <FILE>`
([#465](https://github.com/sigstore/sigstore-python/pull/465))

* `sigstore verify` now supports Sigstore bundles. By default, `sigstore` looks
for an `{input}.sigstore`; this can be changed with `--bundle <FILE>` or the
legacy method of verification can be used instead via the `--signature` and
`--certificate` flags
([#478](https://github.com/sigstore/sigstore-python/pull/478))

* `sigstore verify identity` and `sigstore verify github` now support the
`--offline` flag, which tells `sigstore` to do offline transparency log
entry verification. This option replaces the unstable
`--require-rekor-offline` option, which has been removed
([#478](https://github.com/sigstore/sigstore-python/pull/478))

### Fixed

* Constrained our dependency on `pyOpenSSL` to `>= 23.0.0` to prevent
a runtime error caused by incompatible earlier versions
([#448](https://github.com/sigstore/sigstore-python/pull/448))

### Removed

* `--rekor-bundle` and `--require-rekor-offline` have been removed entirely,
as their functionality have been wholly supplanted by Sigstore bundle support
and the new `sigstore verify --offline` flag
([#478](https://github.com/sigstore/sigstore-python/pull/478))

## [1.0.0]

### Changed
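Review bot: the Removed entry has a grammatical slip and repeats what the Added entry already says. "as their functionality have been wholly supplanted" should read "has been wholly supplanted", and since the `--offline` bullet under Added already records that `--require-rekor-offline` has been removed, the Removed section could be the single place that states the removal, so a reader gets one authoritative line per flag. It would also help to say in the `sigstore verify` bullet what happens when `{input}.sigstore` is absent and neither `--bundle` nor `--signature`/`--certificate` is given (error or fallback), because that is the first behaviour an operator migrating to bundles will hit.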
55 changes: 18 additions & 37 deletions README.md
Expand Up @@ -131,10 +131,10 @@ usage: sigstore sign [-h] [--identity-token TOKEN] [--oidc-client-id ID]
[--oidc-client-secret SECRET]
[--oidc-disable-ambient-providers] [--oidc-issuer URL]
[--no-default-files] [--signature FILE]
[--certificate FILE] [--rekor-bundle FILE]
[--bundle FILE] [--no-bundle] [--overwrite] [--staging]
[--rekor-url URL] [--rekor-root-pubkey FILE]
[--fulcio-url URL] [--ctfe FILE]
[--certificate FILE] [--bundle FILE] [--no-bundle]
[--overwrite] [--staging] [--rekor-url URL]
[--rekor-root-pubkey FILE] [--fulcio-url URL]
[--ctfe FILE]
FILE [FILE ...]

positional arguments:
@@ -166,14 +166,8 @@ Output options:
--certificate FILE, --output-certificate FILE
Write a single certificate to the given file; does not
work with multiple input files (default: None)
--rekor-bundle FILE, --output-rekor-bundle FILE
Write a single offline Rekor bundle to the given file;
does not work with multiple input files (default:
None)
--bundle FILE Write a single Sigstore bundle to the given file; does
not work with multiple input files; this option is
experimental and may change between releases until
stabilized (default: None)
not work with multiple input files (default: None)
--no-bundle Don't emit {input}.sigstore files for each input; this
option is experimental and may change between releases
until stabilized (default: False)
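Review bot: the `--no-bundle` help text ("Don't emit {input}.sigstore files for each input; this option is experimental and may change between releases until stabilized") still carries the experimental caveat that this hunk drops from `--bundle`. If bundle output is now stable, the `--no-bundle` argparse help string should lose the caveat as well; if only one of the two is considered stable, the README should say which. These help blocks appear to be generated (the verify sections are delimited by `@begin-...-help@` markers), so the fix belongs in the help string in the source, followed by regeneration, rather than a hand edit of the README.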
@@ -213,11 +207,9 @@ to by a particular OIDC provider (like `https://github.com/login/oauth`).
<!-- @begin-sigstore-verify-identity-help@ -->
```
usage: sigstore verify identity [-h] [--certificate FILE] [--signature FILE]
[--rekor-bundle FILE] [--bundle FILE]
--cert-identity IDENTITY
[--require-rekor-offline] --cert-oidc-issuer
URL [--staging] [--rekor-url URL]
[--rekor-root-pubkey FILE]
[--bundle FILE] --cert-identity IDENTITY
[--offline] --cert-oidc-issuer URL [--staging]
[--rekor-url URL] [--rekor-root-pubkey FILE]
[--certificate-chain FILE]
FILE [FILE ...]

@@ -230,21 +222,16 @@ Verification inputs:
used with multiple inputs (default: None)
--signature FILE The signature to verify against; not used with
multiple inputs (default: None)
--rekor-bundle FILE The offline Rekor bundle to verify with; not used with
multiple inputs (default: None)
--bundle FILE The Sigstore bundle to verify with; not used with
multiple inputs; this option is experimental and may
change between releases until stabilized (default:
None)
multiple inputs (default: None)
FILE The file to verify

Verification options:
--cert-identity IDENTITY
The identity to check for in the certificate's Subject
Alternative Name (default: None)
--require-rekor-offline
Require offline Rekor verification with a bundle;
implied by --rekor-bundle (default: False)
--offline Perform offline verification; requires a Sigstore
bundle (default: False)
--cert-oidc-issuer URL
The OIDC issuer URL to check for in the certificate's
OIDC issuer extension (default: None)
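Review bot: the `--offline` help text ("Perform offline verification; requires a Sigstore bundle") does not say what offline verification checks or how the flag interacts with the legacy `--signature`/`--certificate` inputs. Suggest expanding it along the lines of "Perform offline verification using the transparency log entry carried in the Sigstore bundle; no Rekor lookup is made, and `--signature`/`--certificate` cannot be combined with this flag", provided that matches the implementation, and having the README prose above the generated usage block spell out that offline verification covers only what the bundle contains. A one-line migration hint for users of the removed `--require-rekor-offline` flag would also be useful here, since the CHANGELOG is the only place the replacement is currently documented.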
@@ -284,11 +271,10 @@ claims more precisely than `sigstore verify identity` allows:
<!-- @begin-sigstore-verify-github-help@ -->
```
usage: sigstore verify github [-h] [--certificate FILE] [--signature FILE]
[--rekor-bundle FILE] [--bundle FILE]
--cert-identity IDENTITY
[--require-rekor-offline] [--trigger EVENT]
[--sha SHA] [--name NAME] [--repository REPO]
[--ref REF] [--staging] [--rekor-url URL]
[--bundle FILE] --cert-identity IDENTITY
[--offline] [--trigger EVENT] [--sha SHA]
[--name NAME] [--repository REPO] [--ref REF]
[--staging] [--rekor-url URL]
[--rekor-root-pubkey FILE]
[--certificate-chain FILE]
FILE [FILE ...]
@@ -302,21 +288,16 @@ Verification inputs:
used with multiple inputs (default: None)
--signature FILE The signature to verify against; not used with
multiple inputs (default: None)
--rekor-bundle FILE The offline Rekor bundle to verify with; not used with
multiple inputs (default: None)
--bundle FILE The Sigstore bundle to verify with; not used with
multiple inputs; this option is experimental and may
change between releases until stabilized (default:
None)
multiple inputs (default: None)
FILE The file to verify

Verification options:
--cert-identity IDENTITY
The identity to check for in the certificate's Subject
Alternative Name (default: None)
--require-rekor-offline
Require offline Rekor verification with a bundle;
implied by --rekor-bundle (default: False)
--offline Perform offline verification; requires a Sigstore
bundle (default: False)
--trigger EVENT The GitHub Actions event name that triggered the
workflow (default: None)
--sha SHA The `git` commit SHA that the workflow run was invoked
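Review bot: this hunk repeats word for word the `--bundle` and `--offline` help text changed in the `sigstore verify identity` hunk above, and the `--rekor-bundle` and `--require-rekor-offline` removals likewise had to be applied twice. That suggests the two subcommands each define these arguments separately; moving the common verification inputs and options into one shared argument group (or a helper that registers them on both parsers) would keep help text, defaults and flag sets from drifting between `verify identity` and `verify github` on the next change.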