Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support verifying Sigstore bundles #478

Merged
merged 18 commits into from
Jan 31, 2023
Merged

Support verifying Sigstore bundles #478

Show file tree
Hide file tree
Changes from 15 commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
638d632
_cli: Add support for verifying Sigstore bundles
tetsuo-cpp Jan 30, 2023
ce00d3c
treewide: Verify inclusion proof for Sigstore bundles
tetsuo-cpp Jan 30, 2023
8e37dc7
_cli: Clean up comments
tetsuo-cpp Jan 30, 2023
40a65c7
CHANGELOG: Add changelog entry
tetsuo-cpp Jan 30, 2023
fcd5a7d
_cli: Comment formatting
tetsuo-cpp Jan 30, 2023
a74fd8a
_cli: Rename to a private field
tetsuo-cpp Jan 30, 2023
a63c64d
CHANGELOG: Add PR link
tetsuo-cpp Jan 30, 2023
8546c1f
Merge branch 'main' into alex/verify-bundle
woodruffw Jan 30, 2023
cbb1e53
Merge branch 'main' into alex/verify-bundle
woodruffw Jan 30, 2023
03f7321
sigstore: remove "rekor bundle" support
woodruffw Jan 30, 2023
1b32fc1
docs, sigstore: more pruning
woodruffw Jan 30, 2023
c397f8d
sigstore, test: devolve bundle handling, fix tests
woodruffw Jan 30, 2023
24f291b
sigstore, test: lintage
woodruffw Jan 30, 2023
6d7adc1
verify/models: docstring
woodruffw Jan 30, 2023
f13d6b6
test: fix offline test
woodruffw Jan 30, 2023
36392d5
assets: remove old rekor bundle
woodruffw Jan 30, 2023
dc1cb3b
test: Add more test coverage for `InvalidMaterials` error cases
tetsuo-cpp Jan 31, 2023
4d8cb62
sigstore, test: docs, API cleanup
woodruffw Jan 31, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,12 +17,31 @@ All versions prior to 0.9.0 are untracked.
`--bundle <FILE>`
([#465](https://github.com/sigstore/sigstore-python/pull/465))

* `sigstore verify` now supports Sigstore bundles. By default, `sigstore` looks
for an `{input}.sigstore`; this can be changed with `--bundle <FILE>` or the
legacy method of verification can be used instead via the `--signature` and
`--certificate` flags
([#478](https://github.com/sigstore/sigstore-python/pull/478))

* `sigstore verify identity` and `sigstore verify github` now support the
`--offline` flag, which tells `sigstore` to do offline transparency log
entry verification. This option replaces the unstable
`--require-rekor-offline` option, which has been removed
([#478](https://github.com/sigstore/sigstore-python/pull/478))

### Fixed

* Constrained our dependency on `pyOpenSSL` to `>= 23.0.0` to prevent
a runtime error caused by incompatible earlier versions
([#448](https://github.com/sigstore/sigstore-python/pull/448))

### Removed

* `--rekor-bundle` and `--require-rekor-offline` have been removed entirely,
as their functionality have been wholly supplanted by Sigstore bundle support
and the new `sigstore verify --offline` flag
([#478](https://github.com/sigstore/sigstore-python/pull/478))

## [1.0.0]

### Changed
Expand Down
55 changes: 18 additions & 37 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -131,10 +131,10 @@ usage: sigstore sign [-h] [--identity-token TOKEN] [--oidc-client-id ID]
[--oidc-client-secret SECRET]
[--oidc-disable-ambient-providers] [--oidc-issuer URL]
[--no-default-files] [--signature FILE]
[--certificate FILE] [--rekor-bundle FILE]
[--bundle FILE] [--no-bundle] [--overwrite] [--staging]
[--rekor-url URL] [--rekor-root-pubkey FILE]
[--fulcio-url URL] [--ctfe FILE]
[--certificate FILE] [--bundle FILE] [--no-bundle]
[--overwrite] [--staging] [--rekor-url URL]
[--rekor-root-pubkey FILE] [--fulcio-url URL]
[--ctfe FILE]
FILE [FILE ...]

positional arguments:
Expand Down Expand Up @@ -166,14 +166,8 @@ Output options:
--certificate FILE, --output-certificate FILE
Write a single certificate to the given file; does not
work with multiple input files (default: None)
--rekor-bundle FILE, --output-rekor-bundle FILE
Write a single offline Rekor bundle to the given file;
does not work with multiple input files (default:
None)
--bundle FILE Write a single Sigstore bundle to the given file; does
not work with multiple input files; this option is
experimental and may change between releases until
stabilized (default: None)
not work with multiple input files (default: None)
--no-bundle Don't emit {input}.sigstore files for each input; this
option is experimental and may change between releases
until stabilized (default: False)
Expand Down Expand Up @@ -213,11 +207,9 @@ to by a particular OIDC provider (like `https://github.com/login/oauth`).
<!-- @begin-sigstore-verify-identity-help@ -->
```
usage: sigstore verify identity [-h] [--certificate FILE] [--signature FILE]
[--rekor-bundle FILE] [--bundle FILE]
--cert-identity IDENTITY
[--require-rekor-offline] --cert-oidc-issuer
URL [--staging] [--rekor-url URL]
[--rekor-root-pubkey FILE]
[--bundle FILE] --cert-identity IDENTITY
[--offline] --cert-oidc-issuer URL [--staging]
[--rekor-url URL] [--rekor-root-pubkey FILE]
[--certificate-chain FILE]
FILE [FILE ...]

Expand All @@ -230,21 +222,16 @@ Verification inputs:
used with multiple inputs (default: None)
--signature FILE The signature to verify against; not used with
multiple inputs (default: None)
--rekor-bundle FILE The offline Rekor bundle to verify with; not used with
multiple inputs (default: None)
--bundle FILE The Sigstore bundle to verify with; not used with
multiple inputs; this option is experimental and may
change between releases until stabilized (default:
None)
multiple inputs (default: None)
FILE The file to verify

Verification options:
--cert-identity IDENTITY
The identity to check for in the certificate's Subject
Alternative Name (default: None)
--require-rekor-offline
Require offline Rekor verification with a bundle;
implied by --rekor-bundle (default: False)
--offline Perform offline verification; requires a Sigstore
bundle (default: False)
--cert-oidc-issuer URL
The OIDC issuer URL to check for in the certificate's
OIDC issuer extension (default: None)
Expand Down Expand Up @@ -284,11 +271,10 @@ claims more precisely than `sigstore verify identity` allows:
<!-- @begin-sigstore-verify-github-help@ -->
```
usage: sigstore verify github [-h] [--certificate FILE] [--signature FILE]
[--rekor-bundle FILE] [--bundle FILE]
--cert-identity IDENTITY
[--require-rekor-offline] [--trigger EVENT]
[--sha SHA] [--name NAME] [--repository REPO]
[--ref REF] [--staging] [--rekor-url URL]
[--bundle FILE] --cert-identity IDENTITY
[--offline] [--trigger EVENT] [--sha SHA]
[--name NAME] [--repository REPO] [--ref REF]
[--staging] [--rekor-url URL]
[--rekor-root-pubkey FILE]
[--certificate-chain FILE]
FILE [FILE ...]
Expand All @@ -302,21 +288,16 @@ Verification inputs:
used with multiple inputs (default: None)
--signature FILE The signature to verify against; not used with
multiple inputs (default: None)
--rekor-bundle FILE The offline Rekor bundle to verify with; not used with
multiple inputs (default: None)
--bundle FILE The Sigstore bundle to verify with; not used with
multiple inputs; this option is experimental and may
change between releases until stabilized (default:
None)
multiple inputs (default: None)
FILE The file to verify

Verification options:
--cert-identity IDENTITY
The identity to check for in the certificate's Subject
Alternative Name (default: None)
--require-rekor-offline
Require offline Rekor verification with a bundle;
implied by --rekor-bundle (default: False)
--offline Perform offline verification; requires a Sigstore
bundle (default: False)
--trigger EVENT The GitHub Actions event name that triggered the
workflow (default: None)
--sha SHA The `git` commit SHA that the workflow run was invoked
Expand Down
Loading