diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
new file mode 100644
index 0000000000..171620f059
--- /dev/null
+++ b/.github/workflows/conformance.yml
@@ -0,0 +1,21 @@
+on: [workflow_dispatch]
+
+name: Conformance Suite
+
+jobs:
+ conformance:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
+ with:
+ profile: minimal
+ toolchain: stable
+ override: true
+ - uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
+ with:
+ command: build
+ args: --manifest-path=tests/conformance/Cargo.toml
+ - uses: sigstore/sigstore-conformance@main
+ with:
+ entrypoint: ${{ github.workspace }}/tests/conformance/target/debug/sigstore
diff --git a/tests/conformance/Cargo.toml b/tests/conformance/Cargo.toml
new file mode 100644
index 0000000000..6c0c5d16a9
--- /dev/null
+++ b/tests/conformance/Cargo.toml
@@ -0,0 +1,15 @@
+[package]
+name = "sigstore-conformance"
+description = "sigstore conformance testing workflow"
+version = "0.0.1"
+edition = "2021"
+authors = ["sigstore-rs developers"]
+license = "Apache-2.0"
+
+[dependencies]
+clap = { version = "4.0.8", features = ["derive"] }
+sigstore = { path = "../../" }
+
+[[bin]]
+name = "sigstore"
+path = "conformance.rs"
diff --git a/tests/conformance/conformance.rs b/tests/conformance/conformance.rs
new file mode 100644
index 0000000000..c52c822fe1
--- /dev/null
+++ b/tests/conformance/conformance.rs
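Review bot: The last step pulls `sigstore/sigstore-conformance@main`, a mutable branch ref, while every other `uses:` in this job is pinned to a full commit SHA with a version comment; that action receives the freshly built binary and runs inside the job's context, so it should be pinned the same way, `- uses: sigstore/sigstore-conformance@<commit-sha> # <tag>` (placeholders to be filled from that repository's releases). With a branch ref both the suite's expectations and the code executing in this workflow can change with no commit to this repository, which makes a later failure hard to attribute and leaves the job exposed to whatever lands on that branch. Pinning also keeps the result reproducible, which is the point of the SHA pins already used on the checkout, toolchain and cargo steps.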
@@ -0,0 +1,109 @@
+//
+// Copyright 2023 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// CLI implemented to specification:
+// https://github.com/sigstore/sigstore-conformance/blob/main/docs/cli_protocol.md
+
+use clap::{Parser, Subcommand};
+
+#[derive(Parser, Debug)]
+struct Cli {
+ #[command(subcommand)]
+ command: Commands,
+}
+
+#[derive(Subcommand, Debug)]
+enum Commands {
+ Sign(Sign),
+ SignBundle(SignBundle),
+ Verify(Verify),
+ VerifyBundle(VerifyBundle),
+}
+
+#[derive(Parser, Debug)]
+struct Sign {
+ // The OIDC identity token to use
+ #[clap(long)]
+ identity_token: String,
+
+ // The path to write the signature to
+ #[clap(long)]
+ signature: String,
+
+ // The path to write the signing certificate to
+ #[clap(long)]
+ certificate: String,
+
+ // The artifact to sign
+ artifact: String,
+}
+
+#[derive(Parser, Debug)]
+struct SignBundle {
+ // The OIDC identity token to use
+ #[clap(long)]
+ identity_token: String,
+
+ // The path to write the bundle to
+ #[clap(long)]
+ bundle: String,
+
+ // The artifact to sign
+ artifact: String,
+}
+
+#[derive(Parser, Debug)]
+struct Verify {
+ // The path to the signature to verify
+ #[clap(long)]
+ signature: String,
+
+ // The path to the signing certificate to verify
+ #[clap(long)]
+ certificate: String,
+
+ // The expected identity in the signing certificate's SAN extension
+ #[clap(long)]
+ certificate_identity: String,
+
+ // The expected OIDC issuer for the signing certificate
+ #[clap(long)]
+ certificate_oidc_issuer: String,
+
+ // The path to the artifact to verify
+ artifact: String,
+}
+
+#[derive(Parser, Debug)]
+struct VerifyBundle {
+ // The path to the Sigstore bundle to verify
+ #[clap(long)]
+ bundle: String,
+
+ // The expected identity in the signing certificate's SAN extension
+ #[clap(long)]
+ certificate_identity: String,
+
+ // The expected OIDC issuer for the signing certificate
+ #[clap(long)]
+ certificate_oidc_issuer: String,
+
+ // The path to the artifact to verify
+ artifact: String,
+}
+
+fn main() {
+ let cli = Cli::parse();
+}
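Review bot: `main` parses the command line and then returns, so every subcommand, including `verify` and `verify-bundle`, exits 0 without performing any signing or verification, and a harness that keys on exit status would read that as a successful verification; until the subcommands are implemented the binary should fail explicitly, e.g. `let _cli = Cli::parse(); eprintln!("sigstore conformance CLI: subcommand not implemented"); std::process::exit(1);`. The field comments on `Sign`, `SignBundle`, `Verify` and `VerifyBundle` are `//` rather than `///`, so clap's derive will not surface them as `--help` text; switching them to doc comments (`/// The OIDC identity token to use`) makes the help output match the protocol document linked in the header. As written `cli` is also unused, which will produce a compiler warning.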