Initial Sigstore bundle support #465

Merged
merged 16 commits into from
Jan 25, 2023

Conversation

woodruffw
Member

This adds initial support for Sigstore bundles during signing, in the form of the --bundle flag. When passed, sigstore sign will generate a single {input}.sigstore instead of separate .crt, .sig, and .rekor files.

I haven't included sigstore verify support in the initial changeset, in an effort to keep the diff small. But adding it shouldn't be difficult, and will provide a good dogfood/smoke test for round-tripping through the bundle format.

See #251.

Signed-off-by: William Woodruff <[email protected]>

Signed-off-by: William Woodruff <[email protected]>
@woodruffw woodruffw added component:cli CLI components component:signing Core signing functionality labels Jan 20, 2023
@woodruffw woodruffw requested review from di and tetsuo-cpp January 20, 2023 16:49
@woodruffw woodruffw self-assigned this Jan 20, 2023
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
Member Author

Example generated bundle:

{
    "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1",
    "verificationMaterial": {
        "x509CertificateChain": {
            "certificates": [
                {
                    "rawBytes": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN3akNDQWtlZ0F3SUJBZ0lVU0NpWUVuTzVLa0g0YWxaNTlDNmEyMUVwUENZd0NnWUlLb1pJemowRUF3TXcKTnpFVk1CTUdBMVVFQ2hNTWMybG5jM1J2Y21VdVpHVjJNUjR3SEFZRFZRUURFeFZ6YVdkemRHOXlaUzFwYm5SbApjbTFsWkdsaGRHVXdIaGNOTWpNd01USXdNVFkxTkRBeVdoY05Nak13TVRJd01UY3dOREF5V2pBQU1IWXdFQVlICktvWkl6ajBDQVFZRks0RUVBQ0lEWWdBRW5RRUZsMmUzdzdySjQ5eHdGbWVheWN3ZnZTajBMWXB1WFZ1d3R0aE4KaTF3TWY0ZGF0SGNSeFpMN3ZTaXp1VHY5M2twZEZ5UTBhOGJYeTBTYUpia2NBUFVEVDFTY05VVkZwOEVOOTdTTApBbmJ2dzJLRlk1YjF4QmtwR0VwajMwNmVvNElCU1RDQ0FVVXdEZ1lEVlIwUEFRSC9CQVFEQWdlQU1CTUdBMVVkCkpRUU1NQW9HQ0NzR0FRVUZCd01ETUIwR0ExVWREZ1FXQkJUdFpicTBIYmk5RWc3eThIaXZQKzFvV2NNNzh6QWYKQmdOVkhTTUVHREFXZ0JSeGhqQ21GSHhpYi9uMzF2UUZHbjlmLyt0dnJEQWpCZ05WSFJFQkFmOEVHVEFYZ1JWMwphV3hzYVdGdFFIbHZjM05oY21saGJpNXVaWFF3TEFZS0t3WUJCQUdEdnpBQkFRUWVhSFIwY0hNNkx5OW5hWFJvCmRXSXVZMjl0TDJ4dloybHVMMjloZFhSb01JR0tCZ29yQmdFRUFkWjVBZ1FDQkh3RWVnQjRBSFlBS3pDODNHaUkKeWVMaDJDWXBYblFmU0RreGxnTHluRFBMWGtOQS9yS3Nobm9BQUFHRjBCbitCZ0FBQkFNQVJ6QkZBaUJ6TENLbwpOUzlqS01iaHYwU2FteGdoWUJQK3RlbExGRzlYcDBBVXlQQmlpUUloQUxXTXpzU1pBaVdYZHN6S0xXQU15b01LClBNcjVOWndTM1Q4SmE0ZFhWbUJWTUFvR0NDcUdTTTQ5QkFNREEya0FNR1lDTVFDNGU1cktGcWRHbEZkTzJEemkKR3k3ajZJVkpZdENhQStraitUL0MwVWhwZ0xON2h2dGVXOXdkSUwrU1l0bjRvVG9DTVFDMmswNDVFdktBcTdHRwpEbngwaEhrTWJmS2ZKK0NCZjV1bjZSODkxOWpST1ZVdUdEeUlLUWhFSi9RQjBhaVV3bDg9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
                }
            ]
        },
        "tlogEntries": [
            {
                "logIndex": "2242969",
                "logId": {
                    "keyId": "0y8wo8MtY5wrdiIFohx7sHeI5oKDpK5vQhGHI6G+pJY="
                },
                "kindVersion": {
                    "kind": "hashedrekord",
                    "version": "0.0.1"
                },
                "integratedTime": "1674233642",
                "inclusionPromise": {
                    "signedEntryTimestamp": "MEUCIQD31VsczBNtApPFNW31nn20hzxULvVCtLTe7BnAjJCQiwIgN4RlYRkfRSdC7A8E6FufttvH53L5GCE+gmuh2TKVx+I="
                },
                "inclusionProof": {
                    "logIndex": "2228150",
                    "rootHash": "sxhOFoisbFXhJmKOSlimQWBpgkrDT5eCaSaUcydRGEg=",
                    "treeSize": "2228151",
                    "hashes": [
                        "TwqHCU5ELTQy/KKeu+0+Qlnjr0zzPziKXjE5TGXeRT0=",
                        "HtGiDzArXW02VJtZKJVYEIW1cyB7jR0d9c60io54x8s=",
                        "Wjgnj5IgRwHKGVnpu6DKjZWP2ZDRyIvXC2OKO437mQ8=",
                        "ZXWmnfXIqBNf4a2+MosY2T0zeCGACcqlYxrYXdY5INU=",
                        "rkq9/Kqf8fYE4vhLb5vzhhbcsI5kT2JNY06JZmLMlC0=",
                        "O8GhxttbaSwc3hOClnMY2tliEqlpXiUKhuUKPbPYZbA=",
                        "UaBSu2yb0gg+mg7gWVuQViCWJroP3wAo9sm+70DtT94=",
                        "hbzBh170Y7wu6HE4gFaJX1m3tcnffbIbneNVNitxEQ8=",
                        "7RquioMcFFcBwp8L9WgAYvNdmFIX2PLFRO3Ig3I4aG4=",
                        "sEdlyfBp6l2RMcB1BIr7PJyI8d6jWYNBbz4EO0ocBH0=",
                        "PbBHHJ1PoLFq1tjP/Z4nE7yCxtIxUhtqkSdpbkLmrE4=",
                        "d8Hx9AnJ483YnmugSNyUJyzV+dWJfK4wEcn9d9Q+4hM=",
                        "KCciPEwSUhXM04e8244YynDhwh+722/pabo6ZAtt0fc=",
                        "cfT2nw0gal6i8QktNkaFsq6w3Aeu62pnB6sDRzKkAZw=",
                        "VwBj5hN1tw74kRJeHAQaqdSWrXWk7Zb4c1PJfrpiKNw="
                    ]
                },
                "canonicalizedBody": "<elided>"
            }
        ]
    },
    "messageSignature": {
        "messageDigest": {
            "algorithm": "SHA2_256",
            "digest": "Ib+a4NLZrTt/tk8tYb0hIbHHXusYswz3L68RAv0q/Pc="
        },
        "signature": "MGYCMQCGth+2fxxF5z5yGE9dqdQzWAc6WFuPpVCZHr03Cdwk43egPV5D8XNV3ngOoF4FWYoCMQCL1u5RaqL/D2GIxxcBlcDp0Ktu+a09iUKm0QAGuPfJ0F1zHuCiRRX/3v0+X5SsiIU="
    }
}

That bundle signs for README.md as of a0377a4.

@woodruffw
Member Author

cc @znewman01 and @kommendorkapten for visibility 🙂

@woodruffw
Member Author

woodruffw commented Jan 20, 2023

Currently evaluating against sigstore-js; blocked on resolution of sigstore/protobuf-specs#62

Edit: Unblocked; #465 (comment) was incorrect.

Certs are base64'd DER, not PEM, and the canonicalized_body
is the log entry body, not the canonicalized contents that
the SET is signed over.

Signed-off-by: William Woodruff <[email protected]>
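
The commit message above records the two encoding mistakes in the first draft, and the bundle pasted earlier in the thread still shows the first of them: its `rawBytes` value begins `LS0tLS1CRUdJTi`, which is base64 for `-----BEGIN CERTIFICATE-----`, so the field carried a PEM block where the format wants the DER bytes. The Python below is an added example, not sigstore-python's own code, that runs structural checks of that kind over a bundle: media type, base64-of-DER certificates, a transparency log entry with a promise or proof, and the message digest against the artifact. The artifact, the stand-in certificate bytes and both sample bundles are constructed for the example; it checks format only and does not verify the chain, the signature or the log inclusion.

```python
"""Structural checks over a Sigstore bundle (added example, not sigstore-python's code).

The artifact, stand-in certificate bytes and sample bundles are constructed for the example.
"""
import base64
import binascii
import hashlib
import json
from typing import List, Optional

BUNDLE_MEDIA_TYPE = "application/vnd.dev.sigstore.bundle+json;version=0.1"  # as in the PR's bundle
ARTIFACT = b"hello sigstore\n"  # constructed artifact the sample bundles claim to sign


def _b64(s: str) -> Optional[bytes]:
    """Strict base64 decode; None when the value is not valid base64."""
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def check_bundle(bundle_json: str, artifact: bytes) -> List[str]:
    """Return the structural problems found (empty list: none). Format checks only; the
    chain, the signature and the log inclusion are not cryptographically verified here."""
    problems: List[str] = []
    b = json.loads(bundle_json)
    if b.get("mediaType") != BUNDLE_MEDIA_TYPE:
        problems.append(f"unexpected mediaType {b.get('mediaType')!r}")

    vm = b.get("verificationMaterial", {})
    certs = vm.get("x509CertificateChain", {}).get("certificates", [])
    if not certs:
        problems.append("no certificates in x509CertificateChain")
    for i, cert in enumerate(certs):
        raw = _b64(cert.get("rawBytes", ""))
        if raw is None:
            problems.append(f"certificate {i}: rawBytes is not valid base64")
        elif raw.startswith(b"-----BEGIN"):
            # The mistake fixed by "sign: fix bundle generation": rawBytes must be
            # base64 of the DER encoding, not base64 of a PEM block.
            problems.append(f"certificate {i}: rawBytes is PEM, expected DER")
        elif not raw.startswith(b"\x30"):
            problems.append(f"certificate {i}: rawBytes does not start with a DER SEQUENCE tag")

    entries = vm.get("tlogEntries", [])
    if not entries:
        problems.append("no tlogEntries")
    for i, entry in enumerate(entries):
        if not str(entry.get("logIndex", "")).isdigit():
            problems.append(f"tlogEntry {i}: logIndex is not a decimal string")
        if "inclusionPromise" not in entry and "inclusionProof" not in entry:
            problems.append(f"tlogEntry {i}: neither inclusionPromise nor inclusionProof")

    ms = b.get("messageSignature", {})
    md = ms.get("messageDigest", {})
    if md.get("algorithm") != "SHA2_256":
        problems.append(f"unsupported digest algorithm {md.get('algorithm')!r}")
    elif md.get("digest") != base64.b64encode(hashlib.sha256(artifact).digest()).decode():
        problems.append("messageDigest does not match the artifact")
    if _b64(ms.get("signature", "")) is None:
        problems.append("signature is not valid base64")
    return problems


def make_sample_bundle(raw_cert: bytes, artifact: bytes) -> str:
    """Constructed bundle with the PR's layout, wrapped around the given certificate bytes."""
    def b64(data: bytes) -> str:
        return base64.b64encode(data).decode()

    entry = {
        "logIndex": "2242969",
        "logId": {"keyId": b64(b"constructed-log-key-id")},
        "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"},
        "integratedTime": "1674233642",
        "inclusionPromise": {"signedEntryTimestamp": b64(b"constructed-SET")},
    }
    return json.dumps({
        "mediaType": BUNDLE_MEDIA_TYPE,
        "verificationMaterial": {
            "x509CertificateChain": {"certificates": [{"rawBytes": b64(raw_cert)}]},
            "tlogEntries": [entry],
        },
        "messageSignature": {
            "messageDigest": {"algorithm": "SHA2_256", "digest": b64(hashlib.sha256(artifact).digest())},
            "signature": b64(b"constructed-signature"),
        },
    })


# Minimal syntactically valid DER (SEQUENCE { INTEGER 1 }); stands in for a DER certificate.
DER_STANDIN = b"\x30\x03\x02\x01\x01"
# What the PR's first draft emitted: a PEM block, then base64'd.
PEM_STANDIN = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

GOOD_BUNDLE = make_sample_bundle(DER_STANDIN, ARTIFACT)
BUGGY_BUNDLE = make_sample_bundle(PEM_STANDIN, ARTIFACT)

if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("buggy", BUGGY_BUNDLE)):
        print(f"{name}: {check_bundle(bundle, ARTIFACT) or 'ok'}")
```

`check_bundle(GOOD_BUNDLE, ARTIFACT)` returns an empty list, while the PEM-wrapped bundle reports the certificate problem and a bundle checked against a different artifact reports the digest mismatch. The DER test is deliberately shallow (just the leading SEQUENCE tag); a real consumer would hand the bytes to an X.509 parser, which is exactly where a PEM-in-base64 value fails.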
znewman01
znewman01 previously approved these changes Jan 20, 2023

@znewman01 znewman01 left a comment

Overall looks great

)

bundle = Bundle(
media_type="application/vnd.dev.sigstore.bundle+json;version=0.1",
Member Author

It'd be nice if there was some way to default to this media_type, but I have no idea if that's possible 🙂

IIUC no :(

That said, I think that's sort-of by design? You should only set that media_type if you immediately plan to serialize to JSON

Member Author

Aha, I missed that detail! That makes sense, then, and it's not a huge deal here.

Member

Yeah, it would be nice to have const values in the language bindings that would capture the current media type used.

Member Author

100% agreed -- I'm not sure how best to accomplish that without hacky patches to the codegen, though...

Member

Yes, would be messy. I would love for Protobufs to support that natively, so many use-cases I have seen where it would make our lives easier.

Signed-off-by: William Woodruff <[email protected]>
_cli: Make `--bundle` refer to a path and create a `--no-bundle` flag
to control whether Sigstore bundles are emitted by default

Signed-off-by: Alex Cameron <[email protected]>
Signed-off-by: Alex Cameron <[email protected]>
Signed-off-by: Alex Cameron <[email protected]>
@@ -669,11 +739,16 @@ def _sign(args: argparse.Namespace) -> None:
print(result.cert_pem, file=io)
print(f"Certificate written to {outputs['cert']}")

if outputs["rekor_bundle"] is not None:
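
Review bot: the identity test `outputs["rekor_bundle"] is not None` is correct only because the map is populated with every key up front; a partially built map would raise `KeyError` on the subscript before the comparison runs. `outputs.get("rekor_bundle") is not None` covers both shapes at no cost. Either way, a one-line comment next to the branch saying that the value, not the key, is the thing to test would stop the membership form from being reintroduced, given that the discussion below records it being used earlier and crashing when only some outputs were requested.
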
Contributor

@tetsuo-cpp tetsuo-cpp Jan 25, 2023

I changed these back from:

if "rekor_bundle" in outputs:

This is because when we don't write to an output, the entry still gets added to the map; the file is just set to None. Previously, if we specified some outputs but not all, we'd crash.
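
The output behaviour described in the PR description (a single `{input}.sigstore` written by default), the `--no-bundle` flag added in the later commits, and the `None`-valued output map this comment explains, as an added Python example that is not sigstore-python's own code. The flag names, the mutual exclusion of `--bundle` and `--no-bundle`, and the file contents are assumptions constructed for the example. It keeps the earlier membership check beside the corrected `is not None` check so the crash on a partial set of outputs can be reproduced.

```python
"""Output selection and writing for a sign command (added example, not sigstore-python's code).

Every output kind is always a key in the output map, with None for the ones not
requested; flag names and file contents are assumptions made for this example.
"""
import argparse
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Constructed stand-ins for what a real signing run would write.
CONTENTS = {
    "cert": "constructed PEM certificate\n",
    "sig": "constructed base64 signature\n",
    "rekor_bundle": "{}\n",
    "bundle": "{}\n",
}


def build_parser() -> argparse.ArgumentParser:
    # Flag names are assumptions for this example, not the project's exact CLI.
    p = argparse.ArgumentParser(prog="sigstore sign")
    p.add_argument("--bundle", metavar="PATH", help="write the Sigstore bundle to PATH")
    p.add_argument("--no-bundle", action="store_true", help="do not write a bundle")
    p.add_argument("--signature", metavar="PATH")
    p.add_argument("--certificate", metavar="PATH")
    p.add_argument("--rekor-bundle", metavar="PATH")
    p.add_argument("input")
    return p


def plan_outputs(args: argparse.Namespace, input_path: Path) -> Dict[str, Optional[Path]]:
    """Map every output kind to a path, or None when it must not be written."""
    if args.bundle is not None and args.no_bundle:
        raise ValueError("--bundle and --no-bundle are mutually exclusive")
    if args.no_bundle:
        bundle: Optional[Path] = None
    elif args.bundle is not None:
        bundle = Path(args.bundle)
    else:
        bundle = input_path.with_name(input_path.name + ".sigstore")  # the default
    return {
        "cert": Path(args.certificate) if args.certificate else None,
        "sig": Path(args.signature) if args.signature else None,
        "rekor_bundle": Path(args.rekor_bundle) if args.rekor_bundle else None,
        "bundle": bundle,
    }


def write_outputs_buggy(outputs: Dict[str, Optional[Path]], contents: Dict[str, str]) -> List[Path]:
    """The earlier check: key membership only. Every key is present, so a None
    value reaches write_text and raises AttributeError."""
    written: List[Path] = []
    for kind, data in contents.items():
        if kind in outputs:
            outputs[kind].write_text(data)  # type: ignore[union-attr]
            written.append(outputs[kind])  # type: ignore[arg-type]
    return written


def write_outputs(outputs: Dict[str, Optional[Path]], contents: Dict[str, str]) -> List[Path]:
    """The corrected check: test the value, not the key."""
    written: List[Path] = []
    for kind, data in contents.items():
        path = outputs.get(kind)
        if path is not None:
            path.write_text(data)
            written.append(path)
    return written


def run(argv: List[str], workdir: Path) -> List[Path]:
    """Parse argv, plan outputs for an input inside workdir, and write them."""
    args = build_parser().parse_args(argv)
    return write_outputs(plan_outputs(args, workdir / args.input), CONTENTS)


def demo() -> Dict[str, object]:
    """Exercise the cases in a temporary directory; returns the file names written."""
    def names(paths: List[Path]) -> List[str]:
        return sorted(p.name for p in paths)

    with tempfile.TemporaryDirectory() as d:
        work = Path(d)
        default = names(run(["README.md"], work))
        explicit = names(run(["--bundle", str(work / "out.sigstore"), "README.md"], work))
        no_bundle = names(run(["--no-bundle", "--signature", str(work / "README.md.sig"), "README.md"], work))
        # Some outputs but not all: the old membership check crashes, the new one does not.
        args = build_parser().parse_args(["--signature", str(work / "only.sig"), "README.md"])
        outputs = plan_outputs(args, work / "README.md")
        try:
            write_outputs_buggy(outputs, CONTENTS)
            buggy_raises = False
        except AttributeError:
            buggy_raises = True
        partial = names(write_outputs(outputs, CONTENTS))
    return {"default": default, "explicit": explicit, "no_bundle": no_bundle,
            "buggy_raises": buggy_raises, "partial": partial}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` writes only `README.md.sigstore` for a bare invocation, only the named path with `--bundle`, and only the `.sig` file with `--no-bundle --signature`; with `--signature` alone the membership-based writer raises `AttributeError` on the `None` certificate entry, while the value-based writer produces the signature and the default bundle.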

Member Author

Makes sense! I've re-fixed #465 (comment) based on that.

tetsuo-cpp
tetsuo-cpp previously approved these changes Jan 25, 2023
Contributor

@tetsuo-cpp tetsuo-cpp left a comment

LGTM!

@woodruffw I pushed a few commits to make the CLI work as we described, so please take a look at that when you get a moment. Other than that, this looks great. 🎉

Member

@di di left a comment

Overall LGTM, aside from the bug with writing .sig files.

Just a note: we probably don't want to make a release with this until verification is supported as well.

Signed-off-by: William Woodruff <[email protected]>
@woodruffw
Member Author

Just a note: we probably don't want to make a release with this until verification is supported as well.

Sounds good!

Signed-off-by: William Woodruff <[email protected]>
@woodruffw woodruffw merged commit e919f5e into main Jan 25, 2023
@woodruffw woodruffw deleted the ww/sigstore-bundles branch January 25, 2023 19:17
jleightcap pushed a commit that referenced this pull request Jan 31, 2023
* Initial Sigstore bundle support

Signed-off-by: William Woodruff <[email protected]>

* README: update `--help` texts

Signed-off-by: William Woodruff <[email protected]>

* sign: fix bundle generation

Certs are base64'd DER, not PEM, and the canonicalized_body
is the log entry body, not the canonicalized contents that
the SET is signed over.

Signed-off-by: William Woodruff <[email protected]>

* sign: remove TODO

Signed-off-by: William Woodruff <[email protected]>

* sign: update TODO

Signed-off-by: William Woodruff <[email protected]>

* _cli: Make `--bundle` refer to a path and create a `--no-bundle` flag
to control whether Sigstore bundles are emitted by default

Signed-off-by: Alex Cameron <[email protected]>

* _cli: Move variable to correct scope

Signed-off-by: Alex Cameron <[email protected]>

* _cli: Reword warnings for bundle flags

Signed-off-by: Alex Cameron <[email protected]>

* README: Fix sign example

Signed-off-by: Alex Cameron <[email protected]>

* README: Update verify invocations

Signed-off-by: Alex Cameron <[email protected]>

* README: Fix line breaks

Signed-off-by: Alex Cameron <[email protected]>

* _cli: fix sig output

Signed-off-by: William Woodruff <[email protected]>

* _cli: fix sig check, take 2

Signed-off-by: William Woodruff <[email protected]>

Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: Alex Cameron <[email protected]>
Co-authored-by: Alex Cameron <[email protected]>
emboman13 pushed a commit to emilejbm/sigstore-python that referenced this pull request Feb 2, 2023
woodruffw added a commit that referenced this pull request Feb 14, 2023