Initial Sigstore bundle support #465
Conversation
Signed-off-by: William Woodruff <william@trailofbits.com>
Example generated bundle:

```json
{
  "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1",
  "verificationMaterial": {
    "x509CertificateChain": {
      "certificates": [
        {
          "rawBytes": "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"
        }
      ]
    },
    "tlogEntries": [
      {
        "logIndex": "2242969",
        "logId": {
          "keyId": "0y8wo8MtY5wrdiIFohx7sHeI5oKDpK5vQhGHI6G+pJY="
        },
        "kindVersion": {
          "kind": "hashedrekord",
          "version": "0.0.1"
        },
        "integratedTime": "1674233642",
        "inclusionPromise": {
          "signedEntryTimestamp": "MEUCIQD31VsczBNtApPFNW31nn20hzxULvVCtLTe7BnAjJCQiwIgN4RlYRkfRSdC7A8E6FufttvH53L5GCE+gmuh2TKVx+I="
        },
        "inclusionProof": {
          "logIndex": "2228150",
          "rootHash": "sxhOFoisbFXhJmKOSlimQWBpgkrDT5eCaSaUcydRGEg=",
          "treeSize": "2228151",
          "hashes": [
            "TwqHCU5ELTQy/KKeu+0+Qlnjr0zzPziKXjE5TGXeRT0=",
            "HtGiDzArXW02VJtZKJVYEIW1cyB7jR0d9c60io54x8s=",
            "Wjgnj5IgRwHKGVnpu6DKjZWP2ZDRyIvXC2OKO437mQ8=",
            "ZXWmnfXIqBNf4a2+MosY2T0zeCGACcqlYxrYXdY5INU=",
            "rkq9/Kqf8fYE4vhLb5vzhhbcsI5kT2JNY06JZmLMlC0=",
            "O8GhxttbaSwc3hOClnMY2tliEqlpXiUKhuUKPbPYZbA=",
            "UaBSu2yb0gg+mg7gWVuQViCWJroP3wAo9sm+70DtT94=",
            "hbzBh170Y7wu6HE4gFaJX1m3tcnffbIbneNVNitxEQ8=",
            "7RquioMcFFcBwp8L9WgAYvNdmFIX2PLFRO3Ig3I4aG4=",
            "sEdlyfBp6l2RMcB1BIr7PJyI8d6jWYNBbz4EO0ocBH0=",
            "PbBHHJ1PoLFq1tjP/Z4nE7yCxtIxUhtqkSdpbkLmrE4=",
            "d8Hx9AnJ483YnmugSNyUJyzV+dWJfK4wEcn9d9Q+4hM=",
            "KCciPEwSUhXM04e8244YynDhwh+722/pabo6ZAtt0fc=",
            "cfT2nw0gal6i8QktNkaFsq6w3Aeu62pnB6sDRzKkAZw=",
            "VwBj5hN1tw74kRJeHAQaqdSWrXWk7Zb4c1PJfrpiKNw="
          ]
        },
        "canonicalizedBody": "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"
      }
    ]
  },
  "messageSignature": {
    "messageDigest": {
      "algorithm": "SHA2_256",
      "digest": "Ib+a4NLZrTt/tk8tYb0hIbHHXusYswz3L68RAv0q/Pc="
    },
    "signature": "MGYCMQCGth+2fxxF5z5yGE9dqdQzWAc6WFuPpVCZHr03Cdwk43egPV5D8XNV3ngOoF4FWYoCMQCL1u5RaqL/D2GIxxcBlcDp0Ktu+a09iUKm0QAGuPfJ0F1zHuCiRRX/3v0+X5SsiIU="
  }
}
```

That bundle signs for
cc @znewman01 and @kommendorkapten for visibility 🙂
Currently evaluating against

Edit: Unblocked; #465 (comment) was incorrect.
Certs are base64'd DER, not PEM, and the canonicalized_body is the log entry body, not the canonicalized contents that the SET is signed over.

Signed-off-by: William Woodruff <william@trailofbits.com>
Overall looks great
) | ||
|
||
bundle = Bundle( | ||
media_type="application/vnd.dev.sigstore.bundle+json;version=0.1", |
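Review bot: the media type at `media_type="application/vnd.dev.sigstore.bundle+json;version=0.1"` is an inline literal inside the `Bundle(...)` call; a module-level constant would keep the value in one place for this serializer and for the `sigstore verify` support the description defers to a later changeset, so the two cannot drift when the bundle version is bumped.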
It'd be nice if there was some way to default to this `media_type`, but I have no idea if that's possible 🙂
IIUC no :(

That said, I think that's sort-of by design? You should only set that `media_type` if you immediately plan to serialize to JSON
Aha, I missed that detail! That makes sense, then, and it's not a huge deal here.
Yeah, it would be nice to have const values in the language bindings that would capture the current media type used.
100% agreed -- I'm not sure how best to accomplish that without hacky patches to the codegen, though...
Yes, would be messy. I would love for Protobufs to support that natively, so many use-cases I have seen where it would make our lives easier.
Signed-off-by: William Woodruff <william@trailofbits.com>
to control whether Sigstore bundles are emitted by default Signed-off-by: Alex Cameron <asc@tetsuo.sh>
Signed-off-by: Alex Cameron <asc@tetsuo.sh>
@@ -669,11 +739,16 @@ def _sign(args: argparse.Namespace) -> None: | |||
print(result.cert_pem, file=io) | |||
print(f"Certificate written to {outputs['cert']}") | |||
|
|||
if outputs["rekor_bundle"] is not None: |
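Review bot: `outputs["rekor_bundle"] is not None` on the last line of the hunk assumes the key is always present in `outputs`; that holds while every output is added to the map with `None` for files that are not written, but `outputs.get("rekor_bundle") is not None` would tolerate both a missing key and a `None` value, so a later change that stops populating unused entries cannot reintroduce a `KeyError` here.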
I changed these back from:

```python
if "rekor_bundle" in outputs:
```

This is because when we don't write to an output, the entry still gets added to the map, the file is just set to `None`. Previously, if we specified some outputs but not all, we'd crash.
Makes sense! I've re-fixed #465 (comment) based on that.
LGTM!
@woodruffw I pushed a few commits to make the CLI work as we described, so please take a look at that when you get a moment. Other than that, this looks great. 🎉
Overall LGTM, aside from the bug with writing `.sig` files.
Just a note: we probably don't want to make a release with this until verification is supported as well.
Signed-off-by: William Woodruff <william@trailofbits.com>
Sounds good!
Signed-off-by: William Woodruff <william@trailofbits.com>
* Initial Sigstore bundle support
  Signed-off-by: William Woodruff <william@trailofbits.com>
* README: update `--help` texts
  Signed-off-by: William Woodruff <william@trailofbits.com>
* sign: fix bundle generation
  Certs are base64'd DER, not PEM, and the canonicalized_body is the log entry body, not the canonicalized contents that the SET is signed over.
  Signed-off-by: William Woodruff <william@trailofbits.com>
* sign: remove TODO
  Signed-off-by: William Woodruff <william@trailofbits.com>
* sign: update TODO
  Signed-off-by: William Woodruff <william@trailofbits.com>
* _cli: Make `--bundle` refer to a path and create a `--no-bundle` flag to control whether Sigstore bundles are emitted by default
  Signed-off-by: Alex Cameron <asc@tetsuo.sh>
* _cli: Move variable to correct scope
  Signed-off-by: Alex Cameron <asc@tetsuo.sh>
* _cli: Reword warnings for bundle flags
  Signed-off-by: Alex Cameron <asc@tetsuo.sh>
* README: Fix sign example
  Signed-off-by: Alex Cameron <asc@tetsuo.sh>
* README: Update verify invocations
  Signed-off-by: Alex Cameron <asc@tetsuo.sh>
* README: Fix line breaks
  Signed-off-by: Alex Cameron <asc@tetsuo.sh>
* _cli: fix sig output
  Signed-off-by: William Woodruff <william@trailofbits.com>
* _cli: fix sig check, take 2
  Signed-off-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: Alex Cameron <asc@tetsuo.sh>
Co-authored-by: Alex Cameron <asc@tetsuo.sh>
This adds initial support for Sigstore bundles during signing, in the form of the `--bundle` flag. When passed, `sigstore sign` will generate a single `{input}.sigstore` instead of separate `.crt`, `.sig`, and `.rekor` files.

I haven't included `sigstore verify` support in the initial changeset, in an effort to keep the diff small. But adding it shouldn't be difficult, and will provide a good dogfood/smoke test for round-tripping through the bundle format.

See #251.

Signed-off-by: William Woodruff <william@trailofbits.com>
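As an added example (not code from this PR or from sigstore-python), the stdlib-only Python below walks the bundle layout shown in the example JSON near the top of the thread and in the description: it serializes a bundle in the same v0.1 shape from constructed data, then runs the offline checks a verifier would apply to such a `.sigstore` file before any certificate-chain work: the media type, the artifact digest in `messageDigest`, that each `rawBytes` really is DER rather than PEM (the mix-up the "sign: fix bundle generation" commit describes), and the Rekor `inclusionProof` recomputed with RFC 6962 hashing against `rootHash`. The log entries, the certificate placeholder and the signature value are constructed; `verify_inclusion`, `check_bundle` and `make_sample_bundle` are names chosen here; and the assumption that the transparency-log leaf is the RFC 6962 leaf hash of the decoded `canonicalizedBody` is mine, not something the page states.

```python
import base64
import hashlib
import json

BUNDLE_MEDIA_TYPE = "application/vnd.dev.sigstore.bundle+json;version=0.1"  # from the page's bundle


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# RFC 6962 Merkle hashing as used by Rekor's log (leaf = hash of the decoded canonicalizedBody: assumption).
def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()  # 0x00 = leaf domain separator


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # 0x01 = interior node


def merkle_root(entries: list) -> bytes:
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = 1 << ((len(entries) - 1).bit_length() - 1)  # largest power of two strictly below n
    return node_hash(merkle_root(entries[:k]), merkle_root(entries[k:]))


def inclusion_path(m: int, entries: list) -> list:
    """Audit path for entry m, nearest sibling first, in the order a log returns it."""
    if len(entries) == 1:
        return []
    k = 1 << ((len(entries) - 1).bit_length() - 1)
    if m < k:
        return inclusion_path(m, entries[:k]) + [merkle_root(entries[k:])]
    return inclusion_path(m - k, entries[k:]) + [merkle_root(entries[:k])]


def verify_inclusion(leaf: bytes, index: int, tree_size: int, path: list, root: bytes) -> bool:
    """Recompute the root from a leaf hash and its audit path (RFC 9162, section 2.1.3.2)."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn and not fn & 1:  # no-op when LSB(fn) was already set
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root


# Constructed sample data; none of it comes from a real Rekor log or Fulcio CA.
ARTIFACT = b"hello sigstore bundle\n"
LOG_ENTRIES = [f"constructed-entry-{i}".encode() for i in range(6)]  # stand-ins for entry bodies
DER_CERT = b"\x30\x03\x02\x01\x01"  # bare DER SEQUENCE placeholder, not a parseable X.509 cert
PEM_CERT = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"  # the wrong encoding


def make_sample_bundle(leaf_index: int, claimed_index=None, pem_cert: bool = False) -> str:
    """Serialize a bundle in the page's v0.1 shape that proves LOG_ENTRIES[leaf_index]."""
    tlog_entry = {
        "logIndex": str(1_000_000 + leaf_index),  # global index, not the one the proof is about
        "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"},
        "inclusionProof": {
            # claimed_index lets the proof claim the wrong position inside the tree
            "logIndex": str(leaf_index if claimed_index is None else claimed_index),
            "rootHash": b64(merkle_root(LOG_ENTRIES)),
            "treeSize": str(len(LOG_ENTRIES)),
            "hashes": [b64(h) for h in inclusion_path(leaf_index, LOG_ENTRIES)],
        },
        "canonicalizedBody": b64(LOG_ENTRIES[leaf_index]),
    }
    cert = PEM_CERT if pem_cert else DER_CERT  # pem_cert reproduces the PEM-instead-of-DER mistake
    return json.dumps({
        "mediaType": BUNDLE_MEDIA_TYPE,
        "verificationMaterial": {
            "x509CertificateChain": {"certificates": [{"rawBytes": b64(cert)}]},
            "tlogEntries": [tlog_entry],
        },
        "messageSignature": {
            "messageDigest": {"algorithm": "SHA2_256", "digest": b64(hashlib.sha256(ARTIFACT).digest())},
            "signature": b64(b"constructed-placeholder-signature"),  # not a real ECDSA signature
        },
    })


def check_bundle(bundle_json: str, artifact: bytes) -> dict:
    """Offline structural checks; chain validation and the signature check are left out."""
    b = json.loads(bundle_json)
    vm, md = b["verificationMaterial"], b["messageSignature"]["messageDigest"]
    entry = vm["tlogEntries"][0]
    proof = entry["inclusionProof"]
    certs = [base64.b64decode(c["rawBytes"]) for c in vm["x509CertificateChain"]["certificates"]]
    return {
        "media_type": b["mediaType"] == BUNDLE_MEDIA_TYPE,
        "digest": md["algorithm"] == "SHA2_256"
        and base64.b64decode(md["digest"]) == hashlib.sha256(artifact).digest(),
        # X.509 DER begins with the SEQUENCE tag 0x30; PEM begins with "-----BEGIN".
        "certs_are_der": bool(certs) and all(c[:1] == b"\x30" for c in certs),
        "inclusion": verify_inclusion(
            leaf_hash(base64.b64decode(entry["canonicalizedBody"])),
            int(proof["logIndex"]), int(proof["treeSize"]),
            [base64.b64decode(h) for h in proof["hashes"]], base64.b64decode(proof["rootHash"]),
        ),
    }
```

`check_bundle(make_sample_bundle(4), ARTIFACT)` returns a dict with every check `True`; passing a different artifact flips `digest`, `make_sample_bundle(1, claimed_index=2)` flips `inclusion`, and `pem_cert=True` flips `certs_are_der`. Two things the sample is built to surface: `tlogEntries[0].logIndex` and `inclusionProof.logIndex` are different numbers (in the bundle above, 2242969 versus 2228150 with a `treeSize` of 2228151), and only the latter is meaningful against `treeSize` and `rootHash`; and a bundle that passes every check here is still unverified until the chain is validated to the Fulcio root and `signature` is checked over the digest with the leaf certificate's key, which needs an X.509 library and is deliberately not done here.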