in-toto · lukpueh · May 21, 2024 · May 17, 2024 · May 17, 2024 · May 17, 2024
diff --git a/README.md b/README.md
@@ -106,7 +106,7 @@ directory and perform the step.
 
 ```shell
 cd ../functionary_bob
-in-toto-run --step-name clone --use-dsse --products demo-project/foo.py --key bob -- git clone https://github.com/in-toto/demo-project.git
+in-toto-run --step-name clone --use-dsse --products demo-project/foo.py --signing-key bob -- git clone https://github.com/in-toto/demo-project.git
 ```
 
 Here is what happens behind the scenes:
@@ -124,7 +124,7 @@ So first Bob records the state of the files he will modify:
 
 ```shell
 # In functionary_bob directory
-in-toto-record start --step-name update-version --use-dsse --key bob --materials demo-project/foo.py
+in-toto-record start --step-name update-version --use-dsse --signing-key bob --materials demo-project/foo.py
 ```
 
 Then Bob uses an editor of his choice to update the version number in `demo-project/foo.py`, e.g.:
@@ -137,7 +137,7 @@ And finally he records the state of files after the modification and produces
 a link metadata file called `update-version.[Bob's keyid].link`.
 ```shell
 # In functionary_bob directory
-in-toto-record stop --step-name update-version --use-dsse --key bob --products demo-project/foo.py
+in-toto-record stop --step-name update-version --use-dsse --signing-key bob --products demo-project/foo.py
 ```
 
 Bob has done his work and can send over the sources to Carl, who will create
@@ -154,7 +154,7 @@ to change to Carl's directory and create a package of the software project
 
 ```shell
 cd ../functionary_carl
-in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --key carl -- tar --exclude ".git" -zcvf demo-project.tar.gz demo-project
+in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --signing-key carl -- tar --exclude ".git" -zcvf demo-project.tar.gz demo-project
 ```
 
 This will create another step link metadata file, called `package.[Carl's keyid].link`.
@@ -175,7 +175,7 @@ cd final_product
 # Fetch Alice's public key from a trusted source to verify the layout signature
 # Note: The functionary public keys are fetched from the layout
 cp ../owner_alice/alice.pub .
-in-toto-verify --layout root.layout --layout-key alice.pub
+in-toto-verify --layout root.layout --verification-keys alice.pub
 ```
 This command will verify that
  1. the layout has not expired,
@@ -208,7 +208,7 @@ Carl thought that this is the genuine code he got from Bob and
 unwittingly packages the tampered version of foo.py
 
 ```shell
-in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --key carl -- tar --exclude ".git" -zcvf demo-project.tar.gz demo-project
+in-toto-run --step-name package --use-dsse --materials demo-project/foo.py --products demo-project.tar.gz --signing-key carl -- tar --exclude ".git" -zcvf demo-project.tar.gz demo-project
 ```
 and ships everything out as final product to the client:
 ```shell
@@ -220,7 +220,7 @@ cp owner_alice/root.layout functionary_bob/clone.776a00e2.link functionary_bob/u
 
 ```shell
 cd final_product
-in-toto-verify --layout root.layout --layout-key alice.pub
+in-toto-verify --layout root.layout --verification-keys alice.pub
 ```
 This time, in-toto will detect that the product `foo.py` from Bob's `update-version`
 step was not used as material in Carl's `package` step (the verified hashes

diff --git a/owner_alice/create_layout.py b/owner_alice/create_layout.py
@@ -1,16 +1,39 @@
-from securesystemslib import interface
-from securesystemslib.signer import SSlibSigner
+from cryptography.hazmat.primitives.serialization import load_pem_private_key
+from cryptography.hazmat.primitives.serialization import  load_pem_public_key
+from securesystemslib.signer import CryptoSigner
 from in_toto.models.layout import Layout
 from in_toto.models.metadata import Envelope
+from securesystemslib.signer import SSlibKey
+from typing import Dict, Any
+
+def _load_public_key_from_file(path: str) -> Dict[str, Any]:
+    """Internal helper to load key from SubjectPublicKeyInfo/PEM file."""
+    with open(path, "rb") as f:
+        data = f.read()
+
+    crypto_public_key = load_pem_public_key(data)
+    key = SSlibKey.from_crypto(crypto_public_key)
+
+    # Create a key_dict, which is accepted by `verifylib.in_toto_verify` or `Metablock.verify_signature`
+    # NOTE: securesystemslib and in-toto key dicts differ:
+    # the former don't include the keyid, which the latter require
+    key_dict = key.to_dict()
+    key_dict["keyid"] = key.keyid
+
+    return key_dict
 
 def main():
   # Load Alice's private key to later sign the layout
-  key_alice = interface.import_rsa_privatekey_from_file("alice")
-  signer_alice = SSlibSigner(key_alice)
+  with open("alice", "rb") as f:
+    key_alice = load_pem_private_key(f.read(), None)
+
+  signer_alice = CryptoSigner(key_alice)
   # Fetch and load Bob's and Carl's public keys
   # to specify that they are authorized to perform certain step in the layout
-  key_bob = interface.import_rsa_publickey_from_file("../functionary_bob/bob.pub")
-  key_carl = interface.import_rsa_publickey_from_file("../functionary_carl/carl.pub")
+  # https://github.com/in-toto/in-toto/issues/663
+  key_bob  = _load_public_key_from_file("../functionary_bob/bob.pub")
+  key_carl  = _load_public_key_from_file("../functionary_carl/carl.pub")  
+
 
   layout = Layout.read({
       "_type": "layout",

diff --git a/requirements.txt b/requirements.txt
@@ -1 +1,2 @@
 in-toto==2.3.0
+cryptography==42.0.7
diff --git a/run_demo.py b/run_demo.py
@@ -33,7 +33,7 @@ def supply_chain():
                     " --verbose"
                     " --use-dsse"
                     " --step-name clone --products demo-project/foo.py"
-                    " --key bob -- git clone https://github.com/in-toto/demo-project.git")
+                    " --signing-key bob -- git clone https://github.com/in-toto/demo-project.git")
   print(clone_cmd)
   subprocess.call(shlex.split(clone_cmd))
 
@@ -43,7 +43,7 @@ def supply_chain():
                     " --verbose"
                     " --use-dsse"
                     " --step-name update-version"
-                    " --key bob"
+                    " --signing-key bob"
                     " --materials demo-project/foo.py")
 
   print(update_version_start_cmd)
@@ -58,7 +58,7 @@ def supply_chain():
                     " --verbose"
                     " --use-dsse"
                     " --step-name update-version"
-                    " --key bob"
+                    " --signing-key bob"
                     " --products demo-project/foo.py")
 
   print(update_version_stop_cmd)
@@ -73,7 +73,7 @@ def supply_chain():
                  " --use-dsse"
                  " --step-name package --materials demo-project/foo.py"
                  " --products demo-project.tar.gz"
-                 " --key carl --record-streams"
+                 " --signing-key carl --record-streams"
                  " -- tar --exclude '.git' -zcvf demo-project.tar.gz demo-project")
   print(package_cmd)
   subprocess.call(shlex.split(package_cmd))
@@ -94,7 +94,7 @@ def supply_chain():
   verify_cmd = ("in-toto-verify"
                 " --verbose"
                 " --layout root.layout"
-                " --layout-key alice.pub")
+                " --verification-keys alice.pub")
   print(verify_cmd)
   retval = subprocess.call(shlex.split(verify_cmd))
   print("Return value: " + str(retval))
@@ -115,7 +115,7 @@ def supply_chain():
                  " --use-dsse"
                  " --step-name package --materials demo-project/foo.py"
                  " --products demo-project.tar.gz"
-                 " --key carl --record-streams"
+                 " --signing-key carl --record-streams"
                  " -- tar --exclude '.git' -zcvf demo-project.tar.gz demo-project")
   print(package_cmd)
   subprocess.call(shlex.split(package_cmd))
@@ -136,7 +136,7 @@ def supply_chain():
   verify_cmd = ("in-toto-verify"
                 " --verbose"
                 " --layout root.layout"
-                " --layout-key alice.pub")
+                " --verification-keys alice.pub")
 
   print(verify_cmd)
   retval = subprocess.call(shlex.split(verify_cmd))