update conformance cli to support sigstore staging (#1084)
Signed-off-by: Brian DeHamer <[email protected]>
bdehamer authored Mar 25, 2024
1 parent afa65a3 commit 345fe37
Showing 7 changed files with 66 additions and 0 deletions.
2 changes: 2 additions & 0 deletions .changeset/polite-crabs-perform.md
@@ -0,0 +1,2 @@
---
---
4 changes: 4 additions & 0 deletions .github/workflows/conformance.yml
Expand Up @@ -29,3 +29,7 @@ jobs:
with:
entrypoint: ${{ github.workspace }}/packages/conformance/bin/run
xfail: "test_verify_with_trust_root"
- uses: sigstore/sigstore-conformance@ee4de0e602873beed74cf9e49d5332529fe69bf6 # v0.0.11
with:
entrypoint: ${{ github.workspace }}/packages/conformance/bin/run
environment: staging
10 changes: 10 additions & 0 deletions packages/conformance/src/commands/sign-bundle.ts
@@ -1,6 +1,7 @@
import { Args, Command, Flags } from '@oclif/core';
import fs from 'fs/promises';
import * as sigstore from 'sigstore';
import { FULCIO_STAGING_URL, REKOR_STAGING_URL } from '../staging';

export default class SignBundle extends Command {
static override flags = {
Expand All @@ -12,6 +13,10 @@ export default class SignBundle extends Command {
description: 'path to which the bundle will be written',
required: true,
}),
staging: Flags.boolean({
description: 'whether to use the staging environment',
default: false,
}),
};

static override args = {
Expand All @@ -29,6 +34,11 @@ export default class SignBundle extends Command {
identityToken: flags['identity-token'],
};

if (flags['staging']) {
options.fulcioURL = FULCIO_STAGING_URL;
options.rekorURL = REKOR_STAGING_URL;
}

const artifact = await fs.readFile(args.artifact);
const bundle = await sigstore.sign(artifact, options);

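Review bot: The `if (flags['staging'])` block patches `options` after the literal has been built and is repeated line-for-line in sign.ts, so the two commands will drift the next time the staging endpoints change; a single export in staging.ts, `export const STAGING_SIGN_OPTIONS = { fulcioURL: FULCIO_STAGING_URL, rekorURL: REKOR_STAGING_URL } as const;`, spread into the literal as `...(flags['staging'] ? STAGING_SIGN_OPTIONS : {})`, keeps them in step and avoids the post-construction mutation. The flag description should also tell the operator what the switch means for trust: a bundle signed through the sigstage.dev Fulcio/Rekor pair will not verify against the production trust root, so the verify side must be run with its own `--staging`; e.g. `description: 'sign with the Sigstore staging instance (sigstage.dev); the resulting bundle verifies only with --staging'`. The `run` method containing this block starts and ends outside the hunk.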
10 changes: 10 additions & 0 deletions packages/conformance/src/commands/sign.ts
@@ -1,6 +1,7 @@
import { Args, Command, Flags } from '@oclif/core';
import fs from 'fs/promises';
import * as sigstore from 'sigstore';
import { FULCIO_STAGING_URL, REKOR_STAGING_URL } from '../staging';

export default class Sign extends Command {
static override flags = {
Expand All @@ -16,6 +17,10 @@ export default class Sign extends Command {
description: 'path to which the certificate will be written',
required: true,
}),
staging: Flags.boolean({
description: 'whether to use the staging environment',
default: false,
}),
};

static override args = {
Expand All @@ -33,6 +38,11 @@ export default class Sign extends Command {
identityToken: flags['identity-token'],
};

if (flags['staging']) {
options.fulcioURL = FULCIO_STAGING_URL;
options.rekorURL = REKOR_STAGING_URL;
}

const artifact = await fs.readFile(args.artifact);
const bundle = await sigstore.sign(artifact, options);

17 changes: 17 additions & 0 deletions packages/conformance/src/commands/verify-bundle.ts
Expand Up @@ -3,7 +3,10 @@ import { bundleFromJSON } from '@sigstore/bundle';
import { TrustedRoot } from '@sigstore/protobuf-specs';
import { Verifier, toSignedEntity, toTrustMaterial } from '@sigstore/verify';
import fs from 'fs/promises';
import os from 'os';
import path from 'path';
import * as sigstore from 'sigstore';
import { TUF_STAGING_ROOT, TUF_STAGING_URL } from '../staging';

export default class VerifyBundle extends Command {
static override flags = {
Expand All @@ -24,6 +27,10 @@ export default class VerifyBundle extends Command {
description: 'path to trusted root',
required: false,
}),
staging: Flags.boolean({
description: 'whether to use the staging environment',
default: false,
}),
};

static override args = {
Expand All @@ -49,6 +56,16 @@ export default class VerifyBundle extends Command {
certificateIssuer: flags['certificate-oidc-issuer'],
};

if (flags['staging']) {
// Write the initial root.json to a temporary directory
const tmpPath = await fs.mkdtemp(path.join(os.tmpdir(), 'sigstore-'));
const rootPath = path.join(tmpPath, 'root.json');
await fs.writeFile(rootPath, Buffer.from(TUF_STAGING_ROOT, 'base64'));

options.tufMirrorURL = TUF_STAGING_URL;
options.tufRootPath = rootPath;
}

sigstore.verify(bundle, artifact, options);
} else {
// Need to assemble the Verifier manually to pass in the trusted root
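Review bot: The directory created by `fs.mkdtemp` in the staging branch is never removed, so every `--staging` verification leaves a `sigstore-*` directory containing a root.json in the OS temp dir; the identical block in verify.ts has the same leak. Hoisting `tmpPath` above the `if` and removing it in a `finally` fixes that, but note that the `sigstore.verify(bundle, artifact, options)` call on the line after the block is not awaited in the hunk — if it returns a promise (I cannot confirm the return type from here), the cleanup has to wait on it or the root file may be deleted while the TUF client is still reading it. Unless the TUF client keys its on-disk cache by mirror URL, which is not visible here, it would also be safer to set `options.tufCachePath = tmpPath` so staging metadata is never written into the default cache next to the production root. The enclosing `run` method starts and ends outside the hunk.
```typescript
let tmpPath: string | undefined;
if (flags['staging']) {
  // Write the initial root.json to a temporary directory
  tmpPath = await fs.mkdtemp(path.join(os.tmpdir(), 'sigstore-'));
  const rootPath = path.join(tmpPath, 'root.json');
  await fs.writeFile(rootPath, Buffer.from(TUF_STAGING_ROOT, 'base64'));

  options.tufMirrorURL = TUF_STAGING_URL;
  options.tufRootPath = rootPath;
  // keep staging TUF metadata out of the default (production) cache
  options.tufCachePath = tmpPath;
}

try {
  await sigstore.verify(bundle, artifact, options);
} finally {
  // remove the staging root.json (and cache) once verification has finished
  if (tmpPath) await fs.rm(tmpPath, { recursive: true, force: true });
}
```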
17 changes: 17 additions & 0 deletions packages/conformance/src/commands/verify.ts
@@ -1,7 +1,10 @@
import { Args, Command, Flags } from '@oclif/core';
import crypto, { BinaryLike } from 'crypto';
import fs from 'fs/promises';
import os from 'os';
import path from 'path';
import * as sigstore from 'sigstore';
import { TUF_STAGING_ROOT, TUF_STAGING_URL } from '../staging';

export default class Verify extends Command {
static override flags = {
Expand All @@ -22,6 +25,10 @@ export default class Verify extends Command {
description: 'the expected OIDC issuer for the signing certificate',
required: true,
}),
staging: Flags.boolean({
description: 'whether to use the staging environment',
default: false,
}),
};

static override args = {
Expand Down Expand Up @@ -51,6 +58,16 @@ export default class Verify extends Command {
tlogThreshold: 0,
};

if (flags['staging']) {
// Write the initial root.json to a temporary directory
const tmpPath = await fs.mkdtemp(path.join(os.tmpdir(), 'sigstore-'));
const rootPath = path.join(tmpPath, 'root.json');
await fs.writeFile(rootPath, Buffer.from(TUF_STAGING_ROOT, 'base64'));

options.tufMirrorURL = TUF_STAGING_URL;
options.tufRootPath = rootPath;
}

sigstore.verify(bundle, artifact, options);
}
}
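--- a/packages/conformance/src/staging.ts
+++ b/packages/conformance/src/staging.ts
@@ -0,0 +1,6 @@
+export const FULCIO_STAGING_URL = 'https://fulcio.sigstage.dev';
+export const REKOR_STAGING_URL = 'https://rekor.sigstage.dev';
+
+export const TUF_STAGING_URL = 'https://tuf-repo-cdn.sigstage.dev';
+export const TUF_STAGING_ROOT =
+'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';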
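Review bot: `TUF_STAGING_ROOT` is an opaque string with no documentation, so a reader of this module cannot tell what it encodes, where it came from, or when it has to change; the verify commands decode it with `Buffer.from(TUF_STAGING_ROOT, 'base64')` and hand it to the TUF client as the initial root, which makes it the trust anchor for every `--staging` verification. Add a comment above it such as `// base64-encoded initial root.json for the staging TUF repository at TUF_STAGING_URL; this is the trust anchor for --staging verification and must be replaced when the staging root keys are rotated`, and a one-line module header stating that these are the sigstage.dev endpoints, which are not trusted by production verifiers.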
