
fix: upgrade sigstore Signer to use sigstore v4#532

Merged
mihaimaruseac merged 2 commits into sigstore:main from spencerschrock:protobuf-specs on Sep 26, 2025

Conversation

spencerschrock (Contributor) commented Sep 24, 2025

Summary

  1. Manually specify sigstore_protobuf_specs as a dependency as sigstore no longer includes it.

  2. Handle the sigstore_signer breaking changes based on: https://www.github.com/sigstore/sigstore-python/pull/1363

Fixes #531

Checklist
  • All commits are signed-off, using DCO
  • All new code has docstrings and type annotations
  • All new code is covered by tests. Aim for at least 90% coverage. CI is configured to highlight lines not covered by tests.
  • Public facing changes are paired with documentation changes
  • Release note has been added to CHANGELOG.md if needed

@spencerschrock spencerschrock requested review from a team as code owners September 24, 2025 19:33
mihaimaruseac (Member) previously approved these changes Sep 24, 2025 and left a comment:

Amazing! Thank you!

mihaimaruseac (Member) commented:

Oh, it seems verification fails for non sigstore paths :( I was afraid of this

spencerschrock (Contributor, Author) commented:

Oh, it seems verification fails for non sigstore paths :( I was afraid of this

Still diving into the tests, but I forgot to fix the unit test mocks.

spencerschrock (Contributor, Author) commented:

Fixed the unit tests, but signing/verifying between Windows and Linux/macOS seems to be broken still.

jku (Member) commented Sep 25, 2025

It looks like sigstore-python has just been getting lucky on Windows so far... I admit I didn't know that encoding is still guesswork in Python on Windows. This clearly looks like a bug that is now very prominent because rekor2 entries all trigger it.

The cross os test is a neat idea, I will steal that.

1. Manually specify `sigstore_protobuf_specs` as a dependency as
   `sigstore` no longer includes it.

2. Handle the sigstore_signer breaking changes based on:
   https://www.github.com/sigstore/sigstore-python/pull/1363

Signed-off-by: Spencer Schrock <sschrock@google.com>
@spencerschrock spencerschrock force-pushed the protobuf-specs branch 2 times, most recently from 3484e67 to cd4039e Compare September 25, 2025 15:39
Comment on lines 106 to -113
@override
def write(self, path: pathlib.Path) -> None:
path.write_text(self.bundle.to_json())
path.write_text(self.bundle.to_json(), encoding="utf-8")

@classmethod
@override
def read(cls, path: pathlib.Path) -> Self:
content = path.read_text()
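Review bot: the read side still calls `content = path.read_text()` with no encoding, so on Windows it decodes with the locale default (cp1252, per the commit message) while `write` now emits UTF-8; pass `encoding="utf-8"` to `read_text` as well so a bundle written on one OS reads back identically on another.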
spencerschrock (Contributor, Author) commented:

I'm assuming we may need to handle backwards compatibility depending on whether NVIDIA has signed on Windows or not.

But also, we should follow along to see if we should write sigs as text or bytes:
sigstore/sigstore-python#1553 (comment)

mihaimaruseac (Member) commented:

Yeah, I think it's a great idea to switch everything to be UTF-8 by default.

Rekor v2 makes use of an em dash `—` in its checkpoint format, which was
causing issues when writing the JSON bundle to disk. Linux and macOS
default to "utf-8" when writing text files without a provided encoding,
while Windows defaults to "cp1252".

RFC8259 states JSON text must be "utf-8":
https://datatracker.ietf.org/doc/html/rfc8259#section-8.1

Signed-off-by: Spencer Schrock <sschrock@google.com>
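The encoding mismatch described in the commit message above, as an added example that is not code from the PR or from sigstore-python: it simulates a bundle written on one OS and read on another by passing explicit encodings (cp1252 for the Windows default the commit message names, utf-8 for Linux/macOS), and includes a check that a signature file on disk is the UTF-8 JSON that RFC 8259 requires. The bundle contents, field name and file name are constructed.

```python
import json
import pathlib
import tempfile

# Constructed stand-in for a bundle whose checkpoint text carries an em dash;
# the field name is illustrative, not the real sigstore bundle schema.
SAMPLE_BUNDLE = {"checkpoint": "rekor-v2 — constructed checkpoint line"}


def write_bundle(path: pathlib.Path, bundle: dict, encoding: str) -> None:
    """Write the bundle as JSON text with an explicit encoding."""
    # ensure_ascii=False emits the em dash as a raw character rather than an
    # ASCII escape sequence, which is what makes the file encoding matter.
    path.write_text(json.dumps(bundle, ensure_ascii=False), encoding=encoding)


def read_bundle(path: pathlib.Path, encoding: str) -> dict:
    """Read the bundle back with an explicit encoding."""
    return json.loads(path.read_text(encoding=encoding))


def cross_os_roundtrip(writer_encoding: str, reader_encoding: str) -> str:
    """Simulate signing on one OS and verifying on another.

    Returns "ok" when the reader recovers the bundle, the exception class
    name when decoding fails, and "mismatch" when it decodes to mojibake.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = pathlib.Path(tmp) / "model.sig"
        write_bundle(path, SAMPLE_BUNDLE, writer_encoding)
        try:
            recovered = read_bundle(path, reader_encoding)
        except UnicodeDecodeError as err:
            return type(err).__name__
    return "ok" if recovered == SAMPLE_BUNDLE else "mismatch"


def is_utf8_json(path: pathlib.Path) -> bool:
    """Check that a signature file on disk is UTF-8 JSON (RFC 8259 s. 8.1)."""
    try:
        json.loads(path.read_bytes().decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return False
    return True


def written_file_is_utf8_json(encoding: str) -> bool:
    """Write SAMPLE_BUNDLE with `encoding`, then run the RFC 8259 check on it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = pathlib.Path(tmp) / "model.sig"
        write_bundle(path, SAMPLE_BUNDLE, encoding)
        return is_utf8_json(path)
```

A cp1252 writer paired with a utf-8 reader fails outright on the em dash byte, while the reverse pairing decodes silently to mojibake, which is why an explicit encoding on both write and read is needed.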
@mihaimaruseac mihaimaruseac merged commit 8d54db8 into sigstore:main Sep 26, 2025
65 of 66 checks passed
@spencerschrock spencerschrock deleted the protobuf-specs branch September 26, 2025 13:07
Development

Successfully merging this pull request may close these issues.

library not working anymore due to sigstore 4.0.0 being used and missing sigstore_protobuf_spec

3 participants