_internal/trust: Upgrade to SigningConfig 0.2

* Let's forget that v0.1 ever existed (it was not really used): We could
  try to support both but since 0.1 does not really work, I won't bother
* Support signing config v0.2 in a minimal way (see note on selectors below)

Things that could be improved:
* Rekor client is still a bit of a hack: that area likely needs a
  redesign
* The "service selectors" in SigningConfig are not all yet supported:
  Only the ANY selector works (this is the one staging will use soon)
* The CLI does not yet use the OIDC provider specified in SigningConfig
  (this should be a small refactor)

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

Author: jku

pyproject.toml

@@ -38,7 +38,7 @@ dependencies = [
   "rfc8785 ~= 0.1.2",
   "rfc3161-client >= 0.1.2,< 1.1.0",
   # NOTE(ww): Both under active development, so strictly pinned.
-  "sigstore-protobuf-specs == 0.3.5",
+  "sigstore-protobuf-specs == 0.4.1",
   "sigstore-rekor-types == 0.0.18",
   "tuf ~= 6.0",
   "platformdirs ~= 4.2",

sigstore/_internal/trust.py

@@ -45,8 +45,13 @@
     ClientTrustConfig as _ClientTrustConfig,
 )
 from sigstore_protobuf_specs.dev.sigstore.trustroot.v1 import (
+    Service,
+    ServiceSelector,
     TransparencyLogInstance,
 )
+from sigstore_protobuf_specs.dev.sigstore.trustroot.v1 import (
+    SigningConfig as _SigningConfig,
+)
 from sigstore_protobuf_specs.dev.sigstore.trustroot.v1 import (
     TrustedRoot as _TrustedRoot,
 )
@@ -278,6 +283,114 @@ def certificates(self, *, allow_expired: bool) -> list[Certificate]:
         return self._certificates
 
 
+class SigningConfig:
+    """
+    Signing configuration for a Sigstore instance.
+    """
+
+    class SigningConfigType(str, Enum):
+        """
+        Known Sigstore signing config media types.
+        """
+
+        SIGNING_CONFIG_0_2 = "application/vnd.dev.sigstore.signingconfig.v0.2+json"
+
+        def __str__(self) -> str:
+            """Returns the variant's string value."""
+            return self.value
+
+    def __init__(self, inner: _SigningConfig):
+        """
+        Construct a new `SigningConfig`.
+
+        @api private
+        """
+        self._inner = inner
+        self._verify()
+
+    def _verify(self) -> None:
+        """
+        Performs various feats of heroism to ensure that the signing config
+        is well-formed.
+        """
+
+        # must have a recognized media type.
+        try:
+            SigningConfig.SigningConfigType(self._inner.media_type)
+        except ValueError:
+            raise Error(f"unsupported signing config format: {self._inner.media_type}")
+
+        # currently not supporting other select modes
+        # TODO: Support other modes ensuring tsa_urls() and tlog_urls() work
+        if self._inner.rekor_tlog_config.selector != ServiceSelector.ANY:
+            raise Error(
+                f"unsupported tlog selector {self._inner.rekor_tlog_config.selector}"
+            )
+        if self._inner.tsa_config.selector != ServiceSelector.ANY:
+            raise Error(f"unsupported TSA selector {self._inner.tsa_config.selector}")
+
+    @classmethod
+    def from_file(
+        cls,
+        path: str,
+    ) -> SigningConfig:
+        """Create a new signing config from file"""
+        inner = _SigningConfig().from_json(Path(path).read_bytes())
+        return cls(inner)
+
+    @staticmethod
+    def _get_valid_service_url(services: list[Service]) -> str | None:
+        for service in services:
+            if service.major_api_version != 1:
+                continue
+
+            if not _is_timerange_valid(service.valid_for, allow_expired=False):
+                continue
+            return service.url
+        return None
+
+    def get_tlog_urls(self) -> list[str]:
+        """
+        Returns the rekor transparency logs that client should sign with.
+        Currently only returns a single one but could in future return several
+        """
+
+        url = self._get_valid_service_url(self._inner.rekor_tlog_urls)
+        if not url:
+            raise Error("No valid Rekor transparency log found in signing config")
+        return [url]
+
+    def get_fulcio_url(self) -> str:
+        """
+        Returns url for the fulcio instance that client should use to get a
+        signing certificate from
+        """
+        url = self._get_valid_service_url(self._inner.ca_urls)
+        if not url:
+            raise Error("No valid Fulcio CA found in signing config")
+        return url
+
+    def get_oidc_url(self) -> str:
+        """
+        Returns url for the OIDC provider that client should use to interactively
+        authenticate.
+        """
+        url = self._get_valid_service_url(self._inner.oidc_urls)
+        if not url:
+            raise Error("No valid OIDC provider found in signing config")
+        return url
+
+    def get_tsa_urls(self) -> list[str]:
+        """
+        Returns timestamp authority API end points. Currently returns a single one
+        but may return more in future.
+        """
+        url = self._get_valid_service_url(self._inner.tsa_urls)
+        if not url:
+            raise Error("No valid Timestamp Authority found in signing config")
+        return [url]
+
+
 class TrustedRoot:
     """
     The cryptographic root(s) of trust for a Sigstore instance.
@@ -473,3 +586,10 @@ def trusted_root(self) -> TrustedRoot:
         Return the interior root of trust, as a `TrustedRoot`.
         """
         return TrustedRoot(self._inner.trusted_root)
+
+    @property
+    def signing_config(self) -> SigningConfig:
+        """
+        Return the interior root of trust, as a `SigningConfig`.
+        """
+        return SigningConfig(self._inner.signing_config)

sigstore/sign.py

@@ -352,13 +352,13 @@ def _from_trust_config(cls, trust_config: ClientTrustConfig) -> SigningContext:
 
         @api private
         """
+        signing_config = trust_config.signing_config
         return cls(
-            fulcio=FulcioClient(trust_config._inner.signing_config.ca_url),
-            rekor=RekorClient(trust_config._inner.signing_config.tlog_urls[0]),
+            fulcio=FulcioClient(signing_config.get_fulcio_url()),
+            rekor=RekorClient(signing_config.get_tlog_urls()[0]),
             trusted_root=trust_config.trusted_root,
             tsa_clients=[
-                TimestampAuthorityClient(tsa_url)
-                for tsa_url in trust_config._inner.signing_config.tsa_urls
+                TimestampAuthorityClient(url) for url in signing_config.get_tsa_urls()
             ],
         )
 

test/assets/signing_config/signingconfig.v2.json

@@ -0,0 +1,60 @@
+{
+  "mediaType": "application/vnd.dev.sigstore.signingconfig.v0.2+json",
+  "caUrls": [
+    {
+      "url": "https://fulcio.example.com",
+      "majorApiVersion": 1,
+      "validFor": {
+        "start": "2023-04-14T21:38:40Z"
+      }
+    },
+    {
+      "url": "https://fulcio-old.example.com",
+      "majorApiVersion": 1,
+      "validFor": {
+        "start": "2022-04-14T21:38:40Z",
+        "end": "2023-04-14T21:38:40Z"
+      }
+    }
+  ],
+  "oidcUrls": [
+    {
+      "url": "https://oauth2.example.com/auth",
+      "majorApiVersion": 1,
+      "validFor": {
+        "start": "2025-04-16T00:00:00Z"
+      }
+    }
+  ],
+  "rekorTlogUrls": [
+    {
+      "url": "https://rekor.example.com",
+      "majorApiVersion": 1,
+      "validFor": {
+        "start": "2021-01-12T11:53:27Z"
+      }
+    },
+    {
+      "url": "https://rekor-v2.example.com",
+      "majorApiVersion": 2,
+      "validFor": {
+        "start": "2021-01-12T11:53:27Z"
+      }
+    }
+  ],
+  "tsaUrls": [
+    {
+      "url": "https://timestamp.example.com/api/v1/timestamp",
+      "majorApiVersion": 1,
+      "validFor": {
+        "start": "2025-04-09T00:00:00Z"
+      }
+    }
+  ],
+  "rekorTlogConfig": {
+    "selector": "ANY"
+  },
+  "tsaConfig": {
+    "selector": "ANY"
+  }
+}

test/assets/trust_config/config.badtype.json

@@ -114,14 +114,64 @@
             }
         ]
     },
-    "signingConfig": {
-        "caUrl": "https://fakeca.example.com",
-        "oidcUrl": "https://fakeoidc.example.com",
-        "tlogUrls": [
-            "https://fakelog.example.com"
+    "signing_config": {
+        "mediaType": "application/vnd.dev.sigstore.signingconfig.v0.2+json",
+        "caUrls": [
+            {
+                "url": "https://fulcio.example.com",
+                "majorApiVersion": 1,
+                "validFor": {
+                "start": "2023-04-14T21:38:40Z"
+                }
+            },
+            {
+                "url": "https://fulcio-old.example.com",
+                "majorApiVersion": 1,
+                "validFor": {
+                "start": "2022-04-14T21:38:40Z",
+                "end": "2023-04-14T21:38:40Z"
+                }
+            }
+        ],
+        "oidcUrls": [
+            {
+                "url": "https://oauth2.example.com/auth",
+                "majorApiVersion": 1,
+                "validFor": {
+                    "start": "2025-04-16T00:00:00Z"
+                }
+            }
+        ],
+        "rekorTlogUrls": [
+            {
+                "url": "https://rekor.example.com",
+                "majorApiVersion": 1,
+                "validFor": {
+                    "start": "2021-01-12T11:53:27Z"
+                }
+            },
+            {
+                "url": "https://rekor-v2.example.com",
+                "majorApiVersion": 2,
+                "validFor": {
+                    "start": "2021-01-12T11:53:27Z"
+                }
+            }
         ],
         "tsaUrls": [
-            "https://faketsa.example.com"
-        ]
+            {
+                "url": "https://timestamp.example.com/api/v1/timestamp",
+                "majorApiVersion": 1,
+                "validFor": {
+                    "start": "2025-04-09T00:00:00Z"
+                }
+            }
+        ],
+        "rekorTlogConfig": {
+            "selector": "ANY"
+        },
+        "tsaConfig": {
+            "selector": "ANY"
+        }
     }
 }

test/assets/trust_config/config.v1.json

@@ -114,14 +114,64 @@
             }
         ]
     },
-    "signingConfig": {
-        "caUrl": "https://fakeca.example.com",
-        "oidcUrl": "https://fakeoidc.example.com",
-        "tlogUrls": [
-            "https://fakelog.example.com"
+    "signing_config": {
+        "mediaType": "application/vnd.dev.sigstore.signingconfig.v0.2+json",
+        "caUrls": [
+            {
+                "url": "https://fulcio.example.com",
+                "majorApiVersion": 1,
+                "validFor": {
+                "start": "2023-04-14T21:38:40Z"
+                }
+            },
+            {
+                "url": "https://fulcio-old.example.com",
+                "majorApiVersion": 1,
+                "validFor": {
+                "start": "2022-04-14T21:38:40Z",
+                "end": "2023-04-14T21:38:40Z"
+                }
+            }
+        ],
+        "oidcUrls": [
+            {
+                "url": "https://oauth2.example.com/auth",
+                "majorApiVersion": 1,
+                "validFor": {
+                    "start": "2025-04-16T00:00:00Z"
+                }
+            }
+            ],
+            "rekorTlogUrls": [
+            {
+                "url": "https://rekor.example.com",
+                "majorApiVersion": 1,
+                "validFor": {
+                    "start": "2021-01-12T11:53:27Z"
+                }
+            },
+            {
+                "url": "https://rekor-v2.example.com",
+                "majorApiVersion": 2,
+                "validFor": {
+                    "start": "2021-01-12T11:53:27Z"
+                }
+            }
         ],
         "tsaUrls": [
-            "https://faketsa.example.com"
-        ]
+            {
+                "url": "https://timestamp.example.com/api/v1/timestamp",
+                "majorApiVersion": 1,
+                "validFor": {
+                    "start": "2025-04-09T00:00:00Z"
+                }
+            }
+        ],
+        "rekorTlogConfig": {
+            "selector": "ANY"
+        },
+        "tsaConfig": {
+            "selector": "ANY"
+        }
     }
 }