Skip to content

sign, verify: Expose sign and verify as importable modules#383

Merged
woodruffw merged 16 commits intomainfrom
alex/public-api
Jan 7, 2023
Merged

sign, verify: Expose sign and verify as importable modules#383
woodruffw merged 16 commits intomainfrom
alex/public-api

Conversation

@tetsuo-cpp
Copy link
Copy Markdown
Contributor

@tetsuo-cpp tetsuo-cpp commented Jan 5, 2023

Closes #4

@tetsuo-cpp
sign, verify: Expose sign and verify as importable modules
e09fd92 
Signed-off-by: Alex Cameron <asc@tetsuo.sh>
@tetsuo-cpp
Copy link
Copy Markdown
Contributor Author

tetsuo-cpp commented Jan 5, 2023
edited
Loading

Do we also want to somehow expose the web browser workflow and ambient credential detection? The signing side of the API is hard to use without these.

Either that or only expose verification initially.

I'm writing a simple example to test the verify API to get an idea for what this looks like for users.

@tetsuo-cpp tetsuo-cpp requested review from di and woodruffw January 5, 2023 01:03
@tetsuo-cpp
Copy link
Copy Markdown
Contributor Author

tetsuo-cpp commented Jan 5, 2023 

import base64
from pathlib import Path

from sigstore.verify import Verifier, VerificationMaterials
from sigstore.verify.policy import Identity

artifact = Path("README.md")
cert = Path("README.md.crt")
signature = Path("README.md.sig")

with artifact.open("rb") as a, cert.open("r") as c, signature.open("rb") as s:
    materials = VerificationMaterials(
        input_=a,
        cert_pem=c.read(),
        signature=base64.b64decode(s.read()),
        offline_rekor_entry=None,
    )
    verifier = Verifier.production()
    result = verifier.verify(
        materials,
        Identity(
            identity="alex.cameron@trailofbits.com",
            issuer="https://accounts.google.com",
        ),
    )
    print(result)

@woodruffw
Copy link
Copy Markdown
Member

woodruffw commented Jan 5, 2023

Do we also want to somehow expose the web browser workflow and ambient credential detection? The signing side of the API is hard to use without these.

Yeah, let's expose these as well. Let's make sure to expose the minimum surface necessary for each -- probably just the top-level functions/classes.

tetsuo-cpp
tetsuo-cpp commented Jan 6, 2023
View reviewed changes
tetsuo-cpp
tetsuo-cpp commented Jan 6, 2023
View reviewed changes
sigstore/_internal/rekor/client.py
)

def to_bundle(self) -> RekorBundle:
def from_entry(cls, entry: RekorEntry) -> RekorBundle:
Copy link
Copy Markdown
Contributor Author

@tetsuo-cpp tetsuo-cpp Jan 6, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I moved this to_bundle method from the RekorEntry to a from_entry class method. This minimises the public API and means that it doesn't have to know about this bundle type.

Copy link
Copy Markdown
Member

@woodruffw woodruffw Jan 6, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That works for me. IMO it would also be acceptable to have the RekorBundle be part of the public API, since it's a well-defined public format already. But we can move forwards with this for now.

@tetsuo-cpp
rekor: Move from_response helper to internal module
90159e7 
Signed-off-by: Alex Cameron <asc@tetsuo.sh>
tetsuo-cpp
tetsuo-cpp commented Jan 6, 2023
View reviewed changes
tetsuo-cpp
tetsuo-cpp commented Jan 6, 2023
View reviewed changes
sigstore/oidc.py
Raises `AmbientCredentialError` if any detector fails internally (i.e.
detects a credential, but cannot retrieve it).
"""
from sigstore._internal.oidc.ambient import detect_gcp, detect_github
Copy link
Copy Markdown
Contributor Author

@tetsuo-cpp tetsuo-cpp Jan 6, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Had to do this to avoid circular imports. I figured this would be better than further complicating the tree with more modules, but I can try fixing this another way if you'd like.

@tetsuo-cpp
oidc: Add top-level oidc module
4a8b76f 
Signed-off-by: Alex Cameron <asc@tetsuo.sh>
@tetsuo-cpp
Copy link
Copy Markdown
Contributor Author

tetsuo-cpp commented Jan 6, 2023

The sign workflow looks reasonable too.

from pathlib import Path

from sigstore.sign import Signer
from sigstore.oidc import get_identity_token, Issuer

artifact = Path("README.md")
token = get_identity_token("sigstore", "", Issuer("https://oauth2.sigstore.dev/auth"))

with artifact.open("rb") as a:
    signer = Signer.production()
    result = signer.sign(input_=a, identity_token=token)
    print(result)

@tetsuo-cpp
Copy link
Copy Markdown
Contributor Author

tetsuo-cpp commented Jan 6, 2023
edited
Loading

One thing to note. The constructors for Signer takes FulcioClient and RekorClient and Verifier takes RekorClient. I'm assuming we probably don't want to expose these client types yet so I've left them under _internal. I don't think this is a big deal as most users are going to instantiate with one of the production or staging class methods.

The only issue is that pydoc still generates documentation for this constructor despite it not really being a usable part of the API.

@woodruffw woodruffw added the component:api Public APIs label Jan 6, 2023
@woodruffw woodruffw added this to the Stable release (1.0) milestone Jan 6, 2023
@woodruffw
Copy link
Copy Markdown
Member

woodruffw commented Jan 6, 2023

Thanks @tetsuo-cpp! I'll review in a bit.

@woodruffw woodruffw mentioned this pull request Jan 6, 2023
Merged
23 tasks
@woodruffw
Copy link
Copy Markdown
Member

woodruffw commented Jan 6, 2023

One thing to note. The constructors for Signer takes FulcioClient and RekorClient and Verifier takes RekorClient. I'm assuming we probably don't want to expose these client types yet so I've left them under _internal. I don't think this is a big deal as most users are going to instantiate with one of the production or staging class methods.

Yeah, I don't think we want to expose those directly. I'll see about maybe hiding the constructor in the docs.

@woodruffw
rekor, _internal: prefer private classmethod
23eb302 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
sigstore: issuer refactoring
a8a0a01 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
_cli: warn on subcommand-position --staging
06ffcfe 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
Makefile, sigstore: fix lints
284731a 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
README, _cli: fix --help text
1e6ac18 
Signed-off-by: William Woodruff <william@trailofbits.com>
woodruffw
woodruffw reviewed Jan 6, 2023
View reviewed changes
sigstore/_cli.py
@@ -122,9 +119,14 @@ def _set_default_verify_subparser(parser: argparse.ArgumentParser, name: str) ->
def _add_shared_instance_options(group: argparse._ArgumentGroup) -> None:
Copy link
Copy Markdown
Member

@woodruffw woodruffw Jan 6, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

N.B.: Conceptually these common options belong at the global sigstore level, rather than embedded into each subcommand. I've moved one of them in this PR (--staging) because I needed to fix its behavior with get-identity-token, but I'll move the rest in a follow-up.

@woodruffw
Copy link
Copy Markdown
Member

woodruffw commented Jan 6, 2023

The sign workflow looks reasonable too.

from pathlib import Path

from sigstore.sign import Signer
from sigstore.oidc import get_identity_token, Issuer

artifact = Path("README.md")
token = get_identity_token("sigstore", "", Issuer("https://oauth2.sigstore.dev/auth"))

with artifact.open("rb") as a:
    signer = Signer.production()
    result = signer.sign(input_=a, identity_token=token)
    print(result)

NB, this is now:

from pathlib import Path

from sigstore.sign import Signer
from sigstore.oidc import Issuer

artifact = Path("README.md")
token = Issuer.production().identity_token()

with artifact.open("rb") as a:
    signer = Signer.production()
    result = signer.sign(input_=a, identity_token=token)
    print(result)

woodruffw
woodruffw previously approved these changes Jan 6, 2023
View reviewed changes
Copy link
Copy Markdown
Member

@woodruffw woodruffw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but I'll wait for @di to approve since I've been modifying things.

woodruffw
woodruffw reviewed Jan 6, 2023
View reviewed changes
@woodruffw
Makefile, pyproject: SQLite mypy cache in config
a345a84 
Signed-off-by: William Woodruff <william@trailofbits.com>
woodruffw
woodruffw previously approved these changes Jan 6, 2023
View reviewed changes
@woodruffw
Merge branch 'main' into alex/public-api
469c20a
@woodruffw
CHANGELOG: record changes
dcd1de3 
Signed-off-by: William Woodruff <william@trailofbits.com>
@tetsuo-cpp
Copy link
Copy Markdown
Contributor Author

tetsuo-cpp commented Jan 7, 2023

Thanks @woodruffw. Those changes to the get_identity_token API are looking really good.

I can't approve my own PR but your changes LGTM.

@woodruffw
Copy link
Copy Markdown
Member

woodruffw commented Jan 7, 2023

I'll go ahead and merge then! 🤞

@woodruffw woodruffw merged commit 51b2279 into main Jan 7, 2023
@woodruffw woodruffw deleted the alex/public-api branch January 7, 2023 04:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@woodruffw woodruffw woodruffw approved these changes

@di di Awaiting requested review from di

Assignees

No one assigned

Labels

component:api Public APIs

Projects

None yet

Milestone

1.0

Development

Successfully merging this pull request may close these issues.

Finalize importable sigstore API

2 participants

@tetsuo-cpp @woodruffw