base repository: sigstore/sigstore-python
base: v3.6.0
head repository: sigstore/sigstore-python
compare: main
Showing with 1,216 additions and 665 deletions.
  1. +1 −1 .github/actions/upload-coverage/action.yml
  2. +63 −0 .github/workflows/check-embedded-root.yml
  3. +16 −5 .github/workflows/ci.yml
  4. +2 −2 .github/workflows/conformance.yml
  5. +2 −4 .github/workflows/docs.yml
  6. +3 −3 .github/workflows/lint.yml
  7. +2 −2 .github/workflows/pin-requirements.yml
  8. +5 −6 .github/workflows/release.yml
  9. +1 −1 .github/workflows/requirements.yml
  10. +3 −3 .github/workflows/scorecards-analysis.yml
  11. +1 −1 .github/workflows/staging-tests.yml
  12. +1 −0 .gitignore
  13. +10 −1 CHANGELOG.md
  14. +14 −3 Makefile
  15. +8 −245 README.md
  16. +22 −0 docs/advanced/custom_trust.md
  17. +43 −0 docs/advanced/offline.md
  18. +2 −0 docs/api/errors.md
  19. +2 −0 docs/api/hashes.md
  20. +6 −0 docs/api/index.md
  21. +2 −0 docs/api/models.md
  22. +2 −0 docs/api/oidc.md
  23. +2 −0 docs/api/sign.md
  24. +2 −0 docs/api/verify/policy.md
  25. +2 −0 docs/api/verify/verifier.md
  26. BIN docs/assets/images/favicon.png
  27. BIN docs/assets/images/logo.png
  28. +44 −0 docs/index.md
  29. +51 −0 docs/installation.md
  30. +145 −0 docs/policy.md
  31. +84 −0 docs/scripts/gen_ref_pages.py
  32. +133 −0 docs/signing.md
  33. +5 −0 docs/stylesheets/custom.css
  34. +95 −0 docs/verify.md
  35. +1 −1 install/requirements.in
  36. +172 −151 install/requirements.txt
  37. +83 −0 mkdocs.yml
  38. +4 −5 pyproject.toml
  39. +1 −1 sigstore/__init__.py
  40. +1 −1 sigstore/_cli.py
  41. +1 −22 sigstore/_internal/fulcio/client.py
  42. +16 −19 sigstore/_internal/sct.py
  43. +143 −154 sigstore/_store/prod/root.json
  44. +3 −4 sigstore/_store/prod/trusted_root.json
  45. +3 −9 sigstore/sign.py
  46. +0 −3 sigstore/verify/verifier.py
  47. +12 −15 test/unit/internal/test_sct.py
  48. +1 −1 test/unit/test_utils.py
  49. +1 −2 test/unit/verify/test_policy.py
2 changes: 1 addition & 1 deletion .github/actions/upload-coverage/action.yml
@@ -20,7 +20,7 @@ runs:
fi
id: coverage-uuid
shell: bash
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
- uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
with:
name: coverage-data-${{ steps.coverage-uuid.outputs.COVERAGE_UUID }}
include-hidden-files: 'true'
63 changes: 63 additions & 0 deletions .github/workflows/check-embedded-root.yml
@@ -0,0 +1,63 @@
name: Check embedded root

on:
workflow_dispatch:
schedule:
- cron: '13 13 * * 3'

jobs:
check-embedded-root:
runs-on: ubuntu-latest
permissions:
issues: write

steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

- uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
with:
python-version: "3.x"
cache: "pip"
cache-dependency-path: pyproject.toml

- name: Setup environment
run: make dev

- name: Check if embedded root is up-to-date
run: |
make update-embedded-root
git diff --exit-code
- if: failure()
name: Create an issue if embedded root is not up-to-date
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
const repo = context.repo.owner + "/" + context.repo.repo
const body = `
The Sigstore [TUF repository](https://tuf-repo-cdn.sigstore.dev/) contents have changed: the data embedded
in sigstore-python sources can be updated. This is not urgent but will improve cold-cache performance.
Run \`make update-embedded-root\` to update the embedded data.
This issue was filed by _${context.workflow}_ [workflow run](${context.serverUrl}/${repo}/actions/runs/${context.runId}).
`
const issues = await github.rest.search.issuesAndPullRequests({
q: "label:embedded-root-update+state:open+type:issue+repo:" + repo,
})
if (issues.data.total_count > 0) {
console.log("Issue for embedded root update exists already.")
} else {
github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: "Embedded TUF root is not up-to-date",
labels: ["embedded-root-update"],
body: body,
})
console.log("New issue created.")
}
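Review bot: `github.rest.issues.create({ ... })` near the end of the script is not awaited, so `console.log("New issue created.")` runs before the request completes and a rejected create call never fails the step; change the call to `await github.rest.issues.create({`. Separately, `if: failure()` on that step fires on any earlier failure — checkout, setup, `make dev`, or a transient network error inside `make update-embedded-root` — so a flaky run files an issue claiming the embedded root is stale when nothing changed. Giving the update its own step with an `id`, keeping `git diff --exit-code` in a separate step, and gating the issue step on `steps.<id>.outcome == 'failure'` would tie the issue to the actual freshness check. A comment on the "Check if embedded root is up-to-date" step saying that the new root.json is only as trustworthy as the TUF client's verification of live metadata against the currently embedded root (presumably what `update-trust-root` does — worth confirming) would also help the next reader.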
21 changes: 16 additions & 5 deletions .github/workflows/ci.yml
@@ -33,7 +33,7 @@ jobs:
with:
persist-credentials: false

- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
- uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
with:
python-version: ${{ matrix.conf.py }}
allow-prereleases: true
@@ -46,32 +46,43 @@ jobs:
- name: test (offline)
if: matrix.conf.os == 'ubuntu-latest'
run: |
# Look at me. I am the captain now.
sudo sysctl -w kernel.unprivileged_userns_clone=1
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
# We use `unshare` to "un-share" the default networking namespace,
# in effect running the tests as if the host is offline.
# This in turn effectively exercises the correctness of our
# "online-only" test markers, since any test that's online
# but not marked as such will fail.
# We also explicitly exclude the intergration tests, since these are
# We also explicitly exclude the integration tests, since these are
# always online.
unshare --map-root-user --net make test T="test/unit" TEST_ARGS="--skip-online -vv --showlocals"
- name: test
run: make test TEST_ARGS="-vv --showlocals"

# TODO: Refactor this or remove it entirely once there's
# a suitable staging TSA instance.
- name: test (timestamp-authority)
if: ${{ matrix.conf.os == 'ubuntu-latest' }}
run: |
wget https://github.com/sigstore/timestamp-authority/releases/download/${SIGSTORE_TIMESTAMP}/timestamp-server-linux-amd64 -O /tmp/timestamp-server
# Fetch the latest sigstore/timestamp-authority build
SIGSTORE_TIMESTAMP_VERSION=$(gh api /repos/sigstore/timestamp-authority/tags --jq '.[0].name')
wget https://github.com/sigstore/timestamp-authority/releases/download/${SIGSTORE_TIMESTAMP_VERSION}/timestamp-server-linux-amd64 -O /tmp/timestamp-server
chmod +x /tmp/timestamp-server
# Run the TSA in background
/tmp/timestamp-server serve --port 3000 --disable-ntp-monitoring &
export TEST_SIGSTORE_TIMESTAMP_AUTHORITY_URL="http://localhost:3000/api/v1/timestamp"
# Ensure Timestamp Authority tests are not skipped by
# having pytest show skipped tests and verifying ours are running
make test TEST_ARGS="-m timestamp_authority -rs" | tee output
! grep -q "skipping test that requires a Timestamp Authority" output || (echo "ERROR: Found skip message" && exit 1)
env:
SIGSTORE_TIMESTAMP: "v1.2.3"
# Needed for `gh api` above.
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: test (interactive)
if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
@@ -107,7 +118,7 @@ jobs:
with:
persist-credentials: false

- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
- uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
with:
python-version: '3.x'

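Review bot: In the "test (timestamp-authority)" step the `SIGSTORE_TIMESTAMP: "v1.2.3"` pin is replaced by whatever `gh api /repos/sigstore/timestamp-authority/tags --jq '.[0].name'` returns, and that binary is downloaded and executed with no checksum or signature check while `GH_TOKEN` sits in the step's environment; the tags endpoint also does not document newest-first ordering, so `.[0]` is not reliably the latest release. Restoring an explicit version pin and verifying the download before `chmod +x` would keep the job's supply chain closed; at minimum, fail early on an empty lookup with `test -n "${SIGSTORE_TIMESTAMP_VERSION}" || exit 1` placed before the `wget` line. The TODO above the step already marks it as temporary, which is worth restating next to the `gh api` line so the unpinned fetch is not copied into other workflows.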
4 changes: 2 additions & 2 deletions .github/workflows/conformance.yml
@@ -15,7 +15,7 @@ jobs:
with:
persist-credentials: false

- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
- uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
with:
python-version: "3.x"
cache: "pip"
@@ -24,7 +24,7 @@ jobs:
- name: install sigstore-python
run: python -m pip install .

- uses: sigstore/sigstore-conformance@6bd1c54e236c9517da56f7344ad16cc00439fe19 # v0.0.13
- uses: sigstore/sigstore-conformance@d658ea74a060aeabae78f8a379167f219dc38c38 # v0.0.16
with:
entrypoint: ${{ github.workspace }}/test/integration/sigstore-python-conformance
xfail: "test_verify_with_trust_root test_verify_dsse_bundle_with_trust_root" # see issue 821
6 changes: 2 additions & 4 deletions .github/workflows/docs.yml
@@ -13,11 +13,9 @@ jobs:
with:
persist-credentials: false

- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
- uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
with:
# NOTE: We use 3.10+ typing syntax via future, which pdoc only
# understands if it's actually run with Python 3.10 or newer.
python-version: ">= 3.10"
python-version: "3.x"
cache: "pip"
cache-dependency-path: pyproject.toml

6 changes: 3 additions & 3 deletions .github/workflows/lint.yml
@@ -14,7 +14,7 @@ jobs:
with:
persist-credentials: false

- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
- uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
with:
python-version: "3.x"
cache: "pip"
@@ -35,7 +35,7 @@ jobs:

# NOTE: We intentionally check `--help` rendering against our minimum Python,
# since it changes slightly between Python versions.
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
- uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
with:
python-version: "3.9"
cache: "pip"
@@ -71,7 +71,7 @@ jobs:
persist-credentials: false

# NOTE: We intentionally check test certificates against our minimum supported Python.
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
- uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
with:
python-version: "3.9"
cache: "pip"
4 changes: 2 additions & 2 deletions .github/workflows/pin-requirements.yml
@@ -70,7 +70,7 @@ jobs:
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config user.name "github-actions[bot]"
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
- uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
with:
python-version-file: install/.python-version
cache: "pip"
@@ -129,7 +129,7 @@ jobs:
git push -f origin "origin/main:${SIGSTORE_PIN_REQUIREMENTS_BRANCH}"
- name: Open pull request
uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
uses: peter-evans/create-pull-request@dd2324fc52d5d43c699a5636bcf19fceaa70c284 # v7.0.7
with:
title: |
Update pinned requirements for ${{ env.SIGSTORE_RELEASE_TAG }}
11 changes: 5 additions & 6 deletions .github/workflows/release.yml
@@ -19,7 +19,7 @@ jobs:
with:
persist-credentials: false

- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
- uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
with:
# NOTE: We intentionally don't use a cache in the release step,
# to reduce the risk of cache poisoning.
@@ -74,14 +74,14 @@ jobs:
done
- name: Upload built packages
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
with:
name: built-packages
path: ./dist/
if-no-files-found: warn

- name: Upload smoketest-artifacts
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
with:
name: smoketest-artifacts
path: smoketest-artifacts/
@@ -112,10 +112,9 @@ jobs:
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8

- name: publish
uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v1.12.3
uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
with:
packages-dir: built-packages/
attestations: true

release-github:
needs: [build, generate-provenance]
@@ -131,7 +130,7 @@ jobs:
# Confusingly, this action also supports updating releases, not
# just creating them. This is what we want here, since we've manually
# created the release that triggered the action.
uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0
uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
with:
# smoketest-artifacts/ contains the signatures and certificates.
files: |
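Review bot: The publish hunk goes from 10 to 9 lines while only the `pypa/gh-action-pypi-publish` pin visibly changes, so one further line was dropped from the new side of that hunk; if the dropped line is `attestations: true`, the publish step now relies on the action's default for producing attestations, and that reliance should be recorded on the step, e.g. `# Attestations are left to the action's default; revisit when bumping the pin.`. If the removed line is only the blank after `attestations: true`, nothing further is needed.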
2 changes: 1 addition & 1 deletion .github/workflows/requirements.yml
@@ -36,7 +36,7 @@ jobs:
ref: ${{ env.SIGSTORE_REF }}
persist-credentials: false

- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
- uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
name: Install Python ${{ matrix.python_version }}
with:
python-version: ${{ matrix.python_version }}
6 changes: 3 additions & 3 deletions .github/workflows/scorecards-analysis.yml
@@ -29,7 +29,7 @@ jobs:
persist-credentials: false

- name: "Run analysis"
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
with:
results_file: results.sarif
results_format: sarif
@@ -44,14 +44,14 @@ jobs:

# Upload the results as artifacts (optional).
- name: "Upload artifact"
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
with:
name: SARIF file
path: results.sarif
retention-days: 5

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
with:
sarif_file: results.sarif
2 changes: 1 addition & 1 deletion .github/workflows/staging-tests.yml
@@ -21,7 +21,7 @@ jobs:
with:
persist-credentials: false

- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
- uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
with:
python-version: "3.x"
cache: "pip"
1 change: 1 addition & 0 deletions .gitignore
@@ -1,3 +1,4 @@
.cache/
env/
pip-wheel-metadata/
*.egg-info/
11 changes: 10 additions & 1 deletion CHANGELOG.md
@@ -8,6 +8,14 @@ All versions prior to 0.9.0 are untracked.

## [Unreleased]

## [3.6.1]

### Fixed

* Relaxed the transitive dependency on `cryptography` to allow v43 and v44
to be resolved
([#1251](https://github.com/sigstore/sigstore-python/pull/1251))

## [3.6.0]

### Added
@@ -585,7 +593,8 @@ This is a corrective release for [2.1.1].


<!--Release URLs -->
[Unreleased]: https://github.com/sigstore/sigstore-python/compare/v3.6.0...HEAD
[Unreleased]: https://github.com/sigstore/sigstore-python/compare/v3.6.1...HEAD
[3.6.0]: https://github.com/sigstore/sigstore-python/compare/v3.6.0...v3.6.1
[3.6.0]: https://github.com/sigstore/sigstore-python/compare/v3.5.3...v3.6.0
[3.5.3]: https://github.com/sigstore/sigstore-python/compare/v3.5.2...v3.5.3
[3.5.2]: https://github.com/sigstore/sigstore-python/compare/v3.5.1...v3.5.2
17 changes: 14 additions & 3 deletions Makefile
@@ -3,7 +3,8 @@ SHELL := /bin/bash
PY_MODULE := sigstore

ALL_PY_SRCS := $(shell find $(PY_MODULE) -name '*.py') \
$(shell find test -name '*.py')
$(shell find test -name '*.py') \
$(shell find docs/scripts -name '*.py') \

# Optionally overriden by the user, if they're using a virtual environment manager.
VENV ?= env
@@ -67,7 +68,8 @@ lint: $(VENV)/pyvenv.cfg
ruff check $(ALL_PY_SRCS) && \
mypy $(PY_MODULE) && \
bandit -c pyproject.toml -r $(PY_MODULE) && \
interrogate --fail-under 100 -c pyproject.toml $(PY_MODULE)
interrogate --fail-under 100 -c pyproject.toml $(PY_MODULE) && \
python docs/scripts/gen_ref_pages.py --check

.PHONY: reformat
reformat: $(VENV)/pyvenv.cfg
@@ -97,7 +99,8 @@ gen-x509-testcases: $(VENV)/pyvenv.cfg
.PHONY: doc
doc: $(VENV)/pyvenv.cfg
. $(VENV_BIN)/activate && \
pdoc --output-directory html $(PY_MODULE)
python docs/scripts/gen_ref_pages.py --overwrite && \
mkdocs build --strict --site-dir html

.PHONY: package
package: $(VENV)/pyvenv.cfg
@@ -169,3 +172,11 @@ check-readme:
.PHONY: edit
edit:
$(EDITOR) $(ALL_PY_SRCS)

update-embedded-root: $(VENV)/pyvenv.cfg
. $(VENV_BIN)/activate && \
python -m sigstore plumbing update-trust-root
cp ~/.local/share/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/root.json \
sigstore/_store/prod/root.json
cp ~/.cache/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/trusted_root.json \
sigstore/_store/prod/trusted_root.json
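Review bot: The new `update-embedded-root` target in the last hunk has no `.PHONY` declaration, unlike `reformat`, `doc`, `package` and `edit` in the surrounding hunks, so a file or directory named `update-embedded-root` in the checkout would make `make` silently skip the update; add `.PHONY: update-embedded-root` directly above it. In the first hunk, the `ALL_PY_SRCS` edit leaves a dangling `\` after the `docs/scripts` find, which continues the assignment onto the empty line that follows; drop that trailing backslash. The two `cp` lines hard-code `~/.local/share/...` and `~/.cache/...` — presumably the data and cache directories the CLI writes to on Linux — and a comment stating that the target assumes those locations would save the next person a confusing run on another platform.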