Skip to content

sigstore: prep verify APIs for DSSE #904

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 13 commits into from
Mar 5, 2024
Merged

sigstore: prep verify APIs for DSSE #904

merged 13 commits into from
Mar 5, 2024

Conversation

woodruffw
Copy link
Member

@woodruffw woodruffw commented Feb 14, 2024
edited
Loading

WIP.

This is the first step towards DSSE verification support, breaking apart some of our internal design mistakes around the state carried in VerificationMaterials. Merging this will allow us to be more flexible about the inputs passed to verify(), including DSSE statements and prehashed inputs as Hashed objects.

@woodruffw
sigstore: prep verify APIs for DSSE
362b512 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw woodruffw added component:verification Core verification functionality component:api Public APIs labels Feb 14, 2024
@woodruffw woodruffw self-assigned this Feb 14, 2024
@woodruffw
Merge branch 'main' into ww/dsse-verify
55da819
@woodruffw
test: fixup tests
cd28d0e 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
lintage
8503ea6 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
fix sign test
b59cc7c 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw woodruffw marked this pull request as ready for review February 20, 2024 19:57
@woodruffw woodruffw requested a review from jku February 20, 2024 19:57
@woodruffw woodruffw mentioned this pull request Feb 21, 2024
Closed
jku
jku approved these changes Feb 29, 2024
View reviewed changes
Copy link
Member

@jku jku left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like a solid improvement to me. Left one test suggestion/question

test/unit/verify/test_models.py
(_, a_materials) = signing_materials("a.txt")
(file, offline_rekor_materials) = signing_bundle("bundle.txt")

with file.open(mode="rb", buffering=0) as input_:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if signing_materials() should just open the file and yield (input_, materials) instead so we can avoid doing this in the tests?

  • Not every test needs input_ of course... but I would think open() is not expensive in context.
  • some tests want to read the file twice so would then probably need input_.seek(0)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That works, although to go one step further: I think signing_materials/signing_bundle should probably just return bytes/Hashed directly, since the plan is to have both sign and verify take those types rather than do their own I/O 🙂

@woodruffw woodruffw merged commit 7015855 into main Mar 5, 2024
25 checks passed
@woodruffw woodruffw deleted the ww/dsse-verify branch March 5, 2024 17:46
This was referenced Mar 5, 2024
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jku jku jku approved these changes

Assignees

@woodruffw woodruffw

Labels
component:api Public APIs component:verification Core verification functionality
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@woodruffw @jku