Skip to content

Commit 2336e27

Browse files
authored
Merge branch 'main' into chore/cifuzz-perms
2 parents 56f7531 + d335d9d commit 2336e27

7 files changed

Lines changed: 55 additions & 24 deletions

File tree

.github/workflows/ci.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -46,7 +46,7 @@ jobs:
4646
21
4747
distribution: 'temurin'
4848
- name: Setup Go environment
49-
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
49+
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
5050
with:
5151
go-version: '1.25.x'
5252

scripts/change_version.sh

Lines changed: 11 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,14 @@
66
# this script is simple and should work for most usecases, but it may break if we do weird things
77
set -Eeo pipefail
88

9+
sedi() {
10+
if [ "$(uname)" = "Darwin" ]; then
11+
sed -i "" "$@"
12+
else
13+
sed -i "$@"
14+
fi
15+
}
16+
917
old_version=$(grep "^version=" gradle.properties | cut -d'=' -f2)
1018
other_old_version=$(grep "sigstoreJavaVersion.convention" sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt | cut -d'"' -f2)
1119
if [[ "$old_version" != "$other_old_version" ]]; then
@@ -20,12 +28,12 @@ echo "old : $old_version"
2028
echo "new : $new_version"
2129
read -r -p "Run update? [y/N]: " yn
2230
go=${yn:-"n"}
23-
if [ "${go,,}" != "y" ]; then
31+
if [ "$go" != "y" ] && [ "$go" != "Y" ]; then
2432
echo "aborting"
2533
exit
2634
fi
2735

2836
# update to latest dev version (change update_versions.sh if you change this section)
29-
sed -i "s/\(sigstoreJavaVersion.convention(\"\)$old_version/\1$new_version/" sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt
30-
sed -i "s/version=$old_version/version=$new_version/" gradle.properties
37+
sedi "s/\(sigstoreJavaVersion.convention(\"\)$old_version/\1$new_version/" sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt
38+
sedi "s/version=$old_version/version=$new_version/" gradle.properties
3139

scripts/update_versions.sh

Lines changed: 16 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,14 @@
55
# this script is simple and should work for most usecases, but it may break if we do weird things
66
set -Eeo pipefail
77

8+
sedi() {
9+
if [ "$(uname)" = "Darwin" ]; then
10+
sed -i "" "$@"
11+
else
12+
sed -i "$@"
13+
fi
14+
}
15+
816
calculated_release_version=$(grep "^version=" gradle.properties | cut -d'=' -f2)
917
read -r -p "Enter released version [${calculated_release_version}]: " vin
1018
release_version=${vin:-${calculated_release_version}}
@@ -23,21 +31,21 @@ echo "latest : $release_version"
2331
echo "next : $next_version"
2432
read -r -p "Run update? [y/N]: " yn
2533
go=${yn:-"n"}
26-
if [ "${go,,}" != "y" ]; then
34+
if [ "$go" != "y" ] && [ "$go" != "Y" ]; then
2735
echo "aborting"
2836
exit
2937
fi
3038

3139
# sed below is probably accepting .'s in versions as regex any chars, but this works for our purposes
3240

3341
# updates to new release version
34-
sed -i "s/\(sigstore-gradle-sign-plugin:\)$previous_version/\1$release_version/" build-logic/publishing/build.gradle.kts
35-
sed -i "s/\(<version>\)$previous_version/\1$release_version/" sigstore-maven-plugin/README.md
36-
sed -i "s/\(dev.sigstore.sign\") version \"\)$previous_version/\1$release_version/" sigstore-gradle/README.md
37-
sed -i "s/\(sigstore.version.*\)$previous_version/\1$release_version/" examples/hello-world/build.gradle.kts
38-
sed -i "s/\(<sigstore.version>\)$previous_version/\1$release_version/" examples/hello-world/pom.xml
42+
sedi "s/\(sigstore-gradle-sign-plugin:\)$previous_version/\1$release_version/" build-logic/publishing/build.gradle.kts
43+
sedi "s/\(<version>\)$previous_version/\1$release_version/" sigstore-maven-plugin/README.md
44+
sedi "s/\(dev.sigstore.sign\") version \"\)$previous_version/\1$release_version/" sigstore-gradle/README.md
45+
sedi "s/\(sigstore.version.*\)$previous_version/\1$release_version/" examples/hello-world/build.gradle.kts
46+
sedi "s/\(<sigstore.version>\)$previous_version/\1$release_version/" examples/hello-world/pom.xml
3947

4048
# update to latest dev version (change change_version.sh if you change this section)
41-
sed -i "s/\(sigstoreJavaVersion.convention(\"\)$release_version/\1$next_version/" sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt
42-
sed -i "s/version=$release_version/version=$next_version/" gradle.properties
49+
sedi "s/\(sigstoreJavaVersion.convention(\"\)$release_version/\1$next_version/" sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt
50+
sedi "s/version=$release_version/version=$next_version/" gradle.properties
4351

sigstore-java/src/main/java/dev/sigstore/encryption/signers/EcdsaVerifier.java

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,15 +15,18 @@
1515
*/
1616
package dev.sigstore.encryption.signers;
1717

18+
import dev.sigstore.AlgorithmRegistry;
1819
import java.security.*;
1920

2021
/** ECDSA verifier, instantiated by {@link Verifiers#newVerifier(PublicKey)}. */
2122
public class EcdsaVerifier implements Verifier {
2223

2324
private final PublicKey publicKey;
25+
private final AlgorithmRegistry.HashAlgorithm hashAlgorithm;
2426

25-
EcdsaVerifier(PublicKey publicKey) {
27+
EcdsaVerifier(PublicKey publicKey, AlgorithmRegistry.HashAlgorithm hashAlgorithm) {
2628
this.publicKey = publicKey;
29+
this.hashAlgorithm = hashAlgorithm;
2730
}
2831

2932
@Override
@@ -34,7 +37,7 @@ public PublicKey getPublicKey() {
3437
@Override
3538
public boolean verify(byte[] artifact, byte[] signature)
3639
throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
37-
var verifier = Signature.getInstance("SHA256withECDSA");
40+
var verifier = Signature.getInstance(hashAlgorithm + "withECDSA");
3841
verifier.initVerify(publicKey);
3942
verifier.update(artifact);
4043
return verifier.verify(signature);

sigstore-java/src/main/java/dev/sigstore/encryption/signers/RsaVerifier.java

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,15 +15,18 @@
1515
*/
1616
package dev.sigstore.encryption.signers;
1717

18+
import dev.sigstore.AlgorithmRegistry;
1819
import java.security.*;
1920

2021
/** RSA verifier, instantiated by {@link Verifiers#newVerifier(PublicKey)}. */
2122
public class RsaVerifier implements Verifier {
2223

2324
private final PublicKey publicKey;
25+
private final AlgorithmRegistry.HashAlgorithm hashAlgorithm;
2426

25-
RsaVerifier(PublicKey publicKey) {
27+
RsaVerifier(PublicKey publicKey, AlgorithmRegistry.HashAlgorithm hashAlgorithm) {
2628
this.publicKey = publicKey;
29+
this.hashAlgorithm = hashAlgorithm;
2730
}
2831

2932
@Override
@@ -34,7 +37,7 @@ public PublicKey getPublicKey() {
3437
@Override
3538
public boolean verify(byte[] artifact, byte[] signature)
3639
throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
37-
var verifier = Signature.getInstance("SHA256withRSA");
40+
var verifier = Signature.getInstance(hashAlgorithm + "withRSA");
3841
verifier.initVerify(publicKey);
3942
verifier.update(artifact);
4043
return verifier.verify(signature);

sigstore-java/src/main/java/dev/sigstore/encryption/signers/Verifiers.java

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@
1515
*/
1616
package dev.sigstore.encryption.signers;
1717

18+
import dev.sigstore.AlgorithmRegistry;
1819
import java.security.NoSuchAlgorithmException;
1920
import java.security.PublicKey;
2021
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
@@ -25,10 +26,10 @@ public class Verifiers {
2526
/** Returns a new verifier for the provided public key to use during verification. */
2627
public static Verifier newVerifier(PublicKey publicKey) throws NoSuchAlgorithmException {
2728
if (publicKey.getAlgorithm().equals("RSA")) {
28-
return new RsaVerifier(publicKey);
29+
return new RsaVerifier(publicKey, AlgorithmRegistry.HashAlgorithm.SHA2_256);
2930
}
3031
if (publicKey.getAlgorithm().equals("EC") || publicKey.getAlgorithm().equals("ECDSA")) {
31-
return new EcdsaVerifier(publicKey);
32+
return new EcdsaVerifier(publicKey, AlgorithmRegistry.HashAlgorithm.SHA2_256);
3233
}
3334
if (publicKey.getAlgorithm().equals("Ed25519")) {
3435
return new Ed25519Verifier(publicKey);

sigstore-testkit/src/main/java/dev/sigstore/testkit/oidc/ConformanceTestingTokenProvider.java

Lines changed: 14 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -30,18 +30,26 @@
3030
*/
3131
public class ConformanceTestingTokenProvider implements TokenStringOidcClient.TokenStringProvider {
3232

33-
public static ConformanceTestingTokenProvider newProvider() {
34-
return new ConformanceTestingTokenProvider();
33+
public static ConformanceTestingTokenProvider newProviderFromGithub() {
34+
return new ConformanceTestingTokenProvider(
35+
"https://raw.githubusercontent.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/refs/heads/current-token/oidc-token.txt");
3536
}
3637

37-
private ConformanceTestingTokenProvider() {}
38+
public static ConformanceTestingTokenProvider newProviderFromGcp() {
39+
return new ConformanceTestingTokenProvider(
40+
"https://storage.googleapis.com/sigstore-conformance-testing-token/untrusted-testing-token.txt");
41+
}
42+
43+
private final String tokenUrl;
44+
45+
private ConformanceTestingTokenProvider(String tokenUrl) {
46+
this.tokenUrl = tokenUrl;
47+
}
3848

3949
@Override
4050
public String getTokenString() throws Exception {
4151
HttpClient client = HttpClient.newBuilder().followRedirects(HttpClient.Redirect.NORMAL).build();
42-
URI fileUri =
43-
new URI(
44-
"https://raw.githubusercontent.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/refs/heads/current-token/oidc-token.txt");
52+
URI fileUri = new URI(tokenUrl);
4553
HttpRequest request =
4654
HttpRequest.newBuilder()
4755
.uri(fileUri)

0 commit comments

Comments
 (0)