Skip to content

Commit 6f7b4b4

Browse files
committed
Support DSSE signing conformance test
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
1 parent 8db74cb commit 6f7b4b4

2 files changed

Lines changed: 33 additions & 6 deletions

File tree

.github/workflows/conformance.yml

Lines changed: 20 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -14,14 +14,13 @@ jobs:
1414
strategy:
1515
matrix:
1616
java-version: [11, 17, 21]
17-
sigstore-env: [production, staging]
1817
fail-fast: false
1918

2019
concurrency:
2120
# On main/release, we don't want any jobs cancelled
2221
# On PR branches, we cancel the job if new commits are pushed
2322
# More info: https://stackoverflow.com/a/70972844/1261287
24-
group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}-${{ matrix.java-version }}-${{ matrix.sigstore-env }}
23+
group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}-${{ matrix.java-version }}
2524
cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
2625

2726
runs-on: ubuntu-latest
@@ -54,9 +53,25 @@ jobs:
5453
java-version: ${{ matrix.java-version }}
5554
distribution: 'temurin'
5655

57-
- uses: sigstore/sigstore-conformance@eae6eb1f59e25c6d3d602c5dad3dc55767c2f1cb # v0.0.25
56+
- name: Run Conformance Tests (production)
57+
uses: sigstore/sigstore-conformance@9611941d54398f2e3f6383b6f744442a56d2fb2a # v0.0.26
5858
with:
5959
entrypoint: ${{ github.workspace }}/sigstore-cli/sigstore-cli-server
60-
environment: ${{ matrix.sigstore-env }}
60+
environment: production
6161
skip-result-upload: ${{ matrix.java-version != 17 }}
62-
xfail: "test_verify*-intoto-with-custom-trust-root] test_verify*managed-key-happy-path] test_verify*managed-key-and-trusted-root]"
62+
xfail: >-
63+
test_verify*-intoto-with-custom-trust-root]
64+
test_verify*managed-key-happy-path]
65+
test_verify*managed-key-and-trusted-root]
66+
test_sign_verify_dsse
67+
68+
- name: Run Conformance Tests (staging)
69+
uses: sigstore/sigstore-conformance@9611941d54398f2e3f6383b6f744442a56d2fb2a # v0.0.26
70+
with:
71+
entrypoint: ${{ github.workspace }}/sigstore-cli/sigstore-cli-server
72+
environment: staging
73+
skip-result-upload: ${{ matrix.java-version != 17 }}
74+
xfail: >-
75+
test_verify*-intoto-with-custom-trust-root]
76+
test_verify*managed-key-happy-path]
77+
test_verify*managed-key-and-trusted-root]

sigstore-cli/src/main/java/dev/sigstore/cli/Sign.java

Lines changed: 13 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,7 @@
1818
import dev.sigstore.KeylessSigner;
1919
import dev.sigstore.SigningConfigProvider;
2020
import dev.sigstore.TrustedRootProvider;
21+
import dev.sigstore.bundle.Bundle;
2122
import dev.sigstore.oidc.client.OidcClients;
2223
import dev.sigstore.oidc.client.TokenStringOidcClient;
2324
import dev.sigstore.tuf.RootProvider;
@@ -89,6 +90,12 @@ static class Target {
8990
required = false)
9091
Path workingDirectory;
9192

93+
@Option(
94+
names = {"--in-toto"},
95+
description = "treat the artifact as an in-toto statement payload",
96+
required = false)
97+
boolean inToto;
98+
9299
@Override
93100
public Integer call() throws Exception {
94101
if (workingDirectory != null) {
@@ -151,7 +158,12 @@ public Integer call() throws Exception {
151158
OidcClients.of(TokenStringOidcClient.from(identityToken)));
152159
}
153160
var signer = signerBuilder.build();
154-
var bundle = signer.signFile(artifact);
161+
Bundle bundle;
162+
if (inToto) {
163+
bundle = signer.attest(Files.readString(artifact, StandardCharsets.UTF_8));
164+
} else {
165+
bundle = signer.signFile(artifact);
166+
}
155167
Files.write(bundleFile, bundle.toJson().getBytes(StandardCharsets.UTF_8));
156168
return 0;
157169
}

0 commit comments

Comments
 (0)