simtabi
diff --git a/‎docs/adr/0001-sigstore-key-management.md‎
Lines changed: 166 additions & 0 deletions b/‎docs/adr/0001-sigstore-key-management.md‎
Lines changed: 166 additions & 0 deletions
diff --git a/‎scripts/bundle.py‎
Lines changed: 1 addition & 0 deletions b/‎scripts/bundle.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/get_installer/forge.py‎
Lines changed: 186 additions & 0 deletions b/‎src/get_installer/forge.py‎
Lines changed: 186 additions & 0 deletions
@@ -0,0 +1,166 @@
+# ADR-0001 — Sigstore key management
+
+**Status**: Accepted (2026-05-16)
+**Phase**: SPEC §4 Phase F — signed releases via sigstore
+**Unblocks**: `verify.sign_bundle_with_sigstore` implementation
+
+## Context
+
+Phase F ships a sigstore-signed `installer.py` bundle so an
+operator can verify the binary they're about to pipe into `sh`
+came from this repo, not from a tampered mirror. The scaffold
+shipped in v0.4.0 (commit `433d7e1`) but the actual signing flow
+was blocked on three open questions:
+
+1. **Which signing identity?** sigstore's identity-based signing
+   ties a signature to an OIDC subject. Options: maintainer's
+   personal GitHub identity, a service account, the repo's GitHub
+   Actions workflow identity, or a hybrid.
+2. **Where does the public verification key live?** Sigstore uses
+   Rekor for public transparency log entries; verification doesn't
+   need a pre-shared public key, but operators need to know what
+   identity to trust.
+3. **Rotation cadence?** If we use a long-lived signing identity,
+   when do we rotate it? If we use a short-lived workflow
+   identity, what happens to old signatures when the workflow
+   moves?
+
+## Decision
+
+### 1. Identity: GitHub Actions workflow OIDC subject
+
+Sign from the release workflow only, using the workflow's OIDC
+identity:
+
+```
+repo:simtabi/get-installer:ref:refs/tags/v*
+```
+
+This is sigstore's "keyless" flow: no long-lived signing key
+exists. The signature is bound to an ephemeral certificate issued
+by Fulcio for the duration of the workflow run, recorded in
+Rekor. Verification proves "this artifact was signed by a release
+workflow on `simtabi/get-installer` targeting a `v*` tag at the
+time recorded in Rekor."
+
+### 2. Verification: documented OIDC subject
+
+`SECURITY.md` and the bundle's sidecar `installer.py.sigstore`
+both name the expected subject. Operators verify with:
+
+```bash
+sigstore verify identity \
+  --bundle installer.py.sigstore \
+  --cert-identity 'https://github.com/simtabi/get-installer/.github/workflows/release.yml@refs/tags/v0.4.0' \
+  --cert-oidc-issuer 'https://token.actions.githubusercontent.com' \
+  installer.py
+```
+
+The `--cert-identity` URL includes the exact tag, so an attacker
+who managed to sign a malicious `installer.py` from a feature
+branch wouldn't pass verification.
+
+### 3. Rotation: not applicable
+
+No long-lived keys = nothing to rotate. The trust anchor is the
+GitHub Actions OIDC issuer, which Sigstore re-roots via Fulcio's
+public root every ~6 months. Tooling updates handle that
+transparently.
+
+When a release workflow is renamed or moved, old signatures
+remain verifiable against the historical identity (Rekor entries
+are immutable). The verification command in the consumer docs
+must reference the SAME path the signature was minted under.
+
+## Consequences
+
+### What this enables
+
+- `verify.sign_bundle_with_sigstore(path, dry_run=False)` can be
+  implemented. The implementation calls
+  `sigstore-python`'s `sign` command via subprocess (the python
+  API is also fine; we go subprocess to match the rest of our
+  signing flow which is shell-readable).
+- Release workflow gains a `sign` step between the bundle build
+  and the GitHub release attachment. The `.sigstore` file is
+  uploaded alongside `installer.py`.
+- `docs/security.md` gets a "Verifying the bundle" subsection.
+
+### What this costs
+
+- A new optional dep (`sigstore>=3.0`) — already scaffolded via
+  the `[sigstore]` extras.
+- Release workflow gets one more required permission:
+  `id-token: write` (already there for PyPI trusted publishing,
+  no new grant needed).
+- Renaming `release.yml` after a release retroactively breaks
+  the verification command for prior signatures. Mitigation:
+  document this in `SECURITY.md` + keep the file name forever.
+
+### What this doesn't fix
+
+- A compromised GitHub Actions runner can still sign whatever it
+  wants while the workflow runs. Sigstore signing is a transparency
+  layer, not an attestation that the build was reproducible. For
+  reproducibility, see the `bundle.py --check` reproducibility
+  test (already gated in CI).
+
+## Implementation
+
+```python
+# Inside verify.sign_bundle_with_sigstore:
+import subprocess
+result = subprocess.run(
+    ["sigstore", "sign", "--bundle", f"{bundle_path}.sigstore", str(bundle_path)],
+    capture_output=True, text=True, check=False, timeout=120,
+)
+if result.returncode != 0:
+    raise SecurityError(f"sigstore sign failed: {result.stderr.strip()}")
+return bundle_path.with_suffix(bundle_path.suffix + ".sigstore")
+```
+
+The 120-second timeout matches sigstore's typical Fulcio + Rekor
+round-trip latency with headroom.
+
+## Alternatives considered
+
+### Long-lived GPG key (rejected)
+
+Owner: maintainer. Rotation: annual. Public key: published in
+SECURITY.md.
+
+**Why rejected:** key rotation is operationally painful; key
+revocation has no good story when the maintainer changes; GPG
+verification has worse UX than `sigstore verify`.
+
+### Cosign with a static keypair (rejected)
+
+Same pros/cons as GPG with slightly better tooling.
+
+**Why rejected:** still requires a long-lived secret on disk
+somewhere. Sigstore keyless removes that whole class of
+operational risk.
+
+### Per-maintainer identity (rejected)
+
+Each maintainer's personal GitHub OIDC signs releases.
+
+**Why rejected:** maintainer comings + goings are a real concern
+over the project lifetime. Workflow identity outlives any single
+maintainer.
+
+## Next steps
+
+1. Land the `sign_bundle_with_sigstore` implementation behind the
+   existing `dry_run=False` path.
+2. Wire the sign step into `.github/workflows/release.yml` after
+   the bundle build, before the GitHub release attachment.
+3. Update `SECURITY.md` with the verification command + cert
+   identity URL.
+4. Add a `tests/test_verify.py::test_sigstore_smoke` test that
+   asserts the sign step works against a real Fulcio endpoint
+   (skipped unless `INTEGRATION_SIGSTORE=1` in env, since it
+   needs network + OIDC). Document the skip rationale.
+
+Tracked in the `[sigstore]` extras + the
+`verify.sign_bundle_with_sigstore` symbol shipped in v0.4.0.
@@ -41,6 +41,7 @@
     "verify",
     "python_setup",
     "env_file",
+    "forge",
     "installer",
     "__main__",
 )
 
@@ -0,0 +1,186 @@
+"""Per-forge release-asset resolvers (SPEC Phase D — Round 3 #19).
+
+The registry.json schema gained a per-version ``forge`` block in
+v0.4.0 (commit ``08db77e``). This module turns that informational
+block into actual URL resolution: given the forge type + owner +
+repo + version, return the URL where the release asset lives.
+
+Five forges are first-class:
+
+- ``github``    — ``https://api.github.com/repos/{owner}/{repo}/releases/...``
+- ``gitlab``    — ``https://gitlab.com/api/v4/projects/{owner}%2F{repo}/releases/...``
+- ``codeberg``  — Gitea-flavoured at ``https://codeberg.org/api/v1``
+- ``gitea``     — generic Gitea host (the user provides ``host`` in extras)
+- ``bitbucket`` — ``https://api.bitbucket.org/2.0/repositories/{workspace}/{repo}/downloads``
+
+Each resolver returns a URL string that downstream callers feed
+through :func:`get_installer.verify.fetch_https` so the existing
+HTTPS-only / allowlist / sha256 enforcement still applies.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Any
+
+
+class ForgeError(Exception):
+    """Raised when a forge metadata block is malformed or unresolvable."""
+
+
+@dataclass(frozen=True)
+class ForgeSpec:
+    """Parsed forge metadata. Built from the registry.json ``forge`` block.
+
+    @field type           one of github|gitlab|codeberg|gitea|bitbucket
+    @field owner          org / user / workspace name
+    @field repo           repository name
+    @field release_tag_template  how to compute the tag from a version
+                          (default ``"v{version}"``)
+    @field asset_pattern  optional glob matching the release asset filename
+    @field host           custom hostname (gitea only; defaults per forge)
+    """
+
+    type: str
+    owner: str
+    repo: str
+    release_tag_template: str = "v{version}"
+    asset_pattern: str | None = None
+    host: str | None = None
+
+
+SUPPORTED_FORGES: tuple[str, ...] = ("github", "gitlab", "codeberg", "gitea", "bitbucket")
+
+
+def parse_forge_spec(block: dict[str, Any]) -> ForgeSpec:
+    """Build a ForgeSpec from the registry.json ``forge`` dict."""
+    forge_type = str(block.get("type", ""))
+    if forge_type not in SUPPORTED_FORGES:
+        raise ForgeError(
+            f"unsupported forge type {forge_type!r}; "
+            f"expected one of {SUPPORTED_FORGES}"
+        )
+    owner = str(block.get("owner", ""))
+    repo = str(block.get("repo", ""))
+    if not owner or not repo:
+        raise ForgeError(
+            f"forge {forge_type}: missing owner/repo "
+            f"(got owner={owner!r}, repo={repo!r})"
+        )
+    return ForgeSpec(
+        type=forge_type,
+        owner=owner,
+        repo=repo,
+        release_tag_template=str(block.get("release_tag_template", "v{version}")),
+        asset_pattern=block.get("asset_pattern"),
+        host=block.get("host"),
+    )
+
+
+def release_tag(spec: ForgeSpec, version: str) -> str:
+    """Compute the release tag for a given version + template."""
+    return spec.release_tag_template.replace("{version}", version)
+
+
+# --- per-forge resolvers ---------------------------------------------------
+
+
+def github_release_url(spec: ForgeSpec, version: str, asset: str) -> str:
+    """Direct asset URL for a GitHub release."""
+    tag = release_tag(spec, version)
+    return (
+        f"https://github.com/{spec.owner}/{spec.repo}"
+        f"/releases/download/{tag}/{asset}"
+    )
+
+
+def github_release_api_url(spec: ForgeSpec, version: str) -> str:
+    """API URL for a GitHub release's metadata (asset list, SHA, etc.)."""
+    tag = release_tag(spec, version)
+    return (
+        f"https://api.github.com/repos/{spec.owner}/{spec.repo}"
+        f"/releases/tags/{tag}"
+    )
+
+
+def gitlab_release_api_url(spec: ForgeSpec, version: str) -> str:
+    """GitLab Releases API URL. ``owner/repo`` is URL-encoded."""
+    tag = release_tag(spec, version)
+    project = f"{spec.owner}%2F{spec.repo}"
+    return f"https://gitlab.com/api/v4/projects/{project}/releases/{tag}"
+
+
+def codeberg_release_api_url(spec: ForgeSpec, version: str) -> str:
+    """Codeberg uses Gitea's API at codeberg.org."""
+    tag = release_tag(spec, version)
+    return (
+        f"https://codeberg.org/api/v1/repos/{spec.owner}/{spec.repo}"
+        f"/releases/tags/{tag}"
+    )
+
+
+def gitea_release_api_url(spec: ForgeSpec, version: str) -> str:
+    """Generic Gitea host. ``host`` extras key required."""
+    if not spec.host:
+        raise ForgeError(
+            "gitea forge requires a 'host' field "
+            "(e.g., 'host: gitea.my-org.com')"
+        )
+    tag = release_tag(spec, version)
+    return (
+        f"https://{spec.host}/api/v1/repos/{spec.owner}/{spec.repo}"
+        f"/releases/tags/{tag}"
+    )
+
+
+def bitbucket_download_url(spec: ForgeSpec, version: str, asset: str) -> str:
+    """Bitbucket downloads area — assets live under /downloads/, not releases."""
+    return (
+        f"https://bitbucket.org/{spec.owner}/{spec.repo}"
+        f"/downloads/{asset}"
+    )
+
+
+# --- unified entry point ---------------------------------------------------
+
+
+def resolve_release_metadata_url(spec: ForgeSpec, version: str) -> str:
+    """Return the URL that lists release metadata (assets + checksums).
+
+    The caller fetches this JSON (via verify.fetch_https) and finds
+    the asset matching ``spec.asset_pattern`` if set, else the sdist.
+
+    @raises ForgeError on bitbucket (no metadata API; assets are
+        downloaded by direct URL via :func:`bitbucket_download_url`).
+    """
+    if spec.type == "github":
+        return github_release_api_url(spec, version)
+    if spec.type == "gitlab":
+        return gitlab_release_api_url(spec, version)
+    if spec.type == "codeberg":
+        return codeberg_release_api_url(spec, version)
+    if spec.type == "gitea":
+        return gitea_release_api_url(spec, version)
+    if spec.type == "bitbucket":
+        raise ForgeError(
+            "bitbucket has no release-metadata API; "
+            "use bitbucket_download_url() with an explicit asset name"
+        )
+    raise ForgeError(f"no resolver for forge type {spec.type!r}")
+
+
+def resolve_asset_url(spec: ForgeSpec, version: str, asset: str) -> str:
+    """Return the direct download URL for a named release asset."""
+    if spec.type == "github":
+        return github_release_url(spec, version, asset)
+    if spec.type == "bitbucket":
+        return bitbucket_download_url(spec, version, asset)
+    if spec.type in {"gitlab", "codeberg", "gitea"}:
+        # These forges return asset URLs via the release-metadata API;
+        # the caller resolves them from there. We surface a clear
+        # exception so callers don't accidentally guess.
+        raise ForgeError(
+            f"{spec.type}: use resolve_release_metadata_url() to fetch the "
+            "release JSON and read the asset URL from its 'assets' list"
+        )
+    raise ForgeError(f"no resolver for forge type {spec.type!r}")
Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,7 @@`
`41`	`41`	`"verify",`
`42`	`42`	`"python_setup",`
`43`	`43`	`"env_file",`
	`44`	`+ "forge",`
`44`	`45`	`"installer",`
`45`	`46`	`"__main__",`
`46`	`47`	`)`