Merge branch 'main' into gpeacock/builder_fixes

Author: gpeacock

.github/workflows/build.yml

@@ -1,15 +1,18 @@
 name: Build
 
 on:
+  pull_request:
   push:
     branches:
       - main
     tags:
       - "*"
   workflow_dispatch:
-
-permissions:
-  contents: read
+    inputs:
+      publish:
+        description: 'Publish'
+        required: true
+        default: 'false'
 
 jobs:
   linux:
@@ -18,8 +21,8 @@ jobs:
       matrix:
         target: [x86_64, aarch64]
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: "3.10"
           cache: "pip"
@@ -35,7 +38,24 @@ jobs:
           args: --release --out dist --find-interpreter
           sccache: "true"
           manylinux: ${{ matrix.target == 'aarch64' && 'manylinux_2_28' || 'auto' }}
-          before-script-linux: "pip install uniffi-bindgen==0.24.1"
+          before-script-linux: |
+            pip install uniffi-bindgen==0.24.1
+
+            # ISSUE: https://github.com/sfackler/rust-openssl/issues/2036#issuecomment-1724324145
+            # If we're running on rhel centos, install needed packages.
+            if command -v yum &> /dev/null; then
+                yum update -y && yum install -y perl-core openssl openssl-devel pkgconfig libatomic
+
+                # If we're running on i686 we need to symlink libatomic
+                # in order to build openssl with -latomic flag.
+                if [[ ! -d "/usr/lib64" ]]; then
+                    ln -s /usr/lib/libatomic.so.1 /usr/lib/libatomic.so
+                fi
+            else
+                # If we're running on debian-based system.
+                apt update -y && apt-get install -y libssl-dev openssl pkg-config
+            fi
+
       - name: Upload wheels
         uses: actions/upload-artifact@v3
         with:
@@ -48,8 +68,8 @@ jobs:
       matrix:
         target: [x64, x86]
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: '3.10'
           architecture: ${{ matrix.target }}
@@ -70,8 +90,8 @@ jobs:
   macos_x86:
     runs-on: macos-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: '3.10'
           cache: "pip"
@@ -91,8 +111,8 @@ jobs:
   macos_aarch64:
     runs-on: macos-latest-large
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: '3.10'
           cache: "pip"
@@ -112,7 +132,7 @@ jobs:
   sdist:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Build sdist
         uses: PyO3/maturin-action@v1
         with:
@@ -128,7 +148,7 @@ jobs:
     name: Release
     runs-on: ubuntu-latest
     environment: Publish
-    if: "startsWith(github.ref, 'refs/tags/')"
+    if: startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true'
     needs: [linux, windows, macos_x86, macos_aarch64, sdist]
     steps:
       - uses: actions/download-artifact@v3

CONTRIBUTING.md

@@ -78,5 +78,5 @@ feel free to reach out to existing committers to have a conversation about that.
 
 ## Security issues
 
-Security issues shouldn't be reported on this issue tracker. Instead,
-[file an issue to our security experts](https://helpx.adobe.com/security/alertus.html).
+Do not create a public GitHub issue for any suspected security vulnerabilities. Instead, please file an issue through [Adobe's HackerOne page](https://hackerone.com/adobe?type=team). 
+For more information on reporting security issues, see [SECURITY.md](SECURITY.md).

README.md

@@ -36,7 +36,7 @@ Import the API as follows:
 from c2pa import *
 ```
 
-### Read and validate C2PA data in a file
+### Read and validate C2PA data in a file or stream
 
 Use the `Reader` to read C2PA data from the specified file.
 This  examines the specified media file for C2PA data and generates a report of any data it finds. If there are validation errors, the report includes a `validation_status` field.  For a summary of supported media types, see [Supported file formats](#supported-file-formats).
@@ -48,7 +48,12 @@ The manifests may contain binary resources such as thumbnails which can be retri
 NOTE: For a comprehensive reference to the JSON manifest structure, see the [Manifest store reference](https://opensource.contentauthenticity.org/docs/manifest/manifest-ref).
 ```py
 try:
-  reader = c2pa.Reader("path/to/media_file.jpg")
+  # Create a reader from a file path
+  reader = c2pa.Reader.from_file("path/to/media_file.jpg")
+  # It's also possible to create a reader from a format and stream
+  # Note that these two readers are functionally equivalent
+  stream = open("path/to/media_file.jpg", "rb")
+  reader = c2pa.Reader("image/jpeg", stream)
 
   # Print the JSON for a manifest. 
   print("manifest store:", reader.json())
@@ -65,7 +70,7 @@ except Exception as err:
     print(err)
 ```
 
-### Add a signed manifest to a media file
+### Add a signed manifest to a media file or stream
 
 Use a `Builder` to add a manifest to an asset.
 
@@ -115,6 +120,10 @@ try:
   # The uri provided here "thumbnail" must match an identifier in the manifest definition.
   builder.add_resource_file("thumbnail", "tests/fixtures/A_thumbnail.jpg")
 
+  # Or add the resource from a stream
+  a_thumbnail_jpg_stream = open("tests/fixtures/A_thumbnail.jpg", "rb")
+  builder.add_resource("image/jpeg", a_thumbnail_jpg_stream)
+
   # Define an ingredient, in this case a parent ingredient named A.jpg, with a thumbnail
   ingredient_json = {
     "title": "A.jpg",
@@ -128,6 +137,10 @@ try:
   # Add the ingredient to the builder loading information  from a source file.
   builder.add_ingredient_file(ingredient_json, "tests/fixtures/A.jpg")
 
+  # Or add the ingredient from a stream
+  a_jpg_stream = open("tests/fixtures/A.jpg", "rb")
+  builder.add_ingredient("image/jpeg", a_jpg_stream)
+
   # At this point we could archive or unarchive our Builder to continue later.
   # In this example we use a bytearray for the archive stream.
   # all ingredients and resources will be saved in the archive
@@ -140,6 +153,11 @@ try:
   # This returns the binary manifest data that could be uploaded to cloud storage.
   c2pa_data = builder.sign_file(signer, "tests/fixtures/A.jpg", "target/out.jpg")
 
+  # Or sign the builder with a stream and output it to a stream
+  input_stream = open("tests/fixtures/A.jpg", "rb")
+  output_stream = open("target/out.jpg", "wb")
+  c2pa_data = builder.sign(signer, "image/jpeg", input_stream, output_stream)
+
 except Exception as err:
     print(err)
  ```

SECURITY.md

@@ -0,0 +1,22 @@
+# Security
+
+This C2PA open-source library is maintained in partnership with Adobe. At this time, Adobe is taking point on accepting security reports through its HackerOne portal and public bug bounty program.
+
+## Reporting a vulnerability
+
+Please do not create a public GitHub issue for any suspected security vulnerabilities. Instead, please file an issue through [Adobe's HackerOne page](https://hackerone.com/adobe?type=team). If for some reason this is not possible, reach out to [email protected].
+
+
+## Vulnerability SLAs
+
+Once we receive an actionable vulnerability (meaning there is an available patch, or a code fix is required), we will acknowledge the vulnerability within 24 hours. Our target SLAs for resolution are:
+
+1. 72 hours for vulnerabilities with a CVSS score of 9.0-10.0
+2. 2 weeks for vulnerabilities with a CVSS score of 7.0-8.9
+
+Any vulnerability with a score below 6.9 will be resolved when possible.
+
+
+## C2PA Vulnerabilities
+
+This library is not meant to address any potential vulnerabilities within the C2PA specification itself. It is only an implementation of the spec as written. Any suspected vulnerabilities within the spec can be reported [here](https://github.com/c2pa-org/specifications/issues).