introduce new artifact api

Author: wolfv

crates/sigstore-conformance/src/main.rs

@@ -12,7 +12,7 @@ use sigstore_oidc::IdentityToken;
 use sigstore_rekor::RekorClient;
 use sigstore_trust_root::TrustedRoot;
 use sigstore_tsa::TimestampClient;
-use sigstore_types::{Bundle, SignatureContent};
+use sigstore_types::{Bundle, Sha256Hash, SignatureContent};
 use sigstore_verify::{verify, VerificationPolicy};
 
 use std::env;
@@ -382,12 +382,12 @@ fn verify_bundle(args: &[String]) -> Result<(), Box<dyn std::error::Error>> {
             .into());
         }
 
-        // Create a policy that skips artifact hash validation since we already checked it
-        let digest_policy = policy.skip_artifact_hash();
-        let dummy_artifact = vec![];
+        // Convert digest bytes to Sha256Hash for verification
+        let artifact_digest = Sha256Hash::try_from_slice(&digest_bytes)
+            .map_err(|e| format!("Invalid digest: {}", e))?;
 
-        // Verify the signature with trusted root
-        let result = verify(&dummy_artifact, &bundle, &digest_policy, &trusted_root)?;
+        // Verify the signature with trusted root using the digest directly
+        let result = verify(artifact_digest, &bundle, &policy, &trusted_root)?;
 
         if !result.success {
             return Err("Verification failed".into());

crates/sigstore-crypto/src/hash.rs

@@ -2,6 +2,7 @@
 
 use aws_lc_rs::digest::{self, Context, SHA256};
 use sigstore_types::Sha256Hash;
+use std::io::{self, Read};
 
 /// Hash data using SHA-256, returning a typed hash
 pub fn sha256(data: &[u8]) -> Sha256Hash {
@@ -44,6 +45,31 @@ impl Default for Sha256Hasher {
     }
 }
 
+/// Compute SHA-256 hash by reading from a reader (streaming, constant memory)
+///
+/// This is useful for hashing large files without loading them entirely into memory.
+///
+/// # Example
+/// ```no_run
+/// use std::fs::File;
+/// use sigstore_crypto::sha256_reader;
+///
+/// let file = File::open("large-file.tar.gz").unwrap();
+/// let hash = sha256_reader(file).unwrap();
+/// ```
+pub fn sha256_reader(mut reader: impl Read) -> io::Result<Sha256Hash> {
+    let mut hasher = Sha256Hasher::new();
+    let mut buf = [0u8; 8192];
+    loop {
+        let n = reader.read(&mut buf)?;
+        if n == 0 {
+            break;
+        }
+        hasher.update(&buf[..n]);
+    }
+    Ok(hasher.finalize())
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -70,4 +96,16 @@ mod tests {
         let direct = sha256(b"hello");
         assert_eq!(hash, direct);
     }
+
+    #[test]
+    fn test_sha256_reader() {
+        use std::io::Cursor;
+
+        let data = b"hello world, this is a test of streaming hash";
+        let cursor = Cursor::new(data);
+        let hash = sha256_reader(cursor).unwrap();
+
+        let direct = sha256(data);
+        assert_eq!(hash, direct);
+    }
 }

crates/sigstore-crypto/src/lib.rs

@@ -16,7 +16,7 @@ pub use checkpoint::{
     verify_signature_auto, Checkpoint, CheckpointSignature, CheckpointVerifyExt, KeyType,
 };
 pub use error::{Error, Result};
-pub use hash::{sha256, Sha256Hasher};
+pub use hash::{sha256, sha256_reader, Sha256Hasher};
 pub use keyring::Keyring;
 pub use signing::{KeyPair, SigningScheme};
 pub use verification::{verify_signature, verify_signature_prehashed, VerificationKey};

crates/sigstore-sign/Cargo.toml

@@ -18,12 +18,12 @@ sigstore-tsa = { workspace = true }
 thiserror = { workspace = true }
 base64 = { workspace = true }
 x509-cert = { workspace = true }
+serde_json = { workspace = true }
 
 [dev-dependencies]
 tokio = { workspace = true }
 chrono = { workspace = true }
 serde = { workspace = true }
-serde_json = { workspace = true }
 hex = { workspace = true }
 
 [features]

crates/sigstore-sign/README.md

@@ -27,35 +27,48 @@ This crate provides high-level APIs for creating Sigstore signatures. It orchest
 ## Usage
 
 ```rust
-use sigstore_sign::{Signer, SigningConfig};
+use sigstore_sign::{SigningContext, Attestation, AttestationSubject};
+use sigstore_oidc::IdentityToken;
+use sigstore_types::Sha256Hash;
 
-let config = SigningConfig::production();
-let signer = Signer::new(config).await?;
+// Create a signing context for production
+let context = SigningContext::production();
 
-// Sign a blob
-let bundle = signer.sign(artifact_bytes).await?;
+// Get an identity token (from OIDC provider)
+let token = IdentityToken::new("your-identity-token".to_string());
 
-// Sign with a DSSE envelope
-let bundle = signer.sign_dsse(payload_type, payload).await?;
+// Create a signer
+let signer = context.signer(token);
+
+// Sign artifact bytes
+let artifact = b"hello world";
+let bundle = signer.sign(artifact).await?;
+
+// Or sign with a pre-computed digest (for large files)
+let digest = Sha256Hash::from_hex("b94d27b9...")?;
+let bundle = signer.sign(digest).await?;
+
+// Sign an in-toto attestation (DSSE envelope)
+let subject = AttestationSubject::new("artifact.tar.gz", digest);
+let attestation = Attestation::new("https://slsa.dev/provenance/v1")
+    .with_subject(subject)
+    .with_predicate(serde_json::json!({"key": "value"}));
+let bundle = signer.sign_attestation(attestation).await?;
+
+// Write bundle to file
+std::fs::write("artifact.sigstore.json", bundle.to_json_pretty()?)?;
 ```
 
 ## Configuration
 
 ```rust
-use sigstore_sign::SigningConfig;
+use sigstore_sign::SigningContext;
 
-// Production (default)
-let config = SigningConfig::production();
+// Production environment
+let context = SigningContext::production();
 
 // Staging environment
-let config = SigningConfig::staging();
-
-// Custom configuration
-let config = SigningConfig {
-    fulcio_url: "https://fulcio.example.com".into(),
-    rekor_url: "https://rekor.example.com".into(),
-    // ...
-};
+let context = SigningContext::staging();
 ```
 
 ## Related Crates

crates/sigstore-sign/src/lib.rs

@@ -35,4 +35,6 @@ pub use sigstore_tsa as tsa;
 pub use sigstore_types as types;
 
 pub use error::{Error, Result};
-pub use sign::{sign_context, Signer, SigningConfig, SigningContext};
+pub use sign::{
+    sign_context, Attestation, AttestationSubject, Signer, SigningConfig, SigningContext,
+};