Bundle support (#42)

* requirements: sigstore ~= 1.1

Signed-off-by: William Woodruff <[email protected]>

* action: initial Sigstore bundle support

Signed-off-by: William Woodruff <[email protected]>

* selftest: add some file tests

Signed-off-by: William Woodruff <[email protected]>

* action: fix path

Signed-off-by: William Woodruff <[email protected]>

* selftest: whitespace

Signed-off-by: William Woodruff <[email protected]>

* README: document `bundle`

Signed-off-by: William Woodruff <[email protected]>

---------

Signed-off-by: William Woodruff <[email protected]>

Author: woodruffw

.github/workflows/selftest.yml

@@ -21,6 +21,11 @@ jobs:
         id: sigstore-python
         with:
           inputs: ./test/artifact.txt
+      - name: Check outputs
+        run: |
+          [[ -f ./test/artifact.txt.sig ]] || exit 1
+          [[ -f ./test/artifact.txt.crt ]] || exit 1
+          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
 
   selftest-xfail-invalid-inputs:
     runs-on: ubuntu-latest
@@ -60,6 +65,11 @@ jobs:
         with:
           inputs: ./test/artifact.txt
           staging: true
+      - name: Check outputs
+        run: |
+          [[ -f ./test/artifact.txt.sig ]] || exit 1
+          [[ -f ./test/artifact.txt.crt ]] || exit 1
+          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
 
   selftest-glob:
     runs-on: ubuntu-latest
@@ -98,7 +108,13 @@ jobs:
           inputs: ./test/artifact.txt
           signature: ./test/custom_signature.sig
           certificate: ./test/custom_certificate.crt
+          bundle: ./test/custom_bundle.sigstore
           staging: true
+      - name: Check outputs
+        run: |
+          [[ -f ./test/custom_signature.sig ]] || exit 1
+          [[ -f ./test/custom_certificate.crt ]] || exit 1
+          [[ -f ./test/custom_bundle.sigstore ]] || exit 1
 
   selftest-verify:
     runs-on: ubuntu-latest

README.md

@@ -162,6 +162,31 @@ However, this example is invalid:
     certificate: custom-certificate-filename.crt
 ```
 
+### `bundle`
+
+**Default**: Empty (bundle files will get named as `{input}.sigstore`)
+
+The `bundle` setting controls the name of the output Sigstore bundle. This setting does not work
+when signing multiple input files.
+
+Example:
+
+```yaml
+- uses: sigstore/[email protected]
+  with:
+    inputs: file.txt
+    bundle: custom-bundle.sigstore
+```
+
+However, this example is invalid:
+
+```yaml
+- uses: sigstore/[email protected]
+  with:
+    inputs: file0.txt file1.txt file2.txt
+    certificate: custom-bundle.sigstore
+```
+
 ### `fulcio-url`
 
 **Default**: `https://fulcio.sigstore.dev`

action.py

@@ -114,21 +114,19 @@ def _fatal_help(msg):
 if signature != "":
     sigstore_sign_args.extend(["--signature", signature])
     sigstore_verify_args.extend(["--signature", signature])
+    signing_artifact_paths.append(signature)
 
 certificate = os.getenv("GHA_SIGSTORE_PYTHON_CERTIFICATE")
 if certificate != "":
     sigstore_sign_args.extend(["--certificate", certificate])
     sigstore_verify_args.extend(["--certificate", certificate])
+    signing_artifact_paths.append(certificate)
 
-output_signature = os.getenv("GHA_SIGSTORE_PYTHON_SIGNATURE")
-if output_signature != "":
-    sigstore_sign_args.extend(["--signature", output_signature])
-    signing_artifact_paths.append(output_signature)
-
-output_certificate = os.getenv("GHA_SIGSTORE_PYTHON_CERTIFICATE")
-if output_certificate != "":
-    sigstore_sign_args.extend(["--certificate", output_certificate])
-    signing_artifact_paths.append(output_certificate)
+bundle = os.getenv("GHA_SIGSTORE_PYTHON_BUNDLE")
+if bundle != "":
+    sigstore_sign_args.extend(["--bundle", bundle])
+    sigstore_verify_args.extend(["--bundle", bundle])
+    signing_artifact_paths.append(bundle)
 
 fulcio_url = os.getenv("GHA_SIGSTORE_PYTHON_FULCIO_URL")
 if fulcio_url != "":
@@ -180,6 +178,8 @@ def _fatal_help(msg):
             signing_artifact_paths.append(f"{file_}.crt")
         if "--signature" not in sigstore_sign_args:
             signing_artifact_paths.append(f"{file_}.sig")
+        if "--bundle" not in sigstore_sign_args:
+            signing_artifact_paths.append(f"{file_}.sigstore")
 
     sigstore_sign_args.extend(files)
     sigstore_verify_args.extend(files)

action.yml

@@ -40,6 +40,10 @@ inputs:
     description: "write a single certificate to the given file; does not work with multiple input files"
     required: false
     default: ""
+  bundle:
+    description: "write a single Sigstore bundle to the given file; does not work with multiple input files"
+    required: false
+    default: ""
   fulcio-url:
     description: "the Fulcio instance to use (conflicts with `staging`)"
     required: false
@@ -108,6 +112,7 @@ runs:
         GHA_SIGSTORE_PYTHON_IDENTITY_TOKEN: "${{ inputs.identity-token }}"
         GHA_SIGSTORE_PYTHON_SIGNATURE: "${{ inputs.signature }}"
         GHA_SIGSTORE_PYTHON_CERTIFICATE: "${{ inputs.certificate }}"
+        GHA_SIGSTORE_PYTHON_BUNDLE: "${{ inputs.bundle }}"
         GHA_SIGSTORE_PYTHON_OIDC_CLIENT_ID: "${{ inputs.oidc-client-id }}"
         GHA_SIGSTORE_PYTHON_OIDC_CLIENT_SECRET: "${{ inputs.oidc-client-secret }}"
         GHA_SIGSTORE_PYTHON_FULCIO_URL: "${{ inputs.fulcio-url }}"

requirements.txt

@@ -1 +1 @@
-sigstore ~= 1.0
+sigstore ~= 1.1