sigstore: Bump to v0.7.0 (#36)

* sigstore: Bump to v0.7.0

Signed-off-by: Alex Cameron <[email protected]>

* README, action: re-enable verify-cert-email with a deprecation warning

Signed-off-by: William Woodruff <[email protected]>

* workflows: enable identity selftest

Signed-off-by: William Woodruff <[email protected]>

* workflows/selftest: add a verify-cert-email test

Signed-off-by: William Woodruff <[email protected]>

* action.py: add a URL

Signed-off-by: William Woodruff <[email protected]>

Signed-off-by: Alex Cameron <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Co-authored-by: William Woodruff <[email protected]>

Author: tetsuo-cpp

.github/workflows/selftest.yml

@@ -73,19 +73,32 @@ jobs:
           certificate: ./test/custom_certificate.crt
           staging: true
 
-  # NOTE(alex): `sigstore-python` doesn't support verifying URI SANs yet.
-  # selftest-verify-san:
-  #   runs-on: ubuntu-latest
-  #   if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
-  #   steps:
-  #     - uses: actions/checkout@v3
-  #     - name: Sign artifact and publish signature
-  #       uses: ./
-  #       id: sigstore-python
-  #       with:
-  #         inputs: ./test/artifact.txt
-  #         verify-cert-email: https://github.com/sigstore/gh-action-sigstore-python/.github/workflows/selftest.yml@${{ github.ref }}
-  #         staging: true
+  selftest-verify-cert-identity:
+    runs-on: ubuntu-latest
+    if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
+    steps:
+      - uses: actions/checkout@v3
+      - name: Sign artifact and publish signature
+        uses: ./
+        id: sigstore-python
+        with:
+          inputs: ./test/artifact.txt
+          verify-cert-identity: https://github.com/sigstore/gh-action-sigstore-python/.github/workflows/selftest.yml@${{ github.ref }}
+          staging: true
+
+  # NOTE(ww): Remove once `verify-cert-email` is removed.
+  selftest-verify-cert-email:
+    runs-on: ubuntu-latest
+    if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
+    steps:
+      - uses: actions/checkout@v3
+      - name: Sign artifact and publish signature
+        uses: ./
+        id: sigstore-python
+        with:
+          inputs: ./test/artifact.txt
+          verify-cert-email: https://github.com/sigstore/gh-action-sigstore-python/.github/workflows/selftest.yml@${{ github.ref }}
+          staging: true
 
   selftest-verify-issuer:
     runs-on: ubuntu-latest

README.md

@@ -268,6 +268,9 @@ Example:
 
 **Default**: Empty
 
+**This option is deprecated, with [`verify-cert-identity`](#verify-cert-identity) as a replacement.
+It will be removed in an upcoming release.**
+
 The `verify-cert-email` setting controls whether to verify the Subject Alternative Name (SAN) of the
 signing certificate after signing has taken place. If it is set, `sigstore-python` will compare the
 certificate's SAN against the provided value.
@@ -278,7 +281,24 @@ This setting only applies if `verify` is set to `true`.
 - uses: sigstore/[email protected]
   with:
     inputs: file.txt
-    verify-cert-email: [email protected]
+    verify-cert-identity: [email protected]
+```
+
+### `verify-cert-identity`
+
+**Default**: Empty
+
+The `verify-cert-identity` setting controls whether to verify the Subject Alternative Name (SAN) of the
+signing certificate after signing has taken place. If it is set, `sigstore-python` will compare the
+certificate's SAN against the provided value.
+
+This setting only applies if `verify` is set to `true`.
+
+```yaml
+- uses: sigstore/[email protected]
+  with:
+    inputs: file.txt
+    verify-cert-identity: [email protected]
 ```
 
 ### `verify-oidc-issuer`

action.py

@@ -61,6 +61,10 @@ def _sigstore_verify(*args):
     return ["python", "-m", "sigstore", "verify", *args]
 
 
+def _warning(msg):
+    print(f"::warning::⚠️ {msg}")
+
+
 def _fatal_help(msg):
     print(f"::error::❌ {msg}")
     sys.exit(1)
@@ -143,8 +147,19 @@ def _fatal_help(msg):
 
 verify_cert_email = os.getenv("GHA_SIGSTORE_PYTHON_VERIFY_CERT_EMAIL")
 if verify_cert_email != "":
+    _warning(
+        "verify-cert-email has been deprecated and will be removed in the next release; "
+        "use verify-cert-identity instead. "
+        "See: https://github.com/sigstore/gh-action-sigstore-python#verify-cert-identity"
+    )
+    # NOTE: This will cause sigstore-python to fail if the user passes the identity
+    # via both `--cert-email` and `--cert-identity`, but that's acceptable.
     sigstore_verify_args.extend(["--cert-email", verify_cert_email])
 
+verify_cert_identity = os.getenv("GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY")
+if verify_cert_identity != "":
+    sigstore_verify_args.extend(["--cert-identity", verify_cert_identity])
+
 verify_oidc_issuer = os.getenv("GHA_SIGSTORE_PYTHON_VERIFY_OIDC_ISSUER")
 if verify_oidc_issuer != "":
     sigstore_verify_args.extend(["--cert-oidc-issuer", verify_oidc_issuer])

action.yml

@@ -65,11 +65,18 @@ inputs:
     required: false
     default: true
   verify-cert-email:
-    description: "verify the email address to in the signing certificate's Subject Alternative Name (only applies when `verify` is on)"
+    description: |
+      verify the email in the signing certificate's Subject Alternative Name (only applies when `verify` is enabled)
+
+      this option is DEPRECATED and will be removed in an upcoming release of this action.
+    required: false
+    default: ""
+  verify-cert-identity:
+    description: "verify the identity in the signing certificate's Subject Alternative Name (only applies when `verify` is enabled)"
     required: false
     default: ""
   verify-oidc-issuer:
-    description: "verify the issuer extension of the signing certificate"
+    description: "verify the issuer extension of the signing certificate (only applies when `verify` is enabled)"
     required: false
     default: ""
   upload-signing-artifacts:
@@ -111,6 +118,7 @@ runs:
         GHA_SIGSTORE_PYTHON_STAGING: "${{ inputs.staging }}"
         GHA_SIGSTORE_PYTHON_VERIFY: "${{ inputs.verify }}"
         GHA_SIGSTORE_PYTHON_VERIFY_CERT_EMAIL: "${{ inputs.verify-cert-email }}"
+        GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY: "${{ inputs.verify-cert-identity }}"
         GHA_SIGSTORE_PYTHON_VERIFY_OIDC_ISSUER: "${{ inputs.verify-oidc-issuer }}"
         GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG: "${{ inputs.internal-be-careful-debug }}"
       shell: bash

requirements.txt

@@ -1 +1 @@
-sigstore==0.6.8
+sigstore==0.7.0