Expose sigstore verify functionality (#8)

* Add verification logic

* Typo

* Fix markdown

* Attempt to fix markdown again

* Add missing details tag

* Remove explicit verify invocations in selftests

* Fiddle with timing

* Fiddle again

* Log for verification

* Wait a full min

* Remove timing sleeps

* Add settings for remaining verify CLI options

* Allow verification to be disabled

* The `no-default-files` setting implies turning off verification

* Add documentation for new settings

* Fix lint

* Remove output prefix from `output-{certificate, signature}` settings (#10)

* action: reformat

Signed-off-by: William Woodruff <[email protected]>

* workflows/selftest: debugging

Signed-off-by: William Woodruff <[email protected]>

* action: fix inputs

Signed-off-by: William Woodruff <[email protected]>

* treewide: rename `verify-enable` -> `verify`

"Enable" is redundant.

Signed-off-by: William Woodruff <[email protected]>

Co-authored-by: William Woodruff <[email protected]>

Author: tetsuo-cpp

.github/workflows/selftest.yml

@@ -20,9 +20,6 @@ jobs:
         id: sigstore-python
         with:
           inputs: ./test/artifact.txt
-      - name: Verify artifact signature
-        run: |
-          sigstore verify --certificate ./test/artifact.txt.crt --signature ./test/artifact.txt.sig ./test/artifact.txt
 
   selftest-staging:
     runs-on: ubuntu-latest
@@ -34,9 +31,6 @@ jobs:
         with:
           inputs: ./test/artifact.txt
           staging: true
-      - name: Verify artifact signature
-        run: |
-          sigstore verify --certificate ./test/artifact.txt.crt --signature ./test/artifact.txt.sig --staging ./test/artifact.txt
 
   selftest-glob:
     runs-on: ubuntu-latest
@@ -47,9 +41,6 @@ jobs:
         id: sigstore-python
         with:
           inputs: ./test/*.txt
-      - name: Verify artifact signatures
-        run: |
-          sigstore verify ./test/artifact.txt ./test/artifact1.txt ./test/artifact2.txt
 
   selftest-upload-artifacts:
     runs-on: ubuntu-latest

README.md

@@ -107,6 +107,9 @@ Example:
 The `no-default-files` setting controls whether the default output files (`{input}.sig` and
 `{input.crt}`) are emitted.
 
+These output files are necessary for verification so turning this setting on will automatically set
+`verify` to `false`.
+
 Example:
 
 ```yaml
@@ -116,20 +119,20 @@ Example:
     no-default-files: true
 ```
 
-### `output-signature`
+### `signature`
 
 **Default**: Empty (signature files will get named as `{input}.sig`)
 
-The `output-signature` setting controls the name of the output signature file. This setting does
-not work when signing multiple input files.
+The `signature` setting controls the name of the output signature file. This setting does not work
+when signing multiple input files.
 
 Example:
 
 ```yaml
 - uses: trailofbits/[email protected]
   with:
     inputs: file.txt
-    output-signature: custom-signature-filename.sig
+    signature: custom-signature-filename.sig
 ```
 
 However, this example is invalid:
@@ -138,23 +141,23 @@ However, this example is invalid:
 - uses: trailofbits/[email protected]
   with:
     inputs: file0.txt file1.txt file2.txt
-    output-signature: custom-signature-filename.sig
+    signature: custom-signature-filename.sig
 ```
 
-### `output-certificate`
+### `certificate`
 
 **Default**: Empty (certificate files will get named as `{input}.crt`)
 
-The `output-certificate` setting controls the name of the output certificate file. This setting does
-not work when signing multiple input files.
+The `certificate` setting controls the name of the output certificate file. This setting does not
+work when signing multiple input files.
 
 Example:
 
 ```yaml
 - uses: trailofbits/[email protected]
   with:
     inputs: file.txt
-    output-certificate: custom-certificate-filename.crt
+    certificate: custom-certificate-filename.crt
 ```
 
 However, this example is invalid:
@@ -163,7 +166,7 @@ However, this example is invalid:
 - uses: trailofbits/[email protected]
   with:
     inputs: file0.txt file1.txt file2.txt
-    output-certificate: custom-certificate-filename.crt
+    certificate: custom-certificate-filename.crt
 ```
 
 ### `overwrite`
@@ -251,7 +254,8 @@ Example:
 **Default**: `https://oauth2.sigstore.dev/auth`
 
 The `oidc-issuer` setting controls the OpenID Connect issuer to retrieve the OpenID Connect token
-from.
+from. If `verify` is on, the issuer extension of the signing certificate will also get
+checked to ensure that it matches.
 
 Example:
 
@@ -278,6 +282,43 @@ Example:
     staging: true
 ```
 
+### `verify`
+
+**Default**: `true`
+
+The `verify` setting controls whether or not the generated signatures and certificates are
+verified with the `sigstore verify` subcommand after all files have been signed.
+
+This is not strictly necessary but can act as a smoke test to ensure that all signing artifacts were
+generated properly and the signature was properly submitted to Rekor.
+
+
+Example:
+
+```yaml
+- uses: trailofbits/[email protected]
+  with:
+    inputs: file.txt
+    verify: false
+```
+
+### `verify-cert-email`
+
+**Default**: Empty
+
+The `verify-cert-email` setting controls whether to verify the Subject Alternative Name (SAN) of the
+signing certificate after signing has taken place. If it is set, `sigstore-python` will compare the
+certificate's SAN against the provided value.
+
+This setting only applies if `verify` is set to `true`.
+
+```yaml
+- uses: trailofbits/[email protected]
+  with:
+    inputs: file.txt
+    verify-cert-email: [email protected]
+```
+
 ### `upload-signing-artifacts`
 
 **Default**: `false`