Bump sigstore, remove deprecated email identity setting (#37)

* treewide: bump to sigstore 0.8.3, remove deprecated setting

Signed-off-by: William Woodruff <[email protected]>

* workflows/selftest: remove old selftest

Signed-off-by: William Woodruff <[email protected]>

* README: fix accidental edit

Signed-off-by: William Woodruff <[email protected]>

* action: toggle verification

Signed-off-by: William Woodruff <[email protected]>

* action: lintage

Signed-off-by: William Woodruff <[email protected]>

* workflows/selftest: exercise verification

Signed-off-by: William Woodruff <[email protected]>

* action: prevent users from specifying ineffective verification options

Signed-off-by: William Woodruff <[email protected]>

* workflows/selftest: experiment with xfails

Signed-off-by: William Woodruff <[email protected]>

* workflows/selftest: more experimenting

Signed-off-by: William Woodruff <[email protected]>

* selftest: fix xfail

Signed-off-by: William Woodruff <[email protected]>

* workflows/selftest: xfail matrix

Signed-off-by: William Woodruff <[email protected]>

Signed-off-by: William Woodruff <[email protected]>

Author: woodruffw

.github/workflows/selftest.yml

@@ -73,7 +73,7 @@ jobs:
           certificate: ./test/custom_certificate.crt
           staging: true
 
-  selftest-verify-cert-identity:
+  selftest-verify:
     runs-on: ubuntu-latest
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
     steps:
@@ -83,35 +83,54 @@ jobs:
         id: sigstore-python
         with:
           inputs: ./test/artifact.txt
+          verify: true
           verify-cert-identity: https://github.com/sigstore/gh-action-sigstore-python/.github/workflows/selftest.yml@${{ github.ref }}
+          verify-oidc-issuer: https://token.actions.githubusercontent.com
           staging: true
 
-  # NOTE(ww): Remove once `verify-cert-email` is removed.
-  selftest-verify-cert-email:
+  selftest-xfail-verify-missing-options:
     runs-on: ubuntu-latest
-    if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
-    steps:
-      - uses: actions/checkout@v3
-      - name: Sign artifact and publish signature
-        uses: ./
-        id: sigstore-python
-        with:
-          inputs: ./test/artifact.txt
-          verify-cert-email: https://github.com/sigstore/gh-action-sigstore-python/.github/workflows/selftest.yml@${{ github.ref }}
-          staging: true
+    strategy:
+      matrix:
+        config:
+          # fails if both verify-cert-identity and verify-oidc-issuer are missing
+          - verify: true
+
+          # fails if either is missing
+          - verify: true
+            verify-oidc-issuer: https://token.actions.githubusercontent.com
+
+          - verify: true
+            verify-cert-identity: https://github.com/sigstore/gh-action-sigstore-python/.github/workflows/selftest.yml@${{ github.ref }}
+
+          # fails if either option is passed while verification is disabled
+          - verify: false
+            verify-oidc-issuer: https://token.actions.githubusercontent.com
+
+          - verify: false
+            verify-cert-identity: https://github.com/sigstore/gh-action-sigstore-python/.github/workflows/selftest.yml@${{ github.ref }}
 
-  selftest-verify-issuer:
-    runs-on: ubuntu-latest
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
     steps:
       - uses: actions/checkout@v3
       - name: Sign artifact and publish signature
+        continue-on-error: true
         uses: ./
         id: sigstore-python
         with:
           inputs: ./test/artifact.txt
-          verify-oidc-issuer: https://token.actions.githubusercontent.com
+          verify: ${{ matrix.config.verify }}
+          verify-oidc-issuer: ${{ matrix.config.verify-oidc-issuer }}
+          verify-cert-identity: ${{ matrix.config.verify-cert-identity }}
           staging: true
+      - name: Check failure
+        env:
+          XFAIL: ${{ steps.sigstore-python.outcome == 'failure' }}
+          JOB_NAME: ${{ github.job }}
+        run: |
+          echo "xfail ${JOB_NAME}: ${XFAIL}"
+
+          [[ "${XFAIL}" == "true" ]] || { >&2 echo "expected step to fail"; exit 1; }
 
   selftest-identity-token:
     runs-on: ubuntu-latest

README.md

@@ -264,26 +264,6 @@ Example:
     verify: false
 ```
 
-### `verify-cert-email`
-
-**Default**: Empty
-
-**This option is deprecated, with [`verify-cert-identity`](#verify-cert-identity) as a replacement.
-It will be removed in an upcoming release.**
-
-The `verify-cert-email` setting controls whether to verify the Subject Alternative Name (SAN) of the
-signing certificate after signing has taken place. If it is set, `sigstore-python` will compare the
-certificate's SAN against the provided value.
-
-This setting only applies if `verify` is set to `true`.
-
-```yaml
-- uses: sigstore/[email protected]
-  with:
-    inputs: file.txt
-    verify-cert-identity: [email protected]
-```
-
 ### `verify-cert-identity`
 
 **Default**: Empty

action.py

@@ -80,7 +80,7 @@ def _fatal_help(msg):
 sigstore_python_env = {}
 
 # Flag to check whether we want enable the verify step.
-enable_verify = True
+enable_verify = bool(os.getenv("GHA_SIGSTORE_PYTHON_VERIFY", "false").lower() == "true")
 
 # A list of paths to signing artifacts generated by `sigstore-python`. We want
 # to upload these as workflow artifacts after signing.
@@ -142,26 +142,20 @@ def _fatal_help(msg):
     sigstore_sign_args.append("--staging")
     sigstore_verify_args.append("--staging")
 
-if os.getenv("GHA_SIGSTORE_PYTHON_VERIFY", "false") == "false":
-    enable_verify = False
-
-verify_cert_email = os.getenv("GHA_SIGSTORE_PYTHON_VERIFY_CERT_EMAIL")
-if verify_cert_email != "":
-    _warning(
-        "verify-cert-email has been deprecated and will be removed in the next release; "
-        "use verify-cert-identity instead. "
-        "See: https://github.com/sigstore/gh-action-sigstore-python#verify-cert-identity"
-    )
-    # NOTE: This will cause sigstore-python to fail if the user passes the identity
-    # via both `--cert-email` and `--cert-identity`, but that's acceptable.
-    sigstore_verify_args.extend(["--cert-email", verify_cert_email])
-
 verify_cert_identity = os.getenv("GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY")
-if verify_cert_identity != "":
+if enable_verify and not verify_cert_identity:
+    _fatal_help("verify-cert-identity must be specified when verify is enabled")
+elif not enable_verify and verify_cert_identity:
+    _fatal_help("verify-cert-identity cannot be specified without verify: true")
+else:
     sigstore_verify_args.extend(["--cert-identity", verify_cert_identity])
 
 verify_oidc_issuer = os.getenv("GHA_SIGSTORE_PYTHON_VERIFY_OIDC_ISSUER")
-if verify_oidc_issuer != "":
+if enable_verify and not verify_oidc_issuer:
+    _fatal_help("verify-oidc-issuer must be specified when verify is enabled")
+elif not enable_verify and verify_oidc_issuer:
+    _fatal_help("verify-oidc-issuer cannot be specified without verify: true")
+else:
     sigstore_verify_args.extend(["--cert-oidc-issuer", verify_oidc_issuer])
 
 for input_ in inputs:

action.yml

@@ -63,20 +63,19 @@ inputs:
   verify:
     description: "verify the generated signatures after signing"
     required: false
-    default: true
-  verify-cert-email:
+    default: false
+  verify-cert-identity:
     description: |
-      verify the email in the signing certificate's Subject Alternative Name (only applies when `verify` is enabled)
+      verify the identity in the signing certificate's Subject Alternative Name
 
-      this option is DEPRECATED and will be removed in an upcoming release of this action.
-    required: false
-    default: ""
-  verify-cert-identity:
-    description: "verify the identity in the signing certificate's Subject Alternative Name (only applies when `verify` is enabled)"
+      required if `verify` is enabled; has no effect otherwise.
     required: false
     default: ""
   verify-oidc-issuer:
-    description: "verify the issuer extension of the signing certificate (only applies when `verify` is enabled)"
+    description: |
+      verify the issuer extension of the signing certificate
+
+      required if `verify` is enabled; has no effect otherwise.
     required: false
     default: ""
   upload-signing-artifacts:
@@ -117,7 +116,6 @@ runs:
         GHA_SIGSTORE_PYTHON_REKOR_ROOT_PUBKEY: "${{ inputs.rekor-root-pubkey }}"
         GHA_SIGSTORE_PYTHON_STAGING: "${{ inputs.staging }}"
         GHA_SIGSTORE_PYTHON_VERIFY: "${{ inputs.verify }}"
-        GHA_SIGSTORE_PYTHON_VERIFY_CERT_EMAIL: "${{ inputs.verify-cert-email }}"
         GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY: "${{ inputs.verify-cert-identity }}"
         GHA_SIGSTORE_PYTHON_VERIFY_OIDC_ISSUER: "${{ inputs.verify-oidc-issuer }}"
         GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG: "${{ inputs.internal-be-careful-debug }}"

requirements.txt

@@ -1 +1 @@
-sigstore==0.7.0
+sigstore==0.8.3