Streamline settings (#22)

* Remove `no-default-files` setting

Signed-off-by: Alex Cameron <[email protected]>

* Remove `overwrite` setting

* Add setting for identity token for the case where we don't want to use
the GitHub Actions credential

* Remove overwrite mapping

* Add identity token mapping

* Rename `oidc-issuer` to `verify-oidc-issuer` and only apply it to the
`verify` invocation

* Update action.py

Co-authored-by: William Woodruff <[email protected]>

* Fix CLI option

* Get the name right this time...

* Add more self tests to CI (#23)

* Add a few more selftests

* Add selftest to verify OIDC issuer

* Fill in the expected OIDC issuer

* Fill in expected SAN

* Correct SAN

* Comment out verify SAN test

* Add selftest to exercise `identity-token` setting

* Update .github/workflows/selftest.yml

Co-authored-by: William Woodruff <[email protected]>

Co-authored-by: William Woodruff <[email protected]>

Author: tetsuo-cpp

.github/workflows/selftest.yml

@@ -41,6 +41,7 @@ jobs:
         id: sigstore-python
         with:
           inputs: ./test/*.txt
+          staging: true
 
   selftest-upload-artifacts:
     runs-on: ubuntu-latest
@@ -53,3 +54,64 @@ jobs:
           inputs: ./test/artifact.txt
           staging: true
           upload-signing-artifacts: true
+
+  selftest-custom-paths:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Sign artifact and publish signature
+        uses: ./
+        id: sigstore-python
+        with:
+          inputs: ./test/artifact.txt
+          signature: ./test/custom_signature.sig
+          certificate: ./test/custom_certificate.crt
+          staging: true
+
+  # NOTE(alex): `sigstore-python` doesn't support verifying URI SANs yet.
+  # selftest-verify-san:
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - uses: actions/checkout@v3
+  #     - name: Sign artifact and publish signature
+  #       uses: ./
+  #       id: sigstore-python
+  #       with:
+  #         inputs: ./test/artifact.txt
+  #         verify-cert-email: https://github.com/trailofbits/gh-action-sigstore-python/.github/workflows/selftest.yml@${{ github.ref }}
+  #         staging: true
+
+  selftest-verify-issuer:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Sign artifact and publish signature
+        uses: ./
+        id: sigstore-python
+        with:
+          inputs: ./test/artifact.txt
+          verify-oidc-issuer: https://token.actions.githubusercontent.com
+          staging: true
+
+  selftest-identity-token:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Get OIDC token
+        id: get-oidc-token
+        run: |
+          identity_token=$( \
+            curl -H \
+              "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+              "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore" \
+            | jq -r .value \
+          )
+          echo "::set-output name=identity-token::$identity_token"
+        shell: bash
+      - name: Sign artifact and publish signature
+        uses: ./
+        id: sigstore-python
+        with:
+          inputs: ./test/artifact.txt
+          identity-token: ${{ steps.get-oidc-token.outputs.identity-token }}
+          staging: true

README.md

@@ -68,6 +68,20 @@ The `inputs` argument also supports file globbing:
     inputs: ./path/to/inputs/*.txt
 ```
 
+### `identity-token`
+
+**Default**: Empty (the GitHub Actions credential will be used)
+
+The `identity-token` setting controls the OpenID Connect token provided to Fulcio. By default, the
+workflow will use the credentials found in the GitHub Actions environment.
+
+```yaml
+- uses: trailofbits/[email protected]
+  with:
+    inputs: file.txt
+    identity-token: ${{ IDENTITY_TOKEN  }} # assigned elsewhere
+```
+
 ### `oidc-client-id`
 
 **Default**: `sigstore`
@@ -100,25 +114,6 @@ Example:
     oidc-client-secret: alternative-sigstore-secret
 ```
 
-### `no-default-files`
-
-**Default**: `false`
-
-The `no-default-files` setting controls whether the default output files (`{input}.sig` and
-`{input.crt}`) are emitted.
-
-These output files are necessary for verification so turning this setting on will automatically set
-`verify` to `false`.
-
-Example:
-
-```yaml
-- uses: trailofbits/[email protected]
-  with:
-    inputs: file.txt
-    no-default-files: true
-```
-
 ### `signature`
 
 **Default**: Empty (signature files will get named as `{input}.sig`)
@@ -169,22 +164,6 @@ However, this example is invalid:
     certificate: custom-certificate-filename.crt
 ```
 
-### `overwrite`
-
-**Default**: `false`
-
-The `overwrite` setting controls whether preexisting signature and certificate outputs get
-overwritten.
-
-Example:
-
-```yaml
-- uses: trailofbits/[email protected]
-  with:
-    inputs: file.txt
-    overwrite: true
-```
-
 ### `fulcio-url`
 
 **Default**: `https://fulcio.sigstore.dev`
@@ -249,23 +228,6 @@ Example:
     ctfe: ./path/to/rekor.pub
 ```
 
-### `oidc-issuer`
-
-**Default**: `https://oauth2.sigstore.dev/auth`
-
-The `oidc-issuer` setting controls the OpenID Connect issuer to retrieve the OpenID Connect token
-from. If `verify` is on, the issuer extension of the signing certificate will also get
-checked to ensure that it matches.
-
-Example:
-
-```yaml
-- uses: trailofbits/[email protected]
-  with:
-    inputs: file.txt
-    oidc-issuer: https://oauth2.sigstage.dev/auth
-```
-
 ### `staging`
 
 **Default**: `false`
@@ -319,6 +281,25 @@ This setting only applies if `verify` is set to `true`.
     verify-cert-email: [email protected]
 ```
 
+### `verify-oidc-issuer`
+
+**Default**: `https://oauth2.sigstore.dev/auth`
+
+The `verify-oidc-issuer` setting controls whether to verify the issuer extension of the signing
+certificate after signing has taken place. If it is set, `sigstore-python` will compare the
+certificate's issuer extension against the provided value.
+
+This setting only applies if `verify` is set to `true`.
+
+Example:
+
+```yaml
+- uses: trailofbits/[email protected]
+  with:
+    inputs: file.txt
+    verify-oidc-issuer: https://oauth2.sigstage.dev/auth
+```
+
 ### `upload-signing-artifacts`
 
 **Default**: `false`

action.py

@@ -72,6 +72,10 @@ def _fatal_help(msg):
 if _DEBUG:
     sigstore_python_env["SIGSTORE_LOGLEVEL"] = "DEBUG"
 
+identity_token = os.getenv("GHA_SIGSTORE_PYTHON_IDENTITY_TOKEN")
+if identity_token != "":
+    sigstore_sign_args.extend(["--identity-token", identity_token])
+
 client_id = os.getenv("GHA_SIGSTORE_PYTHON_OIDC_CLIENT_ID")
 if client_id != "":
     sigstore_sign_args.extend(["--oidc-client-id", client_id])
@@ -80,16 +84,6 @@ def _fatal_help(msg):
 if client_secret != "":
     sigstore_sign_args.extend(["--oidc-client-secret", client_secret])
 
-if os.getenv("GHA_SIGSTORE_PYTHON_NO_DEFAULT_FILES", "false") != "false":
-    sigstore_sign_args.append("--no-default-files")
-
-    # If we don't write the certificate and signature to the disk, we're unable
-    # to verify afterwards.
-    _debug(
-        "disabling verification due to the `no-default-files` setting being provided"
-    )
-    enable_verify = False
-
 signature = os.getenv("GHA_SIGSTORE_PYTHON_SIGNATURE")
 if signature != "":
     sigstore_sign_args.extend(["--signature", signature])
@@ -110,9 +104,6 @@ def _fatal_help(msg):
     sigstore_sign_args.extend(["--certificate", output_certificate])
     signing_artifact_paths.append(output_certificate)
 
-if os.getenv("GHA_SIGSTORE_PYTHON_OVERWRITE", "false") != "false":
-    sigstore_sign_args.append("--overwrite")
-
 fulcio_url = os.getenv("GHA_SIGSTORE_PYTHON_FULCIO_URL")
 if fulcio_url != "":
     sigstore_sign_args.extend(["--fulcio-url", fulcio_url])
@@ -130,11 +121,6 @@ def _fatal_help(msg):
 if rekor_root_pubkey != "":
     sigstore_sign_args.extend(["--rekor-root-pubkey", rekor_root_pubkey])
 
-oidc_issuer = os.getenv("GHA_SIGSTORE_PYTHON_OIDC_ISSUER")
-if oidc_issuer != "":
-    sigstore_sign_args.extend(["--oidc-issuer", oidc_issuer])
-    sigstore_verify_args.extend(["--oidc-issuer", oidc_issuer])
-
 if os.getenv("GHA_SIGSTORE_PYTHON_STAGING", "false") != "false":
     sigstore_sign_args.append("--staging")
     sigstore_verify_args.append("--staging")
@@ -146,6 +132,10 @@ def _fatal_help(msg):
 if verify_cert_email != "":
     sigstore_verify_args.extend(["--cert-email", verify_cert_email])
 
+verify_oidc_issuer = os.getenv("GHA_SIGSTORE_PYTHON_VERIFY_OIDC_ISSUER")
+if verify_oidc_issuer != "":
+    sigstore_verify_args.extend(["--cert-oidc-issuer", verify_oidc_issuer])
+
 for input_ in inputs:
     # Forbid things that look like flags. This isn't a security boundary; just
     # a way to prevent (less motivated) users from breaking the action on themselves.
@@ -224,20 +214,19 @@ def _fatal_help(msg):
 #
 # In GitHub Actions, environment variables can be made to persist across
 # workflow steps by appending to the file at `GITHUB_ENV`.
-if "--no-default-files" not in sigstore_sign_args:
-    with Path(os.getenv("GITHUB_ENV")).open("a") as gh_env:
-        # Multiline values must match the following syntax:
-        #
-        # {name}<<{delimiter}
-        # {value}
-        # {delimiter}
-        gh_env.write(
-            "GHA_SIGSTORE_PYTHON_SIGNING_ARTIFACTS<<EOF"
-            + os.linesep
-            + os.linesep.join(signing_artifact_paths)
-            + os.linesep
-            + "EOF"
-        )
+with Path(os.getenv("GITHUB_ENV")).open("a") as gh_env:
+    # Multiline values must match the following syntax:
+    #
+    # {name}<<{delimiter}
+    # {value}
+    # {delimiter}
+    gh_env.write(
+        "GHA_SIGSTORE_PYTHON_SIGNING_ARTIFACTS<<EOF"
+        + os.linesep
+        + os.linesep.join(signing_artifact_paths)
+        + os.linesep
+        + "EOF"
+    )
 
 
 # If signing didn't fail, then we check the verification status, if present.

action.yml

@@ -6,6 +6,10 @@ inputs:
     description: "the files to sign, whitespace separated"
     required: true
     default: ""
+  identity-token:
+    description: "the OIDC identity token to use"
+    required: false
+    default: ""
   oidc-client-id:
     description: "the custom OpenID Connect client ID to use during OAuth2"
     required: false
@@ -14,10 +18,6 @@ inputs:
     description: "the custom OpenID Connect client secret to use during OAuth2"
     required: false
     default: ""
-  no-default-files:
-    description: "don't emit the default output files ({input}.sig and {input}.crt)"
-    required: false
-    default: false
   signature:
     description: "write a single signature to the given file; does not work with multiple input files"
     required: false
@@ -26,10 +26,6 @@ inputs:
     description: "write a single certificate to the given file; does not work with multiple input files"
     required: false
     default: ""
-  overwrite:
-    description: "overwrite preexisting signature and certificate outputs, if present"
-    required: false
-    default: false
   fulcio-url:
     description: "the Fulcio instance to use (conflicts with `staging`)"
     required: false
@@ -46,10 +42,6 @@ inputs:
     description: "a PEM-encoded root public key for Rekor itself (conflicts with `staging`)"
     required: false
     default: ""
-  oidc-issuer:
-    description: "the OpenID Connect issuer to use; if `verify` is on, the issuer extension of the signing certificate will also get checked to ensure that it matches"
-    required: false
-    default: ""
   staging:
     description: "use sigstore's staging instances, instead of the default production instances"
     required: false
@@ -62,6 +54,10 @@ inputs:
     description: "verify the email address to in the signing certificate's Subject Alternative Name (only applies when `verify` is on)"
     required: false
     default: ""
+  verify-oidc-issuer:
+    description: "verify the issuer extension of the signing certificate"
+    required: false
+    default: ""
   upload-signing-artifacts:
     description: "upload all signing artifacts as workflow artifacts"
     required: false
@@ -89,20 +85,19 @@ runs:
       run: |
         ${{ github.action_path }}/action.py "${{ inputs.inputs }}"
       env:
-        GHA_SIGSTORE_PYTHON_NO_DEFAULT_FILES: "${{ inputs.no-default-files }}"
+        GHA_SIGSTORE_PYTHON_IDENTITY_TOKEN: "${{ inputs.identity-token }}"
         GHA_SIGSTORE_PYTHON_SIGNATURE: "${{ inputs.signature }}"
         GHA_SIGSTORE_PYTHON_CERTIFICATE: "${{ inputs.certificate }}"
-        GHA_SIGSTORE_PYTHON_OVERWRITE: "${{ inputs.overwrite }}"
         GHA_SIGSTORE_PYTHON_OIDC_CLIENT_ID: "${{ inputs.oidc-client-id }}"
         GHA_SIGSTORE_PYTHON_OIDC_CLIENT_SECRET: "${{ inputs.oidc-client-secret }}"
         GHA_SIGSTORE_PYTHON_FULCIO_URL: "${{ inputs.fulcio-url }}"
         GHA_SIGSTORE_PYTHON_REKOR_URL: "${{ inputs.rekor-url }}"
         GHA_SIGSTORE_PYTHON_CTFE: "${{ inputs.ctfe }}"
         GHA_SIGSTORE_PYTHON_REKOR_ROOT_PUBKEY: "${{ inputs.rekor-root-pubkey }}"
-        GHA_SIGSTORE_PYTHON_OIDC_ISSUER: "${{ inputs.oidc-issuer }}"
         GHA_SIGSTORE_PYTHON_STAGING: "${{ inputs.staging }}"
         GHA_SIGSTORE_PYTHON_VERIFY: "${{ inputs.verify }}"
         GHA_SIGSTORE_PYTHON_VERIFY_CERT_EMAIL: "${{ inputs.verify-cert-email }}"
+        GHA_SIGSTORE_PYTHON_VERIFY_OIDC_ISSUER: "${{ inputs.verify-oidc-issuer }}"
         GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG: "${{ inputs.internal-be-careful-debug }}"
       shell: bash