feat: adding trust_config parameter for private sigstore instances (#460)

* feat: adding trust_config param for private sigstore instances

Signed-off-by: SequeI <[email protected]>

* fix: reword trust config example

Signed-off-by: SequeI <[email protected]>

---------

Signed-off-by: SequeI <[email protected]>

Author: SequeI

CHANGELOG.md

@@ -28,6 +28,7 @@ All versions prior to 1.0.0 are untracked.
 - cli: Added support for `--ignore_unsigned_files` option
 - Implemented a new, minimal container image. This variant excludes optional dependencies (like OTel and PKCS#11) to reduce footprint, focusing solely on core signing and verification mechanisms.
 - The library now requires at least v4.0.0 of `sigstore` due to breaking changes in that library
+- Added support for signing and verifying using private Sigstore instances (`--trust_config`)
 
 ## [1.0.1] - 2024-04-18
 

README.md

@@ -117,6 +117,32 @@ This will open an OIDC flow to obtain a short lived token for the certificate.
 The identity used during signing and the provider must be reused during
 verification.
 
+## Using Private Sigstore Instances
+
+To use a private Sigstore setup (e.g. custom Rekor/Fulcio), use the `--trust_config` flag:
+
+```bash
+[...]$ model_signing sign bert-base-uncased --trust_config client_trust_config.json
+```
+
+For verification:
+
+```bash
+[...]$ model_signing verify bert-base-uncased \
+      --signature model.sig \
+      --trust_config client_trust_config.json
+      --identity "$identity"
+      --identity_provider "$oidc_provider"
+```
+
+The `client_trust_config.json` file should include:
+
+- A signed target trust root
+- A `signingConfig` section with your private Rekor, Fulcio, and CT log endpoints
+- Public keys for verification (if applicable)
+
+You can find an example `client_trust_config.json` that references the public Sigstore production services in the Sigstore Python repository [here](https://github.com/sigstore/sigstore-python/blob/main/test/assets/trust_config/config.v1.json).
+
 As another example, here is how we can sign with private keys. First, we
 generate the key pair:
 

src/model_signing/_cli.py

@@ -68,6 +68,14 @@ def set_attribute(self, key, value):
     help="Location of the signature file to verify.",
 )
 
+# Decorator for the commonly used option for the custom trust configuration.
+_trust_config_option = click.option(
+    "--trust_config",
+    type=pathlib.Path,
+    metavar="TRUST_CONFIG_PATH",
+    help="The client trust configuration to use",
+)
+
 # Decorator for the commonly used option to ignore certain paths
 _ignore_paths_option = click.option(
     "--ignore-paths",
@@ -278,6 +286,7 @@ def _sign() -> None:
 @_allow_symlinks_option
 @_write_signature_option
 @_sigstore_staging_option
+@_trust_config_option
 @click.option(
     "--use_ambient_credentials",
     type=bool,
@@ -326,6 +335,7 @@ def _sign_sigstore(
     identity_token: Optional[str] = None,
     client_id: Optional[str] = None,
     client_secret: Optional[str] = None,
+    trust_config: Optional[pathlib.Path] = None,
 ) -> None:
     """Sign using Sigstore (DEFAULT signing method).
 
@@ -342,6 +352,19 @@ def _sign_sigstore(
     Sigstore allows users to use a staging instance for test-only signatures.
     Passing the `--use_staging` flag would use that instance instead of the
     production one.
+
+    Additionally, you can specify a custom trust configuration JSON file using
+    the `--trust_config` flag. This allows you to fully customize the PKI
+    (Private Key Infrastructure) used in the signing process. By providing a
+    `--trust_config`, you can define your own transparency logs, certificate
+    authorities, and other trust settings, enabling full control over the
+    trust model, including which PKI to use for signature verification.
+
+    If `--trust_config` is not provided, the default Sigstore instance is
+    used, which is pre-configured with Sigstore’s own trusted transparency
+    logs and certificate authorities. This provides a ready-to-use default
+    trust model for most use cases but may not be suitable for custom or
+    highly regulated environments.
     """
     with tracer.start_as_current_span("Sign") as span:
         span.set_attribute("sigstore.sign_method", "sigstore")
@@ -362,6 +385,7 @@ def _sign_sigstore(
                 force_oob=oauth_force_oob,
                 client_id=client_id,
                 client_secret=client_secret,
+                trust_config=trust_config,
             ).set_hashing_config(
                 model_signing.hashing.Config()
                 .set_ignored_paths(
@@ -599,6 +623,12 @@ def _verify() -> None:
     signature is assumed to be generated via Sigstore (as if invoking `sigstore`
     subcommand).
 
+    To enable verification with custom PKI configurations, use the
+    `--trust_config` option. This allows you to specify your own set of trusted
+    public keys, transparency logs, and certificate authorities for verifying
+    the signature. If not provided, the default Sigstore instance and its
+    associated public keys, logs, and authorities are used.
+
     Use each subcommand's `--help` option for details on each mode.
     """
 
@@ -610,6 +640,7 @@ def _verify() -> None:
 @_ignore_git_paths_option
 @_allow_symlinks_option
 @_sigstore_staging_option
+@_trust_config_option
 @click.option(
     "--identity",
     type=str,
@@ -635,6 +666,7 @@ def _verify_sigstore(
     identity_provider: str,
     use_staging: bool,
     ignore_unsigned_files: bool,
+    trust_config: Optional[pathlib.Path] = None,
 ) -> None:
     """Verify using Sigstore (DEFAULT verification method).
 
@@ -661,6 +693,7 @@ def _verify_sigstore(
                 identity=identity,
                 oidc_issuer=identity_provider,
                 use_staging=use_staging,
+                trust_config=trust_config,
             ).set_hashing_config(
                 model_signing.hashing.Config()
                 .set_ignored_paths(

src/model_signing/_signing/sign_sigstore.py

@@ -73,6 +73,7 @@ def __init__(
         force_oob: bool = False,
         client_id: Optional[str] = None,
         client_secret: Optional[str] = None,
+        trust_config: Optional[pathlib.Path] = None,
     ):
         """Initializes Sigstore signers.
 
@@ -107,9 +108,18 @@ def __init__(
               identity to the OIDC provider. If not provided, it is assumed
               that the client is public or the provider does not require a
               secret.
+            trust_config: A path to a custom trust configuration. When
+              provided, the signature verification process will rely on the
+              supplied PKI and trust configurations, instead of the default
+              Sigstore setup. If not specified, the default Sigstore
+              configuration is used.
         """
         if use_staging:
             trust_config = sigstore_models.ClientTrustConfig.staging()
+        elif trust_config:
+            trust_config = sigstore_models.ClientTrustConfig.from_json(
+                trust_config.read_text()
+            )
         else:
             trust_config = sigstore_models.ClientTrustConfig.production()
 
@@ -135,11 +145,13 @@ def _get_identity_token(self) -> sigstore_oidc.IdentityToken:
         3) Interactive OAuth flow
         """
         if self._identity_token:
-            return sigstore_oidc.IdentityToken(self._identity_token)
+            return sigstore_oidc.IdentityToken(
+                self._identity_token, self._client_id
+            )
         if self._use_ambient_credentials:
-            token = sigstore_oidc.detect_credential()
+            token = sigstore_oidc.detect_credential(self._client_id)
             if token:
-                return sigstore_oidc.IdentityToken(token)
+                return sigstore_oidc.IdentityToken(token, self._client_id)
 
         return self._issuer.identity_token(
             force_oob=self._force_oob,
@@ -168,7 +180,12 @@ class Verifier(signing.Verifier):
     """Signature verification using Sigstore."""
 
     def __init__(
-        self, *, identity: str, oidc_issuer: str, use_staging: bool = False
+        self,
+        *,
+        identity: str,
+        oidc_issuer: str,
+        use_staging: bool = False,
+        trust_config: Optional[pathlib.Path] = None,
     ):
         """Initializes Sigstore verifiers.
 
@@ -182,11 +199,24 @@ def __init__(
               certificate used for the signature.
             use_staging: Use staging configurations, instead of production. This
               is supposed to be set to True only when testing. Default is False.
+            trust_config: A path to a custom trust configuration. When provided,
+              the signature verification process will rely on the supplied
+              PKI and trust configurations, instead of the default Sigstore
+              setup. If not specified, the default Sigstore configuration
+              is used.
         """
-        if use_staging:
-            self._verifier = sigstore_verifier.Verifier.staging()
+        if trust_config:
+            trust_config = sigstore_models.ClientTrustConfig.from_json(
+                trust_config.read_text()
+            )
+        elif use_staging:
+            trust_config = sigstore_models.ClientTrustConfig.staging()
         else:
-            self._verifier = sigstore_verifier.Verifier.production()
+            trust_config = sigstore_models.ClientTrustConfig.production()
+
+        self._verifier = sigstore_verifier.Verifier(
+            trusted_root=trust_config.trusted_root
+        )
 
         self._policy = sigstore_verifier.policy.Identity(
             identity=identity, issuer=oidc_issuer

src/model_signing/signing.py

@@ -78,9 +78,13 @@ def sign(model_path: hashing.PathLike, signature_path: hashing.PathLike):
 class Config:
     """Configuration to use when signing models.
 
-    Currently we support signing with Sigstore (public instance and staging
-    instance), signing with private keys and signing with signing certificates.
-    Other signing modes can be added in the future.
+    Currently, we support signing with Sigstore (both the public
+    instance and staging instance), signing with private keys,
+    signing with signing certificates, and signing with custom
+    PKI configurations using the `--trust_config` option.
+    This allows users to bring their own trust configuration
+    to sign and verify models. Other signing modes may be
+    added in the future.
     """
 
     def __init__(self):
@@ -127,6 +131,7 @@ def use_sigstore_signer(
         identity_token: Optional[str] = None,
         client_id: Optional[str] = None,
         client_secret: Optional[str] = None,
+        trust_config: Optional[pathlib.Path] = None,
     ) -> Self:
         """Configures the signing to be performed with Sigstore.
 
@@ -161,6 +166,11 @@ def use_sigstore_signer(
               identity to the OIDC provider. If not provided, it is assumed
               that the client is public or the provider does not require a
               secret.
+            trust_config: A path to a custom trust configuration. When provided,
+              the signature verification process will rely on the supplied
+              PKI and trust configurations, instead of the default Sigstore
+              setup. If not specified, the default Sigstore configuration
+              is used.
 
         Return:
             The new signing configuration.
@@ -173,6 +183,7 @@ def use_sigstore_signer(
             force_oob=force_oob,
             client_id=client_id,
             client_secret=client_secret,
+            trust_config=trust_config,
         )
         return self
 

src/model_signing/verifying.py

@@ -40,6 +40,7 @@
 from collections.abc import Iterable
 import pathlib
 import sys
+from typing import Optional
 
 from model_signing import hashing
 from model_signing import manifest
@@ -210,7 +211,12 @@ def _guess_hashing_config(self, source_manifest: manifest.Manifest) -> None:
             raise ValueError("Cannot guess the hashing configuration")
 
     def use_sigstore_verifier(
-        self, *, identity: str, oidc_issuer: str, use_staging: bool = False
+        self,
+        *,
+        identity: str,
+        oidc_issuer: str,
+        use_staging: bool = False,
+        trust_config: Optional[pathlib.Path] = None,
     ) -> Self:
         """Configures the verification of signatures produced by Sigstore.
 
@@ -224,13 +230,21 @@ def use_sigstore_verifier(
               certificate used for the signature.
             use_staging: Use staging configurations, instead of production. This
               is supposed to be set to True only when testing. Default is False.
+            trust_config: A path to a custom trust configuration. When provided,
+              the signature verification process will rely on the supplied
+              PKI and trust configurations, instead of the default Sigstore
+              setup. If not specified, the default Sigstore configuration
+              is used.
 
         Return:
             The new verification configuration.
         """
         self._uses_sigstore = True
         self._verifier = sigstore.Verifier(
-            identity=identity, oidc_issuer=oidc_issuer, use_staging=use_staging
+            identity=identity,
+            oidc_issuer=oidc_issuer,
+            use_staging=use_staging,
+            trust_config=trust_config,
         )
         return self
 

tests/_signing/sigstore_test.py

@@ -71,7 +71,7 @@ def mocked_oidc_provider():
 
         # return whatever raw_token was passed in
         mocked_identity_token = mocked_objects["IdentityToken"]
-        mocked_identity_token.side_effect = lambda x: x
+        mocked_identity_token.side_effect = lambda token, client_id: token
 
         mocked_issuer = mocked_objects["Issuer"]
         mocked_issuer.return_value.identity_token.return_value = "fake_token"
@@ -149,8 +149,7 @@ def mocked_sigstore_verifier():
         sigstore.sigstore_verifier, "Verifier", autospec=True
     ) as mocked_verifier:
         mocked_verifier.verify_dsse = _mocked_verify_dsse
-        mocked_verifier.staging = lambda: mocked_verifier
-        mocked_verifier.production = lambda: mocked_verifier
+        mocked_verifier.return_value = mocked_verifier
         yield mocked_verifier
 
 
@@ -163,7 +162,7 @@ def _verify_dsse(bundle, policy):
         sigstore.sigstore_verifier, "Verifier", autospec=True
     ) as mocked_verifier:
         mocked_verifier.verify_dsse = _verify_dsse
-        mocked_verifier.staging = lambda: mocked_verifier
+        mocked_verifier.return_value = mocked_verifier
         yield mocked_verifier