|
| 1 | +#!/usr/bin/env bash |
| 2 | + |
| 3 | +TMPDIR=$(mktemp -d) || exit 1 |
| 4 | +MODELDIR="${TMPDIR}/model" |
| 5 | + |
| 6 | +signfile1="${MODELDIR}/signme-1" |
| 7 | +signfile2="${MODELDIR}/signme-2" |
| 8 | +ignorefile="${MODELDIR}/ignore" |
| 9 | + |
| 10 | +cleanup() |
| 11 | +{ |
| 12 | + rm -rf "${TMPDIR}" |
| 13 | +} |
| 14 | +trap cleanup EXIT QUIT |
| 15 | + |
| 16 | +mkdir "${MODELDIR}" || exit 1 |
| 17 | +echo "signme-1" > "${signfile1}" |
| 18 | +echo "signme-2" > "${signfile2}" |
| 19 | +echo "ignore" > "${ignorefile}" |
| 20 | + |
| 21 | +sigfile_key="${TMPDIR}/model.sig-key" |
| 22 | +sigfile_certificate="${TMPDIR}/model.sig-certificate" |
| 23 | +sigfile_sigstore="${TMPDIR}/model.sig-sigstore" |
| 24 | + |
| 25 | +TOKENPROJ="${TMPDIR}/tokenproj" |
| 26 | +mkdir -p "${TOKENPROJ}" || exit 1 |
| 27 | +token_file="${TOKENPROJ}/oidc-token.txt" |
| 28 | + |
| 29 | +VENV="${TMPDIR}/venv" |
| 30 | + |
| 31 | + |
| 32 | +# Create a signature with the currently active library |
| 33 | + |
| 34 | +echo -n "Using model_signing tool: " |
| 35 | +type -P model_signing |
| 36 | + |
| 37 | +echo -n "Use version of model_signing tool for signing: " |
| 38 | +model_signing --version |
| 39 | + |
| 40 | +echo |
| 41 | + |
| 42 | +echo "Signing with 'key' method" |
| 43 | + |
| 44 | +if ! python -m model_signing \ |
| 45 | + sign key \ |
| 46 | + --signature "${sigfile_key}" \ |
| 47 | + --private_key ./keys/certificate/signing-key.pem \ |
| 48 | + --ignore-paths "${ignorefile}" \ |
| 49 | + "${MODELDIR}" || \ |
| 50 | + test ! -f "${sigfile_key}"; then |
| 51 | + echo "Error: 'sign key' failed" |
| 52 | + exit 1 |
| 53 | +fi |
| 54 | + |
| 55 | +echo "Signing with 'certificate' method" |
| 56 | + |
| 57 | +if ! python -m model_signing \ |
| 58 | + sign certificate \ |
| 59 | + --signature "${sigfile_certificate}" \ |
| 60 | + --private_key ./keys/certificate/signing-key.pem \ |
| 61 | + --signing_certificate ./keys/certificate/signing-key-cert.pem \ |
| 62 | + --certificate_chain ./keys/certificate/int-ca-cert.pem \ |
| 63 | + --ignore-paths "${ignorefile}" \ |
| 64 | + "${MODELDIR}" || \ |
| 65 | + test ! -f "${sigfile_certificate}"; then |
| 66 | + echo "Error: 'sign certificate' failed" |
| 67 | + exit 1 |
| 68 | +fi |
| 69 | + |
| 70 | +echo "Getting OIDC test-token for sigstore signing" |
| 71 | +if ! out=$(git clone \ |
| 72 | + --single-branch \ |
| 73 | + --branch current-token \ |
| 74 | + --depth 1 \ |
| 75 | + https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon \ |
| 76 | + "${TOKENPROJ}" 2>&1); |
| 77 | +then |
| 78 | + echo "git clone failed" |
| 79 | + echo "${out}" |
| 80 | + exit 1 |
| 81 | +fi |
| 82 | + |
| 83 | +echo "Signing with 'sigstore' method" |
| 84 | +if ! python -m model_signing \ |
| 85 | + sign sigstore \ |
| 86 | + --signature "${sigfile_sigstore}" \ |
| 87 | + --identity_token "$(cat "${token_file}")" \ |
| 88 | + --ignore-paths "${ignorefile}" \ |
| 89 | + "${MODELDIR}" || \ |
| 90 | + test ! -f ${sigfile_sigstore}; then |
| 91 | + echo "Error: 'sign sigstore' failed" |
| 92 | + exit 1 |
| 93 | +fi |
| 94 | + |
| 95 | +# Setup and activate a venv |
| 96 | +echo -e "\nSetting up $(python --version) venv" |
| 97 | + |
| 98 | +python -m venv "${VENV}" || exit 1 |
| 99 | +source "${VENV}/bin/activate" |
| 100 | + |
| 101 | +echo -e "Done\n" |
| 102 | + |
| 103 | +# Install the following versions from pypi |
| 104 | +for version in v1.0.1 v1.0.0 v0.3.1 v0.3.0; do |
| 105 | + |
| 106 | + if ! out=$(pip install "model-signing==${version}" 2>&1); then |
| 107 | + echo "pip install failed" |
| 108 | + echo "${out}" |
| 109 | + exit 1 |
| 110 | + fi |
| 111 | + |
| 112 | + #Force usage of sigstore v3.6.5 on older model-signing versions |
| 113 | + case "${version}" in |
| 114 | + v1.0.1|v1.0.0|v0.3.1|v0.3.0) |
| 115 | + if ! out=$(pip install sigstore==v3.6.5 2>&1); then |
| 116 | + echo "pip install of sigstore v3.6.5 failed" |
| 117 | + echo "${out}" |
| 118 | + exit 1 |
| 119 | + fi |
| 120 | + ;; |
| 121 | + *) |
| 122 | + esac |
| 123 | + |
| 124 | + echo -n "Testing signature verification with version from pypi: " |
| 125 | + model_signing --version |
| 126 | + |
| 127 | + echo "Testing 'verify key' method" |
| 128 | + if ! out=$(python -m model_signing \ |
| 129 | + verify key \ |
| 130 | + --signature "${sigfile_key}" \ |
| 131 | + --public_key ./keys/certificate/signing-key-pub.pem \ |
| 132 | + --ignore-paths "${ignorefile}" \ |
| 133 | + "${MODELDIR}" 2>&1); then |
| 134 | + echo "Error: 'verify key' failed with ${version}" |
| 135 | + echo "${out}" |
| 136 | + exit 1 |
| 137 | + fi |
| 138 | + if ! grep -q "succeeded" <<< "${out}"; then |
| 139 | + echo "verification failed:" |
| 140 | + echo "${out}" |
| 141 | + exit 1 |
| 142 | + fi |
| 143 | + |
| 144 | + case "${version}" in |
| 145 | + v0.3.1 | v0.3.0) |
| 146 | + # cannot verify |
| 147 | + echo "Skipping 'verify certificate' method" |
| 148 | + ;; |
| 149 | + *) |
| 150 | + echo "Testing 'verify certificate' method" |
| 151 | + if ! out=$(python -m model_signing \ |
| 152 | + verify certificate \ |
| 153 | + --signature "${sigfile_certificate}" \ |
| 154 | + --certificate_chain ./keys/certificate/ca-cert.pem \ |
| 155 | + --ignore-paths "${ignorefile}" \ |
| 156 | + "${MODELDIR}" 2>&1); then |
| 157 | + echo "Error: 'verify certificate' failed with ${version}" |
| 158 | + echo "${out}" |
| 159 | + exit 1 |
| 160 | + fi |
| 161 | + if ! grep -q "succeeded" <<< "${out}"; then |
| 162 | + echo "verification failed:" |
| 163 | + echo "${out}" |
| 164 | + exit 1 |
| 165 | + fi |
| 166 | + esac |
| 167 | + |
| 168 | + echo "Testing 'verify sigstore' method" |
| 169 | + if ! out=$(python -m model_signing \ |
| 170 | + verify sigstore \ |
| 171 | + --signature "${sigfile_sigstore}" \ |
| 172 | + --identity https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main \ |
| 173 | + --identity_provider https://token.actions.githubusercontent.com \ |
| 174 | + --ignore-paths "${ignorefile}" \ |
| 175 | + "${MODELDIR}" 2>&1); then |
| 176 | + echo "Error: 'verify sigstore' failed with ${version}" |
| 177 | + echo "${out}" |
| 178 | + exit 1 |
| 179 | + fi |
| 180 | + if ! grep -q "succeeded" <<< "${out}"; then |
| 181 | + echo "verification failed:" |
| 182 | + echo "${out}" |
| 183 | + exit 1 |
| 184 | + fi |
| 185 | + |
| 186 | + # Check against pre-created signatures |
| 187 | + # v represents version of the library that created a signature in the past |
| 188 | + for v in v1.0.1 v1.0.0 v0.3.1 v0.2.0; do |
| 189 | + |
| 190 | + # key method |
| 191 | + modeldir=${v}-elliptic-key |
| 192 | + modeldir_sign=${modeldir} |
| 193 | + |
| 194 | + case "${version}-${v}" in |
| 195 | + v0.3.1-v1.0.1) |
| 196 | + # v0.3.1 cannot verify signatures created by v1.0.1 |
| 197 | + ;; |
| 198 | + *-v0.3.1|*-v1.0.0) |
| 199 | + # These versions signed only a single file |
| 200 | + modeldir_sign="${modeldir}/signme-1" |
| 201 | + ;& # fallthrough |
| 202 | + *) |
| 203 | + if [ -d "${modeldir}" ]; then |
| 204 | + echo "Testing 'verify key' method with signature created by ${v}" |
| 205 | + if ! out=$(python -m model_signing \ |
| 206 | + verify key \ |
| 207 | + --signature "${modeldir}/model.sig" \ |
| 208 | + --public_key ./keys/certificate/signing-key-pub.pem \ |
| 209 | + --ignore-paths "${modeldir}/ignore-me" \ |
| 210 | + "${modeldir_sign}" 2>&1); then |
| 211 | + echo "Error: 'verify key' failed with ${version} on ${modeldir}" |
| 212 | + echo "${out}" |
| 213 | + exit 1 |
| 214 | + fi |
| 215 | + if ! grep -q "succeeded" <<< "${out}"; then |
| 216 | + echo "verification failed on ${modeldir}:" |
| 217 | + echo "${out}" |
| 218 | + exit 1 |
| 219 | + fi |
| 220 | + fi |
| 221 | + ;; |
| 222 | + esac |
| 223 | + |
| 224 | + # certificate method |
| 225 | + modeldir=${v}-certificate |
| 226 | + |
| 227 | + case "${version}-${v}" in |
| 228 | + v0.3.0-*|v0.3.1-*|v1.0.0-v0.2.0) |
| 229 | + # cannot verify |
| 230 | + ;; |
| 231 | + *) |
| 232 | + if [ -d "${modeldir}" ]; then |
| 233 | + echo "Testing 'verify certificate' method with signature created by ${v}" |
| 234 | + if ! out=$(python -m model_signing \ |
| 235 | + verify certificate \ |
| 236 | + --signature "${modeldir}/model.sig" \ |
| 237 | + --certificate_chain ./keys/certificate/ca-cert.pem \ |
| 238 | + --ignore-paths "${modeldir}/ignore-me" \ |
| 239 | + "${modeldir}" 2>&1); then |
| 240 | + echo "Error: 'verify certificate' failed with ${version} on ${modeldir}" |
| 241 | + echo "${out}" |
| 242 | + exit 1 |
| 243 | + fi |
| 244 | + if ! grep -q "succeeded" <<< "${out}"; then |
| 245 | + echo "verification failed on ${modeldir}:" |
| 246 | + echo "${out}" |
| 247 | + exit 1 |
| 248 | + fi |
| 249 | + fi |
| 250 | + ;; |
| 251 | + esac |
| 252 | + |
| 253 | + # sigstore method |
| 254 | + modeldir=${v}-sigstore |
| 255 | + |
| 256 | + case "${version}-${v}" in |
| 257 | + v0.3.1-v1.0.1|v0.3.1-v0.3.1|v0.3.1-v1.0.0) |
| 258 | + # cannot verify |
| 259 | + ;; |
| 260 | + *) |
| 261 | + if [ -d "${modeldir}" ]; then |
| 262 | + echo "Testing 'verify sigstore' method with signature created by ${v}" |
| 263 | + if ! out=$(python -m model_signing \ |
| 264 | + verify sigstore \ |
| 265 | + --signature "${modeldir}/model.sig" \ |
| 266 | + --identity_provider https://sigstore.verify.ibm.com/oauth2 \ |
| 267 | + |
| 268 | + --ignore-paths "${modeldir}/ignore-me" \ |
| 269 | + "${modeldir}" 2>&1); then |
| 270 | + echo "Error: 'verify sigstore' failed with ${version} on ${modeldir}" |
| 271 | + echo "${out}" |
| 272 | + exit 1 |
| 273 | + fi |
| 274 | + if ! grep -q "succeeded" <<< "${out}"; then |
| 275 | + echo "verification failed on ${modeldir}:" |
| 276 | + echo "${out}" |
| 277 | + exit 1 |
| 278 | + fi |
| 279 | + fi |
| 280 | + ;; |
| 281 | + esac |
| 282 | + done |
| 283 | + |
| 284 | + echo |
| 285 | +done |
| 286 | + |
| 287 | +# deactivate the venv |
| 288 | +deactivate |
| 289 | + |
| 290 | +exit 0 |
0 commit comments