Add Manifest.from_signature() to extract manifest from existing signatures

This method enables reading a manifest from a signature file without
performing cryptographic verification. This is the foundation for
incremental re-hashing, where we need to know what files were
previously signed to determine which files need re-hashing.

The method:
- Reads and parses Sigstore bundle JSON format
- Extracts the DSSE envelope payload
- Decodes base64-encoded payload
- Validates manifest integrity (root digest matches resources)
- Returns a Manifest object

Includes comprehensive tests covering:
- Valid manifest extraction
- Rejection of inconsistent manifests
- Error handling for missing files, invalid JSON, and missing envelopes

Related to issue #160 - API for incremental model re-hashing

Author: Emrick Donadei

src/model_signing/manifest.py

@@ -39,8 +39,10 @@
 """
 
 import abc
+import base64
 from collections.abc import Iterable, Iterator
 import dataclasses
+import json
 import pathlib
 import sys
 from typing import Any, Final
@@ -466,3 +468,53 @@ def serialization_type(self) -> dict[str, Any]:
         manifest so that signature verification can use the same method.
         """
         return self._serialization_type.serialization_parameters
+
+    @classmethod
+    def from_signature(cls, signature_path: pathlib.Path) -> Self:
+        """Extracts a manifest from an existing signature file.
+
+        This method reads a signature file (Sigstore bundle) and extracts the
+        manifest without performing cryptographic verification. This is useful
+        for incremental re-hashing where you need to know what files were
+        previously signed without verifying the signature.
+
+        Args:
+            signature_path: Path to the signature file to read.
+
+        Returns:
+            A Manifest object representing the signed model.
+
+        Raises:
+            ValueError: If the signature file cannot be parsed or doesn't
+                contain a valid manifest.
+            FileNotFoundError: If the signature file doesn't exist.
+        """
+        # Avoid circular import by importing here
+        from model_signing._signing import signing
+
+        # Read the signature file
+        content = signature_path.read_text(encoding="utf-8")
+        bundle_dict = json.loads(content)
+
+        # Extract the DSSE envelope payload
+        if "dsseEnvelope" in bundle_dict:
+            # This is a protobuf-based bundle
+            envelope = bundle_dict["dsseEnvelope"]
+        elif "dsse_envelope" in bundle_dict:
+            # Alternative snake_case naming
+            envelope = bundle_dict["dsse_envelope"]
+        else:
+            raise ValueError(
+                "Signature file does not contain a DSSE envelope"
+            )
+
+        # Decode the payload (it's base64 encoded)
+        payload_b64 = envelope.get("payload")
+        if not payload_b64:
+            raise ValueError("DSSE envelope does not contain a payload")
+
+        payload_bytes = base64.b64decode(payload_b64)
+        payload_dict = json.loads(payload_bytes)
+
+        # Use the existing function to convert DSSE payload to manifest
+        return signing.dsse_payload_to_manifest(payload_dict)

tests/manifest_test.py

@@ -206,3 +206,171 @@ def test_manifest_has_the_correct_resource_descriptors(self):
         assert descriptors[0].digest.digest_value == b"hash1"
         assert descriptors[1].digest.digest_value == b"hash2"
         assert descriptors[2].digest.digest_value == b"hash3"
+
+
+class TestManifestFromSignature:
+    def test_from_signature_rejects_inconsistent_manifest(self, tmp_path):
+        import base64
+        import json
+
+        # Create a Sigstore bundle with inconsistent root digest
+        # The subject digest doesn't match the hash of the resources
+        payload_dict = {
+            "_type": "https://in-toto.io/Statement/v1",
+            "subject": [
+                {
+                    "name": "test_model",
+                    "digest": {
+                        "sha256": "0b8a5a8c8e8f1a8b8c8d8e8f2a8b8c8d8e8f3a8b8c8d8e8f4a8b8c8d8e8f5a8b"
+                    },
+                }
+            ],
+            "predicateType": "https://model_signing/signature/v1.0",
+            "predicate": {
+                "serialization": {
+                    "method": "files",
+                    "hash_type": "sha256",
+                    "allow_symlinks": False,
+                    "ignore_paths": [],
+                },
+                "resources": [
+                    {
+                        "name": "file1.txt",
+                        "algorithm": "sha256",
+                        "digest": "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234",
+                    },
+                    {
+                        "name": "file2.txt",
+                        "algorithm": "sha256",
+                        "digest": "5678dcba5678dcba5678dcba5678dcba5678dcba5678dcba5678dcba5678dcba",
+                    },
+                ],
+            },
+        }
+
+        # Create DSSE envelope
+        payload_json = json.dumps(payload_dict)
+        payload_b64 = base64.b64encode(payload_json.encode("utf-8")).decode(
+            "utf-8"
+        )
+
+        bundle_dict = {
+            "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
+            "verificationMaterial": {
+                "publicKey": {"hint": "test"},
+                "tlogEntries": [],
+            },
+            "dsseEnvelope": {
+                "payload": payload_b64,
+                "payloadType": "application/vnd.in-toto+json",
+                "signatures": [{"sig": "fake_signature"}],
+            },
+        }
+
+        # Write to file
+        sig_file = tmp_path / "test.sig"
+        sig_file.write_text(json.dumps(bundle_dict), encoding="utf-8")
+
+        # Verify that inconsistent manifest is rejected
+        with pytest.raises(ValueError, match="Manifest is inconsistent"):
+            manifest.Manifest.from_signature(sig_file)
+
+    def test_from_signature_extracts_valid_manifest(self, tmp_path):
+        import base64
+        import hashlib
+        import json
+
+        # Create valid SHA256 hex digests (64 chars each)
+        digest1_hex = "abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234"
+        digest2_hex = "5678dcba5678dcba5678dcba5678dcba5678dcba5678dcba5678dcba5678dcba"
+
+        digest1_bytes = bytes.fromhex(digest1_hex)
+        digest2_bytes = bytes.fromhex(digest2_hex)
+
+        # Compute root digest (SHA256 of both digests concatenated)
+        hasher = hashlib.sha256()
+        hasher.update(digest1_bytes)
+        hasher.update(digest2_bytes)
+        root_digest = hasher.hexdigest()
+
+        payload_dict = {
+            "_type": "https://in-toto.io/Statement/v1",
+            "subject": [
+                {"name": "test_model", "digest": {"sha256": root_digest}}
+            ],
+            "predicateType": "https://model_signing/signature/v1.0",
+            "predicate": {
+                "serialization": {
+                    "method": "files",
+                    "hash_type": "sha256",
+                    "allow_symlinks": False,
+                    "ignore_paths": [],
+                },
+                "resources": [
+                    {
+                        "name": "file1.txt",
+                        "algorithm": "sha256",
+                        "digest": digest1_hex,
+                    },
+                    {
+                        "name": "file2.txt",
+                        "algorithm": "sha256",
+                        "digest": digest2_hex,
+                    },
+                ],
+            },
+        }
+
+        payload_json = json.dumps(payload_dict)
+        payload_b64 = base64.b64encode(payload_json.encode("utf-8")).decode(
+            "utf-8"
+        )
+
+        bundle_dict = {
+            "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
+            "verificationMaterial": {
+                "publicKey": {"hint": "test"},
+                "tlogEntries": [],
+            },
+            "dsseEnvelope": {
+                "payload": payload_b64,
+                "payloadType": "application/vnd.in-toto+json",
+                "signatures": [{"sig": "fake_signature"}],
+            },
+        }
+
+        sig_file = tmp_path / "test.sig"
+        sig_file.write_text(json.dumps(bundle_dict), encoding="utf-8")
+
+        # Extract manifest
+        extracted_manifest = manifest.Manifest.from_signature(sig_file)
+
+        # Verify the manifest has the correct files
+        descriptors = list(extracted_manifest.resource_descriptors())
+        assert len(descriptors) == 2
+        assert descriptors[0].identifier == "file1.txt"
+        assert descriptors[1].identifier == "file2.txt"
+        assert descriptors[0].digest.digest_hex == digest1_hex
+        assert descriptors[1].digest.digest_hex == digest2_hex
+        assert extracted_manifest.model_name == "test_model"
+
+    def test_from_signature_file_not_found(self, tmp_path):
+        non_existent = tmp_path / "does_not_exist.sig"
+        with pytest.raises(FileNotFoundError):
+            manifest.Manifest.from_signature(non_existent)
+
+    def test_from_signature_invalid_json(self, tmp_path):
+        import json
+
+        sig_file = tmp_path / "invalid.sig"
+        sig_file.write_text("not valid json", encoding="utf-8")
+        with pytest.raises(json.JSONDecodeError):
+            manifest.Manifest.from_signature(sig_file)
+
+    def test_from_signature_missing_envelope(self, tmp_path):
+        import json
+
+        sig_file = tmp_path / "missing_envelope.sig"
+        sig_file.write_text("{}", encoding="utf-8")
+        with pytest.raises(ValueError, match="does not contain a DSSE envelope"):
+            manifest.Manifest.from_signature(sig_file)