Merge pull request #869 from sigstore/conformance_14

loosebazooka · web-flow · commit 9ff9f395a5d2 · 2024-12-18T11:30:15.000-05:00
Update conformance to 0.0.14
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
@@ -35,7 +35,7 @@ jobs:
       - name: Unpack sigstore-java distribution
         run: tar -xvf ${{ github.workspace }}/sigstore-cli/build/distributions/sigstore-cli-*.tar --strip-components 1
 
-      - uses: sigstore/sigstore-conformance@6bd1c54e236c9517da56f7344ad16cc00439fe19 # v0.0.13
+      - uses: sigstore/sigstore-conformance@b0635d4101f11dbd18a50936568a1f7f55b17760 # v0.0.14
         with:
           entrypoint: ${{ github.workspace }}/bin/sigstore-cli
           environment: ${{ matrix.sigstore-env }}
diff --git a/sigstore-cli/src/main/java/dev/sigstore/cli/Sign.java b/sigstore-cli/src/main/java/dev/sigstore/cli/Sign.java
@@ -17,15 +17,13 @@
 
 import dev.sigstore.KeylessSigner;
 import dev.sigstore.TrustedRootProvider;
-import dev.sigstore.encryption.certificates.Certificates;
 import dev.sigstore.oidc.client.OidcClients;
 import dev.sigstore.tuf.RootProvider;
 import dev.sigstore.tuf.SigstoreTufClient;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.util.Base64;
 import java.util.concurrent.Callable;
 import picocli.CommandLine.ArgGroup;
 import picocli.CommandLine.Command;
@@ -41,8 +39,11 @@ public class Sign implements Callable<Integer> {
   @Parameters(arity = "1", paramLabel = "<artifact>", description = "artifact to sign")
   Path artifact;
 
-  @ArgGroup(multiplicity = "1", exclusive = true)
-  SignatureFiles signatureFiles;
+  @Option(
+      names = {"--bundle"},
+      description = "path to bundle file",
+      required = true)
+  Path bundleFile;
 
   @ArgGroup(multiplicity = "0..1", exclusive = true)
   Verify.Target target;
@@ -113,15 +114,7 @@ public Integer call() throws Exception {
     }
     var signer = signerBuilder.build();
     var bundle = signer.signFile(artifact);
-    if (signatureFiles.sigAndCert != null) {
-      Files.write(
-          signatureFiles.sigAndCert.signatureFile,
-          Base64.getEncoder().encode(bundle.getMessageSignature().get().getSignature()));
-      Files.write(
-          signatureFiles.sigAndCert.certificateFile, Certificates.toPemBytes(bundle.getCertPath()));
-    } else {
-      Files.write(signatureFiles.bundleFile, bundle.toJson().getBytes(StandardCharsets.UTF_8));
-    }
+    Files.write(bundleFile, bundle.toJson().getBytes(StandardCharsets.UTF_8));
     return 0;
   }
 }
diff --git a/sigstore-cli/src/main/java/dev/sigstore/cli/SignatureFiles.java b/sigstore-cli/src/main/java/dev/sigstore/cli/SignatureFiles.java
diff --git a/sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java b/sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java
@@ -23,20 +23,12 @@
 import dev.sigstore.VerificationOptions;
 import dev.sigstore.VerificationOptions.CertificateMatcher;
 import dev.sigstore.bundle.Bundle;
-import dev.sigstore.bundle.Bundle.HashAlgorithm;
-import dev.sigstore.bundle.Bundle.MessageSignature;
-import dev.sigstore.bundle.ImmutableBundle;
-import dev.sigstore.encryption.certificates.Certificates;
-import dev.sigstore.rekor.client.RekorEntryFetcher;
 import dev.sigstore.strings.StringMatcher;
 import dev.sigstore.tuf.RootProvider;
 import dev.sigstore.tuf.SigstoreTufClient;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
-import java.nio.file.Files;
 import java.nio.file.Path;
-import java.security.cert.CertPath;
-import java.util.Base64;
 import java.util.concurrent.Callable;
 import org.apache.commons.codec.binary.Hex;
 import picocli.CommandLine.ArgGroup;
@@ -58,8 +50,11 @@ public class Verify implements Callable<Integer> {
       description = "an artifact path or artifact hash (sha256:abc...) to verify")
   String artifact;
 
-  @ArgGroup(multiplicity = "1", exclusive = true)
-  SignatureFiles signatureFiles;
+  @Option(
+      names = {"--bundle"},
+      description = "path to bundle file",
+      required = true)
+  Path bundleFile;
 
   @ArgGroup(multiplicity = "0..1", exclusive = false)
   Policy policy;
@@ -119,29 +114,7 @@ public Integer call() throws Exception {
             ? Hex.decodeHex(artifact.substring(SHA256_PREFIX.length()))
             : asByteSource(Path.of(artifact).toFile()).hash(Hashing.sha256()).asBytes();
 
-    Bundle bundle;
-    if (signatureFiles.sigAndCert != null) {
-      byte[] signature =
-          Base64.getMimeDecoder()
-              .decode(Files.readAllBytes(signatureFiles.sigAndCert.signatureFile));
-      CertPath certPath =
-          Certificates.fromPemChain(Files.readAllBytes(signatureFiles.sigAndCert.certificateFile));
-      RekorEntryFetcher fetcher =
-          target == null
-              ? RekorEntryFetcher.sigstorePublicGood()
-              : target.staging
-                  ? RekorEntryFetcher.sigstoreStaging()
-                  : RekorEntryFetcher.fromTrustedRoot(target.trustedRoot);
-      bundle =
-          ImmutableBundle.builder()
-              .messageSignature(MessageSignature.of(HashAlgorithm.SHA2_256, digest, signature))
-              .certPath(certPath)
-              .addEntries(
-                  fetcher.getEntryFromRekor(digest, Certificates.getLeaf(certPath), signature))
-              .build();
-    } else {
-      bundle = Bundle.from(signatureFiles.bundleFile, StandardCharsets.UTF_8);
-    }
+    Bundle bundle = Bundle.from(bundleFile, StandardCharsets.UTF_8);
 
     var verificationOptionsBuilder = VerificationOptions.builder();
     if (policy != null) {
