refactor: begin to remove sigstore_protobuf_specs (#1470)

* refactor: begin to remove sigstore_protobuf_specs

* fixup tests, use wrapper APIs

* burn down changes

* burn down tests

* more burndown

* get more tests passing

* fixup test

* replace more protobuf models

* port rekor v2 models, get tests passing locally

* pyproject: drop sigstore-protobuf-specs dependency

* pyproject: add sigstore-models

* sign: b64 wrapping

* fix more API errors

* more fixes

* fix two last tests

* bump sigstore-models

* fmt

* fmt

* pyproject: bump sigstore-models to 0.0.3

* hush some CI findings

* more CI cleanup

* typecheck fixes, burndown

* more typecheck burndown

* squash more typecheck findings

* bump embedded signing configs

* test: fixup

* fixup operator fields everywhere

* lint

* fmt

* operator, operator everywhere

* pyproject: bump sigstore-models to 0.0.5

* fixup content

Signed-off-by: William Woodruff <[email protected]>

* another missing b64

Signed-off-by: William Woodruff <[email protected]>

---------

Signed-off-by: William Woodruff <[email protected]>
Co-authored-by: Jussi Kukkonen <[email protected]>

Author: woodruffw

.github/workflows/ci.yml

@@ -7,7 +7,9 @@ on:
       - series/*
   pull_request:
   schedule:
-    - cron: '0 12 * * *'
+    - cron: "0 12 * * *"
+
+permissions: {}
 
 jobs:
   test:
@@ -98,7 +100,7 @@ jobs:
     if: always()
 
     needs:
-    - test
+      - test
 
     runs-on: ubuntu-latest
 
@@ -121,7 +123,7 @@ jobs:
 
       - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
-          python-version: '3.x'
+          python-version: "3.x"
 
       - run: pip install coverage[toml]
 

.github/workflows/conformance.yml

@@ -7,6 +7,8 @@ on:
   workflow_dispatch:
   pull_request:
 
+permissions: {}
+
 jobs:
   conformance:
     runs-on: ubuntu-latest

.github/workflows/docs.yml

@@ -5,6 +5,8 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/lint.yml

@@ -6,6 +6,8 @@ on:
       - main
   pull_request:
 
+permissions: {}
+
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -87,10 +89,10 @@ jobs:
     if: always()
 
     needs:
-    - lint
-    - check-readme
-    - licenses
-    - x509-testcases
+      - lint
+      - check-readme
+      - licenses
+      - x509-testcases
 
     runs-on: ubuntu-latest
 

.github/workflows/release.yml

@@ -5,8 +5,7 @@ on:
     types:
       - published
 
-permissions: # added using https://github.com/step-security/secure-workflows
-  contents: read
+permissions: {}
 
 jobs:
   build:
@@ -99,7 +98,7 @@ jobs:
       - name: Generate build provenance
         uses: actions/attest-build-provenance@v2
         with:
-          subject-path: 'built-packages/*'
+          subject-path: "built-packages/*"
 
   release-pypi:
     needs: [build, generate-provenance]

.github/workflows/requirements.yml

@@ -12,7 +12,9 @@ on:
         required: true
   pull_request:
   schedule:
-    - cron: '0 12 * * *'
+    - cron: "0 12 * * *"
+
+permissions: {}
 
 jobs:
   test_requirements:

.github/workflows/staging-tests.yml

@@ -5,7 +5,9 @@ on:
     branches:
       - main
   schedule:
-    - cron: '0 */8 * * *'
+    - cron: "0 */8 * * *"
+
+permissions: {}
 
 jobs:
   staging-tests:
@@ -27,7 +29,6 @@ jobs:
           cache: "pip"
           cache-dependency-path: pyproject.toml
 
-
       - name: staging tests
         env:
           SIGSTORE_LOGLEVEL: DEBUG

Makefile

@@ -68,7 +68,6 @@ lint: $(VENV)/pyvenv.cfg
 		ruff check $(ALL_PY_SRCS) && \
 		mypy $(PY_MODULE) && \
 		bandit -c pyproject.toml -r $(PY_MODULE) && \
-		interrogate --fail-under 100 -c pyproject.toml $(PY_MODULE) && \
 		python docs/scripts/gen_ref_pages.py --check
 
 .PHONY: reformat

pyproject.toml

@@ -37,8 +37,9 @@ dependencies = [
   "rich >= 13,< 15",
   "rfc8785 ~= 0.1.2",
   "rfc3161-client >= 1.0.3,< 1.1.0",
-  # NOTE(ww): Both under active development, so strictly pinned.
-  "sigstore-protobuf-specs == 0.5.0",
+  # Both sigstore-models and sigstore-rekor types are unstable
+  # so we pin them conservatively.
+  "sigstore-models == 0.0.5",
   "sigstore-rekor-types == 0.0.18",
   "tuf ~= 6.0",
   "platformdirs ~= 4.2",
@@ -58,7 +59,7 @@ Documentation = "https://sigstore.github.io/sigstore-python/"
 test = ["pytest", "pytest-cov", "pretend", "coverage[toml]"]
 lint = [
   "bandit",
-  "interrogate >= 1.7.0",
+  # "interrogate >= 1.7.0",
   "mypy ~= 1.1",
   # NOTE(ww): ruff is under active development, so we pin conservatively here
   # and let Dependabot periodically perform this update.

sigstore/_cli.py

@@ -30,10 +30,8 @@
 from pydantic import ValidationError
 from rich.console import Console
 from rich.logging import RichHandler
-from sigstore_protobuf_specs.dev.sigstore.bundle.v1 import (
-    Bundle as RawBundle,
-)
-from sigstore_protobuf_specs.dev.sigstore.common.v1 import HashAlgorithm
+from sigstore_models.bundle.v1 import Bundle as RawBundle
+from sigstore_models.common.v1 import HashAlgorithm
 from typing_extensions import TypeAlias
 
 from sigstore import __version__, dsse
@@ -670,7 +668,7 @@ def _sign_file_threaded(
         raise exp_certificate
 
     _logger.info(
-        f"Transparency log entry created at index: {result.log_entry.log_index}"
+        f"Transparency log entry created at index: {result.log_entry._inner.log_index}"
     )
 
     if outputs.signature is not None:
@@ -1236,7 +1234,7 @@ def _fix_bundle(args: argparse.Namespace) -> None:
 
     rekor = RekorClient.staging() if args.staging else RekorClient.production()
 
-    raw_bundle = RawBundle.from_dict(json.loads(args.bundle.read_bytes()))
+    raw_bundle = RawBundle.from_json(args.bundle.read_bytes())
 
     if len(raw_bundle.verification_material.tlog_entries) != 1:
         _fatal("unfixable bundle: must have exactly one log entry")
@@ -1249,8 +1247,8 @@ def _fix_bundle(args: argparse.Namespace) -> None:
     inclusion_proof = tlog_entry.inclusion_proof
     if not inclusion_proof.checkpoint:
         _logger.info("fixable: bundle's log entry is missing a checkpoint")
-        new_entry = rekor.log.entries.get(log_index=tlog_entry.log_index)._to_rekor()
-        raw_bundle.verification_material.tlog_entries = [new_entry]
+        new_entry = rekor.log.entries.get(log_index=tlog_entry.log_index)
+        raw_bundle.verification_material.tlog_entries = [new_entry._inner]
 
     # Try to create our invariant-preserving Bundle from the any changes above.
     try: