Merge remote-tracking branch 'origin/main' into rekov2-client

Author: jku

.github/workflows/scorecards-analysis.yml

@@ -29,7 +29,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
         with:
           results_file: results.sarif
           results_format: sarif
@@ -52,6 +52,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
         with:
           sarif_file: results.sarif

CHANGELOG.md

@@ -16,6 +16,9 @@ All versions prior to 0.9.0 are untracked.
 
 * Added support for ed25519 keys.
   [#1377](https://github.com/sigstore/sigstore-python/pull/1377)
+* API: `IdentityToken` now supports `client_id` for audience claim validation.
+  [#1402](https://github.com/sigstore/sigstore-python/pull/1402)
+
 
 * Added a `RekorV2Client` for posting new entries to a Rekor V2 instance.
   [#1400](https://github.com/sigstore/sigstore-python/pull/1400)
@@ -27,6 +30,10 @@ All versions prior to 0.9.0 are untracked.
 * TSA: Changed the Timestamp Authority requests to explicitly use sha256 for message digests.
   [#1373](https://github.com/sigstore/sigstore-python/pull/1373)
 
+* TSA: Correctly verify timestamps with hashes other than SHA-256. Currently supported
+  algorithms are SHA-256, SHA-384, SHA-512.
+  [#1373](https://github.com/sigstore/sigstore-python/pull/1373)
+
 * Fixed the certificate validity period check for Timestamp Authorities (TSA).
   Certificates need not have an end date, while still requiring a start date.
   [#1368](https://github.com/sigstore/sigstore-python/pull/1368)
@@ -39,6 +46,10 @@ All versions prior to 0.9.0 are untracked.
   still required.
   [#1381](https://github.com/sigstore/sigstore-python/pull/1381)
 
+* Verify: Avoid hard failure if trusted root contains unsupported keytypes (as verification
+  may succeed without that key).
+  [#1424](https://github.com/sigstore/sigstore-python/pull/1424)
+
 * CI: Timestamp Authority tests use latest release, not latest tag, of
   [sigstore/timestamp-authority](https://github.com/sigstore/timestamp-authority)
   [#1377](https://github.com/sigstore/sigstore-python/pull/1377)
@@ -53,6 +64,9 @@ All versions prior to 0.9.0 are untracked.
   * ClientTrustConfig now provides methods `production()`, `staging()`and `from_tuf()`
     to get access to current client configuration (trusted keys & certificates,
     URLs and their validity periods). [#1363](https://github.com/sigstore/sigstore-python/pull/1363)
+  * SigningConfig now has methods that return actual clients (like `RekorClient`) instead of
+    just URLs. The returned clients are also filtered according to SigningConfig contents.
+    [#1407](https://github.com/sigstore/sigstore-python/pull/1407)
 * `--trust-config` now requires a file with SigningConfig v0.2, and is able to fully
   configure the used Sigstore instance [#1358]/(https://github.com/sigstore/sigstore-python/pull/1358)
 * By default (when `--trust-config` is not used) the whole trust configuration now

mkdocs.yml

@@ -80,4 +80,4 @@ extra:
     - icon: fontawesome/brands/slack
       link: https://sigstore.slack.com
     - icon: fontawesome/brands/x-twitter
-      link: https://twitter.com/projectsigstore
+      link: https://twitter.com/projectsigstore

pyproject.toml

@@ -36,7 +36,7 @@ dependencies = [
   "requests",
   "rich >= 13,< 15",
   "rfc8785 ~= 0.1.2",
-  "rfc3161-client >= 0.1.2,< 1.1.0",
+  "rfc3161-client >= 1.0.2,< 1.1.0",
   # NOTE(ww): Both under active development, so strictly pinned.
   "sigstore-protobuf-specs == 0.4.2",
   "sigstore-rekor-types == 0.0.18",
@@ -62,7 +62,7 @@ lint = [
   "mypy ~= 1.1",
   # NOTE(ww): ruff is under active development, so we pin conservatively here
   # and let Dependabot periodically perform this update.
-  "ruff < 0.11.12",
+  "ruff < 0.11.13",
   "types-requests",
   "types-pyOpenSSL",
 ]

sigstore/_cli.py

@@ -659,7 +659,7 @@ def _sign_common(
     # 3) Interactive OAuth flow
     identity: IdentityToken | None
     if args.identity_token:
-        identity = IdentityToken(args.identity_token)
+        identity = IdentityToken(args.identity_token, args.oidc_client_id)
     else:
         identity = _get_identity(args, trust_config)
 
@@ -1181,11 +1181,11 @@ def _get_identity(
 ) -> Optional[IdentityToken]:
     token = None
     if not args.oidc_disable_ambient_providers:
-        token = detect_credential()
+        token = detect_credential(args.oidc_client_id)
 
     # Happy path: we've detected an ambient credential, so we can return early.
     if token:
-        return IdentityToken(token)
+        return IdentityToken(token, args.oidc_client_id)
 
     if args.oidc_issuer is not None:
         issuer = Issuer(args.oidc_issuer)

sigstore/_internal/trust.py

@@ -18,6 +18,8 @@
 
 from __future__ import annotations
 
+import logging
+from collections import defaultdict
 from collections.abc import Iterable
 from dataclasses import dataclass
 from datetime import datetime, timezone
@@ -46,6 +48,7 @@
 )
 from sigstore_protobuf_specs.dev.sigstore.trustroot.v1 import (
     Service,
+    ServiceConfiguration,
     ServiceSelector,
     TransparencyLogInstance,
 )
@@ -56,6 +59,9 @@
     TrustedRoot as _TrustedRoot,
 )
 
+from sigstore._internal.fulcio.client import FulcioClient
+from sigstore._internal.rekor.client import RekorClient
+from sigstore._internal.timestamp import TimestampAuthorityClient
 from sigstore._internal.tuf import DEFAULT_TUF_URL, STAGING_TUF_URL, TrustUpdater
 from sigstore._utils import (
     KeyID,
@@ -66,6 +72,14 @@
 )
 from sigstore.errors import Error, MetadataError, TUFError, VerificationError
 
+# Versions supported by this client
+REKOR_VERSIONS = [1]
+TSA_VERSIONS = [1]
+FULCIO_VERSIONS = [1]
+OIDC_VERSIONS = [1]
+
+_logger = logging.getLogger(__name__)
+
 
 def _is_timerange_valid(period: TimeRange | None, *, allow_expired: bool) -> bool:
     """
@@ -189,8 +203,11 @@ def __init__(self, public_keys: list[_PublicKey] = []):
         self._keyring: dict[KeyID, Key] = {}
 
         for public_key in public_keys:
-            key = Key(public_key)
-            self._keyring[key.key_id] = key
+            try:
+                key = Key(public_key)
+                self._keyring[key.key_id] = key
+            except VerificationError as e:
+                _logger.warning(f"Failed to load a trusted root key: {e}")
 
     def verify(self, *, key_id: KeyID, signature: bytes, data: bytes) -> None:
         """
@@ -323,28 +340,34 @@ def __init__(self, inner: _SigningConfig):
         @api private
         """
         self._inner = inner
-        self._verify()
-
-    def _verify(self) -> None:
-        """
-        Performs various feats of heroism to ensure that the signing config
-        is well-formed.
-        """
 
         # must have a recognized media type.
         try:
             SigningConfig.SigningConfigType(self._inner.media_type)
         except ValueError:
             raise Error(f"unsupported signing config format: {self._inner.media_type}")
 
-        # currently not supporting other select modes
-        # TODO: Support other modes ensuring tsa_urls() and tlog_urls() work
-        if self._inner.rekor_tlog_config.selector != ServiceSelector.ANY:
-            raise Error(
-                f"unsupported tlog selector {self._inner.rekor_tlog_config.selector}"
-            )
-        if self._inner.tsa_config.selector != ServiceSelector.ANY:
-            raise Error(f"unsupported TSA selector {self._inner.tsa_config.selector}")
+        # Create lists of service protos that are valid, selected by the service
+        # configuration & supported by this client
+        self._tlogs = self._get_valid_services(
+            self._inner.rekor_tlog_urls, REKOR_VERSIONS, self._inner.rekor_tlog_config
+        )
+        if not self._tlogs:
+            raise Error("No valid Rekor transparency log found in signing config")
+
+        self._tsas = self._get_valid_services(
+            self._inner.tsa_urls, TSA_VERSIONS, self._inner.tsa_config
+        )
+
+        self._fulcios = self._get_valid_services(
+            self._inner.ca_urls, FULCIO_VERSIONS, None
+        )
+        if not self._fulcios:
+            raise Error("No valid Fulcio CA found in signing config")
+
+        self._oidcs = self._get_valid_services(
+            self._inner.oidc_urls, OIDC_VERSIONS, None
+        )
 
     @classmethod
     def from_file(
@@ -356,54 +379,73 @@ def from_file(
         return cls(inner)
 
     @staticmethod
-    def _get_valid_service_url(services: list[Service]) -> str | None:
+    def _get_valid_services(
+        services: list[Service],
+        supported_versions: list[int],
+        config: ServiceConfiguration | None,
+    ) -> list[Service]:
+        """Return supported services, taking SigningConfig restrictions into account"""
+
+        # split services by operator, only include valid services
+        services_by_operator: dict[str, list[Service]] = defaultdict(list)
         for service in services:
-            if service.major_api_version != 1:
+            if service.major_api_version not in supported_versions:
                 continue
 
             if not _is_timerange_valid(service.valid_for, allow_expired=False):
                 continue
-            return service.url
-        return None
 
-    def get_tlog_urls(self) -> list[str]:
+            services_by_operator[service.operator].append(service)
+
+        # build a list of services but make sure we only include one service per operator
+        # and use the highest version available for that operator
+        result: list[Service] = []
+        for op_services in services_by_operator.values():
+            op_services.sort(key=lambda s: s.major_api_version)
+            result.append(op_services[-1])
+
+        # Depending on ServiceSelector, prune the result list
+        if not config or config.selector == ServiceSelector.ALL:
+            return result
+
+        if config.selector == ServiceSelector.UNDEFINED:
+            raise ValueError("Undefined is not a valid signing config ServiceSelector")
+
+        # handle EXACT and ANY selectors
+        count = config.count if config.selector == ServiceSelector.EXACT else 1
+        if len(result) < count:
+            raise ValueError(
+                f"Expected {count} services in signing config, found {len(result)}"
+            )
+
+        return result[:count]
+
+    def get_tlogs(self) -> list[RekorClient]:
         """
-        Returns the rekor transparency logs that client should sign with.
-        Currently only returns a single one but could in future return several
+        Returns the rekor transparency log clients to sign with.
         """
+        return [RekorClient(tlog.url) for tlog in self._tlogs]
 
-        url = self._get_valid_service_url(self._inner.rekor_tlog_urls)
-        if not url:
-            raise Error("No valid Rekor transparency log found in signing config")
-        return [url]
-
-    def get_fulcio_url(self) -> str:
+    def get_fulcio(self) -> FulcioClient:
         """
-        Returns url for the fulcio instance that client should use to get a
-        signing certificate from
+        Returns a Fulcio client to get a signing certificate from
         """
-        url = self._get_valid_service_url(self._inner.ca_urls)
-        if not url:
-            raise Error("No valid Fulcio CA found in signing config")
-        return url
+        return FulcioClient(self._fulcios[0].url)
 
     def get_oidc_url(self) -> str:
         """
         Returns url for the OIDC provider that client should use to interactively
         authenticate.
         """
-        url = self._get_valid_service_url(self._inner.oidc_urls)
-        if not url:
+        if not self._oidcs:
             raise Error("No valid OIDC provider found in signing config")
-        return url
+        return self._oidcs[0].url
 
-    def get_tsa_urls(self) -> list[str]:
+    def get_tsas(self) -> list[TimestampAuthorityClient]:
         """
-        Returns timestamp authority API end points. Currently returns a single one
-        but may return more in future.
+        Returns timestamp authority clients for urls configured in signing config.
         """
-        url = self._get_valid_service_url(self._inner.tsa_urls)
-        return [] if url is None else [url]
+        return [TimestampAuthorityClient(s.url) for s in self._tsas]
 
 
 class TrustedRoot:

sigstore/_store/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/signing_config.v0.2.json

@@ -34,6 +34,6 @@
     "selector": "ANY"
   },
   "tsaConfig": {
-    "selector": "ANY"
+    "selector": "ALL"
   }
 }

sigstore/oidc.py

@@ -41,7 +41,8 @@
     "https://oauth2.sigstage.dev/auth": "email",
     "https://token.actions.githubusercontent.com": "sub",
 }
-_DEFAULT_AUDIENCE = "sigstore"
+
+_DEFAULT_CLIENT_ID = "sigstore"
 
 
 class _OpenIDConfiguration(BaseModel):
@@ -66,7 +67,7 @@ class IdentityToken:
     a sensible subject, issuer, and audience for Sigstore purposes.
     """
 
-    def __init__(self, raw_token: str) -> None:
+    def __init__(self, raw_token: str, client_id: str = _DEFAULT_CLIENT_ID) -> None:
         """
         Create a new `IdentityToken` from the given OIDC token.
         """
@@ -90,7 +91,7 @@ def __init__(self, raw_token: str) -> None:
                     # See: https://openid.net/specs/openid-connect-basic-1_0.html#IDToken
                     "require": ["aud", "sub", "iat", "exp", "iss"],
                 },
-                audience=_DEFAULT_AUDIENCE,
+                audience=client_id,
                 # NOTE: This leeway shouldn't be strictly necessary, but is
                 # included to preempt any (small) skew between the host
                 # and the originating IdP.
@@ -270,7 +271,7 @@ def __init__(self, base_url: str) -> None:
 
     def identity_token(  # nosec: B107
         self,
-        client_id: str = "sigstore",
+        client_id: str = _DEFAULT_CLIENT_ID,
         client_secret: str = "",
         force_oob: bool = False,
     ) -> IdentityToken:
@@ -350,7 +351,7 @@ def identity_token(  # nosec: B107
         if token_error is not None:
             raise IdentityError(f"Error response from token endpoint: {token_error}")
 
-        return IdentityToken(token_json["access_token"])
+        return IdentityToken(token_json["access_token"], client_id)
 
 
 class IdentityError(Error):
@@ -402,9 +403,10 @@ def diagnostics(self) -> str:
             """
 
 
-def detect_credential() -> Optional[str]:
+def detect_credential(client_id: str = _DEFAULT_CLIENT_ID) -> Optional[str]:
     """Calls `id.detect_credential`, but wraps exceptions with our own exception type."""
+
     try:
-        return cast(Optional[str], id.detect_credential(_DEFAULT_AUDIENCE))
+        return cast(Optional[str], id.detect_credential(client_id))
     except id.IdentityError as exc:
         IdentityError.raise_from_id(exc)

sigstore/sign.py

@@ -299,12 +299,10 @@ def from_trust_config(cls, trust_config: ClientTrustConfig) -> SigningContext:
         """
         signing_config = trust_config.signing_config
         return cls(
-            fulcio=FulcioClient(signing_config.get_fulcio_url()),
-            rekor=RekorClient(signing_config.get_tlog_urls()[0]),
+            fulcio=signing_config.get_fulcio(),
+            rekor=signing_config.get_tlogs()[0],
             trusted_root=trust_config.trusted_root,
-            tsa_clients=[
-                TimestampAuthorityClient(url) for url in signing_config.get_tsa_urls()
-            ],
+            tsa_clients=signing_config.get_tsas(),
         )
 
     @contextmanager