fixup operator fields everywhere

woodruffw · woodruffw · commit 600f2aa15d5c · 2025-07-22T11:26:43.000-04:00
diff --git a/pyproject.toml b/pyproject.toml
@@ -39,7 +39,7 @@ dependencies = [
   "rfc3161-client >= 1.0.3,< 1.1.0",
   # Both sigstore-models and sigstore-rekor types are unstable
   # so we pin them conservatively.
-  "sigstore-models == 0.0.3",
+  "sigstore-models == 0.0.4",
   "sigstore-rekor-types == 0.0.18",
   "tuf ~= 6.0",
   "platformdirs ~= 4.2",
diff --git a/sigstore/_internal/trust.py b/sigstore/_internal/trust.py
@@ -49,7 +49,6 @@
     PublicKey,
     key_id,
     load_der_public_key,
-    read_embedded,
 )
 from sigstore.errors import Error, MetadataError, TUFError, VerificationError
 
diff --git a/test/assets/signing_config/signingconfig-only-v1-rekor.v2.json b/test/assets/signing_config/signingconfig-only-v1-rekor.v2.json
@@ -6,15 +6,17 @@
       "majorApiVersion": 1,
       "validFor": {
         "start": "2023-04-14T21:38:40Z"
-      }
+      },
+      "operator": "example.com"
     },
     {
       "url": "https://fulcio-old.example.com",
       "majorApiVersion": 1,
       "validFor": {
         "start": "2022-04-14T21:38:40Z",
         "end": "2023-04-14T21:38:40Z"
-      }
+      },
+      "operator": "example.com"
     }
   ],
   "oidcUrls": [
@@ -23,7 +25,8 @@
       "majorApiVersion": 1,
       "validFor": {
         "start": "2025-04-16T00:00:00Z"
-      }
+      },
+      "operator": "example.com"
     }
   ],
   "rekorTlogUrls": [
@@ -32,7 +35,8 @@
       "majorApiVersion": 1,
       "validFor": {
         "start": "2021-01-12T11:53:27Z"
-      }
+      },
+      "operator": "example.com"
     }
   ],
   "tsaUrls": [
@@ -41,7 +45,8 @@
       "majorApiVersion": 1,
       "validFor": {
         "start": "2025-04-09T00:00:00Z"
-      }
+      },
+      "operator": "example.com"
     }
   ],
   "rekorTlogConfig": {
diff --git a/test/assets/signing_config/signingconfig.v2.json b/test/assets/signing_config/signingconfig.v2.json
@@ -6,15 +6,17 @@
       "majorApiVersion": 1,
       "validFor": {
         "start": "2023-04-14T21:38:40Z"
-      }
+      },
+      "operator": "example.com"
     },
     {
       "url": "https://fulcio-old.example.com",
       "majorApiVersion": 1,
       "validFor": {
         "start": "2022-04-14T21:38:40Z",
         "end": "2023-04-14T21:38:40Z"
-      }
+      },
+      "operator": "example.com"
     }
   ],
   "oidcUrls": [
@@ -23,7 +25,8 @@
       "majorApiVersion": 1,
       "validFor": {
         "start": "2025-04-16T00:00:00Z"
-      }
+      },
+      "operator": "example.com"
     }
   ],
   "rekorTlogUrls": [
@@ -32,14 +35,16 @@
       "majorApiVersion": 1,
       "validFor": {
         "start": "2021-01-12T11:53:27Z"
-      }
+      },
+      "operator": "example.com"
     },
     {
       "url": "https://rekor-v2.example.com",
       "majorApiVersion": 2,
       "validFor": {
         "start": "2021-01-12T11:53:27Z"
-      }
+      },
+      "operator": "example.com"
     }
   ],
   "tsaUrls": [
@@ -48,7 +53,8 @@
       "majorApiVersion": 1,
       "validFor": {
         "start": "2025-04-09T00:00:00Z"
-      }
+      },
+      "operator": "example.com"
     }
   ],
   "rekorTlogConfig": {
diff --git a/test/assets/staging-tuf/16.snapshot.json b/test/assets/staging-tuf/16.snapshot.json
@@ -2,21 +2,21 @@
  "signatures": [
   {
    "keyid": "c3479007e861445ce5dc109d9661ed77b35bbc0e3f161852c46114266fc2daa4",
-   "sig": "3046022100c36bf62c4b5f72f8e3defc1af05148518a282394b304f0e0a154c10feeaee9a1022100ed8bb83508e1fcd3906bdf71af0da30f066a048db0f8da589db7dfe5f1458537"
+   "sig": "304402202733036a5044a3257392cb6737c80d1972aa2bce8e7194fac23e3d0b939e83ce0220797111c4aa47094278a2997d727c728fcda795b02b8ec803e2265fdac9614a21"
   }
  ],
  "signed": {
   "_type": "snapshot",
-  "expires": "2035-04-30T07:17:48Z",
+  "expires": "2035-06-11T11:54:57Z",
   "meta": {
    "registry.npmjs.org.json": {
     "version": 5
    },
    "targets.json": {
-    "version": 13
+    "version": 17
    }
   },
   "spec_version": "1.0",
-  "version": 13
+  "version": 16
  }
 }
diff --git a/test/assets/staging-tuf/17.targets.json b/test/assets/staging-tuf/17.targets.json
@@ -2,11 +2,11 @@
  "signatures": [
   {
    "keyid": "aa61e09f6af7662ac686cf0c6364079f63d3e7a86836684eeced93eace3acd81",
-   "sig": "3046022100c1968b55a40906590168f9b9ecd2251ef4056f79e9067fb80374ad4bc1a770a102210085d17acfcd779f8d004b54e0c5170e9e4629487603859bf85f4519d46ef3a994"
+   "sig": "3045022031cbae59944160c1b9b1df859c43cf74d8c5257c32924f1c78146ccd621aae53022100cc8097664966a0f187e41643a61524613434517ec97c9a21f319752fd842e122"
   },
   {
    "keyid": "61f9609d2655b346fcebccd66b509d5828168d5e447110e261f0bcc8553624bc",
-   "sig": "3046022100fc18a5d048d94be077f240866f344bc679098dde898f4d61ed44ba1cd37f86ec022100cc3b9d06b15ea56f953afbd3917a53c674b86e94ee5d3ffb160f3f465c2fee70"
+   "sig": "30440220149fb96582721bcaf506b06465cf8df9b4b4c7847f19165eec8f7faeccc61ed8022020090a30e448e7cd71824bf0042ce9982b8882e557be343a919ffc4d825927f6"
   },
   {
    "keyid": "9471fbda95411d10109e467ad526082d15f14a38de54ea2ada9687ab39d8e237",
@@ -44,7 +44,7 @@
     }
    ]
   },
-  "expires": "2035-04-27T13:57:15Z",
+  "expires": "2035-06-10T18:17:38Z",
   "spec_version": "1.0",
   "targets": {
    "ctfe.pub": {
@@ -133,18 +133,18 @@
    },
    "signing_config.v0.2.json": {
     "hashes": {
-     "sha256": "cb9a48c332a0d515db7760ad6972a09a0f4ed721fe5e839b70371e0d0802abe2"
+     "sha256": "0f395087486ba318321eda478d847962b1dd89846c7dc6e95752a6b110669393"
     },
-    "length": 885
+    "length": 1022
    },
    "trusted_root.json": {
     "hashes": {
-     "sha256": "3f8ab41b9311910106caf66cb5e4117b1bee0d1871def4e816c6c60cee69d421"
+     "sha256": "ed6a9cf4e7c2e3297a4b5974fce0d17132f03c63512029d7aa3a402b43acab49"
     },
-    "length": 6399
+    "length": 6824
    }
   },
-  "version": 13,
+  "version": 17,
   "x-tuf-on-ci-expiry-period": 3650,
   "x-tuf-on-ci-signing-period": 365
  }
diff --git a/test/assets/staging-tuf/targets/0f395087486ba318321eda478d847962b1dd89846c7dc6e95752a6b110669393.signing_config.v0.2.json b/test/assets/staging-tuf/targets/0f395087486ba318321eda478d847962b1dd89846c7dc6e95752a6b110669393.signing_config.v0.2.json
@@ -6,7 +6,8 @@
       "majorApiVersion": 1,
       "validFor": {
         "start": "2022-04-14T21:38:40Z"
-      }
+      },
+      "operator": "sigstore.dev"
     }
   ],
   "oidcUrls": [
@@ -15,7 +16,8 @@
       "majorApiVersion": 1,
       "validFor": {
         "start": "2025-04-16T00:00:00Z"
-      }
+      },
+      "operator": "sigstore.dev"
     }
   ],
   "rekorTlogUrls": [
@@ -24,7 +26,8 @@
       "majorApiVersion": 1,
       "validFor": {
         "start": "2021-01-12T11:53:27Z"
-      }
+      },
+      "operator": "sigstore.dev"
     }
   ],
   "tsaUrls": [
@@ -33,7 +36,8 @@
       "majorApiVersion": 1,
       "validFor": {
         "start": "2025-04-09T00:00:00Z"
-      }
+      },
+      "operator": "sigstore.dev"
     }
   ],
   "rekorTlogConfig": {
diff --git a/test/assets/staging-tuf/targets/ed6a9cf4e7c2e3297a4b5974fce0d17132f03c63512029d7aa3a402b43acab49.trusted_root.json b/test/assets/staging-tuf/targets/ed6a9cf4e7c2e3297a4b5974fce0d17132f03c63512029d7aa3a402b43acab49.trusted_root.json
@@ -14,6 +14,20 @@
       "logId": {
         "keyId": "0y8wo8MtY5wrdiIFohx7sHeI5oKDpK5vQhGHI6G+pJY="
       }
+    },
+    {
+      "baseUrl": "https://log2025-alpha1.rekor.sigstage.dev",
+      "hashAlgorithm": "SHA2_256",
+      "publicKey": {
+        "rawBytes": "MCowBQYDK2VwAyEAPn+AREHoBaZ7wgS1zBqpxmLSGnyhxXj4lFxSdWVB8o8=",
+        "keyDetails": "PKIX_ED25519",
+        "validFor": {
+          "start": "2025-04-16T00:00:00Z"
+        }
+      },
+      "logId": {
+        "keyId": "8w1amZ2S5mJIQkQmPxdMuOrL/oJkvFg9MnQXmeOCXck="
+      }
     }
   ],
   "certificateAuthorities": [
diff --git a/test/assets/staging-tuf/timestamp.json b/test/assets/staging-tuf/timestamp.json
@@ -2,18 +2,18 @@
  "signatures": [
   {
    "keyid": "c3479007e861445ce5dc109d9661ed77b35bbc0e3f161852c46114266fc2daa4",
-   "sig": "30450220665b03b09118979b8c8d93b55077279e0424ae5802a0f59e14fdccef49b0c420022100f2fd10223ca19ee7e0671839e69508e8fd4a5ea875cf7e19fe6d0d77acd604a3"
+   "sig": "3046022100fedb5a3d1a3c461c1337d7535edca8012fb0ab8da31315dbdf22b7f38f76973e022100a87967789d2d2942919dcc4f33def8ee74745f577ff0ef5479cc9f573842e8de"
   }
  ],
  "signed": {
   "_type": "timestamp",
-  "expires": "2025-05-09T07:17:49Z",
+  "expires": "2025-07-29T13:28:44Z",
   "meta": {
    "snapshot.json": {
-    "version": 13
+    "version": 16
    }
   },
   "spec_version": "1.0",
-  "version": 280
+  "version": 353
  }
 }
diff --git a/test/assets/trust_config/config.v1.json b/test/assets/trust_config/config.v1.json
@@ -121,16 +121,18 @@
                 "url": "https://fulcio.example.com",
                 "majorApiVersion": 1,
                 "validFor": {
-                "start": "2023-04-14T21:38:40Z"
-                }
+                    "start": "2023-04-14T21:38:40Z"
+                },
+                "operator": "example.com"
             },
             {
                 "url": "https://fulcio-old.example.com",
                 "majorApiVersion": 1,
                 "validFor": {
-                "start": "2022-04-14T21:38:40Z",
-                "end": "2023-04-14T21:38:40Z"
-                }
+                    "start": "2022-04-14T21:38:40Z",
+                    "end": "2023-04-14T21:38:40Z"
+                },
+                "operator": "example.com"
             }
         ],
         "oidcUrls": [
@@ -139,23 +141,26 @@
                 "majorApiVersion": 1,
                 "validFor": {
                     "start": "2025-04-16T00:00:00Z"
-                }
+                },
+                "operator": "example.com"
             }
-            ],
-            "rekorTlogUrls": [
+        ],
+        "rekorTlogUrls": [
             {
                 "url": "https://rekor.example.com",
                 "majorApiVersion": 1,
                 "validFor": {
                     "start": "2021-01-12T11:53:27Z"
-                }
+                },
+                "operator": "example.com"
             },
             {
                 "url": "https://rekor-v2.example.com",
                 "majorApiVersion": 2,
                 "validFor": {
                     "start": "2021-01-12T11:53:27Z"
-                }
+                },
+                "operator": "example.com"
             }
         ],
         "tsaUrls": [
@@ -164,7 +169,8 @@
                 "majorApiVersion": 1,
                 "validFor": {
                     "start": "2025-04-09T00:00:00Z"
-                }
+                },
+                "operator": "example.com"
             }
         ],
         "rekorTlogConfig": {
diff --git a/test/unit/conftest.py b/test/unit/conftest.py
@@ -252,7 +252,9 @@ def signer():
         trust_config = ClientTrustConfig.staging()
         trust_config.signing_config._tlogs.append(
             Service(
-                url="https://log2025-alpha1.rekor.sigstage.dev", major_api_version=2, operator="sigstage.dev"
+                url="https://log2025-alpha1.rekor.sigstage.dev",
+                major_api_version=2,
+                operator="sigstage.dev",
             )
         )
         return SigningContext.from_trust_config(trust_config)
diff --git a/test/unit/internal/test_trust.py b/test/unit/internal/test_trust.py

Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,6 @@`
`49`	`49`	`PublicKey,`
`50`	`50`	`key_id,`
`51`	`51`	`load_der_public_key,`
`52`		`- read_embedded,`
`53`	`52`	`)`
`54`	`53`	`from sigstore.errors import Error, MetadataError, TUFError, VerificationError`
`55`	`54`
Original file line number	Diff line number	Diff line change
`@@ -2,21 +2,21 @@`
`2`	`2`	`"signatures": [`
`3`	`3`	`{`
`4`	`4`	`"keyid": "c3479007e861445ce5dc109d9661ed77b35bbc0e3f161852c46114266fc2daa4",`
`5`		`- "sig": "3046022100c36bf62c4b5f72f8e3defc1af05148518a282394b304f0e0a154c10feeaee9a1022100ed8bb83508e1fcd3906bdf71af0da30f066a048db0f8da589db7dfe5f1458537"`
	`5`	`+ "sig": "304402202733036a5044a3257392cb6737c80d1972aa2bce8e7194fac23e3d0b939e83ce0220797111c4aa47094278a2997d727c728fcda795b02b8ec803e2265fdac9614a21"`
`6`	`6`	`}`
`7`	`7`	`],`
`8`	`8`	`"signed": {`
`9`	`9`	`"_type": "snapshot",`
`10`		`- "expires": "2035-04-30T07:17:48Z",`
	`10`	`+ "expires": "2035-06-11T11:54:57Z",`
`11`	`11`	`"meta": {`
`12`	`12`	`"registry.npmjs.org.json": {`
`13`	`13`	`"version": 5`
`14`	`14`	`},`
`15`	`15`	`"targets.json": {`
`16`		`- "version": 13`
	`16`	`+ "version": 17`
`17`	`17`	`}`
`18`	`18`	`},`
`19`	`19`	`"spec_version": "1.0",`
`20`		`- "version": 13`
	`20`	`+ "version": 16`
`21`	`21`	`}`
`22`	`22`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,18 +2,18 @@`
`2`	`2`	`"signatures": [`
`3`	`3`	`{`
`4`	`4`	`"keyid": "c3479007e861445ce5dc109d9661ed77b35bbc0e3f161852c46114266fc2daa4",`
`5`		`- "sig": "30450220665b03b09118979b8c8d93b55077279e0424ae5802a0f59e14fdccef49b0c420022100f2fd10223ca19ee7e0671839e69508e8fd4a5ea875cf7e19fe6d0d77acd604a3"`
	`5`	`+ "sig": "3046022100fedb5a3d1a3c461c1337d7535edca8012fb0ab8da31315dbdf22b7f38f76973e022100a87967789d2d2942919dcc4f33def8ee74745f577ff0ef5479cc9f573842e8de"`
`6`	`6`	`}`
`7`	`7`	`],`
`8`	`8`	`"signed": {`
`9`	`9`	`"_type": "timestamp",`
`10`		`- "expires": "2025-05-09T07:17:49Z",`
	`10`	`+ "expires": "2025-07-29T13:28:44Z",`
`11`	`11`	`"meta": {`
`12`	`12`	`"snapshot.json": {`
`13`		`- "version": 13`
	`13`	`+ "version": 16`
`14`	`14`	`}`
`15`	`15`	`},`
`16`	`16`	`"spec_version": "1.0",`
`17`		`- "version": 280`
	`17`	`+ "version": 353`
`18`	`18`	`}`
`19`	`19`	`}`