cli: Add --rekor-version to sign arguments

This should not be needed... but it could be handy if
* SigningConfig already contains rekor v2
* user for some reason does not want rekor v2 entries in
  the bundle

This option only does anything if there are multiple Rekor versions
listed in SigningConfig.

The test is changed since the "ANY" selector is now considered to not be
an error if there are 0 services:
* This is not a problem since for both TSAs and tlogs we have a check
  that there is at least one service
* This improves the error message when --rekor-version is used with
  a version that is not found in signingconfig

Signed-off-by: Jussi Kukkonen <[email protected]>

Author: jku

sigstore/_cli.py

@@ -288,6 +288,11 @@ def _parser() -> argparse.ArgumentParser:
         formatter_class=argparse.ArgumentDefaultsHelpFormatter,
         parents=[parent_parser],
     )
+    attest.add_argument(
+        "--rekor-version",
+        type=int,
+        help="Force the rekor transparency log version (in case there are multiple in signing configuration)",
+    )
     attest.add_argument(
         "files",
         metavar="FILE",
@@ -348,6 +353,11 @@ def _parser() -> argparse.ArgumentParser:
         formatter_class=argparse.ArgumentDefaultsHelpFormatter,
         parents=[parent_parser],
     )
+    sign.add_argument(
+        "--rekor-version",
+        type=int,
+        help="Force the rekor transparency log version (in case there are multiple in signing configuration)",
+    )
 
     oidc_options = sign.add_argument_group("OpenID Connect options")
     oidc_options.add_argument(
@@ -1195,11 +1205,16 @@ def _get_trust_config(args: argparse.Namespace) -> ClientTrustConfig:
     offline = getattr(args, "offline", False)
 
     if args.trust_config:
-        return ClientTrustConfig.from_json(args.trust_config.read_text())
+        trust_config = ClientTrustConfig.from_json(args.trust_config.read_text())
     elif args.staging:
-        return ClientTrustConfig.staging(offline=offline)
+        trust_config = ClientTrustConfig.staging(offline=offline)
     else:
-        return ClientTrustConfig.production(offline=offline)
+        trust_config = ClientTrustConfig.production(offline=offline)
+
+    # Enforce rekor version if --rekor-version is used
+    trust_config.force_tlog_version = getattr(args, "rekor_version", None)
+
+    return trust_config
 
 
 def _get_identity(

sigstore/_internal/trust.py

@@ -335,10 +335,13 @@ def __str__(self) -> str:
             """Returns the variant's string value."""
             return self.value
 
-    def __init__(self, inner: _SigningConfig):
+    def __init__(self, inner: _SigningConfig, tlog_version: int | None = None):
         """
         Construct a new `SigningConfig`.
 
+        tlog_version is an optional argument that enforces that only specified
+        versions of rekor are included in the transparency logs.
+
         @api private
         """
         self._inner = inner
@@ -351,8 +354,13 @@ def __init__(self, inner: _SigningConfig):
 
         # Create lists of service protos that are valid, selected by the service
         # configuration & supported by this client
+        if tlog_version is None:
+            tlog_versions = REKOR_VERSIONS
+        else:
+            tlog_versions = [tlog_version]
+
         self._tlogs = self._get_valid_services(
-            self._inner.rekor_tlog_urls, REKOR_VERSIONS, self._inner.rekor_tlog_config
+            self._inner.rekor_tlog_urls, tlog_versions, self._inner.rekor_tlog_config
         )
         if not self._tlogs:
             raise Error("No valid Rekor transparency log found in signing config")
@@ -415,7 +423,7 @@ def _get_valid_services(
 
         # handle EXACT and ANY selectors
         count = config.count if config.selector == ServiceSelector.EXACT else 1
-        if len(result) < count:
+        if config.selector == ServiceSelector.EXACT and len(result) < count:
             raise ValueError(
                 f"Expected {count} services in signing config, found {len(result)}"
             )
@@ -655,6 +663,9 @@ def __init__(self, inner: _ClientTrustConfig) -> None:
         self._inner = inner
         self._verify()
 
+        # This can be used to enforce a specific rekor major version in signingconfig
+        self.force_tlog_version: int | None = None
+
     def _verify(self) -> None:
         """
         Performs various feats of heroism to ensure that the client trust config
@@ -681,4 +692,6 @@ def signing_config(self) -> SigningConfig:
         """
         Return the interior root of trust, as a `SigningConfig`.
         """
-        return SigningConfig(self._inner.signing_config)
+        return SigningConfig(
+            self._inner.signing_config, tlog_version=self.force_tlog_version
+        )

test/unit/internal/test_trust.py

@@ -188,11 +188,6 @@ def test_get_valid_services(self, services, versions, config, expected_result):
     @pytest.mark.parametrize(
         "services, versions, config",
         [
-            (  # ANY selector without services
-                [],
-                [1],
-                ServiceConfiguration(ServiceSelector.ANY),
-            ),
             (  # EXACT selector without enough services
                 [_service_v1_op1],
                 [1],