Rekor: Tweak the log submitter abstraction

jku · jku · commit 9b60fb6ed873 · 2025-06-04T11:01:34.000+03:00
* Make sure the exposed signatures actually are abstract:
  the request payload can be just a dict so both clients actually
  implement the same API
* There is still a "EntryRequest" NewType being used instead of dict
  just to make the intent clear

Signed-off-by: Jussi Kukkonen &lt;jkukkonen@google.com&gt;
diff --git a/sigstore/_internal/rekor/__init__.py b/sigstore/_internal/rekor/__init__.py
@@ -20,11 +20,11 @@
 
 import base64
 from abc import ABC, abstractmethod
+from typing import Any, NewType
 
 import rekor_types
 from cryptography.x509 import Certificate
 
-from sigstore._internal.rekor.v2_types.dev.sigstore.rekor import v2
 from sigstore._utils import base64_encode_pem_cert
 from sigstore.dsse import Envelope
 from sigstore.hashes import Hashed
@@ -34,12 +34,19 @@
     "_hashedrekord_from_parts",
 ]
 
+EntryRequest = NewType("EntryRequest", dict[str, Any])
+
 
 class RekorLogSubmitter(ABC):
+    """Abstract class to represent a Rekor log entry submitter.
+
+    Intended to be implemented by RekorClient and RekorV2Client
+    """
+
     @abstractmethod
     def create_entry(
         self,
-        request: rekor_types.Hashedrekord | rekor_types.Dsse | v2.CreateEntryRequest,
+        request: EntryRequest,
     ) -> LogEntry:
         """
         Submit the request to Rekor.
@@ -50,7 +57,7 @@ def create_entry(
     @abstractmethod
     def _build_hashed_rekord_request(
         self, hashed_input: Hashed, signature: bytes, certificate: Certificate
-    ) -> rekor_types.Hashedrekord | v2.CreateEntryRequest:
+    ) -> EntryRequest:
         """
         Construct a hashed rekord request to submit to Rekor.
         """
@@ -60,7 +67,7 @@ def _build_hashed_rekord_request(
     @abstractmethod
     def _build_dsse_request(
         self, envelope: Envelope, certificate: Certificate
-    ) -> rekor_types.Dsse | v2.CreateEntryRequest:
+    ) -> EntryRequest:
         """
         Construct a dsse request to submit to Rekor.
         """
diff --git a/sigstore/_internal/rekor/client.py b/sigstore/_internal/rekor/client.py
@@ -32,6 +32,7 @@
 
 from sigstore._internal import USER_AGENT
 from sigstore._internal.rekor import (
+    EntryRequest,
     RekorLogSubmitter,
 )
 from sigstore.dsse import Envelope
@@ -153,13 +154,12 @@ def get(
 
     def post(
         self,
-        proposed_entry: rekor_types.Hashedrekord | rekor_types.Dsse,
+        payload: EntryRequest,
     ) -> LogEntry:
         """
         Submit a new entry for inclusion in the Rekor log.
         """
 
-        payload = proposed_entry.model_dump(mode="json", by_alias=True)
         _logger.debug(f"proposed: {json.dumps(payload)}")
 
         resp: requests.Response = self.session.post(self.url, json=payload)
@@ -270,21 +270,19 @@ def log(self) -> RekorLog:
         """
         return RekorLog(f"{self.url}/log", session=self.session)
 
-    def create_entry(  # type: ignore[override]
-        self, request: rekor_types.Hashedrekord | rekor_types.Dsse
-    ) -> LogEntry:
+    def create_entry(self, request: EntryRequest) -> LogEntry:
         """
         Submit the request to Rekor.
         """
         return self.log.entries.post(request)
 
     def _build_hashed_rekord_request(  # type: ignore[override]
         self, hashed_input: Hashed, signature: bytes, certificate: Certificate
-    ) -> rekor_types.Hashedrekord:
+    ) -> EntryRequest:
         """
-        Construct a hashed rekord request to submit to Rekor.
+        Construct a hashed rekord payload to submit to Rekor.
         """
-        return rekor_types.Hashedrekord(
+        rekord = rekor_types.Hashedrekord(
             spec=rekor_types.hashedrekord.HashedrekordV001Schema(
                 signature=rekor_types.hashedrekord.Signature(
                     content=base64.b64encode(signature).decode(),
@@ -304,14 +302,15 @@ def _build_hashed_rekord_request(  # type: ignore[override]
                 ),
             ),
         )
+        return EntryRequest(rekord.model_dump(mode="json", by_alias=True))
 
     def _build_dsse_request(  # type: ignore[override]
         self, envelope: Envelope, certificate: Certificate
-    ) -> rekor_types.Dsse:
+    ) -> EntryRequest:
         """
         Construct a dsse request to submit to Rekor.
         """
-        return rekor_types.Dsse(
+        dsse = rekor_types.Dsse(
             spec=rekor_types.dsse.DsseSchema(
                 # NOTE: mypy can't see that this kwarg is correct due to two interacting
                 # behaviors/bugs (one pydantic, one datamodel-codegen):
@@ -329,3 +328,4 @@ def _build_dsse_request(  # type: ignore[override]
                 ),
             ),
         )
+        return EntryRequest(dsse.model_dump(mode="json", by_alias=True))
diff --git a/sigstore/_internal/rekor/client_v2.py b/sigstore/_internal/rekor/client_v2.py
@@ -27,7 +27,7 @@
 from cryptography.x509 import Certificate
 
 from sigstore._internal import USER_AGENT
-from sigstore._internal.rekor import RekorLogSubmitter
+from sigstore._internal.rekor import EntryRequest, RekorLogSubmitter
 from sigstore._internal.rekor.v2_types.dev.sigstore.common import v1 as common_v1
 from sigstore._internal.rekor.v2_types.dev.sigstore.rekor import v2
 from sigstore._internal.rekor.v2_types.io import intoto as v2_intoto
@@ -72,12 +72,10 @@ def __del__(self) -> None:
         """
         self.session.close()
 
-    # TODO: when we remove the original Rekor client, remove the type ignore here
-    def create_entry(self, request: v2.CreateEntryRequest) -> LogEntry:  # type: ignore[override]
+    def create_entry(self, payload: EntryRequest) -> LogEntry:
         """
         Submit a new entry for inclusion in the Rekor log.
         """
-        payload = request.to_dict()
         _logger.debug(f"proposed: {json.dumps(payload)}")
         resp = self.session.post(
             f"{self.url}/log/entries",
@@ -100,11 +98,11 @@ def _build_hashed_rekord_request(
         hashed_input: Hashed,
         signature: bytes,
         certificate: Certificate,
-    ) -> v2.CreateEntryRequest:
+    ) -> EntryRequest:
         """
         Construct a hashed rekord request to submit to Rekor.
         """
-        return v2.CreateEntryRequest(
+        req = v2.CreateEntryRequest(
             hashed_rekord_request_v0_0_2=v2.HashedRekordRequestV002(
                 digest=hashed_input.digest,
                 signature=v2.Signature(
@@ -120,15 +118,16 @@ def _build_hashed_rekord_request(
                 ),
             )
         )
+        return EntryRequest(req.to_dict())
 
     @classmethod
     def _build_dsse_request(
         cls, envelope: Envelope, certificate: Certificate
-    ) -> v2.CreateEntryRequest:
+    ) -> EntryRequest:
         """
         Construct a dsse request to submit to Rekor.
         """
-        return v2.CreateEntryRequest(
+        req = v2.CreateEntryRequest(
             dsse_request_v0_0_2=v2.DsseRequestV002(
                 envelope=v2_intoto.Envelope(
                     payload=envelope._inner.payload,
@@ -153,6 +152,7 @@ def _build_dsse_request(
                 ],
             )
         )
+        return EntryRequest(req.to_dict())
 
 
 class RekorClientError(Exception):
diff --git a/sigstore/sign.py b/sigstore/sign.py
@@ -45,7 +45,6 @@
 from typing import Optional
 
 import cryptography.x509 as x509
-import rekor_types
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.x509.oid import NameOID
@@ -60,6 +59,7 @@
     ExpiredCertificate,
     FulcioClient,
 )
+from sigstore._internal.rekor import EntryRequest
 from sigstore._internal.rekor.client import RekorClient
 from sigstore._internal.sct import verify_sct
 from sigstore._internal.timestamp import TimestampAuthorityClient, TimestampError
@@ -175,7 +175,7 @@ def _finalize_sign(
         self,
         cert: x509.Certificate,
         content: MessageSignature | dsse.Envelope,
-        proposed_entry: rekor_types.Hashedrekord | rekor_types.Dsse,
+        proposed_entry: EntryRequest,
     ) -> Bundle:
         """
         Perform the common "finalizing" steps in a Sigstore signing flow.
