feat: expose ClientTrustConfig as a public class

Signed-off-by: SequeI <[email protected]>

Author: SequeI

CHANGELOG.md

@@ -65,6 +65,9 @@ All versions prior to 0.9.0 are untracked.
   * SigningConfig now has methods that return actual clients (like `RekorClient`) instead of
     just URLs. The returned clients are also filtered according to SigningConfig contents.
     [#1407](https://github.com/sigstore/sigstore-python/pull/1407)
+  * The ClientTrustConfig class has been moved from the private _internal package to a public
+    module (sigstore.models). This change formally adds the class to the project's public API,
+    making it available for use in other projects. [#1496](https://github.com/sigstore/sigstore-python/pull/1496)
 * `--trust-config` now requires a file with SigningConfig v0.2, and is able to fully
   configure the used Sigstore instance [#1358]/(https://github.com/sigstore/sigstore-python/pull/1358)
 * By default (when `--trust-config` is not used) the whole trust configuration now

sigstore/_cli.py

@@ -38,7 +38,6 @@
 from sigstore._internal.fulcio.client import ExpiredCertificate
 from sigstore._internal.rekor import _hashedrekord_from_parts
 from sigstore._internal.rekor.client import RekorClient
-from sigstore._internal.trust import ClientTrustConfig
 from sigstore._utils import sha256_digest
 from sigstore.dsse import StatementBuilder, Subject
 from sigstore.dsse._predicate import (
@@ -48,7 +47,7 @@
 )
 from sigstore.errors import Error, VerificationError
 from sigstore.hashes import Hashed
-from sigstore.models import Bundle, InvalidBundle
+from sigstore.models import Bundle, ClientTrustConfig, InvalidBundle
 from sigstore.oidc import (
     ExpiredIdentity,
     IdentityToken,

sigstore/_internal/rekor/client_v2.py

@@ -21,6 +21,7 @@
 import base64
 import json
 import logging
+import typing
 
 import requests
 from cryptography.hazmat.primitives import serialization
@@ -38,7 +39,9 @@
 )
 from sigstore.dsse import Envelope
 from sigstore.hashes import Hashed
-from sigstore.models import TransparencyLogEntry
+
+if typing.TYPE_CHECKING:
+    from sigstore.models import TransparencyLogEntry
 
 _logger = logging.getLogger(__name__)
 

sigstore/_internal/trust.py

@@ -19,13 +19,13 @@
 from __future__ import annotations
 
 import logging
+import typing
 from collections import defaultdict
 from collections.abc import Iterable
 from dataclasses import dataclass
 from datetime import datetime, timezone
 from enum import Enum
 from pathlib import Path
-from typing import ClassVar, NewType
 
 import cryptography.hazmat.primitives.asymmetric.padding as padding
 from cryptography.exceptions import InvalidSignature
@@ -40,17 +40,18 @@
 
 from sigstore._internal.fulcio.client import FulcioClient
 from sigstore._internal.rekor import RekorLogSubmitter
-from sigstore._internal.rekor.client import RekorClient
 from sigstore._internal.rekor.client_v2 import RekorV2Client
 from sigstore._internal.timestamp import TimestampAuthorityClient
-from sigstore._internal.tuf import DEFAULT_TUF_URL, STAGING_TUF_URL, TrustUpdater
 from sigstore._utils import (
     KeyID,
     PublicKey,
     key_id,
     load_der_public_key,
 )
-from sigstore.errors import Error, MetadataError, TUFError, VerificationError
+from sigstore.errors import Error, MetadataError, VerificationError
+
+if typing.TYPE_CHECKING:
+    from sigstore._internal.rekor.client import RekorClient
 
 # Versions supported by this client
 REKOR_VERSIONS = [1, 2]
@@ -95,14 +96,14 @@ class Key:
     key: PublicKey
     key_id: KeyID
 
-    _RSA_SHA_256_DETAILS: ClassVar = {
+    _RSA_SHA_256_DETAILS: typing.ClassVar = {
         common_v1.PublicKeyDetails.PKCS1_RSA_PKCS1V5,
         common_v1.PublicKeyDetails.PKIX_RSA_PKCS1V15_2048_SHA256,
         common_v1.PublicKeyDetails.PKIX_RSA_PKCS1V15_3072_SHA256,
         common_v1.PublicKeyDetails.PKIX_RSA_PKCS1V15_4096_SHA256,
     }
 
-    _EC_DETAILS_TO_HASH: ClassVar = {
+    _EC_DETAILS_TO_HASH: typing.ClassVar = {
         common_v1.PublicKeyDetails.PKIX_ECDSA_P256_SHA_256: hashes.SHA256(),
         common_v1.PublicKeyDetails.PKIX_ECDSA_P384_SHA_384: hashes.SHA384(),
         common_v1.PublicKeyDetails.PKIX_ECDSA_P521_SHA_512: hashes.SHA512(),
@@ -221,8 +222,8 @@ def verify(self, *, key_id: KeyID, signature: bytes, data: bytes) -> None:
             raise VerificationError("keyring: invalid signature")
 
 
-RekorKeyring = NewType("RekorKeyring", Keyring)
-CTKeyring = NewType("CTKeyring", Keyring)
+RekorKeyring = typing.NewType("RekorKeyring", Keyring)
+CTKeyring = typing.NewType("CTKeyring", Keyring)
 
 
 class KeyringPurpose(str, Enum):
@@ -547,102 +548,3 @@ def get_timestamp_authorities(self) -> list[CertificateAuthority]:
             for cert_chain in self._inner.timestamp_authorities
         ]
         return certificate_authorities
-
-
-class ClientTrustConfig:
-    """
-    Represents a Sigstore client's trust configuration, including a root of trust.
-    """
-
-    class ClientTrustConfigType(str, Enum):
-        """
-        Known Sigstore client trust config media types.
-        """
-
-        CONFIG_0_1 = "application/vnd.dev.sigstore.clienttrustconfig.v0.1+json"
-
-        def __str__(self) -> str:
-            """Returns the variant's string value."""
-            return self.value
-
-    @classmethod
-    def from_json(cls, raw: str) -> ClientTrustConfig:
-        """
-        Deserialize the given client trust config.
-        """
-        inner = trustroot_v1.ClientTrustConfig.from_json(raw)
-        return cls(inner)
-
-    @classmethod
-    def production(
-        cls,
-        offline: bool = False,
-    ) -> ClientTrustConfig:
-        """Create new trust config from Sigstore production TUF repository.
-
-        If `offline`, will use data in local TUF cache. Otherwise will
-        update the data from remote TUF repository.
-        """
-        return cls.from_tuf(DEFAULT_TUF_URL, offline)
-
-    @classmethod
-    def staging(
-        cls,
-        offline: bool = False,
-    ) -> ClientTrustConfig:
-        """Create new trust config from Sigstore staging TUF repository.
-
-        If `offline`, will use data in local TUF cache. Otherwise will
-        update the data from remote TUF repository.
-        """
-        return cls.from_tuf(STAGING_TUF_URL, offline)
-
-    @classmethod
-    def from_tuf(
-        cls,
-        url: str,
-        offline: bool = False,
-    ) -> ClientTrustConfig:
-        """Create a new trust config from a TUF repository.
-
-        If `offline`, will use data in local TUF cache. Otherwise will
-        update the trust config from remote TUF repository.
-        """
-        updater = TrustUpdater(url, offline)
-
-        tr_path = updater.get_trusted_root_path()
-        inner_tr = trustroot_v1.TrustedRoot.from_json(Path(tr_path).read_bytes())
-
-        try:
-            sc_path = updater.get_signing_config_path()
-            inner_sc = trustroot_v1.SigningConfig.from_json(Path(sc_path).read_bytes())
-        except TUFError as e:
-            raise e
-
-        return cls(
-            trustroot_v1.ClientTrustConfig(
-                media_type=ClientTrustConfig.ClientTrustConfigType.CONFIG_0_1.value,
-                trusted_root=inner_tr,
-                signing_config=inner_sc,
-            )
-        )
-
-    def __init__(self, inner: trustroot_v1.ClientTrustConfig) -> None:
-        """
-        @api private
-        """
-        self._inner = inner
-
-    @property
-    def trusted_root(self) -> TrustedRoot:
-        """
-        Return the interior root of trust, as a `TrustedRoot`.
-        """
-        return TrustedRoot(self._inner.trusted_root)
-
-    @property
-    def signing_config(self) -> SigningConfig:
-        """
-        Return the interior root of trust, as a `SigningConfig`.
-        """
-        return SigningConfig(self._inner.signing_config)

sigstore/models.py

@@ -58,6 +58,13 @@
 if typing.TYPE_CHECKING:
     from sigstore._internal.trust import RekorKeyring
 
+from pathlib import Path
+
+from sigstore_models.trustroot import v1 as trustroot_v1
+
+from sigstore._internal.trust import SigningConfig, TrustedRoot
+from sigstore._internal.tuf import DEFAULT_TUF_URL, STAGING_TUF_URL, TrustUpdater
+from sigstore.errors import TUFError
 
 _logger = logging.getLogger(__name__)
 
@@ -593,3 +600,102 @@ def _from_parts(
         )
 
         return cls(inner)
+
+
+class ClientTrustConfig:
+    """
+    Represents a Sigstore client's trust configuration, including a root of trust.
+    """
+
+    class ClientTrustConfigType(str, Enum):
+        """
+        Known Sigstore client trust config media types.
+        """
+
+        CONFIG_0_1 = "application/vnd.dev.sigstore.clienttrustconfig.v0.1+json"
+
+        def __str__(self) -> str:
+            """Returns the variant's string value."""
+            return self.value
+
+    @classmethod
+    def from_json(cls, raw: str) -> ClientTrustConfig:
+        """
+        Deserialize the given client trust config.
+        """
+        inner = trustroot_v1.ClientTrustConfig.from_json(raw)
+        return cls(inner)
+
+    @classmethod
+    def production(
+        cls,
+        offline: bool = False,
+    ) -> ClientTrustConfig:
+        """Create new trust config from Sigstore production TUF repository.
+
+        If `offline`, will use data in local TUF cache. Otherwise will
+        update the data from remote TUF repository.
+        """
+        return cls.from_tuf(DEFAULT_TUF_URL, offline)
+
+    @classmethod
+    def staging(
+        cls,
+        offline: bool = False,
+    ) -> ClientTrustConfig:
+        """Create new trust config from Sigstore staging TUF repository.
+
+        If `offline`, will use data in local TUF cache. Otherwise will
+        update the data from remote TUF repository.
+        """
+        return cls.from_tuf(STAGING_TUF_URL, offline)
+
+    @classmethod
+    def from_tuf(
+        cls,
+        url: str,
+        offline: bool = False,
+    ) -> ClientTrustConfig:
+        """Create a new trust config from a TUF repository.
+
+        If `offline`, will use data in local TUF cache. Otherwise will
+        update the trust config from remote TUF repository.
+        """
+        updater = TrustUpdater(url, offline)
+
+        tr_path = updater.get_trusted_root_path()
+        inner_tr = trustroot_v1.TrustedRoot.from_json(Path(tr_path).read_bytes())
+
+        try:
+            sc_path = updater.get_signing_config_path()
+            inner_sc = trustroot_v1.SigningConfig.from_json(Path(sc_path).read_bytes())
+        except TUFError as e:
+            raise e
+
+        return cls(
+            trustroot_v1.ClientTrustConfig(
+                media_type=ClientTrustConfig.ClientTrustConfigType.CONFIG_0_1.value,
+                trusted_root=inner_tr,
+                signing_config=inner_sc,
+            )
+        )
+
+    def __init__(self, inner: trustroot_v1.ClientTrustConfig) -> None:
+        """
+        @api private
+        """
+        self._inner = inner
+
+    @property
+    def trusted_root(self) -> TrustedRoot:
+        """
+        Return the interior root of trust, as a `TrustedRoot`.
+        """
+        return TrustedRoot(self._inner.trusted_root)
+
+    @property
+    def signing_config(self) -> SigningConfig:
+        """
+        Return the interior root of trust, as a `SigningConfig`.
+        """
+        return SigningConfig(self._inner.signing_config)

sigstore/sign.py

@@ -59,9 +59,9 @@
 from sigstore._internal.rekor import EntryRequestBody, RekorLogSubmitter
 from sigstore._internal.sct import verify_sct
 from sigstore._internal.timestamp import TimestampAuthorityClient, TimestampError
-from sigstore._internal.trust import ClientTrustConfig, KeyringPurpose, TrustedRoot
+from sigstore._internal.trust import KeyringPurpose, TrustedRoot
 from sigstore._utils import sha256_digest
-from sigstore.models import Bundle
+from sigstore.models import Bundle, ClientTrustConfig
 from sigstore.oidc import ExpiredIdentity, IdentityToken
 
 _logger = logging.getLogger(__name__)

sigstore/verify/verifier.py

@@ -49,11 +49,11 @@
     verify_sct,
 )
 from sigstore._internal.timestamp import TimestampSource, TimestampVerificationResult
-from sigstore._internal.trust import ClientTrustConfig, KeyringPurpose, TrustedRoot
+from sigstore._internal.trust import KeyringPurpose, TrustedRoot
 from sigstore._utils import base64_encode_pem_cert, sha256_digest
 from sigstore.errors import VerificationError
 from sigstore.hashes import Hashed
-from sigstore.models import Bundle
+from sigstore.models import Bundle, ClientTrustConfig
 from sigstore.verify.policy import VerificationPolicy
 
 _logger = logging.getLogger(__name__)

test/unit/conftest.py

@@ -38,9 +38,8 @@
 from sigstore._internal import tuf
 from sigstore._internal.rekor import _hashedrekord_from_parts
 from sigstore._internal.rekor.client import RekorClient
-from sigstore._internal.trust import ClientTrustConfig
 from sigstore._utils import sha256_digest
-from sigstore.models import Bundle
+from sigstore.models import Bundle, ClientTrustConfig
 from sigstore.oidc import IdentityToken
 from sigstore.sign import SigningContext
 from sigstore.verify.verifier import Verifier

test/unit/internal/test_trust.py

@@ -32,14 +32,14 @@
 from sigstore._internal.timestamp import TimestampAuthorityClient
 from sigstore._internal.trust import (
     CertificateAuthority,
-    ClientTrustConfig,
     KeyringPurpose,
     SigningConfig,
     TrustedRoot,
     _is_timerange_valid,
 )
 from sigstore._utils import load_pem_public_key
 from sigstore.errors import Error
+from sigstore.models import ClientTrustConfig
 
 # Test data for TestSigningcconfig
 _service_v1_op1 = Service(url="url1", major_api_version=1, operator="op1")

test/unit/test_sign.py

@@ -21,10 +21,10 @@
 
 import sigstore.oidc
 from sigstore._internal.timestamp import TimestampAuthorityClient
-from sigstore._internal.trust import ClientTrustConfig
 from sigstore.dsse import StatementBuilder, Subject
 from sigstore.errors import VerificationError
 from sigstore.hashes import Hashed
+from sigstore.models import ClientTrustConfig
 from sigstore.sign import SigningContext
 from sigstore.verify.policy import UnsafeNoOp