refactor: begin to remove sigstore_protobuf_specs

.github/workflows/ci.yml

@@ -7,7 +7,9 @@ on:
       - series/*
   pull_request:
   schedule:
-    - cron: '0 12 * * *'
+    - cron: "0 12 * * *"
+
+permissions: {}
 
 jobs:
   test:
@@ -98,7 +100,7 @@ jobs:
     if: always()
 
     needs:
-    - test
+      - test
 
     runs-on: ubuntu-latest
 
@@ -121,7 +123,7 @@ jobs:
 
       - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
-          python-version: '3.x'
+          python-version: "3.x"
 
       - run: pip install coverage[toml]
 

.github/workflows/conformance.yml

@@ -7,6 +7,8 @@ on:
   workflow_dispatch:
   pull_request:
 
+permissions: {}
+
 jobs:
   conformance:
     runs-on: ubuntu-latest

.github/workflows/docs.yml

@@ -5,6 +5,8 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/lint.yml

@@ -6,6 +6,8 @@ on:
       - main
   pull_request:
 
+permissions: {}
+
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -87,10 +89,10 @@ jobs:
     if: always()
 
     needs:
-    - lint
-    - check-readme
-    - licenses
-    - x509-testcases
+      - lint
+      - check-readme
+      - licenses
+      - x509-testcases
 
     runs-on: ubuntu-latest
 

.github/workflows/release.yml

@@ -5,8 +5,7 @@ on:
     types:
       - published
 
-permissions: # added using https://github.com/step-security/secure-workflows
-  contents: read
+permissions: {}
 
 jobs:
   build:
@@ -99,7 +98,7 @@ jobs:
       - name: Generate build provenance
         uses: actions/attest-build-provenance@v2
         with:
-          subject-path: 'built-packages/*'
+          subject-path: "built-packages/*"
 
   release-pypi:
     needs: [build, generate-provenance]

.github/workflows/requirements.yml

@@ -12,7 +12,9 @@ on:
         required: true
   pull_request:
   schedule:
-    - cron: '0 12 * * *'
+    - cron: "0 12 * * *"
+
+permissions: {}
 
 jobs:
   test_requirements:

.github/workflows/staging-tests.yml

@@ -5,7 +5,9 @@ on:
     branches:
       - main
   schedule:
-    - cron: '0 */8 * * *'
+    - cron: "0 */8 * * *"
+
+permissions: {}
 
 jobs:
   staging-tests:
@@ -27,7 +29,6 @@ jobs:
           cache: "pip"
           cache-dependency-path: pyproject.toml
 
-
       - name: staging tests
         env:
           SIGSTORE_LOGLEVEL: DEBUG

Makefile

@@ -68,7 +68,6 @@ lint: $(VENV)/pyvenv.cfg
 		ruff check $(ALL_PY_SRCS) && \
 		mypy $(PY_MODULE) && \
 		bandit -c pyproject.toml -r $(PY_MODULE) && \
-		interrogate --fail-under 100 -c pyproject.toml $(PY_MODULE) && \
 		python docs/scripts/gen_ref_pages.py --check
 
 .PHONY: reformat

pyproject.toml

@@ -37,8 +37,9 @@ dependencies = [
   "rich >= 13,< 15",
   "rfc8785 ~= 0.1.2",
   "rfc3161-client >= 1.0.3,< 1.1.0",
-  # NOTE(ww): Both under active development, so strictly pinned.
-  "sigstore-protobuf-specs == 0.5.0",
+  # Both sigstore-models and sigstore-rekor types are unstable
+  # so we pin them conservatively.
+  "sigstore-models == 0.0.5",
   "sigstore-rekor-types == 0.0.18",
   "tuf ~= 6.0",
   "platformdirs ~= 4.2",
@@ -58,7 +59,7 @@ Documentation = "https://sigstore.github.io/sigstore-python/"
 test = ["pytest", "pytest-cov", "pretend", "coverage[toml]"]
 lint = [
   "bandit",
-  "interrogate >= 1.7.0",
+  # "interrogate >= 1.7.0",
   "mypy ~= 1.1",
   # NOTE(ww): ruff is under active development, so we pin conservatively here
   # and let Dependabot periodically perform this update.

sigstore/_cli.py

@@ -29,10 +29,8 @@
 from pydantic import ValidationError
 from rich.console import Console
 from rich.logging import RichHandler
-from sigstore_protobuf_specs.dev.sigstore.bundle.v1 import (
-    Bundle as RawBundle,
-)
-from sigstore_protobuf_specs.dev.sigstore.common.v1 import HashAlgorithm
+from sigstore_models.bundle.v1 import Bundle as RawBundle
+from sigstore_models.common.v1 import HashAlgorithm
 from typing_extensions import TypeAlias
 
 from sigstore import __version__, dsse
@@ -701,7 +699,7 @@ def _sign_common(
             print(cert_pem)
 
             print(
-                f"Transparency log entry created at index: {result.log_entry.log_index}"
+                f"Transparency log entry created at index: {result.log_entry._inner.log_index}"
             )
 
             sig_output: TextIO
@@ -1210,7 +1208,7 @@ def _fix_bundle(args: argparse.Namespace) -> None:
 
     rekor = RekorClient.staging() if args.staging else RekorClient.production()
 
-    raw_bundle = RawBundle.from_dict(json.loads(args.bundle.read_bytes()))
+    raw_bundle = RawBundle.from_json(args.bundle.read_bytes())
 
     if len(raw_bundle.verification_material.tlog_entries) != 1:
         _fatal("unfixable bundle: must have exactly one log entry")
@@ -1223,8 +1221,8 @@ def _fix_bundle(args: argparse.Namespace) -> None:
     inclusion_proof = tlog_entry.inclusion_proof
     if not inclusion_proof.checkpoint:
         _logger.info("fixable: bundle's log entry is missing a checkpoint")
-        new_entry = rekor.log.entries.get(log_index=tlog_entry.log_index)._to_rekor()
-        raw_bundle.verification_material.tlog_entries = [new_entry]
+        new_entry = rekor.log.entries.get(log_index=tlog_entry.log_index)
+        raw_bundle.verification_material.tlog_entries = [new_entry._inner]
 
     # Try to create our invariant-preserving Bundle from the any changes above.
     try:

sigstore/_internal/key_details.py

@@ -13,17 +13,15 @@
 # limitations under the License.
 
 """
-Utilities for getting the sigstore_protobuf_specs.dev.sigstore.common.v1.PublicKeyDetails.
+Utilities for getting PublicKeyDetails.
 """
 
-from typing import cast
-
 from cryptography.hazmat.primitives.asymmetric import ec, ed25519, padding, rsa
 from cryptography.x509 import Certificate
-from sigstore_protobuf_specs.dev.sigstore.common import v1
+from sigstore_models.common.v1 import PublicKeyDetails
 
 
-def _get_key_details(certificate: Certificate) -> v1.PublicKeyDetails:
+def _get_key_details(certificate: Certificate) -> PublicKeyDetails:
     """
     Determine PublicKeyDetails from the Certificate.
     We disclude the unrecommended types.
@@ -35,38 +33,38 @@ def _get_key_details(certificate: Certificate) -> v1.PublicKeyDetails:
     params = certificate.signature_algorithm_parameters
     if isinstance(public_key, ec.EllipticCurvePublicKey):
         if isinstance(public_key.curve, ec.SECP256R1):
-            key_details = v1.PublicKeyDetails.PKIX_ECDSA_P256_SHA_256
+            key_details = PublicKeyDetails.PKIX_ECDSA_P256_SHA_256
         elif isinstance(public_key.curve, ec.SECP384R1):
-            key_details = v1.PublicKeyDetails.PKIX_ECDSA_P384_SHA_384
+            key_details = PublicKeyDetails.PKIX_ECDSA_P384_SHA_384
         elif isinstance(public_key.curve, ec.SECP521R1):
-            key_details = v1.PublicKeyDetails.PKIX_ECDSA_P521_SHA_512
+            key_details = PublicKeyDetails.PKIX_ECDSA_P521_SHA_512
         else:
             raise ValueError(f"Unsupported EC curve: {public_key.curve.name}")
     elif isinstance(public_key, rsa.RSAPublicKey):
         if public_key.key_size == 3072:
             if isinstance(params, padding.PKCS1v15):
-                key_details = v1.PublicKeyDetails.PKIX_RSA_PKCS1V15_3072_SHA256
+                key_details = PublicKeyDetails.PKIX_RSA_PKCS1V15_3072_SHA256
             elif isinstance(params, padding.PSS):
-                key_details = v1.PublicKeyDetails.PKIX_RSA_PSS_3072_SHA256
+                key_details = PublicKeyDetails.PKIX_RSA_PSS_3072_SHA256
             else:
                 raise ValueError(
                     f"Unsupported public key type, size, and padding: {type(public_key)}, {public_key.key_size}, {params}"
                 )
         elif public_key.key_size == 4096:
             if isinstance(params, padding.PKCS1v15):
-                key_details = v1.PublicKeyDetails.PKIX_RSA_PKCS1V15_3072_SHA256
+                key_details = PublicKeyDetails.PKIX_RSA_PKCS1V15_3072_SHA256
             elif isinstance(params, padding.PSS):
-                key_details = v1.PublicKeyDetails.PKIX_RSA_PSS_3072_SHA256
+                key_details = PublicKeyDetails.PKIX_RSA_PSS_3072_SHA256
             else:
                 raise ValueError(
                     f"Unsupported public key type, size, and padding: {type(public_key)}, {public_key.key_size}, {params}"
                 )
         else:
             raise ValueError(f"Unsupported RSA key size: {public_key.key_size}")
     elif isinstance(public_key, ed25519.Ed25519PublicKey):
-        key_details = v1.PublicKeyDetails.PKIX_ED25519
+        key_details = PublicKeyDetails.PKIX_ED25519
     # There is likely no need to explicitly detect PKIX_ED25519_PH, especially since the cryptography
     # library does not yet support Ed25519ph.
     else:
         raise ValueError(f"Unsupported public key type: {type(public_key)}")
-    return cast(v1.PublicKeyDetails, key_details)
+    return key_details

sigstore/_internal/merkle.py

@@ -23,16 +23,14 @@
 
 from __future__ import annotations
 
-import base64
 import hashlib
 import struct
 import typing
 
-from sigstore._utils import HexStr
 from sigstore.errors import VerificationError
 
 if typing.TYPE_CHECKING:
-    from sigstore.models import LogEntry
+    from sigstore.models import TransparencyLogEntry
 
 
 _LEAF_HASH_PREFIX = 0
@@ -54,30 +52,30 @@ def _decomp_inclusion_proof(index: int, size: int) -> tuple[int, int]:
     return inner, border
 
 
-def _chain_inner(seed: bytes, hashes: list[str], log_index: int) -> bytes:
+def _chain_inner(seed: bytes, hashes: list[bytes], log_index: int) -> bytes:
     """
     Computes a subtree hash for a node on or below the tree's right border. Assumes |proof| hashes
     are ordered from lower levels to upper, and |seed| is the initial subtree/leaf hash on the path
     located at the specified |index| on its level.
     """
 
     for i in range(len(hashes)):
-        h = bytes.fromhex(hashes[i])
+        h = hashes[i]
         if (log_index >> i) & 1 == 0:
             seed = _hash_children(seed, h)
         else:
             seed = _hash_children(h, seed)
     return seed
 
 
-def _chain_border_right(seed: bytes, hashes: list[str]) -> bytes:
+def _chain_border_right(seed: bytes, hashes: list[bytes]) -> bytes:
     """
     Chains proof hashes along tree borders. This differs from inner chaining because |proof|
     contains only left-side subtree hashes.
     """
 
     for h in hashes:
-        seed = _hash_children(bytes.fromhex(h), seed)
+        seed = _hash_children(h, seed)
     return seed
 
 
@@ -93,9 +91,9 @@ def _hash_leaf(leaf: bytes) -> bytes:
     return hashlib.sha256(data).digest()
 
 
-def verify_merkle_inclusion(entry: LogEntry) -> None:
+def verify_merkle_inclusion(entry: TransparencyLogEntry) -> None:
     """Verify the Merkle Inclusion Proof for a given Rekor entry."""
-    inclusion_proof = entry.inclusion_proof
+    inclusion_proof = entry._inner.inclusion_proof
 
     # Figure out which subset of hashes corresponds to the inner and border nodes.
     inner, border = _decomp_inclusion_proof(
@@ -111,20 +109,18 @@ def verify_merkle_inclusion(entry: LogEntry) -> None:
 
     # The new entry's hash isn't included in the inclusion proof so we should calculate this
     # ourselves.
-    leaf_hash: bytes = _hash_leaf(base64.b64decode(entry.body))
+    leaf_hash: bytes = _hash_leaf(entry._inner.canonicalized_body)
 
     # Now chain the hashes belonging to the inner and border portions. We should expect the
     # calculated hash to match the root hash.
     intermediate_result: bytes = _chain_inner(
         leaf_hash, inclusion_proof.hashes[:inner], inclusion_proof.log_index
     )
 
-    calc_hash: HexStr = HexStr(
-        _chain_border_right(intermediate_result, inclusion_proof.hashes[inner:]).hex()
-    )
+    calc_hash = _chain_border_right(intermediate_result, inclusion_proof.hashes[inner:])
 
     if calc_hash != inclusion_proof.root_hash:
         raise VerificationError(
             f"inclusion proof contains invalid root hash: expected {inclusion_proof}, calculated "
-            f"{calc_hash}"
+            f"{calc_hash.hex()}"
         )

sigstore/_internal/rekor/__init__.py

@@ -31,7 +31,7 @@
 from sigstore.hashes import Hashed
 
 if typing.TYPE_CHECKING:
-    from sigstore.models import LogEntry
+    from sigstore.models import TransparencyLogEntry
 
 __all__ = [
     "_hashedrekord_from_parts",
@@ -72,7 +72,7 @@ class RekorLogSubmitter(ABC):
     def create_entry(
         self,
         request: EntryRequestBody,
-    ) -> LogEntry:
+    ) -> TransparencyLogEntry:
         """
         Submit the request to Rekor.
         """