From 3548791113e7d811f9d8c4ef8d738bf7f46b15e1 Mon Sep 17 00:00:00 2001 From: Andrew Pan <3821575+tnytown@users.noreply.github.com> Date: Thu, 23 Mar 2023 14:15:44 -0500 Subject: [PATCH 1/4] action: upload artifact being signed for (#55) * action: upload artifact being signed for Signed-off-by: Andrew Pan * workflows/selftest: confirm presence of artifacts Signed-off-by: Andrew Pan --------- Signed-off-by: Andrew Pan --- .github/workflows/selftest.yml | 11 +++++++++++ action.py | 4 ++++ 2 files changed, 15 insertions(+) diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index 5c829b0..573a69e 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml @@ -95,6 +95,17 @@ jobs: inputs: ./test/artifact.txt staging: true upload-signing-artifacts: true + - uses: actions/download-artifact@v3 + with: + name: "signing-artifacts-${{ github.job }}" + path: ./test/uploaded + - name: Verify presence of uploaded files + run: | + [[ -f ./artifact.txt ]] || exit 1 + [[ -f ./artifact.txt.sig ]] || exit 1 + [[ -f ./artifact.txt.crt ]] || exit 1 + [[ -f ./artifact.txt.sigstore ]] || exit 1 + working-directory: ./test/uploaded selftest-custom-paths: runs-on: ubuntu-latest diff --git a/action.py b/action.py index 71ee386..43e8db3 100755 --- a/action.py +++ b/action.py @@ -200,6 +200,10 @@ def _fatal_help(msg): for file_ in files: if not file_.is_file(): _fatal_help(f"input {file_} does not look like a file") + + # Also upload artifact being signed for. + signing_artifact_paths.append(file_) + if not bundle_only and "--certificate" not in sigstore_sign_args: signing_artifact_paths.append(f"{file_}.crt") if not bundle_only and "--signature" not in sigstore_sign_args: From b71bf555b8ab1eebf19f9661c054041c170689c5 Mon Sep 17 00:00:00 2001 From: Andrew Pan <3821575+tnytown@users.noreply.github.com> Date: Thu, 23 Mar 2023 14:28:38 -0500 Subject: [PATCH 2/4] action: stringify `file_` (#57) 
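Review bot: The new "Verify presence of uploaded files" step only checks that the four files exist under `./test/uploaded`; it never confirms that the downloaded `artifact.txt` is the same bytes as the `./test/artifact.txt` that was signed, so a wrong or truncated upload of the input would still pass the self-test. Adding `cmp ./artifact.txt ../artifact.txt || exit 1` to the `run` block (the working directory is `./test/uploaded`, so `..` is `./test`) closes that gap. The `[[ ... ]]` tests are bash-specific, so an explicit `shell: bash` on the step would make that dependency visible rather than relying on the runner's default shell.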
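Review bot: Appending the input file to `signing_artifact_paths` changes what that list means — before this line it held only the outputs of signing (`.crt`, `.sig`, `.sigstore`) — and if the same list also feeds the release-asset upload gated by `GHA_SIGSTORE_PYTHON_RELEASE_SIGNING_ARTIFACTS` (visible as context a few lines below this spot in the third patch), the signed input itself would now be attached to the release too, which is probably not wanted for inputs that already are release assets. Worth confirming that the release path filters inputs out, or keeping the input in a separate list consumed only by the workflow-artifact upload. The comment could also state the intent, e.g. `# Upload the input next to its signature so the uploaded set can be verified on its own.`. The enclosing `for file_ in files:` loop continues past the end of the hunk.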
Signed-off-by: Andrew Pan --- action.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.py b/action.py index 43e8db3..3da8474 100755 --- a/action.py +++ b/action.py @@ -202,7 +202,7 @@ def _fatal_help(msg): _fatal_help(f"input {file_} does not look like a file") # Also upload artifact being signed for. - signing_artifact_paths.append(file_) + signing_artifact_paths.append(str(file_)) if not bundle_only and "--certificate" not in sigstore_sign_args: signing_artifact_paths.append(f"{file_}.crt") From b8ab929e350f8ee7963107d00f9da24c1e310d63 Mon Sep 17 00:00:00 2001 From: Andrew Pan <3821575+tnytown@users.noreply.github.com> Date: Thu, 23 Mar 2023 15:01:11 -0500 Subject: [PATCH 3/4] Makefile, action: lint with mypy + resolve lints (#58) Signed-off-by: Andrew Pan --- Makefile | 8 +++++--- action.py | 37 +++++++++++++++++++++---------------- dev-requirements.txt | 2 ++ 3 files changed, 28 insertions(+), 19 deletions(-) diff --git a/Makefile b/Makefile index 26b6ff4..8b88c26 100644 --- a/Makefile +++ b/Makefile @@ -12,6 +12,8 @@ dev: env/pyvenv.cfg .PHONY: lint lint: env/pyvenv.cfg action.py - ./env/bin/python -m black action.py - ./env/bin/python -m isort action.py - ./env/bin/python -m flake8 --max-line-length 100 action.py + . ./env/bin/activate && \ + black action.py && \ + isort action.py && \ + mypy action.py && \ + flake8 --max-line-length 100 action.py diff --git a/action.py b/action.py index 3da8474..3a82cf2 100755 --- a/action.py +++ b/action.py @@ -31,7 +31,10 @@ _HERE = Path(__file__).parent.resolve() _TEMPLATES = _HERE / "templates" -_SUMMARY = Path(os.getenv("GITHUB_STEP_SUMMARY")).open("a") +_summary_path = os.getenv("GITHUB_STEP_SUMMARY") +assert _summary_path is not None +_SUMMARY = Path(_summary_path).open("a") + _RENDER_SUMMARY = os.getenv("GHA_SIGSTORE_PYTHON_SUMMARY", "true") == "true" _DEBUG = os.getenv("GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG", "false") != "false" 
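Review bot: The rewritten `lint` target still invokes `black` and `isort` in rewrite mode, so `make lint` silently reformats `action.py` instead of failing on drift, which is the opposite of what a lint target (and a CI check) should do; `black --check action.py && isort --check-only action.py` is the usual form, with in-place formatting kept in a separate target. Sourcing `./env/bin/activate` only works because the `&& \` continuations keep the recipe in one shell — a one-line comment above the target saying so would stop the next edit from splitting the chain and losing the activation.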
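Review bot: `assert _summary_path is not None` satisfies mypy but is stripped when Python runs with `-O`, in which case a missing `GITHUB_STEP_SUMMARY` falls through to `Path(None)` and an unhelpful TypeError; the same pattern is introduced for `GITHUB_ENV` in the `@@ -273,7 +276,9 @@` hunk of this patch. A check that survives optimization and names the cause is clearer, e.g. `if _summary_path is None: raise RuntimeError("GITHUB_STEP_SUMMARY is not set")`. The `GITHUB_ENV` site can probably use `_fatal_help` instead, since the later hunk headers show it defined by then, whereas it does not appear to exist yet at line 31.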
@@ -117,49 +120,49 @@ def _fatal_help(msg): sigstore_python_env["SIGSTORE_LOGLEVEL"] = "DEBUG" identity_token = os.getenv("GHA_SIGSTORE_PYTHON_IDENTITY_TOKEN") -if identity_token != "": +if identity_token: sigstore_sign_args.extend(["--identity-token", identity_token]) client_id = os.getenv("GHA_SIGSTORE_PYTHON_OIDC_CLIENT_ID") -if client_id != "": +if client_id: sigstore_sign_args.extend(["--oidc-client-id", client_id]) client_secret = os.getenv("GHA_SIGSTORE_PYTHON_OIDC_CLIENT_SECRET") -if client_secret != "": +if client_secret: sigstore_sign_args.extend(["--oidc-client-secret", client_secret]) signature = os.getenv("GHA_SIGSTORE_PYTHON_SIGNATURE") -if signature != "": +if signature: sigstore_sign_args.extend(["--signature", signature]) sigstore_verify_args.extend(["--signature", signature]) signing_artifact_paths.append(signature) certificate = os.getenv("GHA_SIGSTORE_PYTHON_CERTIFICATE") -if certificate != "": +if certificate: sigstore_sign_args.extend(["--certificate", certificate]) sigstore_verify_args.extend(["--certificate", certificate]) signing_artifact_paths.append(certificate) bundle = os.getenv("GHA_SIGSTORE_PYTHON_BUNDLE") -if bundle != "": +if bundle: sigstore_sign_args.extend(["--bundle", bundle]) sigstore_verify_args.extend(["--bundle", bundle]) signing_artifact_paths.append(bundle) fulcio_url = os.getenv("GHA_SIGSTORE_PYTHON_FULCIO_URL") -if fulcio_url != "": +if fulcio_url: sigstore_sign_args.extend(["--fulcio-url", fulcio_url]) rekor_url = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_URL") -if rekor_url != "": +if rekor_url: sigstore_global_args.extend(["--rekor-url", rekor_url]) ctfe = os.getenv("GHA_SIGSTORE_PYTHON_CTFE") -if ctfe != "": +if ctfe: sigstore_sign_args.extend(["--ctfe", ctfe]) rekor_root_pubkey = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_ROOT_PUBKEY") -if rekor_root_pubkey != "": +if rekor_root_pubkey: sigstore_global_args.extend(["--rekor-root-pubkey", rekor_root_pubkey]) if os.getenv("GHA_SIGSTORE_PYTHON_STAGING", "false") != "false": 
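Review bot: The values these blocks append — in particular `identity_token` and `client_secret` — go into `sigstore_sign_args`, and the `_debug(f"signing: sigstore-python {[str(a) for a in sigstore_sign_args]}")` line visible as context in the `@@ -211,8 +214,8 @@` hunk prints that whole list when `GHA_SIGSTORE_PYTHON_INTERNAL_BE_CAREFUL_DEBUG` is set, so an OIDC token and a client secret can land verbatim in the workflow log. GitHub only masks values that came through the `secrets` context or `::add-mask::`, which a token minted inside the workflow may not have. Consider logging a redacted copy instead, with the element following `--identity-token` and `--oidc-client-secret` replaced by `<redacted>`. The truthiness change itself is correct: `os.getenv` returns `None` for an unset variable, and the old `!= ""` test let `None` into the argument list.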
@@ -170,7 +173,7 @@ def _fatal_help(msg): _fatal_help("verify-cert-identity must be specified when verify is enabled") elif not enable_verify and verify_cert_identity: _fatal_help("verify-cert-identity cannot be specified without verify: true") -else: +elif verify_cert_identity: sigstore_verify_args.extend(["--cert-identity", verify_cert_identity]) verify_oidc_issuer = os.getenv("GHA_SIGSTORE_PYTHON_VERIFY_OIDC_ISSUER") @@ -178,7 +181,7 @@ def _fatal_help(msg): _fatal_help("verify-oidc-issuer must be specified when verify is enabled") elif not enable_verify and verify_oidc_issuer: _fatal_help("verify-oidc-issuer cannot be specified without verify: true") -else: +elif verify_oidc_issuer: sigstore_verify_args.extend(["--cert-oidc-issuer", verify_oidc_issuer]) if os.getenv("GHA_SIGSTORE_PYTHON_RELEASE_SIGNING_ARTIFACTS") == "true": @@ -211,8 +214,8 @@ def _fatal_help(msg): if "--bundle" not in sigstore_sign_args: signing_artifact_paths.append(f"{file_}.sigstore") - sigstore_sign_args.extend(files) - sigstore_verify_args.extend(files) + sigstore_sign_args.extend([str(f) for f in files]) + sigstore_verify_args.extend([str(f) for f in files]) _debug(f"signing: sigstore-python {[str(a) for a in sigstore_sign_args]}") @@ -273,7 +276,9 @@ def _fatal_help(msg): # # In GitHub Actions, environment variables can be made to persist across # workflow steps by appending to the file at `GITHUB_ENV`. -with Path(os.getenv("GITHUB_ENV")).open("a") as gh_env: +_github_env = os.getenv("GITHUB_ENV") +assert _github_env is not None +with Path(_github_env).open("a") as gh_env: # Multiline values must match the following syntax: # # {name}<<{delimiter} diff --git a/dev-requirements.txt b/dev-requirements.txt index f086aa4..e3da308 100644 --- a/dev-requirements.txt +++ b/dev-requirements.txt @@ -1,3 +1,5 @@ flake8 isort black +mypy +types-requests From fd04d371f70269671a4bfa57b7f5ea4ce5697678 Mon Sep 17 00:00:00 2001 
From: William Woodruff Date: Fri, 24 Mar 2023 02:49:01 -0400 Subject: [PATCH 4/4] README: prep 1.2.2 (#59) Signed-off-by: William Woodruff --- README.md | 48 ++++++++++++++++++++++++------------------------ 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index b046a36..5627bc3 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ jobs: - uses: actions/checkout@v3 - name: install run: python -m pip install . - - uses: sigstore/gh-action-sigstore-python@v1.2.1 + - uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file.txt ``` @@ -53,7 +53,7 @@ provided. To sign one or more files: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file0.txt file1.txt file2.txt ``` @@ -61,7 +61,7 @@ To sign one or more files: The `inputs` argument also supports file globbing: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: ./path/to/inputs/*.txt ``` @@ -74,7 +74,7 @@ The `identity-token` setting controls the OpenID Connect token provided to Fulci workflow will use the credentials found in the GitHub Actions environment. ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file.txt identity-token: ${{ IDENTITY_TOKEN }} # assigned elsewhere @@ -90,7 +90,7 @@ Server during OAuth2. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file.txt oidc-client-id: alternative-sigstore-id @@ -106,7 +106,7 @@ Connect Server during OAuth2. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file.txt oidc-client-secret: alternative-sigstore-secret 
@@ -122,7 +122,7 @@ when signing multiple input files. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file.txt signature: custom-signature-filename.sig @@ -131,7 +131,7 @@ Example: However, this example is invalid: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file0.txt file1.txt file2.txt signature: custom-signature-filename.sig @@ -147,7 +147,7 @@ work when signing multiple input files. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file.txt certificate: custom-certificate-filename.crt @@ -156,7 +156,7 @@ Example: However, this example is invalid: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file0.txt file1.txt file2.txt certificate: custom-certificate-filename.crt @@ -172,7 +172,7 @@ when signing multiple input files. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file.txt bundle: custom-bundle.sigstore @@ -181,7 +181,7 @@ Example: However, this example is invalid: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file0.txt file1.txt file2.txt certificate: custom-bundle.sigstore @@ -197,7 +197,7 @@ from. This setting cannot be used in combination with the `staging` setting. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file.txt fulcio-url: https://fulcio.sigstage.dev 
@@ -213,7 +213,7 @@ cannot be used in combination with the `staging` setting. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file.txt rekor-url: https://rekor.sigstage.dev @@ -229,7 +229,7 @@ in combination with the `staging` setting. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file.txt ctfe: ./path/to/ctfe.pub @@ -245,7 +245,7 @@ be used in combination with `staging` setting. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file.txt ctfe: ./path/to/rekor.pub @@ -261,7 +261,7 @@ instead of the default production instances. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file.txt staging: true @@ -284,7 +284,7 @@ and `verify-oidc-issuer` settings. Failing to pass these will produce an error. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file.txt verify: true @@ -307,7 +307,7 @@ This setting may only be used in conjunction with `verify-oidc-issuer`. Supplying it without `verify-oidc-issuer` will produce an error. ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file.txt verify: true @@ -332,7 +332,7 @@ Supplying it without `verify-cert-identity` will produce an error. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file.txt verify: true @@ -354,7 +354,7 @@ workflow artifact retention period is used. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file.txt upload-signing-artifacts: true 
@@ -382,7 +382,7 @@ permissions: # ... -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file.txt release-signing-artifacts: true @@ -404,7 +404,7 @@ signing artifact is uploaded. Example: ```yaml -- uses: sigstore/gh-action-sigstore-python@v1.2.1 +- uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file.txt upload-signing-artifacts: true @@ -432,7 +432,7 @@ Example: Example: ```yaml - - uses: sigstore/gh-action-sigstore-python@v1.2.1 + - uses: sigstore/gh-action-sigstore-python@v1.2.2 with: inputs: file.txt internal-be-careful-debug: true