tetsuo-cpp
diff --git a/‎.github/workflows/depsreview.yml
Lines changed: 24 additions & 0 deletions b/‎.github/workflows/depsreview.yml
Lines changed: 24 additions & 0 deletions
diff --git a/‎.github/workflows/release.yml
Lines changed: 123 additions & 70 deletions b/‎.github/workflows/release.yml
Lines changed: 123 additions & 70 deletions
diff --git a/‎README.md
Lines changed: 8 additions & 0 deletions b/‎README.md
Lines changed: 8 additions & 0 deletions
diff --git a/‎install/requirements.txt
Lines changed: 3 additions & 3 deletions b/‎install/requirements.txt
Lines changed: 3 additions & 3 deletions
diff --git a/‎sigstore/_store/ctfe_2022.2.staging.pub
Lines changed: 4 additions & 0 deletions b/‎sigstore/_store/ctfe_2022.2.staging.pub
Lines changed: 4 additions & 0 deletions
diff --git a/‎sigstore/_store/ctfe_2022.staging.pub
Lines changed: 4 additions & 0 deletions b/‎sigstore/_store/ctfe_2022.staging.pub
Lines changed: 4 additions & 0 deletions
diff --git a/‎test/conftest.py
Lines changed: 34 additions & 0 deletions b/‎test/conftest.py
Lines changed: 34 additions & 0 deletions
diff --git a/‎test/test_sign.py
Lines changed: 2 additions & 2 deletions b/‎test/test_sign.py
Lines changed: 2 additions & 2 deletions
@@ -0,0 +1,24 @@
+#
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    name: License and Vulnerability Scan
+    uses: sigstore/community/.github/workflows/reusable-dependency-review.yml@9b1b5aca605f92ec5b1bf3681b1e61b3dbc420cc
@@ -1,78 +1,131 @@
+name: Release
+
 on:
   release:
     types:
       - published
 
-name: release
-
-permissions:
-  # Needed to access the workflow's OIDC identity.
-  id-token: write
-
-  # Needed to upload release assets.
-  contents: write
-
 jobs:
-  pypi:
-    name: Build, sign and publish release to PyPI
+  build:
+    name: Build and sign artifacts
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    steps:
+      - uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
+
+      - uses: actions/setup-python@7f80679172b057fc5e90d70d197929d454754a5a
+
+      - name: deps
+        run: python -m pip install -U build
+
+      - name: build
+        run: python -m build
+
+      - name: sign
+        run: |
+          mkdir -p smoketest-artifacts
+
+          # we smoke-test sigstore by installing each of the distributions
+          # we've built in a fresh environment and using each to sign and
+          # verify for itself, using the ambient OIDC identity
+          for dist in dist/*; do
+            dist_base="$(basename "${dist}")"
+
+            python -m venv smoketest-env
+
+            ./smoketest-env/bin/python -m pip install "${dist}"
+
+            # NOTE: signing artifacts currently go in a separate directory,
+            # to avoid confusing the package uploader (which otherwise tries
+            # to upload them to PyPI and fails). Future versions of twine
+            # and the gh-action-pypi-publish action should support these artifacts.
+            ./smoketest-env/bin/python -m \
+              sigstore sign "${dist}" \
+              --output-signature smoketest-artifacts/"${dist_base}.sig" \
+              --output-certificate smoketest-artifacts/"${dist_base}.crt"
+
+            ./smoketest-env/bin/python -m \
+              sigstore verify "${dist}" \
+              --cert "smoketest-artifacts/${dist_base}.crt" \
+              --signature "smoketest-artifacts/${dist_base}.sig" \
+              --cert-oidc-issuer https://token.actions.githubusercontent.com
+
+            rm -rf smoketest-env
+          done
+
+      - name: Generate hashes for provenance
+        shell: bash
+        id: hash
+        run: |
+          # sha256sum generates sha256 hash for all artifacts.
+          # base64 -w0 encodes to base64 and outputs on a single line.
+          # sha256sum artifact1 artifact2 ... | base64 -w0
+          echo "::set-output name=hashes::$(sha256sum ./dist/* | base64 -w0)"
+
+      - name: Upload built packages
+        uses: actions/upload-artifact@v3
+        with:
+          name: built-packages
+          path: ./dist/
+          if-no-files-found: warn
+
+      - name: Upload smoketest-artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: smoketest-artifacts
+          path: smoketest-artifacts/
+          if-no-files-found: warn
+
+  generate-provenance:
+    needs: [build]
+    name: Generate build provenance
+    permissions:
+      actions: read   # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    # Currently this action needs to be referred by tag. More details at:
+    # https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.1
+    with:
+      attestation-name: provenance-sigstore-${{ github.event.release.tag_name }}.intoto.jsonl
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      upload-assets: true
+
+  release-pypi:
+    needs: [build, generate-provenance]
+    runs-on: ubuntu-latest
+    permissions: {}
+    steps:
+      - name: Download artifacts diretories # goes to current working directory
+        uses: actions/download-artifact@v3
+
+      - name: publish
+        uses: pypa/gh-action-pypi-publish@717ba43cfbb0387f6ce311b169a825772f54d295
+        with:
+          user: __token__
+          password: ${{ secrets.PYPI_TOKEN }}
+          packages_dir: built-packages/
+
+  release-github:
+    needs: [build, generate-provenance]
     runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload release assets.
+      contents: write
     steps:
-    - uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
-
-    - uses: actions/setup-python@7f80679172b057fc5e90d70d197929d454754a5a
-
-    - name: deps
-      run: python -m pip install -U build
-
-    - name: build
-      run: python -m build
-
-    - name: sign
-      run: |
-        mkdir -p smoketest-artifacts
-
-        # we smoke-test sigstore by installing each of the distributions
-        # we've built in a fresh environment and using each to sign and
-        # verify for itself, using the ambient OIDC identity
-        for dist in dist/*; do
-          dist_base="$(basename "${dist}")"
-
-          python -m venv smoketest-env
-
-          ./smoketest-env/bin/python -m pip install "${dist}"
-
-          # NOTE: signing artifacts currently go in a separate directory,
-          # to avoid confusing the package uploader (which otherwise tries
-          # to upload them to PyPI and fails). Future versions of twine
-          # and the gh-action-pypi-publish action should support these artifacts.
-          ./smoketest-env/bin/python -m \
-            sigstore sign "${dist}" \
-            --output-signature smoketest-artifacts/"${dist_base}.sig" \
-            --output-certificate smoketest-artifacts/"${dist_base}.crt"
-
-          ./smoketest-env/bin/python -m \
-            sigstore verify "${dist}" \
-            --cert "smoketest-artifacts/${dist_base}.crt" \
-            --signature "smoketest-artifacts/${dist_base}.sig" \
-            --cert-oidc-issuer https://token.actions.githubusercontent.com \
-
-          rm -rf smoketest-env
-        done
-
-    - name: publish
-      uses: pypa/gh-action-pypi-publish@717ba43cfbb0387f6ce311b169a825772f54d295
-      with:
-        user: __token__
-        password: ${{ secrets.PYPI_TOKEN }}
-
-    - name: upload artifacts to github
-      # Confusingly, this action also supports updating releases, not
-      # just creating them. This is what we want here, since we've manually
-      # created the release that triggered the action.
-      uses: softprops/action-gh-release@v1
-      with:
-        # dist/ contains the built packages, which smoketest-artifacts/
-        # contains the signatures and certificates.
-        files: |
-          dist/*
-          smoketest-artifacts/*
+      - name: Download artifacts diretories # goes to current working directory
+        uses: actions/download-artifact@v3
+
+      - name: Upload artifacts to github
+        # Confusingly, this action also supports updating releases, not
+        # just creating them. This is what we want here, since we've manually
+        # created the release that triggered the action.
+        uses: softprops/action-gh-release@v1
+        with:
+          # smoketest-artifacts/ contains the signatures and certificates.
+          files: |
+            built-packages/*
+            smoketest-artifacts/*
@@ -5,6 +5,7 @@ sigstore-python
 ![CI](https://github.com/sigstore/sigstore-python/workflows/CI/badge.svg)
 [![PyPI version](https://badge.fury.io/py/sigstore.svg)](https://pypi.org/project/sigstore)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/sigstore/sigstore-python/badge)](https://api.securityscorecards.dev/projects/github.com/sigstore/sigstore-python)
+[![SLSA](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev/)
 <!--- @end-badges@ --->
 
 ⚠️ This project is not ready for general-purpose use! ⚠️
@@ -305,6 +306,13 @@ Everyone interacting with this project is expected to follow the
 Should you discover any security issues, please refer to sigstore's [security
 process](https://github.com/sigstore/.github/blob/main/SECURITY.md).
 
+### SLSA Provenance
+This project emits a SLSA provenance on its release! This enables you to verify the integrity
+of the downloaded artifacts and ensured that the binary's code really comes from this source code.
+
+To do so, please follow the instructions [here](https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance).
+
+
 ## Info
 
 `sigstore-python` is developed as part of the [`sigstore`](https://sigstore.dev) project.
 
@@ -166,9 +166,9 @@ requests==2.28.1 \
     --hash=sha256:7c5599b102feddaa661c826c56ab4fee28bfd17f5abca1ebbe3e7f19d7c97983 \
     --hash=sha256:8fefa2a1a1365bf5520aac41836fbee479da67864514bdb821f31ce07ce65349
     # via sigstore
-securesystemslib==0.24.0 \
-    --hash=sha256:28ea9c44956b73cfe1400703ae11de5107f6d7c62f4463da1ccb63097bf85d5b \
-    --hash=sha256:793b5028b70dfeed1c1e25d8834ac87710a0b4637e7efa6cd368f3df91d7f878
+securesystemslib==0.25.0 \
+    --hash=sha256:04bc11593edd68405939d3dfc318080bfb31f1ebb5d81c7911914b42dfd4bf2f \
+    --hash=sha256:10d5a066e70cb87704c9bf2cef1ef6d8a06fab5ef7602dd59c26d06251317a11
     # via sigstore
 sigstore==0.6.7 \
     --hash=sha256:8ddb5d0dbca2464bf6033a53817d251080170764557ef941697284d1c7d2f0fb \
 
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8gEDKNme8AnXuPBgHjrtXdS6miHq
+c24CRblNEOFpiJRngeq8Ko73Y+K18yRYVf1DXD4AVLwvKyzdNdl5n0jUSQ==
+-----END PUBLIC KEY-----
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEh99xuRi6slBFd8VUJoK/rLigy4bY
+eSYWO/fE6Br7r0D8NpMI94+A63LR/WvLxpUUGBpY8IJA3iU2telag5CRpA==
+-----END PUBLIC KEY-----
@@ -12,15 +12,44 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import os
 from pathlib import Path
 from typing import Tuple
 
 import pytest
 
+from sigstore._internal.oidc.ambient import (
+    AmbientCredentialError,
+    GitHubOidcPermissionCredentialError,
+    detect_credential,
+)
+
 _ASSETS = (Path(__file__).parent / "assets").resolve()
 assert _ASSETS.is_dir()
 
 
+def _is_ambient_env():
+    try:
+        token = detect_credential()
+        if token is None:
+            return False
+    except GitHubOidcPermissionCredentialError:
+        # On GitHub Actions, forks do not have access to OIDC identities.
+        # We differentiate this case from other GitHub credential errors,
+        # since it's a case where we want to skip (i.e. return False).
+        if os.getenv("GITHUB_EVENT_NAME") == "pull_request":
+            return False
+        return True
+    except AmbientCredentialError:
+        # If ambient credential detection raises, then we *are* in an ambient
+        # environment but one that's been configured incorrectly. We
+        # pass this through, so that the CI fails appropriately rather than
+        # silently skipping the faulty tests.
+        return True
+
+    return True
+
+
 def pytest_addoption(parser):
     parser.addoption(
         "--skip-online",
@@ -34,12 +63,17 @@ def pytest_runtest_setup(item):
         pytest.skip(
             "skipping test that requires network connectivity due to `--skip-online` flag"
         )
+    elif "ambient_oidc" in item.keywords and not _is_ambient_env():
+        pytest.skip("skipping test that requires an ambient OIDC credential")
 
 
 def pytest_configure(config):
     config.addinivalue_line(
         "markers", "online: mark test as requiring network connectivity"
     )
+    config.addinivalue_line(
+        "markers", "ambient_oidc: mark test as requiring an ambient OIDC identity"
+    )
 
 
 @pytest.fixture
 
@@ -31,11 +31,11 @@ def test_signer_staging():
 
 
 @pytest.mark.online
+@pytest.mark.ambient_oidc
 @pytest.mark.parametrize("signer", [Signer.production(), Signer.staging()])
 def test_sign_rekor_entry_consistent(signer):
     token = detect_credential()
-    if token is None:
-        pytest.skip("no ambient credentials; skipping")
+    assert token is not None
 
     payload = secrets.token_bytes(32)
     expected_entry = signer.sign(payload, token).log_entry