Merge branch 'main' into kindversion

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>

Author: ramonpetgrave64

CHANGELOG.md

@@ -14,6 +14,15 @@ All versions prior to 0.9.0 are untracked.
   either from the root of the response, or from the reponse's inner base64-encoded JSON `body`.
   [#1370](https://github.com/sigstore/sigstore-python/pull/1370)
 
+### Fixed
+
+* Fixed the certificate calidity period check for Timestamp Authorities (TSA).
+  Certificates need not have and end date, while still requiring a start date.
+  [#1368](https://github.com/sigstore/sigstore-python/pull/1368)
+
+* API: Make Rekor APIs compatible with Rekor v2 by removing trailing slashes
+  from endpoints ([#1366](https://github.com/sigstore/sigstore-python/pull/1366))
+
 ## [3.6.2]
 
 ### Fixed

sigstore/_internal/rekor/client.py

@@ -23,7 +23,6 @@
 from abc import ABC
 from dataclasses import dataclass
 from typing import Any, Optional
-from urllib.parse import urljoin
 
 import rekor_types
 import requests
@@ -112,7 +111,7 @@ def entries(self) -> RekorEntries:
         Returns a `RekorEntries` capable of accessing detailed information
         about individual log entries.
         """
-        return RekorEntries(urljoin(self.url, "entries/"), session=self.session)
+        return RekorEntries(f"{self.url}/entries", session=self.session)
 
 
 class RekorEntries(_Endpoint):
@@ -134,7 +133,7 @@ def get(
         resp: requests.Response
 
         if uuid is not None:
-            resp = self.session.get(urljoin(self.url, uuid))
+            resp = self.session.get(f"{self.url}/{uuid}")
         else:
             resp = self.session.get(self.url, params={"logIndex": log_index})
 
@@ -170,9 +169,7 @@ def retrieve(self) -> RekorEntriesRetrieve:
         """
         Returns a `RekorEntriesRetrieve` capable of retrieving entries.
         """
-        return RekorEntriesRetrieve(
-            urljoin(self.url, "retrieve/"), session=self.session
-        )
+        return RekorEntriesRetrieve(f"{self.url}/retrieve/", session=self.session)
 
 
 class RekorEntriesRetrieve(_Endpoint):
@@ -226,7 +223,7 @@ def __init__(self, url: str) -> None:
         """
         Create a new `RekorClient` from the given URL.
         """
-        self.url = urljoin(url, "api/v1/")
+        self.url = f"{url}/api/v1"
         self.session = requests.Session()
         self.session.headers.update(
             {
@@ -263,4 +260,4 @@ def log(self) -> RekorLog:
         """
         Returns a `RekorLog` adapter for making requests to a Rekor log.
         """
-        return RekorLog(urljoin(self.url, "log/"), session=self.session)
+        return RekorLog(f"{self.url}/log", session=self.session)

sigstore/_internal/trust.py

@@ -253,7 +253,7 @@ def _verify(self) -> None:
             raise Error("missing a certificate in Certificate Authority")
 
     @property
-    def validity_period_start(self) -> datetime | None:
+    def validity_period_start(self) -> datetime:
         """
         Validity period start.
         """

sigstore/models.py

@@ -492,9 +492,9 @@ def _verify(self) -> None:
             # We expect some old bundles to violate the rules around root
             # and intermediate CAs, so we issue warnings and not hard errors
             # in those cases.
-            leaf_cert, *chain_certs = [
+            leaf_cert, *chain_certs = (
                 load_der_x509_certificate(cert.raw_bytes) for cert in certs
-            ]
+            )
             if not cert_is_leaf(leaf_cert):
                 raise InvalidBundle(
                     "bundle contains an invalid leaf or non-leaf certificate in the leaf position"

sigstore/verify/verifier.py

@@ -150,26 +150,19 @@ def _verify_signed_timestamp(
 
             if (
                 certificate_authority.validity_period_start
-                and certificate_authority.validity_period_end
+                <= timestamp_response.tst_info.gen_time
+            ) and (
+                not certificate_authority.validity_period_end
+                or timestamp_response.tst_info.gen_time
+                < certificate_authority.validity_period_end
             ):
-                if (
-                    certificate_authority.validity_period_start
-                    <= timestamp_response.tst_info.gen_time
-                    < certificate_authority.validity_period_end
-                ):
-                    return TimestampVerificationResult(
-                        source=TimestampSource.TIMESTAMP_AUTHORITY,
-                        time=timestamp_response.tst_info.gen_time,
-                    )
-
-                _logger.debug(
-                    "Unable to verify Timestamp because not in CA time range."
-                )
-            else:
-                _logger.debug(
-                    "Unable to verify Timestamp because no validity provided."
+                return TimestampVerificationResult(
+                    source=TimestampSource.TIMESTAMP_AUTHORITY,
+                    time=timestamp_response.tst_info.gen_time,
                 )
 
+            _logger.debug("Unable to verify Timestamp because not in CA time range.")
+
         return None
 
     def _verify_timestamp_authority(

test/unit/verify/test_verifier.py

@@ -212,6 +212,16 @@ def test_verifier_verify_timestamp(self, verifier, asset, null_policy):
             null_policy,
         )
 
+    def test_verifier_no_validity_end(self, verifier, asset, null_policy):
+        verifier._trusted_root.get_timestamp_authorities()[
+            0
+        ]._inner.valid_for.end = None
+        verifier.verify_artifact(
+            asset("tsa/bundle.txt").read_bytes(),
+            Bundle.from_json(asset("tsa/bundle.txt.sigstore").read_bytes()),
+            null_policy,
+        )
+
     def test_verifier_without_timestamp(
         self, verifier, asset, null_policy, monkeypatch
     ):
@@ -241,24 +251,6 @@ def test_verifier_duplicate_timestamp(self, verifier, asset, null_policy):
                 null_policy,
             )
 
-    def test_verifier_no_validity(self, caplog, verifier, asset, null_policy):
-        verifier._trusted_root.get_timestamp_authorities()[
-            0
-        ]._inner.valid_for.end = None
-
-        with caplog.at_level(logging.DEBUG, logger="sigstore.verify.verifier"):
-            with pytest.raises(VerificationError, match="not enough timestamps"):
-                verifier.verify_artifact(
-                    asset("tsa/bundle.txt").read_bytes(),
-                    Bundle.from_json(asset("tsa/bundle.txt.sigstore").read_bytes()),
-                    null_policy,
-                )
-
-        assert (
-            "Unable to verify Timestamp because no validity provided."
-            == caplog.records[0].message
-        )
-
     def test_verifier_outside_validity_range(
         self, caplog, verifier, asset, null_policy
     ):