Merge branch 'main' into kindversion

jku · web-flow · commit 4274f9b4d103 · 2025-05-23T11:51:39.000+03:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -78,6 +78,7 @@ jobs:
 
           # Ensure Timestamp Authority tests are not skipped by
           # having pytest show skipped tests and verifying ours are running
+          set -o pipefail
           make test TEST_ARGS="-m timestamp_authority -rs" | tee output
           ! grep -q "skipping test that requires a Timestamp Authority" output || (echo "ERROR: Found skip message" && exit 1)
         env:
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -40,6 +40,10 @@ All versions prior to 0.9.0 are untracked.
   [sigstore/timestamp-authority](https://github.com/sigstore/timestamp-authority)
   [#1377](https://github.com/sigstore/sigstore-python/pull/1377)
 
+* Tests: Updated the `staging` and `sign_ctx_and_ident_for_env` fixtures to use the new methods
+  for generating a `SigningContext`.
+  [#1409](https://github.com/sigstore/sigstore-python/pull/1409)
+
 ### Changed
 
 * API:
diff --git a/pyproject.toml b/pyproject.toml
@@ -62,7 +62,7 @@ lint = [
   "mypy ~= 1.1",
   # NOTE(ww): ruff is under active development, so we pin conservatively here
   # and let Dependabot periodically perform this update.
-  "ruff < 0.11.11",
+  "ruff < 0.11.12",
   "types-requests",
   "types-pyOpenSSL",
 ]
diff --git a/test/assets/tsa/trust_config.json b/test/assets/tsa/trust_config.json
@@ -113,12 +113,39 @@
     ]
   },
   "signing_config": {
-    "ca_url": "https://fulcio.sigstage.dev",
-    "tlog_urls": [
-      "https://rekor.sigstage.dev"
+    "mediaType": "application/vnd.dev.sigstore.signingconfig.v0.2+json",
+    "caUrls": [
+      {
+        "url": "https://fulcio.sigstage.dev",
+        "majorApiVersion": 1,
+        "validFor": {
+          "start": "2022-04-14T21:38:40.000Z"
+        }
+      }
     ],
-    "tsa_urls": [
-      "placeholder-value"
-    ]
+    "rekorTlogUrls": [
+      {
+        "url": "https://rekor.sigstage.dev",
+        "majorApiVersion": 1,
+        "validFor": {
+          "start": "2021-01-12T11:53:27.000Z"
+        }
+      }
+    ],
+    "tsaUrls": [
+      {
+        "url": "placeholder",
+        "majorApiVersion": 1,
+        "validFor": {
+          "start": "2024-11-07T14:59:40.000Z"
+        }
+      }
+    ],
+    "rekorTlogConfig": {
+      "selector": "ANY"
+    },
+    "tsaConfig": {
+      "selector": "ANY"
+    }
   }
 }
diff --git a/test/unit/conftest.py b/test/unit/conftest.py
@@ -37,6 +37,7 @@
 from sigstore._internal import tuf
 from sigstore._internal.rekor import _hashedrekord_from_parts
 from sigstore._internal.rekor.client import RekorClient
+from sigstore._internal.trust import ClientTrustConfig
 from sigstore._utils import sha256_digest
 from sigstore.models import Bundle
 from sigstore.oidc import _DEFAULT_AUDIENCE, IdentityToken
@@ -188,10 +189,20 @@ def sign_ctx_and_ident_for_env(
     pytestconfig,
     env: str,
 ) -> tuple[type[SigningContext], type[IdentityToken]]:
+    """
+    Returns a SigningContext and IdentityToken for the given environment.
+    The SigningContext is behind a callable so that it may be lazily evaluated.
+    """
     if env == "staging":
-        ctx_cls = SigningContext.staging
+
+        def ctx_cls():
+            return SigningContext.from_trust_config(ClientTrustConfig.staging())
+
     elif env == "production":
-        ctx_cls = SigningContext.production
+
+        def ctx_cls():
+            return SigningContext.from_trust_config(ClientTrustConfig.production())
+
     else:
         raise ValueError(f"Unknown env {env}")
 
@@ -205,7 +216,14 @@ def sign_ctx_and_ident_for_env(
 
 @pytest.fixture
 def staging() -> tuple[type[SigningContext], type[Verifier], IdentityToken]:
-    signer = SigningContext.staging
+    """
+    Returns a SigningContext, Verifier, and IdentityToken for the staging environment.
+    The SigningContext and Verifier are both behind callables so that they may be lazily evaluated.
+    """
+
+    def signer():
+        return SigningContext.from_trust_config(ClientTrustConfig.staging())
+
     verifier = Verifier.staging
 
     # Detect env variable for local interactive tests.
diff --git a/test/unit/test_sign.py b/test/unit/test_sign.py
@@ -174,7 +174,7 @@ def sig_ctx(self, asset, tsa_url) -> SigningContext:
             asset("tsa/trust_config.json").read_text()
         )
 
-        trust_config._inner.signing_config.tsa_urls[0] = tsa_url
+        trust_config._inner.signing_config.tsa_urls[0].url = tsa_url
 
         return SigningContext.from_trust_config(trust_config)
 

Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,7 @@ lint = [`
`62`	`62`	`"mypy ~= 1.1",`
`63`	`63`	`# NOTE(ww): ruff is under active development, so we pin conservatively here`
`64`	`64`	`# and let Dependabot periodically perform this update.`
`65`		`- "ruff < 0.11.11",`
	`65`	`+ "ruff < 0.11.12",`
`66`	`66`	`"types-requests",`
`67`	`67`	`"types-pyOpenSSL",`
`68`	`68`	`]`
Original file line number	Diff line number	Diff line change
`@@ -174,7 +174,7 @@ def sig_ctx(self, asset, tsa_url) -> SigningContext:`
`174`	`174`	`asset("tsa/trust_config.json").read_text()`
`175`	`175`	`)`
`176`	`176`
`177`		`- trust_config._inner.signing_config.tsa_urls[0] = tsa_url`
	`177`	`+ trust_config._inner.signing_config.tsa_urls[0].url = tsa_url`
`178`	`178`
`179`	`179`	`return SigningContext.from_trust_config(trust_config)`
`180`	`180`