
Commit 5c6b4f1

committed
hook up client trust config
Signed-off-by: William Woodruff <william@trailofbits.com>
1 parent 239397a commit 5c6b4f1


4 files changed

+41
-13
lines changed


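--- a/sigstore/_cli.py
+++ b/sigstore/_cli.py
@@ -29,13 +29,13 @@
 from sigstore import __version__
 from sigstore._internal.fulcio.client import ExpiredCertificate
 from sigstore._internal.rekor import _hashedrekord_from_parts
+from sigstore._internal.trust import ClientTrustConfig
 from sigstore._utils import sha256_digest
 from sigstore.errors import Error, VerificationError
 from sigstore.hashes import Hashed
 from sigstore.models import Bundle
 from sigstore.oidc import (
     DEFAULT_OAUTH_ISSUER_URL,
-    STAGING_OAUTH_ISSUER_URL,
     ExpiredIdentity,
     IdentityToken,
     Issuer,
@@ -210,7 +210,7 @@ def _parser() -> argparse.ArgumentParser:
     global_instance_options.add_argument(
         "--trust-config",
         metavar="FILE",
-        type=str,
+        type=Path,
         help="The client trust configuration to use",
     )
     subcommands = parser.add_subparsers(
@@ -515,9 +515,9 @@ def _sign(args: argparse.Namespace) -> None:
     if args.staging:
         _logger.debug("sign: staging instances requested")
         signing_ctx = SigningContext.staging()
-        args.oidc_issuer = STAGING_OAUTH_ISSUER_URL
     elif args.trust_config:
-        raise ValueError("fuck")
+        trust_config = ClientTrustConfig.from_json(args.trust_config.read_text())
+        signing_ctx = SigningContext._from_trust_config(trust_config)
     else:
         # If the user didn't request the staging instance or pass in an
         # explicit client trust config, we're using the public good (i.e.
@@ -679,7 +679,8 @@ def _collect_verification_state(
         _logger.debug("verify: staging instances requested")
         verifier = Verifier.staging()
     elif args.trust_config:
-        raise ValueError("fuck")
+        trust_config = ClientTrustConfig.from_json(args.trust_config.read_text())
+        verifier = Verifier._from_trust_config(trust_config)
     else:
         verifier = Verifier.production()
 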
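Review bot: The new `elif args.trust_config:` branches in `_sign` and `_collect_verification_state` read and parse a user-supplied root of trust with no error mapping, so a missing file or malformed JSON surfaces as a raw traceback rather than the CLI's `Error`, and unlike the neighbouring staging branch nothing is logged about the default trust root being replaced. Both branches also call `read_text()` without an encoding, which falls back to the locale encoding on some platforms even though the config is JSON. Consider `_logger.debug("sign: custom trust config requested")` mirroring the staging branch, `args.trust_config.read_text(encoding="utf-8")`, and factoring the two identical load sites into one helper that wraps parse failures in `Error`. The staging branch no longer sets `args.oidc_issuer`; if the staging issuer is not selected elsewhere, `--staging` signing would now use the default issuer, which I cannot confirm from these hunks. Both enclosing functions continue outside the hunks.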
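--- a/sigstore/_internal/trust.py
+++ b/sigstore/_internal/trust.py
@@ -344,20 +344,22 @@ class ClientTrustConfig:
     """
 
     @classmethod
-    def from_json(cls, raw: str) -> None:
+    def from_json(cls, raw: str) -> ClientTrustConfig:
         """
         Deserialize the given client trust config.
         """
         inner = _ClientTrustConfig().from_json(raw)
-        cls(inner)
+        return cls(inner)
 
     def __init__(self, inner: _ClientTrustConfig) -> None:
         """
         @api private
         """
         self._inner = inner
-        # self._
 
-    # @property
-    # def trusted_root(self) -> TrustedRoot:
-    #     pass
+    @property
+    def trusted_root(self) -> TrustedRoot:
+        """
+        Return the interior root of trust, as a `TrustedRoot`.
+        """
+        return TrustedRoot(self._inner.trusted_root)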
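Review bot: `from_json` now returns the config, but its docstring says nothing about what it does not do: the string is only run through the protobuf JSON parser, and nothing in this hunk checks that `trusted_root` or `signing_config` were actually present, so a config missing either would presumably yield default-constructed empty messages and fail later with an unrelated error. Proposed docstring addition: `Raises whatever the underlying JSON/protobuf parser raises on malformed input; no semantic validation of the contents is performed here.` The `trusted_root` property also builds a fresh `TrustedRoot` on every access, which is fine for correctness but worth stating in its docstring if `TrustedRoot.__init__` does non-trivial work.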

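--- a/sigstore/sign.py
+++ b/sigstore/sign.py
@@ -62,7 +62,7 @@
 )
 from sigstore._internal.rekor.client import RekorClient
 from sigstore._internal.sct import verify_sct
-from sigstore._internal.trust import KeyringPurpose, TrustedRoot
+from sigstore._internal.trust import ClientTrustConfig, KeyringPurpose, TrustedRoot
 from sigstore._utils import sha256_digest
 from sigstore.models import Bundle
 from sigstore.oidc import ExpiredIdentity, IdentityToken
@@ -333,6 +333,19 @@ def staging(cls) -> SigningContext:
             trusted_root=TrustedRoot.staging(),
         )
 
+    @classmethod
+    def _from_trust_config(cls, trust_config: ClientTrustConfig) -> SigningContext:
+        """
+        Create a `SigningContext` from the given `ClientTrustConfig`.
+
+        @api private
+        """
+        return cls(
+            fulcio=FulcioClient(trust_config._inner.signing_config.ca_url),
+            rekor=RekorClient(trust_config._inner.signing_config.tlog_urls[0]),
+            trusted_root=trust_config.trusted_root,
+        )
+
     @contextmanager
     def signer(
         self, identity_token: IdentityToken, *, cache: bool = True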
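Review bot: `_from_trust_config` indexes `trust_config._inner.signing_config.tlog_urls[0]` unguarded, so a trust config whose signing config lists no transparency logs fails with a bare `IndexError` from inside a constructor instead of a clear error at load time; the same expression appears in `Verifier._from_trust_config` in `sigstore/verify/verifier.py`. A guard such as `if not trust_config._inner.signing_config.tlog_urls: raise ValueError("trust config declares no transparency log")` before the `return cls(...)` would make the failure explicit. As a point of style, this method and the verifier's both reach through the private `_inner` of `ClientTrustConfig` while the commit already adds a `trusted_root` property for the other field; a matching `signing_config` property would keep the protobuf type private to `trust.py`. If the config lists more than one log only the first is wired up, which the docstring should state.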

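--- a/sigstore/verify/verifier.py
+++ b/sigstore/verify/verifier.py
@@ -44,7 +44,7 @@
     _get_precertificate_signed_certificate_timestamps,
     verify_sct,
 )
-from sigstore._internal.trust import KeyringPurpose, TrustedRoot
+from sigstore._internal.trust import ClientTrustConfig, KeyringPurpose, TrustedRoot
 from sigstore._utils import base64_encode_pem_cert, sha256_digest
 from sigstore.errors import VerificationError
 from sigstore.hashes import Hashed
@@ -96,6 +96,18 @@ def staging(cls) -> Verifier:
             trusted_root=TrustedRoot.staging(),
         )
 
+    @classmethod
+    def _from_trust_config(cls, trust_config: ClientTrustConfig) -> Verifier:
+        """
+        Create a `Verifier` from the given `ClientTrustConfig`.
+
+        @api private
+        """
+        return cls(
+            rekor=RekorClient(trust_config._inner.signing_config.tlog_urls[0]),
+            trusted_root=trust_config.trusted_root,
+        )
+
     def _verify_common_signing_cert(
         self, bundle: Bundle, policy: VerificationPolicy
     ) -> None: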
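Review bot: `Verifier._from_trust_config` builds its Rekor client from `signing_config.tlog_urls[0]`, i.e. from the signing half of the trust config, so a config intended for verification only that carries just a `trusted_root` (if the format allows `signing_config` to be omitted, which I cannot confirm from this hunk) would either fail or point at an empty URL. Whether a verifier needs an online Rekor client at all when the bundle's inclusion proof is checked against `trusted_root` is not visible here; if it does, the docstring should say which log is used and why the signing config is the source. Proposed docstring line: `The Rekor client is taken from the first transparency log in the config's signing config; the trusted root supplies the verification material.`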
