Merge branch 'main' into ww/bump-proto-specs

Signed-off-by: William Woodruff <william@trailofbits.com>

Author: woodruffw

.github/actions/upload-coverage/action.yml

@@ -20,7 +20,7 @@ runs:
         fi
       id: coverage-uuid
       shell: bash
-    - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+    - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: coverage-data-${{ steps.coverage-uuid.outputs.COVERAGE_UUID }}
         include-hidden-files: 'true'

.github/dependabot.yml

@@ -27,14 +27,3 @@ updates:
       actions:
         patterns:
           - "*"
-
-  - package-ecosystem: gomod
-    directory: "/.github"
-    schedule:
-      interval: daily
-    open-pull-requests-limit: 1
-    rebase-strategy: "disabled"
-    groups:
-      actions:
-        patterns:
-          - "*"

.github/go.mod

@@ -0,0 +1,63 @@
+name: Check embedded root
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '13 13 * * 3'
+
+jobs:
+  check-embedded-root:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+        with:
+          python-version: "3.x"
+          cache: "pip"
+          cache-dependency-path: pyproject.toml
+
+      - name: Setup environment
+        run: make dev
+
+      - name: Check if embedded root is up-to-date
+        run: |
+          make update-embedded-root
+          git diff --exit-code
+
+
+      - if: failure()
+        name: Create an issue if embedded root is not up-to-date
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const repo = context.repo.owner + "/" + context.repo.repo
+            const body = `
+            The Sigstore [TUF repository](https://tuf-repo-cdn.sigstore.dev/) contents have changed: the data embedded
+            in sigstore-python sources can be updated. This is not urgent but will improve cold-cache performance.
+            
+            Run \`make update-embedded-root\` to update the embedded data.
+            
+            This issue was filed by _${context.workflow}_ [workflow run](${context.serverUrl}/${repo}/actions/runs/${context.runId}).
+            `
+
+            const issues = await github.rest.search.issuesAndPullRequests({
+              q: "label:embedded-root-update+state:open+type:issue+repo:" + repo,
+            })
+            if (issues.data.total_count > 0) {
+              console.log("Issue for embedded root update exists already.")
+            } else {
+              github.rest.issues.create({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                title: "Embedded TUF root is not up-to-date",
+                labels: ["embedded-root-update"],
+                body: body,
+              })
+              console.log("New issue created.")
+            }

.github/workflows/check-embedded-root.yml

@@ -33,7 +33,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: ${{ matrix.conf.py }}
           allow-prereleases: true
@@ -62,19 +62,27 @@ jobs:
       - name: test
         run: make test TEST_ARGS="-vv --showlocals"
 
+      # TODO: Refactor this or remove it entirely once there's
+      # a suitable staging TSA instance.
       - name: test (timestamp-authority)
         if: ${{ matrix.conf.os == 'ubuntu-latest' }}
         run: |
-          SIGSTORE_TIMESTAMP_VERSION=$(grep "github.com/sigstore/timestamp-authority" .github/go.mod | awk '{print $2}')
+          # Fetch the latest sigstore/timestamp-authority build
+          SIGSTORE_TIMESTAMP_VERSION=$(gh api /repos/sigstore/timestamp-authority/tags --jq '.[0].name')
           wget https://github.com/sigstore/timestamp-authority/releases/download/${SIGSTORE_TIMESTAMP_VERSION}/timestamp-server-linux-amd64 -O /tmp/timestamp-server
           chmod +x /tmp/timestamp-server
+
           # Run the TSA in background
           /tmp/timestamp-server serve --port 3000 --disable-ntp-monitoring &
           export TEST_SIGSTORE_TIMESTAMP_AUTHORITY_URL="http://localhost:3000/api/v1/timestamp"
+
           # Ensure Timestamp Authority tests are not skipped by
           # having pytest show skipped tests and verifying ours are running
           make test TEST_ARGS="-m timestamp_authority -rs" | tee output
           ! grep -q "skipping test that requires a Timestamp Authority" output || (echo "ERROR: Found skip message" && exit 1)
+        env:
+          # Needed for `gh api` above.
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: test (interactive)
         if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
@@ -110,14 +118,14 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: '3.x'
 
       - run: pip install coverage[toml]
 
       - name: download coverage data
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
           path: all-artifacts/
 

.github/workflows/ci.yml

@@ -15,7 +15,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: "3.x"
           cache: "pip"
@@ -24,7 +24,7 @@ jobs:
       - name: install sigstore-python
         run: python -m pip install .
 
-      - uses: sigstore/sigstore-conformance@d658ea74a060aeabae78f8a379167f219dc38c38 # v0.0.16
+      - uses: sigstore/sigstore-conformance@640e7dfb715518eeeb492910c6d244cedcc6cfea # v0.0.17
         with:
           entrypoint: ${{ github.workspace }}/test/integration/sigstore-python-conformance
           xfail: "test_verify_with_trust_root test_verify_dsse_bundle_with_trust_root" # see issue 821

.github/workflows/conformance.yml

@@ -13,7 +13,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: "3.x"
           cache: "pip"

.github/workflows/docs.yml

@@ -14,7 +14,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: "3.x"
           cache: "pip"
@@ -35,7 +35,7 @@ jobs:
 
       # NOTE: We intentionally check `--help` rendering against our minimum Python,
       # since it changes slightly between Python versions.
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: "3.9"
           cache: "pip"
@@ -71,7 +71,7 @@ jobs:
           persist-credentials: false
 
       # NOTE: We intentionally check test certificates against our minimum supported Python.
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: "3.9"
           cache: "pip"

.github/workflows/lint.yml

@@ -70,7 +70,7 @@ jobs:
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config user.name "github-actions[bot]"
 
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version-file: install/.python-version
           cache: "pip"
@@ -129,7 +129,7 @@ jobs:
           git push -f origin "origin/main:${SIGSTORE_PIN_REQUIREMENTS_BRANCH}"
 
       - name: Open pull request
-        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           title: |
             Update pinned requirements for ${{ env.SIGSTORE_RELEASE_TAG }}

.github/workflows/pin-requirements.yml

@@ -19,7 +19,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           # NOTE: We intentionally don't use a cache in the release step,
           # to reduce the risk of cache poisoning.
@@ -74,14 +74,14 @@ jobs:
           done
 
       - name: Upload built packages
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: built-packages
           path: ./dist/
           if-no-files-found: warn
 
       - name: Upload smoketest-artifacts
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: smoketest-artifacts
           path: smoketest-artifacts/
@@ -95,7 +95,7 @@ jobs:
       attestations: write # To persist the attestation files.
     steps:
       - name: Download artifacts directories # goes to current working directory
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       - name: Generate build provenance
         uses: actions/attest-build-provenance@v2
         with:
@@ -109,10 +109,10 @@ jobs:
       id-token: write
     steps:
       - name: Download artifacts directories # goes to current working directory
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
 
       - name: publish
-        uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v1.12.3
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
         with:
           packages-dir: built-packages/
 
@@ -124,7 +124,7 @@ jobs:
       contents: write
     steps:
       - name: Download artifacts directories # goes to current working directory
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
 
       - name: Upload artifacts to github
         # Confusingly, this action also supports updating releases, not

.github/workflows/release.yml

@@ -36,7 +36,7 @@ jobs:
           ref: ${{ env.SIGSTORE_REF }}
           persist-credentials: false
 
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         name: Install Python ${{ matrix.python_version }}
         with:
           python-version: ${{ matrix.python_version }}

.github/workflows/requirements.yml

@@ -29,7 +29,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -44,14 +44,14 @@ jobs:
 
       # Upload the results as artifacts (optional).
       - name: "Upload artifact"
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
+        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
         with:
           sarif_file: results.sarif

.github/workflows/scorecards-analysis.yml

@@ -21,7 +21,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
           python-version: "3.x"
           cache: "pip"

.github/workflows/staging-tests.yml

@@ -8,6 +8,21 @@ All versions prior to 0.9.0 are untracked.
 
 ## [Unreleased]
 
+## [3.6.2]
+
+### Fixed
+
+* Fixed issue where a trust root with multiple rekor keys was not considered valid:
+  Now any rekor key listed in the trust root is considered good to verify entries
+  [#1350](https://github.com/sigstore/sigstore-python/pull/1350)
+
+### Changed
+
+* Upgraded python-tuf dependency to 6.0: Connections to TUF repository
+  now use system certificates (instead of certifi) and have automatic
+  retries
+* Updated the embedded TUF root to version 12
+
 ## [3.6.1]
 
 ### Fixed
@@ -593,8 +608,9 @@ This is a corrective release for [2.1.1].
 
 
 <!--Release URLs -->
-[Unreleased]: https://github.com/sigstore/sigstore-python/compare/v3.6.1...HEAD
-[3.6.0]: https://github.com/sigstore/sigstore-python/compare/v3.6.0...v3.6.1
+[Unreleased]: https://github.com/sigstore/sigstore-python/compare/v3.6.2...HEAD
+[3.6.2]: https://github.com/sigstore/sigstore-python/compare/v3.6.1...v3.6.2
+[3.6.1]: https://github.com/sigstore/sigstore-python/compare/v3.6.0...v3.6.1
 [3.6.0]: https://github.com/sigstore/sigstore-python/compare/v3.5.3...v3.6.0
 [3.5.3]: https://github.com/sigstore/sigstore-python/compare/v3.5.2...v3.5.3
 [3.5.2]: https://github.com/sigstore/sigstore-python/compare/v3.5.1...v3.5.2

CHANGELOG.md

@@ -6,7 +6,7 @@ ALL_PY_SRCS := $(shell find $(PY_MODULE) -name '*.py') \
 	$(shell find test -name '*.py') \
 	$(shell find docs/scripts -name '*.py') \
 
-# Optionally overriden by the user, if they're using a virtual environment manager.
+# Optionally overridden by the user, if they're using a virtual environment manager.
 VENV ?= env
 
 # On Windows, venv scripts/shims are under `Scripts` instead of `bin`.
@@ -34,7 +34,7 @@ ifneq ($(TESTS),)
 	COV_ARGS :=
 else
 	TEST_ARGS := $(TEST_ARGS)
-# TODO: Reenable coverage testing
+# TODO: Re-enable coverage testing
 #	COV_ARGS := --fail-under 100
 endif
 
@@ -172,3 +172,11 @@ check-readme:
 .PHONY: edit
 edit:
 	$(EDITOR) $(ALL_PY_SRCS)
+
+update-embedded-root: $(VENV)/pyvenv.cfg
+	. $(VENV_BIN)/activate && \
+		python -m sigstore plumbing update-trust-root
+	cp ~/.local/share/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/root.json \
+		sigstore/_store/prod/root.json
+	cp ~/.cache/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/trusted_root.json \
+		sigstore/_store/prod/trusted_root.json