
Commit a623010

authored
Merge branch 'main' into ww/bump-proto-specs
Signed-off-by: William Woodruff <william@trailofbits.com>
2 parents f3c66ad + 2ff9ee9 commit a623010


50 files changed

+837
-771
lines changed

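--- a/.github/actions/upload-coverage/action.yml
+++ b/.github/actions/upload-coverage/action.yml
@@ -20,7 +20,7 @@ runs:
 fi
 id: coverage-uuid
 shell: bash
-- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: coverage-data-${{ steps.coverage-uuid.outputs.COVERAGE_UUID }}
 include-hidden-files: 'true'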

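--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -27,14 +27,3 @@ updates:
 actions:
 patterns:
 - "*"
-
-- package-ecosystem: gomod
-directory: "/.github"
-schedule:
-interval: daily
-open-pull-requests-limit: 1
-rebase-strategy: "disabled"
-groups:
-actions:
-patterns:
-- "*"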

.github/go.mod

Lines changed: 0 additions & 11 deletions
This file was deleted.
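--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,63 @@
+name: Check embedded root
+
+on:
+workflow_dispatch:
+schedule:
+- cron: '13 13 * * 3'
+
+jobs:
+check-embedded-root:
+runs-on: ubuntu-latest
+permissions:
+issues: write
+
+steps:
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+with:
+persist-credentials: false
+
+- uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+with:
+python-version: "3.x"
+cache: "pip"
+cache-dependency-path: pyproject.toml
+
+- name: Setup environment
+run: make dev
+
+- name: Check if embedded root is up-to-date
+run: |
+make update-embedded-root
+git diff --exit-code
+
+
+- if: failure()
+name: Create an issue if embedded root is not up-to-date
+uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+with:
+script: |
+const repo = context.repo.owner + "/" + context.repo.repo
+const body = `
+The Sigstore [TUF repository](https://tuf-repo-cdn.sigstore.dev/) contents have changed: the data embedded
+in sigstore-python sources can be updated. This is not urgent but will improve cold-cache performance.
+
+Run \`make update-embedded-root\` to update the embedded data.
+
+This issue was filed by _${context.workflow}_ [workflow run](${context.serverUrl}/${repo}/actions/runs/${context.runId}).
+`
+
+const issues = await github.rest.search.issuesAndPullRequests({
+q: "label:embedded-root-update+state:open+type:issue+repo:" + repo,
+})
+if (issues.data.total_count > 0) {
+console.log("Issue for embedded root update exists already.")
+} else {
+github.rest.issues.create({
+owner: context.repo.owner,
+repo: context.repo.repo,
+title: "Embedded TUF root is not up-to-date",
+labels: ["embedded-root-update"],
+body: body,
+})
+console.log("New issue created.")
+}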
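Review bot: The job-level `permissions:` block lists only `issues: write`; per GitHub's documented behavior every scope not listed there, `contents` included, is set to `none` for this job's GITHUB_TOKEN, so the `actions/checkout` step succeeds only because anonymous read access is enough for a public repository. Declaring `contents: read` next to `issues: write` makes that requirement explicit and keeps the job working if repository visibility ever changes. The file's path is not shown on this page, so the note is anchored to the section as a whole.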

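--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -33,7 +33,7 @@ jobs:
 with:
 persist-credentials: false
 
-- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+- uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
 with:
 python-version: ${{ matrix.conf.py }}
 allow-prereleases: true
@@ -62,19 +62,27 @@ jobs:
 - name: test
 run: make test TEST_ARGS="-vv --showlocals"
 
+# TODO: Refactor this or remove it entirely once there's
+# a suitable staging TSA instance.
 - name: test (timestamp-authority)
 if: ${{ matrix.conf.os == 'ubuntu-latest' }}
 run: |
-SIGSTORE_TIMESTAMP_VERSION=$(grep "github.com/sigstore/timestamp-authority" .github/go.mod | awk '{print $2}')
+# Fetch the latest sigstore/timestamp-authority build
+SIGSTORE_TIMESTAMP_VERSION=$(gh api /repos/sigstore/timestamp-authority/tags --jq '.[0].name')
 wget https://github.com/sigstore/timestamp-authority/releases/download/${SIGSTORE_TIMESTAMP_VERSION}/timestamp-server-linux-amd64 -O /tmp/timestamp-server
 chmod +x /tmp/timestamp-server
+
 # Run the TSA in background
 /tmp/timestamp-server serve --port 3000 --disable-ntp-monitoring &
 export TEST_SIGSTORE_TIMESTAMP_AUTHORITY_URL="http://localhost:3000/api/v1/timestamp"
+
 # Ensure Timestamp Authority tests are not skipped by
 # having pytest show skipped tests and verifying ours are running
 make test TEST_ARGS="-m timestamp_authority -rs" | tee output
 ! grep -q "skipping test that requires a Timestamp Authority" output || (echo "ERROR: Found skip message" && exit 1)
+env:
+# Needed for `gh api` above.
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 - name: test (interactive)
 if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
@@ -110,14 +118,14 @@ jobs:
 with:
 persist-credentials: false
 
-- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+- uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
 with:
 python-version: '3.x'
 
 - run: pip install coverage[toml]
 
 - name: download coverage data
-uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
 with:
 path: all-artifacts/
 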
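Review bot: In the `test (timestamp-authority)` step, `gh api /repos/sigstore/timestamp-authority/tags --jq '.[0].name'` takes whatever tag the tags endpoint lists first; that ordering is not a version sort and can surface pre-release or unrelated tags, so the new comment "Fetch the latest sigstore/timestamp-authority build" is not guaranteed by the query. Dropping the `.github/go.mod` pin also means the TSA binary under test now floats with upstream, and the `wget`'d binary is executed without any checksum or signature check (pre-existing, but worth a comment now that the version is unpinned). The releases endpoint is the reliable way to get the newest published release: `SIGSTORE_TIMESTAMP_VERSION=$(gh api /repos/sigstore/timestamp-authority/releases/latest --jq '.tag_name')`. The `setup-python` and `download-artifact` hunks in this file are plain version bumps.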

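--- a/.github/workflows/conformance.yml
+++ b/.github/workflows/conformance.yml
@@ -15,7 +15,7 @@ jobs:
 with:
 persist-credentials: false
 
-- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+- uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
 with:
 python-version: "3.x"
 cache: "pip"
@@ -24,7 +24,7 @@ jobs:
 - name: install sigstore-python
 run: python -m pip install .
 
-- uses: sigstore/sigstore-conformance@d658ea74a060aeabae78f8a379167f219dc38c38 # v0.0.16
+- uses: sigstore/sigstore-conformance@640e7dfb715518eeeb492910c6d244cedcc6cfea # v0.0.17
 with:
 entrypoint: ${{ github.workspace }}/test/integration/sigstore-python-conformance
 xfail: "test_verify_with_trust_root test_verify_dsse_bundle_with_trust_root" # see issue 821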

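--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -13,7 +13,7 @@ jobs:
 with:
 persist-credentials: false
 
-- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+- uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
 with:
 python-version: "3.x"
 cache: "pip"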

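--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -14,7 +14,7 @@ jobs:
 with:
 persist-credentials: false
 
-- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+- uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
 with:
 python-version: "3.x"
 cache: "pip"
@@ -35,7 +35,7 @@ jobs:
 
 # NOTE: We intentionally check `--help` rendering against our minimum Python,
 # since it changes slightly between Python versions.
-- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+- uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
 with:
 python-version: "3.9"
 cache: "pip"
@@ -71,7 +71,7 @@ jobs:
 persist-credentials: false
 
 # NOTE: We intentionally check test certificates against our minimum supported Python.
-- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+- uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
 with:
 python-version: "3.9"
 cache: "pip"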

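--- a/.github/workflows/pin-requirements.yml
+++ b/.github/workflows/pin-requirements.yml
@@ -70,7 +70,7 @@ jobs:
 git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
 git config user.name "github-actions[bot]"
 
-- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+- uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
 with:
 python-version-file: install/.python-version
 cache: "pip"
@@ -129,7 +129,7 @@ jobs:
 git push -f origin "origin/main:${SIGSTORE_PIN_REQUIREMENTS_BRANCH}"
 
 - name: Open pull request
-uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6
+uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
 with:
 title: |
 Update pinned requirements for ${{ env.SIGSTORE_RELEASE_TAG }}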

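--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,7 +19,7 @@ jobs:
 with:
 persist-credentials: false
 
-- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+- uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
 with:
 # NOTE: We intentionally don't use a cache in the release step,
 # to reduce the risk of cache poisoning.
@@ -74,14 +74,14 @@ jobs:
 done
 
 - name: Upload built packages
-uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: built-packages
 path: ./dist/
 if-no-files-found: warn
 
 - name: Upload smoketest-artifacts
-uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: smoketest-artifacts
 path: smoketest-artifacts/
@@ -95,7 +95,7 @@ jobs:
 attestations: write # To persist the attestation files.
 steps:
 - name: Download artifacts directories # goes to current working directory
-uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
 - name: Generate build provenance
 uses: actions/attest-build-provenance@v2
 with:
@@ -109,10 +109,10 @@ jobs:
 id-token: write
 steps:
 - name: Download artifacts directories # goes to current working directory
-uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
 
 - name: publish
-uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v1.12.3
+uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
 with:
 packages-dir: built-packages/
 
@@ -124,7 +124,7 @@ jobs:
 contents: write
 steps:
 - name: Download artifacts directories # goes to current working directory
-uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
 
 - name: Upload artifacts to github
 # Confusingly, this action also supports updating releases, not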

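--- a/.github/workflows/requirements.yml
+++ b/.github/workflows/requirements.yml
@@ -36,7 +36,7 @@ jobs:
 ref: ${{ env.SIGSTORE_REF }}
 persist-credentials: false
 
-- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+- uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
 name: Install Python ${{ matrix.python_version }}
 with:
 python-version: ${{ matrix.python_version }}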

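--- a/.github/workflows/scorecards-analysis.yml
+++ b/.github/workflows/scorecards-analysis.yml
@@ -29,7 +29,7 @@ jobs:
 persist-credentials: false
 
 - name: "Run analysis"
-uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
 with:
 results_file: results.sarif
 results_format: sarif
@@ -44,14 +44,14 @@ jobs:
 
 # Upload the results as artifacts (optional).
 - name: "Upload artifact"
-uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: SARIF file
 path: results.sarif
 retention-days: 5
 
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
-uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
+uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
 with:
 sarif_file: results.sarif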

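--- a/.github/workflows/staging-tests.yml
+++ b/.github/workflows/staging-tests.yml
@@ -21,7 +21,7 @@ jobs:
 with:
 persist-credentials: false
 
-- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+- uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
 with:
 python-version: "3.x"
 cache: "pip"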

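--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,21 @@ All versions prior to 0.9.0 are untracked.
 
 ## [Unreleased]
 
+## [3.6.2]
+
+### Fixed
+
+* Fixed issue where a trust root with multiple rekor keys was not considered valid:
+Now any rekor key listed in the trust root is considered good to verify entries
+[#1350](https://github.com/sigstore/sigstore-python/pull/1350)
+
+### Changed
+
+* Upgraded python-tuf dependency to 6.0: Connections to TUF repository
+now use system certificates (instead of certifi) and have automatic
+retries
+* Updated the embedded TUF root to version 12
+
 ## [3.6.1]
 
 ### Fixed
@@ -593,8 +608,9 @@ This is a corrective release for [2.1.1].
 
 
 <!--Release URLs -->
-[Unreleased]: https://github.com/sigstore/sigstore-python/compare/v3.6.1...HEAD
-[3.6.0]: https://github.com/sigstore/sigstore-python/compare/v3.6.0...v3.6.1
+[Unreleased]: https://github.com/sigstore/sigstore-python/compare/v3.6.2...HEAD
+[3.6.2]: https://github.com/sigstore/sigstore-python/compare/v3.6.1...v3.6.2
+[3.6.1]: https://github.com/sigstore/sigstore-python/compare/v3.6.0...v3.6.1
 [3.6.0]: https://github.com/sigstore/sigstore-python/compare/v3.5.3...v3.6.0
 [3.5.3]: https://github.com/sigstore/sigstore-python/compare/v3.5.2...v3.5.3
 [3.5.2]: https://github.com/sigstore/sigstore-python/compare/v3.5.1...v3.5.2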

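--- a/Makefile
+++ b/Makefile
@@ -6,7 +6,7 @@ ALL_PY_SRCS := $(shell find $(PY_MODULE) -name '*.py') \
 $(shell find test -name '*.py') \
 $(shell find docs/scripts -name '*.py') \
 
-# Optionally overriden by the user, if they're using a virtual environment manager.
+# Optionally overridden by the user, if they're using a virtual environment manager.
 VENV ?= env
 
 # On Windows, venv scripts/shims are under `Scripts` instead of `bin`.
@@ -34,7 +34,7 @@ ifneq ($(TESTS),)
 COV_ARGS :=
 else
 TEST_ARGS := $(TEST_ARGS)
-# TODO: Reenable coverage testing
+# TODO: Re-enable coverage testing
 # COV_ARGS := --fail-under 100
 endif
 
@@ -172,3 +172,11 @@ check-readme:
 .PHONY: edit
 edit:
 $(EDITOR) $(ALL_PY_SRCS)
+
+update-embedded-root: $(VENV)/pyvenv.cfg
+. $(VENV_BIN)/activate && \
+python -m sigstore plumbing update-trust-root
+cp ~/.local/share/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/root.json \
+sigstore/_store/prod/root.json
+cp ~/.cache/sigstore-python/tuf/https%3A%2F%2Ftuf-repo-cdn.sigstore.dev/trusted_root.json \
+sigstore/_store/prod/trusted_root.json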
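Review bot: The new `update-embedded-root` target is not declared phony, unlike the neighbouring `edit` target (`.PHONY: edit`); if a file or directory named `update-embedded-root` ever exists in the repository root, make will consider it up to date against its only prerequisite `$(VENV)/pyvenv.cfg` and silently skip the refresh, which is exactly the case the new CI check relies on. Add `.PHONY: update-embedded-root` on the line before the target. The two `cp` lines also hard-code `~/.local/share/...` and `~/.cache/...`; presumably these are the tool's default data and cache directories on Linux, so a one-line comment on the target stating that it assumes those defaults (and will not find the files when `XDG_DATA_HOME`/`XDG_CACHE_HOME` are set or on macOS) would save the next maintainer a failed copy.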
