sigstore-cli 0.2.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/exe/sigstore-cli +5 -0
- data/lib/sigstore/cli/id_token.rb +89 -0
- data/lib/sigstore/cli.rb +269 -0
- metadata +80 -0
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 2bc6c2be40d13591ca8500483b3e698764d3fc29e8af44ea3292ab498faeea5a
|
|
4
|
+
data.tar.gz: ab212f10f5132aab74e2534834ea78cd3602a1bc95a74f240b56e87c493af19f
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: 1c09fb5334d58c661c710d4a815e3c082c453e84834cf88dcf5e1c510d11b44b8728946416a1d62becfa4d4af2bb50280f5baf28a6c5692a9c2e1ed4cf18a9f0
|
|
7
|
+
data.tar.gz: f633f7c2d4e8319db67aed71cdda3d7cfc14fa8651d78ff253a1076da60d6749450eab23c6613f1014a44c84ad31a9a9d7e2fe949bbbddaf4351a6b07a355712
|
data/exe/sigstore-cli
ADDED
|
@@ -0,0 +1,89 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
class Sigstore::CLI
|
|
4
|
+
class IdToken
|
|
5
|
+
include Sigstore::Loggable
|
|
6
|
+
|
|
7
|
+
class AmbientCredentialError < Sigstore::Error
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
def self.detect_credential
|
|
11
|
+
[
|
|
12
|
+
GitHub
|
|
13
|
+
# detect_gcp,
|
|
14
|
+
# detect_buildkite,
|
|
15
|
+
# detect_gitlab,
|
|
16
|
+
# detect_circleci
|
|
17
|
+
].each do |detector|
|
|
18
|
+
credential = detector.call("sigstore")
|
|
19
|
+
return credential if credential
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
logger.debug { "failed to find ambient OIDC credential" }
|
|
23
|
+
|
|
24
|
+
nil
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
def self.call(audience)
|
|
28
|
+
new(audience).call
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
def initialize(audience)
|
|
32
|
+
@audience = audience
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
def call
|
|
36
|
+
raise NotImplementedError, "#{self.class}#call"
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
class GitHub < IdToken
|
|
40
|
+
class PermissionCredentialError < Sigstore::Error
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
def call
|
|
44
|
+
logger.debug { "looking for OIDC credentials" }
|
|
45
|
+
unless ENV["GITHUB_ACTIONS"]
|
|
46
|
+
logger.debug { "environment doesn't look like a GH action; giving up" }
|
|
47
|
+
return
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
req_token = ENV.fetch("ACTIONS_ID_TOKEN_REQUEST_TOKEN", nil)
|
|
51
|
+
unless req_token
|
|
52
|
+
raise PermissionCredentialError,
|
|
53
|
+
"missing or insufficient OIDC token permissions, " \
|
|
54
|
+
"the ACTIONS_ID_TOKEN_REQUEST_TOKEN environment variable was unset"
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
req_url = ENV.fetch("ACTIONS_ID_TOKEN_REQUEST_URL", nil)
|
|
58
|
+
unless req_url
|
|
59
|
+
raise PermissionCredentialError,
|
|
60
|
+
"missing or insufficient OIDC token permissions, " \
|
|
61
|
+
"the ACTIONS_ID_TOKEN_REQUEST_URL environment variable was unset"
|
|
62
|
+
end
|
|
63
|
+
req_url = URI.parse(req_url)
|
|
64
|
+
req_url.query = "audience=#{URI.encode_uri_component(@audience)}"
|
|
65
|
+
|
|
66
|
+
logger.debug { "requesting OIDC token" }
|
|
67
|
+
resp = Net::HTTP.get_response(
|
|
68
|
+
req_url, { "Authorization" => "bearer #{req_token}" }
|
|
69
|
+
)
|
|
70
|
+
|
|
71
|
+
begin
|
|
72
|
+
resp.value
|
|
73
|
+
rescue Net::HTTPExceptions
|
|
74
|
+
raise AmbientCredentialError, "OIDC token request failed (code=#{resp.code}, body=#{resp.body})"
|
|
75
|
+
rescue Timeout::Error
|
|
76
|
+
raise AmbientCredentialError, "OIDC token request timed out"
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
begin
|
|
80
|
+
body = JSON.parse resp.body
|
|
81
|
+
rescue StandardError
|
|
82
|
+
raise AmbientCredentialError, "malformed or incomplete json"
|
|
83
|
+
else
|
|
84
|
+
body.fetch("value")
|
|
85
|
+
end
|
|
86
|
+
end
|
|
87
|
+
end
|
|
88
|
+
end
|
|
89
|
+
end
|
data/lib/sigstore/cli.rb
ADDED
|
@@ -0,0 +1,269 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "thor"
|
|
4
|
+
require "sigstore"
|
|
5
|
+
|
|
6
|
+
module Sigstore
|
|
7
|
+
class CLI < Thor
|
|
8
|
+
def self.exit_on_failure?
|
|
9
|
+
true
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def self.start(given_args = ARGV, config = {})
|
|
13
|
+
super
|
|
14
|
+
rescue Sigstore::Error => e
|
|
15
|
+
raise if config[:debug] || ENV["THOR_DEBUG"] == "1"
|
|
16
|
+
|
|
17
|
+
config[:shell].error(e.detailed_message)
|
|
18
|
+
|
|
19
|
+
exit(false)
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
class ShellWrapper
|
|
23
|
+
def initialize(shell)
|
|
24
|
+
@shell = shell
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
def close
|
|
28
|
+
@shell.close
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
def write(...)
|
|
32
|
+
@shell.say(...)
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
def initialize(*)
|
|
37
|
+
super
|
|
38
|
+
Sigstore.logger.reopen ShellWrapper.new(shell)
|
|
39
|
+
Sigstore.logger.level = options[:debug] ? Logger::DEBUG : Logger::INFO
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
package_name "sigstore-cli"
|
|
43
|
+
|
|
44
|
+
desc "verify FILE", "Verify a signature"
|
|
45
|
+
option :staging, type: :boolean, desc: "Use the staging trusted root"
|
|
46
|
+
option :signature, type: :string, desc: "Path to the signature file"
|
|
47
|
+
option :certificate, type: :string, desc: "Path to the public certificate"
|
|
48
|
+
option :certificate_identity, type: :string, desc: "The identity of the certificate"
|
|
49
|
+
option :certificate_oidc_issuer, type: :string, desc: "The OIDC issuer of the certificate"
|
|
50
|
+
option :offline, type: :boolean, desc: "Do not fetch the latest timestamp from the Rekor server"
|
|
51
|
+
option :bundle, type: :string, desc: "Path to the signed bundle"
|
|
52
|
+
option :trusted_root, type: :string, desc: "Path to the trusted root"
|
|
53
|
+
option :update_trusted_root, type: :boolean, desc: "Update the trusted root", default: true
|
|
54
|
+
exclusive :bundle, :signature
|
|
55
|
+
exclusive :bundle, :certificate
|
|
56
|
+
def verify(*files)
|
|
57
|
+
verifier, files_with_materials = collect_verification_state(files)
|
|
58
|
+
policy = Sigstore::Policy::Identity.new(
|
|
59
|
+
identity: options[:certificate_identity],
|
|
60
|
+
issuer: options[:certificate_oidc_issuer]
|
|
61
|
+
)
|
|
62
|
+
|
|
63
|
+
verified = files_with_materials.all? do |file, input|
|
|
64
|
+
result = verifier.verify(input:, policy:, offline: options[:offline])
|
|
65
|
+
|
|
66
|
+
if result.verified?
|
|
67
|
+
say "OK: #{file}"
|
|
68
|
+
true
|
|
69
|
+
else
|
|
70
|
+
say "FAIL: #{file}"
|
|
71
|
+
say "\t#{result.reason}"
|
|
72
|
+
false
|
|
73
|
+
end
|
|
74
|
+
end
|
|
75
|
+
exit(false) unless verified
|
|
76
|
+
end
|
|
77
|
+
map "verify-bundle" => :verify
|
|
78
|
+
|
|
79
|
+
desc "sign ARTIFACT", "Sign a file"
|
|
80
|
+
option :staging, type: :boolean, desc: "Use the staging trusted root"
|
|
81
|
+
option :identity_token, type: :string, desc: "Identity token to use for signing"
|
|
82
|
+
option :bundle, type: :string, desc: "Path to write the signed bundle to"
|
|
83
|
+
option :signature, type: :string, desc: "Path to write the signature to"
|
|
84
|
+
option :certificate, type: :string, desc: "Path to the public certificate"
|
|
85
|
+
option :trusted_root, type: :string, desc: "Path to the trusted root"
|
|
86
|
+
option :update_trusted_root, type: :boolean, desc: "Update the trusted root", default: true
|
|
87
|
+
def sign(file)
|
|
88
|
+
self.options = options.merge(identity_token: IdToken.detect_credential).freeze if options[:identity_token].nil?
|
|
89
|
+
unless options[:identity_token]
|
|
90
|
+
raise Error::InvalidIdentityToken,
|
|
91
|
+
"Failed to detect an ambient identity token, please provide one via --identity-token"
|
|
92
|
+
end
|
|
93
|
+
|
|
94
|
+
contents = File.binread(file)
|
|
95
|
+
bundle = Sigstore::Signer.new(
|
|
96
|
+
jwt: options[:identity_token],
|
|
97
|
+
trusted_root:
|
|
98
|
+
).sign(contents)
|
|
99
|
+
|
|
100
|
+
File.binwrite(options[:bundle], bundle.to_json) if options[:bundle]
|
|
101
|
+
if options[:signature]
|
|
102
|
+
File.binwrite(options[:signature], Internal::Util.base64_encode(bundle.message_signature.signature))
|
|
103
|
+
end
|
|
104
|
+
File.binwrite(options[:certificate], bundle.verification_material.certificate.raw_bytes) if options[:certificate]
|
|
105
|
+
end
|
|
106
|
+
map "sign-bundle" => :sign
|
|
107
|
+
|
|
108
|
+
desc "display", "Display sigstore bundle(s)"
|
|
109
|
+
def display(*files)
|
|
110
|
+
files.each do |file|
|
|
111
|
+
bundle_bytes = Gem.read_binary(file)
|
|
112
|
+
bundle = SBundle.new Bundle::V1::Bundle.decode_json(bundle_bytes, registry: Sigstore::REGISTRY)
|
|
113
|
+
|
|
114
|
+
say "--- Bundle #{file} ---"
|
|
115
|
+
say "Media Type: #{bundle.media_type}"
|
|
116
|
+
say bundle.leaf_certificate.to_text
|
|
117
|
+
|
|
118
|
+
case bundle.content
|
|
119
|
+
when :message_signature
|
|
120
|
+
say "Signature over: #{bundle.message_signature.message_digest.algorithm} " \
|
|
121
|
+
"#{Internal::Util.hex_encode bundle.message_signature.message_digest.digest}"
|
|
122
|
+
when :dsse_envelope
|
|
123
|
+
say bundle.dsse_envelope.payloadType
|
|
124
|
+
say bundle.dsse_envelope.payload
|
|
125
|
+
else raise Error::InvalidBundle, "expected either message_signature or dsse_envelope"
|
|
126
|
+
end
|
|
127
|
+
end
|
|
128
|
+
end
|
|
129
|
+
|
|
130
|
+
class TUF < Thor
|
|
131
|
+
def self.exit_on_failure?
|
|
132
|
+
true
|
|
133
|
+
end
|
|
134
|
+
|
|
135
|
+
desc "download-target TARGET...", "Download a target from a TUP repo"
|
|
136
|
+
option :metadata_url, type: :string, desc: "URL to the metadata", required: true
|
|
137
|
+
option :metadata_dir, type: :string, desc: "Directory to store the metadata", required: true
|
|
138
|
+
option :targets_dir, type: :string, desc: "Directory to store the targets", required: true
|
|
139
|
+
option :cached, type: :boolean, desc: "Return cached targets only"
|
|
140
|
+
option :target_base_url, type: :string, desc: "Base URL for the targets"
|
|
141
|
+
def download_target(*targets)
|
|
142
|
+
trust_updater = Sigstore::TUF::TrustUpdater.new(
|
|
143
|
+
options[:metadata_url], false,
|
|
144
|
+
metadata_dir: options[:metadata_dir], targets_dir: options[:targets_dir],
|
|
145
|
+
target_base_url: options[:target_base_url]
|
|
146
|
+
)
|
|
147
|
+
trust_updater.refresh
|
|
148
|
+
|
|
149
|
+
targets.each do |target|
|
|
150
|
+
target_info = trust_updater.updater.get_targetinfo(target)
|
|
151
|
+
raise Sigstore::TUF::Error, "No such target: #{target}" unless target_info
|
|
152
|
+
|
|
153
|
+
path = if @cached
|
|
154
|
+
trust_updater.updater.find_cached_target(target_info)
|
|
155
|
+
else
|
|
156
|
+
trust_updater.updater.download_target(target_info)
|
|
157
|
+
end
|
|
158
|
+
say "Downloaded #{target} to #{path}"
|
|
159
|
+
end
|
|
160
|
+
end
|
|
161
|
+
|
|
162
|
+
desc "init ROOT", "Initialize a TUF repo"
|
|
163
|
+
option :metadata_dir, type: :string, desc: "Directory to store the metadata", required: true
|
|
164
|
+
def init(root)
|
|
165
|
+
FileUtils.mkdir_p(options[:metadata_dir])
|
|
166
|
+
FileUtils.cp(root, File.join(options[:metadata_dir], "root.json"))
|
|
167
|
+
end
|
|
168
|
+
|
|
169
|
+
desc "refresh", "Refresh the metadata"
|
|
170
|
+
option :metadata_url, type: :string, desc: "URL to the metadata", required: true
|
|
171
|
+
option :metadata_dir, type: :string, desc: "Directory to store the metadata", required: true
|
|
172
|
+
def refresh
|
|
173
|
+
Sigstore::TUF::TrustUpdater.new(
|
|
174
|
+
options[:metadata_url], false,
|
|
175
|
+
metadata_dir: options[:metadata_dir]
|
|
176
|
+
).refresh
|
|
177
|
+
end
|
|
178
|
+
end
|
|
179
|
+
|
|
180
|
+
register TUF, "tuf", "tuf SUBCOMMAND", "TUF commands"
|
|
181
|
+
|
|
182
|
+
private
|
|
183
|
+
|
|
184
|
+
def trusted_root
|
|
185
|
+
return Sigstore::TrustedRoot.from_file(options[:trusted_root]) if options[:trusted_root]
|
|
186
|
+
|
|
187
|
+
if options[:staging]
|
|
188
|
+
Sigstore::TrustedRoot.staging(offline: !options[:update_trusted_root])
|
|
189
|
+
else
|
|
190
|
+
Sigstore::TrustedRoot.production(offline: !options[:update_trusted_root])
|
|
191
|
+
end
|
|
192
|
+
end
|
|
193
|
+
|
|
194
|
+
def collect_verification_state(files)
|
|
195
|
+
if (options[:certificate] || options[:signature] || options[:bundle]) && files.size > 1
|
|
196
|
+
raise Thor::InvocationError, "Too many files specified: #{files.inspect}"
|
|
197
|
+
end
|
|
198
|
+
|
|
199
|
+
if options[:bundle] && (options[:certificate] || options[:signature])
|
|
200
|
+
raise Thor::InvocationError, "Cannot specify both --bundle and --certificate or --signature"
|
|
201
|
+
end
|
|
202
|
+
|
|
203
|
+
input_map = {}
|
|
204
|
+
|
|
205
|
+
verifier = Sigstore::Verifier.for_trust_root(trust_root: trusted_root)
|
|
206
|
+
|
|
207
|
+
all_materials = []
|
|
208
|
+
|
|
209
|
+
files.each do |file|
|
|
210
|
+
raise Thor::InvocationError, "File not found: #{file}" unless File.exist?(file) || file.start_with?("sha256:")
|
|
211
|
+
|
|
212
|
+
sig = options[:signature]
|
|
213
|
+
cert = options[:certificate]
|
|
214
|
+
bundle = options[:bundle]
|
|
215
|
+
|
|
216
|
+
directory = File.dirname(file)
|
|
217
|
+
|
|
218
|
+
sig ||= File.join(directory, "#{file}.sig")
|
|
219
|
+
cert ||= File.join(directory, "#{file}.cert")
|
|
220
|
+
bundle = File.join(directory, "#{file}.sigstore.json") if bundle.nil?
|
|
221
|
+
|
|
222
|
+
missing = []
|
|
223
|
+
|
|
224
|
+
if options[:signature] || options[:certificate]
|
|
225
|
+
missing << sig unless File.exist?(sig)
|
|
226
|
+
missing << cert unless File.exist?(cert)
|
|
227
|
+
input_map[file] = { cert:, sig: }
|
|
228
|
+
else
|
|
229
|
+
missing << bundle unless File.exist?(bundle)
|
|
230
|
+
input_map[file] = { bundle: }
|
|
231
|
+
end
|
|
232
|
+
|
|
233
|
+
raise Thor::InvocationError, "Missing files: #{missing.join(", ")}" if missing.any?
|
|
234
|
+
end
|
|
235
|
+
|
|
236
|
+
input_map.each do |file, inputs|
|
|
237
|
+
artifact = Sigstore::Verification::V1::Artifact.new
|
|
238
|
+
case file
|
|
239
|
+
when /\Asha256:/
|
|
240
|
+
artifact.artifact_uri = file
|
|
241
|
+
else
|
|
242
|
+
artifact.artifact = File.binread(file)
|
|
243
|
+
end
|
|
244
|
+
|
|
245
|
+
verification_input = Sigstore::Verification::V1::Input.new
|
|
246
|
+
verification_input.artifact = artifact
|
|
247
|
+
|
|
248
|
+
if inputs[:bundle]
|
|
249
|
+
bundle_bytes = Gem.read_binary(inputs[:bundle])
|
|
250
|
+
verification_input.bundle = Sigstore::Bundle::V1::Bundle.decode_json(bundle_bytes,
|
|
251
|
+
registry: Sigstore::REGISTRY)
|
|
252
|
+
else
|
|
253
|
+
cert_pem = Gem.read_binary(inputs[:cert])
|
|
254
|
+
b64_sig = Gem.read_binary(inputs[:sig])
|
|
255
|
+
signature = b64_sig.unpack1("m")
|
|
256
|
+
|
|
257
|
+
verification_input.bundle = Sigstore::SBundle.for_cert_bytes_and_signature(cert_pem, signature).__getobj__
|
|
258
|
+
end
|
|
259
|
+
|
|
260
|
+
say "Verifying #{file}..."
|
|
261
|
+
all_materials << [file, Sigstore::VerificationInput.new(verification_input)]
|
|
262
|
+
end
|
|
263
|
+
|
|
264
|
+
[verifier, all_materials]
|
|
265
|
+
end
|
|
266
|
+
end
|
|
267
|
+
end
|
|
268
|
+
|
|
269
|
+
require "sigstore/cli/id_token"
|
metadata
ADDED
|
@@ -0,0 +1,80 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: sigstore-cli
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 0.2.1
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- The Sigstore Authors
|
|
8
|
+
- Samuel Giddins
|
|
9
|
+
autorequire:
|
|
10
|
+
bindir: exe
|
|
11
|
+
cert_chain: []
|
|
12
|
+
date: 2024-11-19 00:00:00.000000000 Z
|
|
13
|
+
dependencies:
|
|
14
|
+
- !ruby/object:Gem::Dependency
|
|
15
|
+
name: sigstore
|
|
16
|
+
requirement: !ruby/object:Gem::Requirement
|
|
17
|
+
requirements:
|
|
18
|
+
- - '='
|
|
19
|
+
- !ruby/object:Gem::Version
|
|
20
|
+
version: 0.2.1
|
|
21
|
+
type: :runtime
|
|
22
|
+
prerelease: false
|
|
23
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
24
|
+
requirements:
|
|
25
|
+
- - '='
|
|
26
|
+
- !ruby/object:Gem::Version
|
|
27
|
+
version: 0.2.1
|
|
28
|
+
- !ruby/object:Gem::Dependency
|
|
29
|
+
name: thor
|
|
30
|
+
requirement: !ruby/object:Gem::Requirement
|
|
31
|
+
requirements:
|
|
32
|
+
- - ">="
|
|
33
|
+
- !ruby/object:Gem::Version
|
|
34
|
+
version: '0'
|
|
35
|
+
type: :runtime
|
|
36
|
+
prerelease: false
|
|
37
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
38
|
+
requirements:
|
|
39
|
+
- - ">="
|
|
40
|
+
- !ruby/object:Gem::Version
|
|
41
|
+
version: '0'
|
|
42
|
+
description:
|
|
43
|
+
email:
|
|
44
|
+
-
|
|
45
|
+
- segiddins@segiddins.me
|
|
46
|
+
executables:
|
|
47
|
+
- sigstore-cli
|
|
48
|
+
extensions: []
|
|
49
|
+
extra_rdoc_files: []
|
|
50
|
+
files:
|
|
51
|
+
- exe/sigstore-cli
|
|
52
|
+
- lib/sigstore/cli.rb
|
|
53
|
+
- lib/sigstore/cli/id_token.rb
|
|
54
|
+
homepage: https://github.com/sigstore/sigstore-ruby
|
|
55
|
+
licenses:
|
|
56
|
+
- Apache-2.0
|
|
57
|
+
metadata:
|
|
58
|
+
allowed_push_host: https://rubygems.org
|
|
59
|
+
homepage_uri: https://github.com/sigstore/sigstore-ruby
|
|
60
|
+
rubygems_mfa_required: 'true'
|
|
61
|
+
post_install_message:
|
|
62
|
+
rdoc_options: []
|
|
63
|
+
require_paths:
|
|
64
|
+
- lib
|
|
65
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
66
|
+
requirements:
|
|
67
|
+
- - ">="
|
|
68
|
+
- !ruby/object:Gem::Version
|
|
69
|
+
version: 3.1.0
|
|
70
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
71
|
+
requirements:
|
|
72
|
+
- - ">="
|
|
73
|
+
- !ruby/object:Gem::Version
|
|
74
|
+
version: '0'
|
|
75
|
+
requirements: []
|
|
76
|
+
rubygems_version: 3.5.22
|
|
77
|
+
signing_key:
|
|
78
|
+
specification_version: 4
|
|
79
|
+
summary: A CLI interface to the sigstore ruby client
|
|
80
|
+
test_files: []
|