From 02e36656a121763bd439731616b494998bfabb2c Mon Sep 17 00:00:00 2001 From: Jack Leightcap Date: Fri, 28 Jul 2023 11:36:47 -0400 Subject: [PATCH 1/6] conformance: cli Signed-off-by: Jack Leightcap --- Cargo.toml | 6 ++ examples/conformance/main.rs | 113 +++++++++++++++++++++++++++++++++++ 2 files changed, 119 insertions(+) create mode 100644 examples/conformance/main.rs diff --git a/Cargo.toml b/Cargo.toml index 0284457ba4..d284660658 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -134,6 +134,12 @@ testcontainers = "0.14" tracing-subscriber = { version = "0.3.9", features = ["env-filter"] } hex = "0.4.3" +# conformance CLI + +[[example]] +name = "conformance_suite" +path = "examples/conformance/main.rs" + # cosign example mappings [[example]] diff --git a/examples/conformance/main.rs b/examples/conformance/main.rs new file mode 100644 index 0000000000..767c6ab747 --- /dev/null +++ b/examples/conformance/main.rs 
@@ -0,0 +1,113 @@ +// +// Copyright 2023 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// CLI implemented to specification: +// https://github.com/sigstore/sigstore-conformance/blob/main/docs/cli_protocol.md + +use clap::{Parser, Subcommand}; + +#[derive(Parser, Debug)] +struct Cli { + #[command(subcommand)] + command: Commands, +} + +#[derive(Subcommand, Debug)] +enum Commands { + Sign, + SignBundle, + Verify, + VerifyBundle, +} + +#[derive(Parser, Debug)] +struct Sign { + // The OIDC identity token to use + #[clap(long)] + identity_token: String, + + // The path to write the signature to + #[clap(long)] + signature: String, + + // The path to write the signing certificate to + #[clap(long)] + certificate: String, + + // The artifact to sign + artifact: String, +} + +#[derive(Parser, Debug)] +struct SignBundle { + // The OIDC identity token to use + #[clap(long)] + identity_token: String, + + // The path to write the bundle to + #[clap(long)] + bundle: String, + + // The artifact to sign + #[clap(long)] + artifact: String, +} + +#[derive(Parser, Debug)] +struct Verify { + // The path to the signature to verify + #[clap(long)] + signature: String, + + // The path to the signing certificate to verify + #[clap(long)] + certificate: String, + + // The expected identity in the signing certificate's SAN extension + #[clap(long)] + certificate_identity: String, + + // The expected OIDC issuer for the signing certificate + #[clap(long)] 
+ certificate_oidc_issuer: String, + + // The path to the artifact to verify + #[clap(long)] + artifact: String, +} + +#[derive(Parser, Debug)] +struct VerifyBundle { + // The path to the Sigstore bundle to verify + #[clap(long)] + bundle: String, + + // The expected identity in the signing certificate's SAN extension + #[clap(long)] + certificate_identity: String, + + // The expected OIDC issuer for the signing certificate + #[clap(long)] + certificate_oidc_issuer: String, + + // The path to the artifact to verify + #[clap(long)] + artifact: String, +} + +#[tokio::main] +pub async fn main() { + let cli = Cli::parse(); +} From b33b1dec2e0e323a6f9ad99befb71a5b1f82d22a Mon Sep 17 00:00:00 2001 From: Jack Leightcap Date: Fri, 28 Jul 2023 11:53:00 -0400 Subject: [PATCH 2/6] conformance: add action+entrypoint Signed-off-by: Jack Leightcap --- .github/workflows/conformance.yml | 17 +++++++++++++++++ examples/conformance/main.rs | 11 ++++------- 2 files changed, 21 insertions(+), 7 deletions(-) create mode 100644 .github/workflows/conformance.yml diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml new file mode 100644 index 0000000000..76409c1b63 --- /dev/null +++ b/.github/workflows/conformance.yml @@ -0,0 +1,17 @@ +on: [push, pull_request] + +name: Conformance Suite + +jobs: + conformance: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 + with: + profile: minimal + toolchain: stable + override: true + - uses: sigstore/sigstore-conformance@v0.0.5 + with: + entrypoint: cargo run --example conformance_suite -- \ No newline at end of file diff --git a/examples/conformance/main.rs b/examples/conformance/main.rs index 767c6ab747..237b8f5c4d 100644 --- a/examples/conformance/main.rs +++ b/examples/conformance/main.rs 
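Review bot: `Sign` and `SignBundle` derive `Debug` while holding `identity_token`, so any `{:?}` of the parsed arguments (or a stray `dbg!(cli)` during development) writes the OIDC bearer token to stderr or CI logs; keep the token in a newtype with a manual `Debug` impl that prints `IdentityToken([redacted])` instead of the value. `main` also parses `cli` and immediately drops it, so every subcommand, `verify` included, exits 0 — until the verbs are wired up the stub should fail closed (`std::process::exit(1)` or `todo!()`) so the conformance runner cannot read a no-op as a passing verification. The per-field comments use `//`; clap's derive only lifts `///` doc comments into `--help`, so `/// The OIDC identity token to use` is presumably what was intended for each field.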
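Review bot: `sigstore/sigstore-conformance@v0.0.5` is pinned to a mutable tag while the checkout and toolchain steps just above it are pinned to commit SHAs with a version comment; a tag can be re-pointed at different code, and this is the step that runs the signing/verification harness with whatever inputs it is handed, so pin it the same way: `- uses: sigstore/sigstore-conformance@<sha> # v0.0.5`. The workflow also declares no `permissions:` block; if the conformance action obtains an OIDC token for its sign tests (not visible in this hunk — confirm), it needs `id-token: write`, and the default `GITHUB_TOKEN` grant should otherwise be narrowed to `contents: read`.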
@@ -26,10 +26,10 @@ struct Cli { #[derive(Subcommand, Debug)] enum Commands { - Sign, - SignBundle, - Verify, - VerifyBundle, + Sign(Sign), + SignBundle(SignBundle), + Verify(Verify), + VerifyBundle(VerifyBundle), } #[derive(Parser, Debug)] @@ -61,7 +61,6 @@ struct SignBundle { bundle: String, // The artifact to sign - #[clap(long)] artifact: String, } @@ -84,7 +83,6 @@ struct Verify { certificate_oidc_issuer: String, // The path to the artifact to verify - #[clap(long)] artifact: String, } @@ -103,7 +101,6 @@ struct VerifyBundle { certificate_oidc_issuer: String, // The path to the artifact to verify - #[clap(long)] artifact: String, } From d6a7b54d2f28ac2f2603df8ff023c27c3df1dfc5 Mon Sep 17 00:00:00 2001 From: Jack Leightcap Date: Fri, 28 Jul 2023 12:38:35 -0400 Subject: [PATCH 3/6] conformance: use child binary crate Signed-off-by: Jack Leightcap --- .github/workflows/conformance.yml | 8 ++++++-- Cargo.toml | 6 ------ tests/conformance/Cargo.toml | 16 ++++++++++++++++ .../main.rs => tests/conformance/conformance.rs | 0 4 files changed, 22 insertions(+), 8 deletions(-) create mode 100644 tests/conformance/Cargo.toml rename examples/conformance/main.rs => tests/conformance/conformance.rs (100%) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 76409c1b63..4ed3b1c9c4 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -12,6 +12,10 @@ jobs: profile: minimal toolchain: stable override: true - - uses: sigstore/sigstore-conformance@v0.0.5 + - uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3 with: - entrypoint: cargo run --example conformance_suite -- \ No newline at end of file + command: build + args: --manifest-path=tests/conformance/Cargo.toml + - uses: sigstore/sigstore-conformance@main + with: + entrypoint: ${{ github.workspace }}/tests/conformance/target/debug/sigstore \ No newline at end of file 
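Review bot: `sigstore/sigstore-conformance@main` replaces the tag pin from the previous commit with a moving branch, so whatever lands on that branch runs in this workflow unreviewed — a step backwards from the SHA-plus-comment pinning the other steps use; pin to a commit, `- uses: sigstore/sigstore-conformance@<sha> # main as of 2023-08-01`, and bump deliberately. The `entrypoint` path assumes `cargo build --manifest-path=tests/conformance/Cargo.toml` emits into `tests/conformance/target/`, which holds only if the nested package is not a member of a workspace rooted at the top-level `Cargo.toml` (if it is, output lands in the root `target/`); the root manifest is not visible here, so confirm, or pass `--target-dir` explicitly. The build step is a debug build without `--locked`, so the binary under test is assembled from whatever dependency versions resolve at run time.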
diff --git a/Cargo.toml b/Cargo.toml index d284660658..0284457ba4 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -134,12 +134,6 @@ testcontainers = "0.14" tracing-subscriber = { version = "0.3.9", features = ["env-filter"] } hex = "0.4.3" -# conformance CLI - -[[example]] -name = "conformance_suite" -path = "examples/conformance/main.rs" - # cosign example mappings [[example]] diff --git a/tests/conformance/Cargo.toml b/tests/conformance/Cargo.toml new file mode 100644 index 0000000000..dfeef1798f --- /dev/null +++ b/tests/conformance/Cargo.toml @@ -0,0 +1,16 @@ +[package] +name = "sigstore-conformance" +description = "sigstore conformance testing workflow" +version = "0.0.1" +edition = "2021" +authors = ["sigstore-rs developers"] +license = "Apache-2.0" + +[dependencies] +clap = { version = "4.0.8", features = ["derive"] } +sigstore = { path = "../../" } +tokio = { version = "1.17.0", features = ["rt"] } + +[[bin]] +name = "sigstore" +path = "conformance.rs" \ No newline at end of file diff --git a/examples/conformance/main.rs b/tests/conformance/conformance.rs similarity index 100% rename from examples/conformance/main.rs rename to tests/conformance/conformance.rs From 7e8b6cf83121d01358c855d7ba123128a3cadf74 Mon Sep 17 00:00:00 2001 From: Jack Leightcap Date: Tue, 1 Aug 2023 14:50:56 -0400 Subject: [PATCH 4/6] conformance: remove async main Signed-off-by: Jack Leightcap --- tests/conformance/Cargo.toml | 1 - tests/conformance/conformance.rs | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/conformance/Cargo.toml b/tests/conformance/Cargo.toml index dfeef1798f..fd511cdc54 100644 --- a/tests/conformance/Cargo.toml +++ b/tests/conformance/Cargo.toml @@ -9,7 +9,6 @@ license = "Apache-2.0" [dependencies] clap = { version = "4.0.8", features = ["derive"] } sigstore = { path = "../../" } -tokio = { version = "1.17.0", features = ["rt"] } [[bin]] name = "sigstore" 
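Review bot: The new `tests/conformance` package is added without a `Cargo.lock`, so `clap = "4.0.8"` and `tokio = "1.17.0"` are caret ranges resolved afresh on every CI run and the conformance binary is built from whichever transitive versions the registry serves that day; commit the nested lockfile and build with `--locked` so a harness result is tied to a fixed dependency graph. A package nested under `tests/` with its own manifest also interacts with the parent: if the root `Cargo.toml` declares a `[workspace]`, Cargo refuses to build this package until it is listed under `members` or `exclude` (the root manifest is not shown in this hunk — confirm). The `[[bin]] name = "sigstore"` shadows the name of the `sigstore` dependency one line above; it builds, but a one-line comment saying the binary name is dictated by the conformance CLI protocol would save the next reader from assuming it is a mistake.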
diff --git a/tests/conformance/conformance.rs b/tests/conformance/conformance.rs index 237b8f5c4d..c52c822fe1 100644 --- a/tests/conformance/conformance.rs +++ b/tests/conformance/conformance.rs @@ -104,7 +104,6 @@ struct VerifyBundle { artifact: String, } -#[tokio::main] -pub async fn main() { +fn main() { let cli = Cli::parse(); } From 32b897c03a825c1f18e466eb12ef5e1c44b7bdb7 Mon Sep 17 00:00:00 2001 From: Jack Leightcap Date: Tue, 1 Aug 2023 14:55:23 -0400 Subject: [PATCH 5/6] conformance: trailing newlines Signed-off-by: Jack Leightcap --- .github/workflows/conformance.yml | 2 +- tests/conformance/Cargo.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 4ed3b1c9c4..d58372b0de 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -18,4 +18,4 @@ jobs: args: --manifest-path=tests/conformance/Cargo.toml - uses: sigstore/sigstore-conformance@main with: - entrypoint: ${{ github.workspace }}/tests/conformance/target/debug/sigstore \ No newline at end of file + entrypoint: ${{ github.workspace }}/tests/conformance/target/debug/sigstore diff --git a/tests/conformance/Cargo.toml b/tests/conformance/Cargo.toml index fd511cdc54..6c0c5d16a9 100644 --- a/tests/conformance/Cargo.toml +++ b/tests/conformance/Cargo.toml @@ -12,4 +12,4 @@ sigstore = { path = "../../" } [[bin]] name = "sigstore" -path = "conformance.rs" \ No newline at end of file +path = "conformance.rs" From f35ca2bb5a2ecacdd6a4c4b856a389788ee21d67 Mon Sep 17 00:00:00 2001 From: Jack Leightcap Date: Wed, 2 Aug 2023 10:34:21 -0400 Subject: [PATCH 6/6] conformance: workflow dispatch trigger Signed-off-by: Jack Leightcap --- .github/workflows/conformance.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index d58372b0de..171620f059 100644 --- a/.github/workflows/conformance.yml 
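Review bot: After this hunk `main` still parses `cli` and drops it, so the binary exits 0 for `verify` and `verify-bundle` regardless of the arguments — for a conformance harness that is the worst failure mode, because a stub that always "succeeds" verification reads as a pass. Until the subcommands are implemented, fail closed: `let cli = Cli::parse(); eprintln!("{:?}: not implemented", cli.command); std::process::exit(1);` (or simply `todo!()`), so unimplemented verbs are reported as failures rather than silently accepted. Dropping `#[tokio::main]` also means the eventual calls into the `sigstore` crate will need a runtime built by hand if the APIs being called are async — not visible in this hunk, so note the intent in a comment above `fn main`.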
+++ b/.github/workflows/conformance.yml @@ -1,4 +1,4 @@ -on: [push, pull_request] +on: [workflow_dispatch] name: Conformance Suite
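Review bot: With `on: [workflow_dispatch]` alone, the conformance suite no longer runs on any push or pull request, so a regression in signing or verification will only be caught if someone remembers to start the workflow by hand. If the motivation is that the action needs credentials that are unavailable on fork pull requests (the commit message does not say — confirm), the usual compromise is `on: [push, workflow_dispatch]` with `permissions: { id-token: write, contents: read }` so at least the main branch is exercised automatically; otherwise record the reason in a comment above the `on:` line so it is not "fixed" back later.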