conformance: add conformance CLI and action

.github/workflows/conformance.yml

@@ -0,0 +1,21 @@
+on: [push, pull_request]
+
+name: Conformance Suite
+
+jobs:
+  conformance:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
+        with:
+          profile: minimal
+          toolchain: stable
+          override: true
+      - uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
+        with:
+          command: build
+          args: --manifest-path=tests/conformance/Cargo.toml
+      - uses: sigstore/sigstore-conformance@main
+        with:
+          entrypoint: ${{ github.workspace }}/tests/conformance/target/debug/sigstore

tests/conformance/Cargo.toml

@@ -0,0 +1,16 @@
+[package]
+name = "sigstore-conformance"
+description = "sigstore conformance testing workflow"
+version = "0.0.1"
+edition = "2021"
+authors = ["sigstore-rs developers"]
+license = "Apache-2.0"
+
+[dependencies]
+clap = { version = "4.0.8", features = ["derive"] }
+sigstore = { path = "../../" }
+tokio = { version = "1.17.0", features = ["rt"] }
+
+[[bin]]
+name = "sigstore"
+path = "conformance.rs"

tests/conformance/conformance.rs

@@ -0,0 +1,110 @@
+//
+// Copyright 2023 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// CLI implemented to specification:
+// https://github.com/sigstore/sigstore-conformance/blob/main/docs/cli_protocol.md
+
+use clap::{Parser, Subcommand};
+
+#[derive(Parser, Debug)]
+struct Cli {
+    #[command(subcommand)]
+    command: Commands,
+}
+
+#[derive(Subcommand, Debug)]
+enum Commands {
+    Sign(Sign),
+    SignBundle(SignBundle),
+    Verify(Verify),
+    VerifyBundle(VerifyBundle),
+}
+
+#[derive(Parser, Debug)]
+struct Sign {
+    // The OIDC identity token to use
+    #[clap(long)]
+    identity_token: String,
+
+    // The path to write the signature to
+    #[clap(long)]
+    signature: String,
+
+    // The path to write the signing certificate to
+    #[clap(long)]
+    certificate: String,
+
+    // The artifact to sign
+    artifact: String,
+}
+
+#[derive(Parser, Debug)]
+struct SignBundle {
+    // The OIDC identity token to use
+    #[clap(long)]
+    identity_token: String,
+
+    // The path to write the bundle to
+    #[clap(long)]
+    bundle: String,
+
+    // The artifact to sign
+    artifact: String,
+}
+
+#[derive(Parser, Debug)]
+struct Verify {
+    // The path to the signature to verify
+    #[clap(long)]
+    signature: String,
+
+    // The path to the signing certificate to verify
+    #[clap(long)]
+    certificate: String,
+
+    // The expected identity in the signing certificate's SAN extension
+    #[clap(long)]
+    certificate_identity: String,
+
+    // The expected OIDC issuer for the signing certificate
+    #[clap(long)]
+    certificate_oidc_issuer: String,
+
+    // The path to the artifact to verify
+    artifact: String,
+}
+
+#[derive(Parser, Debug)]
+struct VerifyBundle {
+    // The path to the Sigstore bundle to verify
+    #[clap(long)]
+    bundle: String,
+
+    // The expected identity in the signing certificate's SAN extension
+    #[clap(long)]
+    certificate_identity: String,
+
+    // The expected OIDC issuer for the signing certificate
+    #[clap(long)]
+    certificate_oidc_issuer: String,
+
+    // The path to the artifact to verify
+    artifact: String,
+}
+
+#[tokio::main]
+pub async fn main() {
+    let cli = Cli::parse();
+}