Do not enable rekor2 signing yet

jku · jku · commit 12c20fbf1ef1 · 2025-10-20T11:07:53.000+03:00
* Force Rekor tlog version 1 when signing
* Make sure this is the case with a check in test_roundtrip()

Not that rekor v2 entries are still considered valid in verification
already, and that timestamps are included in the attestation
even if the entry is from rekor v1
diff --git a/src/pypi_attestations/_cli.py b/src/pypi_attestations/_cli.py
@@ -430,6 +430,9 @@ def _sign(args: argparse.Namespace) -> None:
         _die(f"Failed to detect identity: {identity_error}")
 
     trust_config = ClientTrustConfig.staging() if args.staging else ClientTrustConfig.production()
+    # Make sure we choose the rekor version: currently v1
+    trust_config.force_tlog_version = 1
+
     signing_ctx = SigningContext.from_trust_config(trust_config)
 
     # Validates that every file we want to sign exist but none of their attestations
diff --git a/test/test_impl.py b/test/test_impl.py
@@ -76,13 +76,22 @@ class TestAttestation:
     @online
     def test_roundtrip(self, id_token: IdentityToken) -> None:
         trust_config = ClientTrustConfig.staging()
+        # Make sure we choose the rekor version: currently v1
+        trust_config.force_tlog_version = 1
         sign_ctx = SigningContext.from_trust_config(trust_config)
 
         with sign_ctx.signer(id_token) as signer:
             attestation = impl.Attestation.sign(signer, dist)
 
         attestation.verify(policy.UnsafeNoOp(), dist, staging=True)
 
+        # ensure we only produce attestations with rekor v1 entries for now:
+        for entry in attestation.verification_material.transparency_entries:
+            assert entry["kindVersion"] == {
+                "kind": "dsse",
+                "version": "0.0.1"
+            }
+
         # converting to a bundle and verifying as a bundle also works
         bundle = attestation.to_bundle()
         Verifier.staging().verify_dsse(bundle, policy.UnsafeNoOp())
@@ -111,6 +120,8 @@ def in_validity_period(_: IdentityToken) -> bool:
         monkeypatch.setattr(IdentityToken, "in_validity_period", in_validity_period)
 
         trust_config = ClientTrustConfig.staging()
+        # Make sure we choose the rekor version: currently v1
+        trust_config.force_tlog_version = 1
         sign_ctx = SigningContext.from_trust_config(trust_config)
 
         with sign_ctx.signer(id_token, cache=False) as signer:
@@ -130,6 +141,8 @@ def get_bundle(*_: Any) -> Bundle:
         monkeypatch.setattr(sigstore.sign.Signer, "sign_dsse", get_bundle)
 
         trust_config = ClientTrustConfig.staging()
+        # Make sure we choose the rekor version: currently v1
+        trust_config.force_tlog_version = 1
         sign_ctx = SigningContext.from_trust_config(trust_config)
 
         with pytest.raises(impl.AttestationError):
@@ -240,6 +253,9 @@ def test_verify_with_timestamp(self) -> None:
         Verifier.production(offline=True).verify_dsse(bundle, policy.UnsafeNoOp())
 
     def test_verify_with_timestamp_and_rekor2_entry(self) -> None:
+        # Note that the pypi-attestations does not currently create attestatations with rekor2
+        # entries. This test still asserts that verification works
+
         # Our checked-in asset has this identity.
         pol = policy.Identity(identity="jku@goto.fi", issuer="https://github.com/login/oauth")
 
