Skip to content

Commit

Permalink
Add sigstore attest CLI subcommand to sign using DSSE envelopes (#1115
Browse files Browse the repository at this point in the history
)

Co-authored-by: William Woodruff <william@trailofbits.com>
  • Loading branch information
facutuesca and woodruffw authored Sep 13, 2024
1 parent 75d5f50 commit b704f82
Show file tree
Hide file tree
Showing 6 changed files with 531 additions and 83 deletions.
6 changes: 6 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,12 @@ All versions prior to 0.9.0 are untracked.
statement's predicate, which `sigstore-python` does not verify and should be
verified by the user.

* CLI: The `sigstore attest` subcommand has been added. This command is
similar to `cosign attest` in that it signs over an artifact and a
predicate using a DSSE envelope. This commands requires the user to pass
a path to the file containing the predicate, and the predicate type.
Currently only the SLSA Provenance v0.2 and v1.0 types are supported.

## [3.2.0]

### Added
Expand Down
10 changes: 10 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -135,6 +135,16 @@ check-readme:
$(MAKE) -s run ARGS="sign --help" \
)

# sigstore attest --help
@diff \
<( \
awk '/@begin-sigstore-attest-help@/{f=1;next} /@end-sigstore-attest-help@/{f=0} f' \
< README.md | sed '1d;$$d' \
) \
<( \
$(MAKE) -s run ARGS="attest --help" \
)

# sigstore verify identity --help
@diff \
<( \
Expand Down
53 changes: 53 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,7 @@ a tool for signing and verifying Python package distributions

positional arguments:
COMMAND the operation to perform
attest sign one or more inputs using DSSE
sign sign one or more inputs
verify verify one or more inputs
get-identity-token
Expand Down Expand Up @@ -179,6 +180,58 @@ Output options:
```
<!-- @end-sigstore-sign-help@ -->
### Signing with DSSE envelopes
<!-- @begin-sigstore-attest-help@ -->
```
usage: sigstore attest [-h] [-v] --predicate FILE --predicate-type TYPE
[--identity-token TOKEN] [--oidc-client-id ID]
[--oidc-client-secret SECRET]
[--oidc-disable-ambient-providers] [--oidc-issuer URL]
[--oauth-force-oob] [--bundle FILE] [--overwrite]
FILE [FILE ...]

positional arguments:
FILE The file to sign

optional arguments:
-h, --help show this help message and exit
-v, --verbose run with additional debug logging; supply multiple
times to increase verbosity (default: 0)

DSSE options:
--predicate FILE Path to the predicate file (default: None)
--predicate-type TYPE
Specify a predicate type
(https://slsa.dev/provenance/v0.2,
https://slsa.dev/provenance/v1) (default: None)

OpenID Connect options:
--identity-token TOKEN
the OIDC identity token to use (default: None)
--oidc-client-id ID The custom OpenID Connect client ID to use during
OAuth2 (default: sigstore)
--oidc-client-secret SECRET
The custom OpenID Connect client secret to use during
OAuth2 (default: None)
--oidc-disable-ambient-providers
Disable ambient OpenID Connect credential detection
(e.g. on GitHub Actions) (default: False)
--oidc-issuer URL The OpenID Connect issuer to use (conflicts with
--staging) (default: https://oauth2.sigstore.dev/auth)
--oauth-force-oob Force an out-of-band OAuth flow and do not
automatically start the default web browser (default:
False)

Output options:
--bundle FILE Write a single Sigstore bundle to the given file; does
not work with multiple input files (default: None)
--overwrite Overwrite preexisting bundle outputs, if present
(default: False)
```
<!-- @end-sigstore-attest-help@ -->
### Verifying
#### Generic identities
Expand Down
Loading

0 comments on commit b704f82

Please sign in to comment.