Merge branch 'main' into grantbirki/cut-new-release

Author: GrantBirki

.github/workflows/ci.yml

@@ -159,8 +159,7 @@ jobs:
     needs: ruby-versions
     runs-on: ubuntu-latest
     name: Smoketest
-    permissions:
-      id-token: write
+    permissions: {}
     strategy:
       fail-fast: false
       matrix:
@@ -186,12 +185,15 @@ jobs:
         id: list-gems
         run: |
           echo "gems=$(find pkg -type f -name '*.gem' -print0 | xargs -0 jq --compact-output --null-input --args '[$ARGS.positional[]]')" >> $GITHUB_OUTPUT
+      - name: Fetch testing OIDC token
+        uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@4a8befcc16064dac9e97f210948d226e5c869bdc # v1.0.0
       - name: Run the smoketest
         run: |
           ./bin/smoketest ${BUILT_GEMS}
         env:
           BUILT_GEMS: ${{ join(fromJson(steps.list-gems.outputs.gems), ' ') }}
-          WORKFLOW_NAME: ci
+          OIDC_TOKEN_FILE: ./oidc-token.txt
+          SIGSTORE_CERT_IDENTITY: https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main
 
   all-tests-pass:
     if: always()

.github/workflows/release.yml

@@ -64,6 +64,7 @@ jobs:
           ./bin/smoketest ${BUILT_GEMS}
         env:
           BUILT_GEMS: ${{ join(fromJson(steps.list-gems.outputs.gems), ' ') }}
+          SIGSTORE_CERT_IDENTITY: ${{ github.server_url }}/${{ github.repository }}/.github/workflows/release.yml@${{ github.ref }}
 
       - name: Generate hashes for provenance
         shell: bash

README.md

@@ -1,6 +1,6 @@
 # Sigstore
 
-This is a pure Ruby implementation of the `sigstore verify` command from the [sigstore/cosign](https://sigstore.dev/projects/cosign) project. It is intended to be used as a library in other Ruby projects, in additional to a `gem` subcommand. The project also contains a TUF client implementation, given TUF is a part of the sigstore verification flow.
+This is a pure Ruby implementation of the `sigstore verify` command from the [sigstore/cosign](https://sigstore.dev/projects/cosign) project. It is intended to be used as a library in other Ruby projects or directly through a new `gem` subcommand. The project also contains a TUF client implementation, given TUF is a part of the sigstore verification flow.
 
 ## Usage
 

bin/smoketest

@@ -22,8 +22,12 @@ env = {
   "BUNDLE_GEMFILE" => "smoketest-gem-home/Gemfile"
 }
 
-cert_identity = "#{ENV.fetch("GITHUB_SERVER_URL")}/#{ENV.fetch("GITHUB_REPOSITORY")}" \
-                "/.github/workflows/#{ENV.fetch("WORKFLOW_NAME", "release")}.yml@#{ENV.fetch("GITHUB_REF")}"
+# Get cert identity from environment
+cert_identity = ENV.fetch("SIGSTORE_CERT_IDENTITY")
+
+# Read OIDC token from file if available
+oidc_token_file = ENV.fetch("OIDC_TOKEN_FILE", nil)
+oidc_token = (File.read(oidc_token_file).strip if oidc_token_file && File.exist?(oidc_token_file))
 
 sh(env, "gem", "install", *dists, "--no-document", exception: true)
 
@@ -32,12 +36,22 @@ File.write("smoketest-gem-home/Gemfile", <<~RUBY)
 RUBY
 
 dists.each do |dist|
-  sh(env, File.expand_path("sigstore-cli", __dir__),
-     "sign", dist,
-     "--signature=smoketest-artifacts/#{File.basename(dist)}.sig",
-     "--certificate=smoketest-artifacts/#{File.basename(dist)}.crt",
-     "--bundle=smoketest-artifacts/#{File.basename(dist)}.sigstore.json",
-     exception: true)
+  # Build sign command with optional identity token
+  sign_cmd = [
+    File.expand_path("sigstore-cli", __dir__),
+    "sign",
+    dist
+  ]
+
+  sign_cmd.push("--identity-token", oidc_token) if oidc_token
+
+  sign_cmd.push(
+    "--signature=smoketest-artifacts/#{File.basename(dist)}.sig",
+    "--certificate=smoketest-artifacts/#{File.basename(dist)}.crt",
+    "--bundle=smoketest-artifacts/#{File.basename(dist)}.sigstore.json"
+  )
+
+  sh(env, *sign_cmd, exception: true)
 
   sh(env, File.expand_path("sigstore-cli", __dir__),
      "verify",