From 62f6e34fa9d73cd7c97681f38e7371678eaba010 Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Wed, 24 May 2023 10:00:59 +0300
Subject: [PATCH] SigstoreSigner: Use sigstore 1.1.2
* 1.1.2 has an accidental API change that makes it incompatible with lower versions
* This change is reverted in next release, but next release has planned API breaks
* sigstore 1.1.1 has an unrelated bug that means it does not really work with current sigstore infrastructure (the current TUF repository to be exact)
So plan is:
1. Pin 1.1.2: it's the only version that works right now
2. Upgrade to 2.0.0 once it comes out: this will require small code changes
This commit handles part 1.
---
pyproject.toml | 2 +-
requirements-sigstore.txt | 2 +-
securesystemslib/signer/_sigstore_signer.py | 4 +++-
3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index 6efabb2e..0ca6fc98 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -48,7 +48,7 @@ gcpkms = ["google-cloud-kms", "cryptography>=37.0.0"]
 hsm = ["asn1crypto", "cryptography>=37.0.0", "PyKCS11"]
 pynacl = ["pynacl>1.2.0"]
 PySPX = ["PySPX>=0.5.0"]
-sigstore = ["sigstore!=1.1.2"]
+sigstore = ["sigstore==1.1.2"]
 [tool.hatch.version]
 path = "securesystemslib/__init__.py"
diff --git a/requirements-sigstore.txt b/requirements-sigstore.txt
index 4f8ef56f..6a939765 100644
--- a/requirements-sigstore.txt
+++ b/requirements-sigstore.txt
@@ -1 +1 @@
-sigstore==1.1.1
+sigstore==1.1.2
diff --git a/securesystemslib/signer/_sigstore_signer.py b/securesystemslib/signer/_sigstore_signer.py
index e0dfaadd..866c12e3 100644
--- a/securesystemslib/signer/_sigstore_signer.py
+++ b/securesystemslib/signer/_sigstore_signer.py
@@ -161,7 +161,9 @@ def from_priv_key_uri(
 issuer = Issuer.production()
 token = issuer.identity_token()
 else:
- token = detect_credential()
+ # Note: this method signature only works with sigstore-python 1.1.2:
+ # dependencies must be updated when changing this
+ token = detect_credential("sigstore")
 return cls(token, public_key)
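Review bot: The value returned by the new `detect_credential("sigstore")` call goes straight into `cls(token, public_key)` with no None check; if the 1.1.2 signature still returns None when no ambient credential is present, as I understand the earlier no-argument form did, the failure is deferred to the first sign() with nothing pointing at credential detection as the cause. A guard right after the call, `if token is None: raise ValueError("No ambient credential found for sigstore")` (worded like the surrounding code's errors), would report it at construction time instead. The bare literal `"sigstore"` is the OIDC audience the ambient credential is requested for, which the added comment could state so the next reader does not take it for a scheme name, e.g. `# "sigstore" is the token audience Fulcio expects; passing it explicitly is a sigstore-python 1.1.2 requirement`. from_priv_key_uri's signature and the rest of its body are outside the hunk.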