From ab9624f10c4c23c7c043a4e9d7d93d2873505b1f Mon Sep 17 00:00:00 2001 From: Louis Jacomet Date: Fri, 31 Mar 2023 11:30:19 +0200 Subject: [PATCH 1/3] Improve README * Use java.nio.file.Files.newBufferedReader to not require Guava in sample * Remove invalid semicolon Signed-off-by: Louis Jacomet --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 989aa5c8..63bd088e 100644 --- a/README.md +++ b/README.md @@ -58,12 +58,12 @@ var keylessSignature = ##### KeylessSignature from bundle ```java var bundleFile = // java.nio.path to some bundle file -var keylessSignature = BundleFactory.readBundle(Files.newReader(bundleFile, StandardCharsets.UTF_8)); +var keylessSignature = BundleFactory.readBundle(Files.newBufferedReader(bundleFile, StandardCharsets.UTF_8)); ``` ##### Configure verification options ```java -var verificationOptionsBuilder = +var verificationOptions = VerificationOptions.builder() // verify online? (connect to rekor for inclusion proof) .isOnline(true) @@ -72,7 +72,7 @@ var verificationOptionsBuilder = CertificateIdentity.builder() .issuer("https://accounts.example.com")) .subjectAlternativeName("test@example.com") - .build()); + .build()) .build(); ``` From 6abe49bd614660e7fd408f80d9d812eb4a237569 Mon Sep 17 00:00:00 2001 From: Louis Jacomet Date: Fri, 31 Mar 2023 18:06:30 +0200 Subject: [PATCH 2/3] Fix typo in error message Signed-off-by: Louis Jacomet --- .../dev/sigstore/fulcio/client/FulcioCertificateVerifier.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sigstore-java/src/main/java/dev/sigstore/fulcio/client/FulcioCertificateVerifier.java b/sigstore-java/src/main/java/dev/sigstore/fulcio/client/FulcioCertificateVerifier.java index 5bd3a59e..ba911fd8 100644 --- a/sigstore-java/src/main/java/dev/sigstore/fulcio/client/FulcioCertificateVerifier.java +++ b/sigstore-java/src/main/java/dev/sigstore/fulcio/client/FulcioCertificateVerifier.java 
@@ -89,7 +89,7 @@ private String extractSan(X509Certificate cert) throws FulcioVerificationExcepti } if (sans.size() > 1) { throw new FulcioVerificationException( - "Fulcio ceritifcate must only have 1 SAN, but found " + sans.size()); + "Fulcio certificate must only have 1 SAN, but found " + sans.size()); } var san = sans.stream().findFirst().get(); var type = (Integer) san.get(0); From 72f4503baa7c8b59afec23548edd2c79d3cdba12 Mon Sep 17 00:00:00 2001 From: Louis Jacomet Date: Fri, 31 Mar 2023 18:14:13 +0200 Subject: [PATCH 3/3] Document requirements for GitHub Actions OIDC support Minor formatting improvements Signed-off-by: Louis Jacomet --- sigstore-gradle/README.md | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/sigstore-gradle/README.md b/sigstore-gradle/README.md index 0357f34e..4f00aca5 100644 --- a/sigstore-gradle/README.md +++ b/sigstore-gradle/README.md @@ -9,9 +9,9 @@ Signature format uses [Sigstore bundle](https://github.com/sigstore/cosign/pull/ ## Requirements -Java 11 (https://github.com/sigstore/sigstore-java requires Java 11) -Gradle 7.5 (Gradle 6 could be supported once https://github.com/jsonschema2dataclass/js2d-gradle/issues/401 is released) -Gradle configuration cache is supported. +* Java 11 (https://github.com/sigstore/sigstore-java requires Java 11) +* Gradle 7.5 (Gradle 6 could be supported once https://github.com/jsonschema2dataclass/js2d-gradle/issues/401 is released) +* Gradle configuration cache is supported. ## Minimal usage 
@@ -25,6 +25,18 @@ plugins { // and it would resort to Web Browser OIDC otherwise. ``` +### GitHub Actions OIDC support + +In order for the required environment variables to be available, the workflow requires the following permissions: + +```yaml +permissions: + id-token: write + contents: read +``` + +See [GitHub documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#adding-permissions-settings) for details. + ## Full configuration ```kotlin
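Review bot: in the README.md hunk at `@@ -58,12 +58,12`, the new call `Files.newBufferedReader(bundleFile, StandardCharsets.UTF_8)` only compiles if `Files` resolves to `java.nio.file.Files`; the old `Files.newReader(...)` was Guava's `com.google.common.io.Files`, so the sample should show `import java.nio.file.Files;` (or fully qualify the call) so readers do not keep the Guava import and get a compile error. The comment `// java.nio.path to some bundle file` should also read `java.nio.file.Path`, since `newBufferedReader` takes a `Path`, not a `File`. The rename from `verificationOptionsBuilder` to `verificationOptions` is correct because the chain ends in `.build()`.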
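Review bot: in the README.md hunk at `@@ -72,7 +72,7`, removing the `;` from `.build());` fixes the statement terminator, but the unchanged context line `.issuer("https://accounts.example.com"))` still carries an extra `)` that closes the enclosing call before `.subjectAlternativeName("test@example.com")`, so the sample is still unbalanced and the SAN would not be applied to the `CertificateIdentity` builder. Suggest `.issuer("https://accounts.example.com")` on that line, leaving the closing paren on the `.build())` line.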
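Review bot: in the FulcioCertificateVerifier.java hunk at `@@ -89,7 +89,7`, the message fix is correct; check whether any test asserts on the old text `"Fulcio ceritifcate must only have 1 SAN"`, since such a test would now need the corrected string.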
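Review bot: in the sigstore-gradle/README.md hunk at `@@ -9,9 +9,9`, the third bullet `* Gradle configuration cache is supported.` is a capability statement, not a requirement, so it reads oddly in a list whose other items name minimum versions; suggest moving it to its own sentence under the list, keeping the Java 11 and Gradle 7.5 bullets as the actual requirements.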
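Review bot: in the sigstore-gradle/README.md hunk at `@@ -25,6 +25,18`, the new section should state that declaring a `permissions:` block sets every scope not listed to `none`, so a workflow that also publishes artifacts or releases must add those grants next to `id-token: write`; `contents: read` on its own covers only checking out the repository. It is also worth recommending that the block be placed at the job level rather than the workflow level so only the signing job can mint an OIDC token, and naming the variables the plugin reads (`ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN`), since the paragraph refers to "the required environment variables" without saying which ones.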