

default to signing v0.3 bundles (#1269)
Signed-off-by: Brian DeHamer <bdehamer@github.com>
bdehamer authored Oct 9, 2024

1 parent 9df66ee commit 54c1b04
Showing 8 changed files with 37 additions and 36 deletions.
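--- a/.changeset/cold-icons-dream.md
+++ b/.changeset/cold-icons-dream.md
@@ -0,0 +1,5 @@
+---
+'@sigstore/sign': major
+---
+
+Default `DSSEBundleBuilder` to generating v0.3 bundles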
2 changes: 1 addition & 1 deletion packages/cli/src/commands/attest.ts
@@ -191,5 +191,5 @@ const initBundleBuilder = (opts: SignOptions): BundleBuilder => {

// Build the bundle with the singleCertificate option which will
// trigger the creation of v0.3 DSSE bundles
return new DSSEBundleBuilder({ signer, witnesses, singleCertificate: true });
return new DSSEBundleBuilder({ signer, witnesses });
};
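Review bot: The two comment lines kept as context above the new `return` still describe "the singleCertificate option which will trigger the creation of v0.3 DSSE bundles", but the new line no longer passes that option and this commit removes it from the sign package, so the comment is stale on the new side. Suggest replacing it with `// Build the bundle with the default options, which now produce a v0.3 DSSE bundle (single certificate in the verification material)`. The enclosing `initBundleBuilder` starts outside the hunk.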
5 changes: 4 additions & 1 deletion packages/client/src/config.ts
@@ -93,7 +93,10 @@ export function createBundleBuilder(
case 'messageSignature':
return new MessageSignatureBundleBuilder(bundlerOptions);
case 'dsseEnvelope':
return new DSSEBundleBuilder(bundlerOptions);
return new DSSEBundleBuilder({
...bundlerOptions,
certificateChain: true,
});
}
}
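Review bot: The literal `certificateChain: true` is placed after the spread, so it wins over anything in `bundlerOptions` and the client has no path to the v0.3 single-certificate form that the sign package now defaults to; whether `bundlerOptions` can carry that key is not visible here, but there is also no comment saying why this package stays on v0.2. If the pin is deliberate because downstream verifiers may only accept the `x509CertificateChain` material, state it: `// Pin the v0.2 (x509CertificateChain) representation: consumers may not yet verify v0.3 single-certificate bundles`. If callers are meant to be able to opt in, move the spread after the literal instead. `createBundleBuilder` starts outside the hunk.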

31 changes: 14 additions & 17 deletions packages/sign/src/__tests__/bundler/bundle.test.ts
@@ -84,7 +84,7 @@ describe('toDSSEBundle', () => {

expect(b).toBeTruthy();
expect(b.mediaType).toEqual(
'application/vnd.dev.sigstore.bundle+json;version=0.2'
'application/vnd.dev.sigstore.bundle.v0.3+json'
);

assert(b.content?.$case === 'dsseEnvelope');
@@ -120,7 +120,7 @@ describe('toDSSEBundle', () => {

expect(b).toBeTruthy();
expect(b.mediaType).toEqual(
'application/vnd.dev.sigstore.bundle+json;version=0.2'
'application/vnd.dev.sigstore.bundle.v0.3+json'
);

assert(b.content?.$case === 'dsseEnvelope');
@@ -152,7 +152,7 @@ describe('toDSSEBundle', () => {

expect(b).toBeTruthy();
expect(b.mediaType).toEqual(
'application/vnd.dev.sigstore.bundle+json;version=0.2'
'application/vnd.dev.sigstore.bundle.v0.3+json'
);

assert(b.content?.$case === 'dsseEnvelope');
@@ -164,18 +164,14 @@ describe('toDSSEBundle', () => {
expect(b.content.dsseEnvelope.signatures[0].keyid).toEqual('');

expect(b.verificationMaterial).toBeTruthy();
assert(b.verificationMaterial.content?.$case === 'x509CertificateChain');
expect(
b.verificationMaterial.content?.x509CertificateChain.certificates
).toHaveLength(1);
expect(
b.verificationMaterial.content?.x509CertificateChain.certificates[0]
.rawBytes
).toEqual(pem.toDER(certificate));
assert(b.verificationMaterial.content?.$case === 'certificate');
expect(b.verificationMaterial.content?.certificate.rawBytes).toEqual(
pem.toDER(certificate)
);
});
});

describe('when the single-certificate representation is requested', () => {
describe('when the certificate chain representation is requested', () => {
const signature = {
key: {
$case: 'x509Certificate',
@@ -189,7 +185,7 @@ describe('toDSSEBundle', () => {

expect(b).toBeTruthy();
expect(b.mediaType).toEqual(
'application/vnd.dev.sigstore.bundle.v0.3+json'
'application/vnd.dev.sigstore.bundle+json;version=0.2'
);

assert(b.content?.$case === 'dsseEnvelope');
@@ -201,10 +197,11 @@ describe('toDSSEBundle', () => {
expect(b.content.dsseEnvelope.signatures[0].keyid).toEqual('');

expect(b.verificationMaterial).toBeTruthy();
assert(b.verificationMaterial.content?.$case === 'certificate');
expect(b.verificationMaterial.content?.certificate.rawBytes).toEqual(
pem.toDER(certificate)
);
assert(b.verificationMaterial.content?.$case === 'x509CertificateChain');
expect(
b.verificationMaterial.content?.x509CertificateChain.certificates[0]
.rawBytes
).toEqual(pem.toDER(certificate));
});
});
});
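Review bot: The new certificate-chain assertions in the last hunk check only `certificates[0].rawBytes` and drop the `toHaveLength(1)` check that the old default-case test carried, so a chain with extra certificates would now pass unnoticed. Suggest restoring it just before the element check: `expect(b.verificationMaterial.content?.x509CertificateChain.certificates).toHaveLength(1);`. The remaining hunks in this file only swap the expected media types and describe titles to match the new default.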
10 changes: 5 additions & 5 deletions packages/sign/src/__tests__/bundler/dsse.test.ts
@@ -65,7 +65,7 @@ describe('DSSEBundleBuilder', () => {

expect(b).toBeTruthy();
expect(b.mediaType).toEqual(
'application/vnd.dev.sigstore.bundle+json;version=0.2'
'application/vnd.dev.sigstore.bundle.v0.3+json'
);

expect(b.content.dsseEnvelope).toBeTruthy();
@@ -106,7 +106,7 @@ describe('DSSEBundleBuilder', () => {

expect(b).toBeTruthy();
expect(b.mediaType).toEqual(
'application/vnd.dev.sigstore.bundle+json;version=0.2'
'application/vnd.dev.sigstore.bundle.v0.3+json'
);

expect(b.content.dsseEnvelope).toBeTruthy();
@@ -129,11 +129,11 @@ describe('DSSEBundleBuilder', () => {
});
});

describe('when a single-certificate bundle is requested', () => {
describe('when a certificate chain bundle is requested', () => {
const subject = new DSSEBundleBuilder({
signer: signer,
witnesses: [],
singleCertificate: true,
certificateChain: true,
});
const artifact = {
data: Buffer.from('artifact'),
@@ -152,7 +152,7 @@ describe('DSSEBundleBuilder', () => {

expect(b).toBeTruthy();
expect(b.mediaType).toEqual(
'application/vnd.dev.sigstore.bundle.v0.3+json'
'application/vnd.dev.sigstore.bundle+json;version=0.2'
);

expect(b.content.dsseEnvelope).toBeTruthy();
8 changes: 2 additions & 6 deletions packages/sign/src/__tests__/integration.test.ts
@@ -81,12 +81,8 @@ describe('artifact signing', () => {
expect(bundle.content.dsseEnvelope.payload).toBe(data);
expect(bundle.content.dsseEnvelope.signatures).toHaveLength(1);

assert(
bundle.verificationMaterial.content.$case === 'x509CertificateChain'
);
expect(
bundle.verificationMaterial.content.x509CertificateChain.certificates
).toHaveLength(1);
assert(bundle.verificationMaterial.content.$case === 'certificate');
expect(bundle.verificationMaterial.content.certificate).toBeDefined();

expect(bundle.verificationMaterial.tlogEntries).toHaveLength(1);
expect(bundle.verificationMaterial.tlogEntries[0].kindVersion.kind).toBe(
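Review bot: `expect(bundle.verificationMaterial.content.certificate).toBeDefined()` is already implied by the `assert` on `$case === 'certificate'` on the line above, so the replacement is weaker than the chain-length check it removes. Asserting something about the content keeps the coverage, e.g. `expect(bundle.verificationMaterial.content.certificate.rawBytes.length).toBeGreaterThan(0);` (assuming `rawBytes` is a Buffer as bundle.test.ts treats it), or comparing `rawBytes` to the certificate the test signer issued if it is in scope. The enclosing test case starts outside the hunk.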
4 changes: 2 additions & 2 deletions packages/sign/src/bundler/bundle.ts
@@ -45,7 +45,7 @@ export function toMessageSignatureBundle(
export function toDSSEBundle(
artifact: Required<Artifact>,
signature: Signature,
singleCertificate?: boolean
certificateChain?: boolean
): sigstore.BundleWithDsseEnvelope {
return sigstore.toDSSEBundle({
artifact: artifact.data,
@@ -57,6 +57,6 @@ export function toDSSEBundle(
: undefined,
keyHint:
signature.key.$case === 'publicKey' ? signature.key.hint : undefined,
certificateChain: singleCertificate ? false : true,
certificateChain,
});
}
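Review bot: `toDSSEBundle` now forwards `certificateChain` to `sigstore.toDSSEBundle` as `boolean | undefined`, whereas the old code always passed a definite boolean; whether the underlying builder treats `undefined` as `false` is not visible here, so `certificateChain: certificateChain ?? false,` would preserve the previous contract explicitly. The parameter also has no documentation while its meaning is the inverse of the old `singleCertificate`: a TSDoc `@param certificateChain when true, emit a v0.2 bundle whose verification material is an x509CertificateChain; when false or omitted, a v0.3 bundle carrying a single certificate` on the function would help. The first hunk begins at the signature and the function body continues between the two hunks.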
8 changes: 4 additions & 4 deletions packages/sign/src/bundler/dsse.ts
@@ -24,15 +24,15 @@ type DSSEBundleBuilderOptions = BundleBuilderOptions & {
// When set to true, the bundle verification material will use the
// certificate field instead of the x509CertificateChain field.
// When undefied/false, a v0.2 bundle will be created.
singleCertificate?: boolean;
certificateChain?: boolean;
};

// BundleBuilder implementation for DSSE wrapped attestations
export class DSSEBundleBuilder extends BaseBundleBuilder<BundleWithDsseEnvelope> {
private singleCertificate?: boolean;
private certificateChain?: boolean;
constructor(options: DSSEBundleBuilderOptions) {
super(options);
this.singleCertificate = options.singleCertificate ?? false;
this.certificateChain = options.certificateChain ?? false;
}

// DSSE requires the artifact to be pre-encoded with the payload type
@@ -50,7 +50,7 @@ export class DSSEBundleBuilder extends BaseBundleBuilder<BundleWithDsseEnvelope>
return toDSSEBundle(
artifactDefaults(artifact),
signature,
this.singleCertificate
this.certificateChain
);
}
}
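Review bot: The option comment above `certificateChain?: boolean` is left over from `singleCertificate` and now states the opposite of what the renamed flag does — with `certificateChain` it is `true` that selects the `x509CertificateChain` field and a v0.2 bundle, while `undefined`/`false` (the default, via the `?? false` in the constructor) selects the `certificate` field and a v0.3 bundle. Suggest replacing the three comment lines with `// When true, the verification material uses the x509CertificateChain field and a v0.2 bundle is produced; when undefined/false (the default) the certificate field is used and a v0.3 bundle is produced.`, which also fixes the `undefied` typo. Since the constructor always assigns a boolean, the field could be `private readonly certificateChain: boolean;`. The class body continues outside the hunks.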

