From d7b528e9734c444dadc1e8d2d42540f0dd6c1351 Mon Sep 17 00:00:00 2001
From: Brian DeHamer
Date: Tue, 17 Dec 2024 09:01:56 -0800
Subject: [PATCH] bump sigstore-conformance from 0.0.13 to 0.0.14 (#1335)

Signed-off-by: Brian DeHamer
---
 .changeset/twenty-tables-search.md | 5 +
 .github/workflows/conformance.yml | 4 +-
 package-lock.json | 1 -
 packages/conformance/package.json | 1 -
 packages/conformance/src/commands/sign.ts | 75 -------------
 packages/conformance/src/commands/verify.ts | 110 --------------------
 packages/conformance/tsconfig.json | 1 -
 7 files changed, 7 insertions(+), 190 deletions(-)
 create mode 100644 .changeset/twenty-tables-search.md
 delete mode 100644 packages/conformance/src/commands/sign.ts
 delete mode 100644 packages/conformance/src/commands/verify.ts

diff --git a/.changeset/twenty-tables-search.md b/.changeset/twenty-tables-search.md
new file mode 100644
index 00000000..18265a64
--- /dev/null
+++ b/.changeset/twenty-tables-search.md
@@ -0,0 +1,5 @@
+---
+'@sigstore/conformance': minor
+---
+
+Remove `sign` and `verify` commands from conformance CLI
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
index 4d8bf414..9ccc084a 100644
--- a/.github/workflows/conformance.yml
+++ b/.github/workflows/conformance.yml
@@ -26,7 +26,7 @@ jobs:
 run: npm ci
 - name: Build sigstore-js
 run: npm run build
- - uses: sigstore/sigstore-conformance@6bd1c54e236c9517da56f7344ad16cc00439fe19 # v0.0.13
+ - uses: sigstore/sigstore-conformance@b0635d4101f11dbd18a50936568a1f7f55b17760 # v0.0.14
 with:
 entrypoint: ${{ github.workspace }}/packages/conformance/bin/run
@@ -45,7 +45,7 @@ jobs:
 run: npm ci
 - name: Build sigstore-js
 run: npm run build
- - uses: sigstore/sigstore-conformance@6bd1c54e236c9517da56f7344ad16cc00439fe19 # v0.0.13
+ - uses: sigstore/sigstore-conformance@b0635d4101f11dbd18a50936568a1f7f55b17760 # v0.0.14
 with:
 entrypoint: ${{ github.workspace }}/packages/conformance/bin/run
 environment: staging
diff --git a/package-lock.json b/package-lock.json
index 65c21bfe..da66d543 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -13247,7 +13247,6 @@
 "dependencies": {
 "@oclif/core": "^4",
 "@sigstore/bundle": "^3.0.0",
- "@sigstore/core": "^2.0.0",
 "@sigstore/protobuf-specs": "^0.3.2",
 "@sigstore/tuf": "^3.0.0",
 "@sigstore/verify": "^2.0.0",
diff --git a/packages/conformance/package.json b/packages/conformance/package.json
index c8012327..095e6e97 100644
--- a/packages/conformance/package.json
+++ b/packages/conformance/package.json
@@ -19,7 +19,6 @@
 "dependencies": {
 "@oclif/core": "^4",
 "@sigstore/bundle": "^3.0.0",
- "@sigstore/core": "^2.0.0",
 "@sigstore/protobuf-specs": "^0.3.2",
 "@sigstore/tuf": "^3.0.0",
 "@sigstore/verify": "^2.0.0",
diff --git a/packages/conformance/src/commands/sign.ts b/packages/conformance/src/commands/sign.ts
deleted file mode 100644
index cb537ee2..00000000
--- a/packages/conformance/src/commands/sign.ts
+++ /dev/null
@@ -1,75 +0,0 @@
-import { Args, Command, Flags } from '@oclif/core';
-import fs from 'fs/promises';
-import * as sigstore from 'sigstore';
-import { FULCIO_STAGING_URL, REKOR_STAGING_URL } from '../staging';
-
-export default class Sign extends Command {
- static override flags = {
- 'identity-token': Flags.string({
- description: 'OIDC identity token',
- required: true,
- }),
- signature: Flags.string({
- description: 'path to which the signature will be written',
- required: true,
- }),
- certificate: Flags.string({
- description: 'path to which the certificate will be written',
- required: true,
- }),
- staging: Flags.boolean({
- description: 'whether to use the staging environment',
- default: false,
- }),
- };
-
- static override args = {
- artifact: Args.file({
- description: 'artifact to sign',
- required: true,
- exists: true,
- }),
- };
-
- public async run(): Promise {
- const { args, flags } = await this.parse(Sign);
-
- const options: Parameters[1] = {
- identityToken: flags['identity-token'],
- };
-
- if (flags['staging']) {
- options.fulcioURL = FULCIO_STAGING_URL;
- options.rekorURL = REKOR_STAGING_URL;
- }
-
- const artifact = await fs.readFile(args.artifact);
- const bundle = await sigstore.sign(artifact, options);
-
- if (bundle.messageSignature?.signature) {
- const signature = bundle.messageSignature.signature;
- await fs.writeFile(flags['signature'], signature);
- } else {
- this.error('No signature found');
- }
-
- if (bundle.verificationMaterial.x509CertificateChain?.certificates) {
- const certBytes =
- bundle.verificationMaterial.x509CertificateChain.certificates[0]
- .rawBytes;
- const pem = toPEM(certBytes);
- await fs.writeFile(flags['certificate'], pem);
- } else {
- this.error('No certificate found');
- }
- }
-}
-
-function toPEM(der: string): string {
- // Split the certificate into lines of 64 characters.
- const lines = der.match(/.{1,64}/g) || '';
-
- return [`-----BEGIN CERTIFICATE-----`, ...lines, `-----END CERTIFICATE-----`]
- .join('\n')
- .concat('\n');
-}
diff --git a/packages/conformance/src/commands/verify.ts b/packages/conformance/src/commands/verify.ts
deleted file mode 100644
index bea29e22..00000000
--- a/packages/conformance/src/commands/verify.ts
+++ /dev/null
@@ -1,110 +0,0 @@
-import { Args, Command, Flags } from '@oclif/core';
-import { Bundle, bundleFromJSON } from '@sigstore/bundle';
-import { crypto, pem } from '@sigstore/core';
-import { toSignedEntity, Verifier } from '@sigstore/verify';
-import fs from 'fs/promises';
-import { trustMaterialFromPath, trustMaterialFromTUF } from '../trust';
-
-export default class Verify extends Command {
- static override flags = {
- signature: Flags.string({
- description: 'path to the signature to verify',
- required: true,
- }),
- certificate: Flags.string({
- description: 'path to signing certificate to verify',
- required: true,
- }),
- 'certificate-identity': Flags.string({
- description:
- 'The expected identity in the signing ceritifcate SAN extension',
- required: true,
- }),
- 'certificate-oidc-issuer': Flags.string({
- description: 'the expected OIDC issuer for the signing certificate',
- required: true,
- }),
- 'trusted-root': Flags.string({
- description: 'path to trusted root',
- required: false,
- }),
- staging: Flags.boolean({
- description: 'whether to use the staging environment',
- default: false,
- }),
- };
-
- static override args = {
- file: Args.file({
- description: 'artifact to verify',
- required: true,
- exists: true,
- }),
- };
-
- public async run(): Promise {
- const { args, flags } = await this.parse(Verify);
-
- const trustedRootPath = flags['trusted-root'];
- const trustMaterial = trustedRootPath
- ? await trustMaterialFromPath(trustedRootPath)
- : await trustMaterialFromTUF(flags['staging']);
-
- const verifier = new Verifier(trustMaterial, {
- tlogThreshold: 0,
- tsaThreshold: 0,
- });
-
- // Read the artifact, certificate, and signature and assemble them into a
- // Sigstore bundle
- const artifact = await fs.readFile(args.file);
- const certificate = await fs
- .readFile(flags.certificate)
- .then((data) => data.toString());
- const signature = await fs
- .readFile(flags.signature)
- .then((data) => data.toString());
-
- const bundle = toBundle(artifact, certificate, signature);
- const signedEntity = toSignedEntity(bundle, artifact);
-
- const policy = {
- subjectAlternativeName: flags['certificate-identity'],
- extensions: { issuer: flags['certificate-oidc-issuer'] },
- };
-
- verifier.verify(signedEntity, policy);
- }
-}
-
-// Construct a Sigstore bundle from the loose artifact, certificate, and
-// signature
-function toBundle(
- artifact: Buffer,
- certificate: string,
- signature: string
-): Bundle {
- const artifactDigest = crypto.digest('sha256', artifact);
- const certBytes = pem.toDER(certificate);
-
- return bundleFromJSON({
- mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json',
- verificationMaterial: {
- certificate: {
- rawBytes: certBytes.toString('base64'),
- },
- publicKey: undefined,
- x509CertificateChain: undefined,
- tlogEntries: [],
- timestampVerificationData: undefined,
- },
- dsseEnvelope: undefined,
- messageSignature: {
- messageDigest: {
- algorithm: 'SHA2_256',
- digest: artifactDigest.toString('base64'),
- },
- signature,
- },
- });
-}
diff --git a/packages/conformance/tsconfig.json b/packages/conformance/tsconfig.json
index 9b2b9358..ef31d563 100644
--- a/packages/conformance/tsconfig.json
+++ b/packages/conformance/tsconfig.json
@@ -9,7 +9,6 @@
 "references": [
 { "path": "../bundle" },
 { "path": "../client" },
- { "path": "../core" },
 { "path": "../tuf" },
 { "path": "../verify" }
 ]