diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
index c2a8c724..eb994d15 100644
--- a/.github/workflows/conformance.yml
+++ b/.github/workflows/conformance.yml
@@ -35,7 +35,7 @@ jobs:
 - name: Unpack sigstore-java distribution
 run: tar -xvf ${{ github.workspace }}/sigstore-cli/build/distributions/sigstore-cli-*.tar --strip-components 1
- - uses: sigstore/sigstore-conformance@6bd1c54e236c9517da56f7344ad16cc00439fe19 # v0.0.13
+ - uses: sigstore/sigstore-conformance@b0635d4101f11dbd18a50936568a1f7f55b17760 # v0.0.14
 with:
 entrypoint: ${{ github.workspace }}/bin/sigstore-cli
 environment: ${{ matrix.sigstore-env }}
diff --git a/sigstore-cli/src/main/java/dev/sigstore/cli/Sign.java b/sigstore-cli/src/main/java/dev/sigstore/cli/Sign.java
index c518dd62..c91198ee 100644
--- a/sigstore-cli/src/main/java/dev/sigstore/cli/Sign.java
+++ b/sigstore-cli/src/main/java/dev/sigstore/cli/Sign.java
@@ -41,8 +41,11 @@ public class Sign implements Callable {
 @Parameters(arity = "1", paramLabel = "", description = "artifact to sign")
 Path artifact;
- @ArgGroup(multiplicity = "1", exclusive = true)
- SignatureFiles signatureFiles;
+ @Option(
+ names = {"--bundle"},
+ description = "path to bundle file",
+ required = true)
+ Path bundleFile;
 @ArgGroup(multiplicity = "0..1", exclusive = true)
 Verify.Target target;
@@ -113,15 +116,7 @@ public Integer call() throws Exception {
 }
 var signer = signerBuilder.build();
 var bundle = signer.signFile(artifact);
- if (signatureFiles.sigAndCert != null) {
- Files.write(
- signatureFiles.sigAndCert.signatureFile,
- Base64.getEncoder().encode(bundle.getMessageSignature().get().getSignature()));
- Files.write(
- signatureFiles.sigAndCert.certificateFile, Certificates.toPemBytes(bundle.getCertPath()));
- } else {
- Files.write(signatureFiles.bundleFile, bundle.toJson().getBytes(StandardCharsets.UTF_8));
- }
+ Files.write(bundleFile, bundle.toJson().getBytes(StandardCharsets.UTF_8));
 return 0;
 }
 }
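Review bot: The new `--bundle` option on Sign names an output path, but its description `"path to bundle file"` is the same wording Verify uses for its input, so `sign --help` does not tell the user that the file is written to (and, per the later hunk, truncated if it already exists). I would make the direction explicit: `description = "path to write the signed bundle (JSON); an existing file is overwritten"`. The enclosing class starts and ends outside the hunk.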
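Review bot: `Files.write(bundleFile, bundle.toJson().getBytes(StandardCharsets.UTF_8))` runs with the default open options (CREATE, TRUNCATE_EXISTING), so a mistyped `--bundle` path silently clobbers whatever file is there, including an earlier bundle the user may still need to verify against. The removed branch behaved the same way, but now that the bundle is the only signing output it is worth choosing deliberately: either refuse to overwrite with `Files.write(bundleFile, bytes, StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE)` behind a `--force` escape hatch, or keep the overwrite and say so in the option description. `call()` begins outside the hunk.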
diff --git a/sigstore-cli/src/main/java/dev/sigstore/cli/SignatureFiles.java b/sigstore-cli/src/main/java/dev/sigstore/cli/SignatureFiles.java
deleted file mode 100644
index 939c7d84..00000000
--- a/sigstore-cli/src/main/java/dev/sigstore/cli/SignatureFiles.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright 2023 The Sigstore Authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package dev.sigstore.cli;
-
-import java.nio.file.Path;
-import picocli.CommandLine.ArgGroup;
-import picocli.CommandLine.Option;
-
-public class SignatureFiles {
-
- @ArgGroup(multiplicity = "1", exclusive = false)
- SigAndCert sigAndCert;
-
- public static class SigAndCert {
- @Option(
- names = {"--signature"},
- description = "path to signature file",
- required = true)
- Path signatureFile;
-
- @Option(
- names = {"--certificate"},
- description = "path to certificate file",
- required = true)
- Path certificateFile;
- }
-
- @Option(
- names = {"--bundle"},
- description = "path to bundle file",
- required = true)
- Path bundleFile;
-}
diff --git a/sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java b/sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java
index 7ce21bb7..d4768497 100644
--- a/sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java
+++ b/sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java
@@ -58,8 +58,11 @@ public class Verify implements Callable {
 description = "an artifact path or artifact hash (sha256:abc...) to verify")
 String artifact;
- @ArgGroup(multiplicity = "1", exclusive = true)
- SignatureFiles signatureFiles;
+ @Option(
+ names = {"--bundle"},
+ description = "path to bundle file",
+ required = true)
+ Path bundleFile;
 @ArgGroup(multiplicity = "0..1", exclusive = false)
 Policy policy;
@@ -119,29 +122,7 @@ public Integer call() throws Exception {
 ? Hex.decodeHex(artifact.substring(SHA256_PREFIX.length()))
 : asByteSource(Path.of(artifact).toFile()).hash(Hashing.sha256()).asBytes();
- Bundle bundle;
- if (signatureFiles.sigAndCert != null) {
- byte[] signature =
- Base64.getMimeDecoder()
- .decode(Files.readAllBytes(signatureFiles.sigAndCert.signatureFile));
- CertPath certPath =
- Certificates.fromPemChain(Files.readAllBytes(signatureFiles.sigAndCert.certificateFile));
- RekorEntryFetcher fetcher =
- target == null
- ? RekorEntryFetcher.sigstorePublicGood()
- : target.staging
- ? RekorEntryFetcher.sigstoreStaging()
- : RekorEntryFetcher.fromTrustedRoot(target.trustedRoot);
- bundle =
- ImmutableBundle.builder()
- .messageSignature(MessageSignature.of(HashAlgorithm.SHA2_256, digest, signature))
- .certPath(certPath)
- .addEntries(
- fetcher.getEntryFromRekor(digest, Certificates.getLeaf(certPath), signature))
- .build();
- } else {
- bundle = Bundle.from(signatureFiles.bundleFile, StandardCharsets.UTF_8);
- }
+ Bundle bundle = Bundle.from(bundleFile, StandardCharsets.UTF_8);
 var verificationOptionsBuilder = VerificationOptions.builder();
 if (policy != null) {
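Review bot: The description `"path to bundle file"` on Verify's `--bundle` does not say what format is expected or where such a file comes from; since Sign writes `bundle.toJson()` to its own `--bundle` and the second hunk reads it back with `Bundle.from(bundleFile, StandardCharsets.UTF_8)`, I would state that: `description = "path to the JSON bundle to verify (as written by sign --bundle)"`. Sign.java now declares a textually identical `@Option`, so a small picocli `@Mixin` carrying the shared name with a per-command description would keep the two from drifting, though that is optional. The enclosing class starts and ends outside the hunk.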
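Review bot: `Bundle bundle = Bundle.from(bundleFile, StandardCharsets.UTF_8)` loads what is now the sole verification input, and that file is attacker-controlled: its embedded message digest, certificate chain and tlog entries are only as trustworthy as the checks applied to them later, outside this hunk. The removed branch bound the artifact digest to a log entry fetched for `(digest, leaf cert, signature)` and built the `MessageSignature` from the locally computed `digest`; with the bundle path, make sure the `digest` computed on the two context lines above is what the verifier compares against, not the digest the bundle claims, and that the trust root selected by `target` (presumably still consumed downstream — worth confirming) is applied to the bundle's chain and inclusion proof. Separately, a missing or malformed `--bundle` now surfaces as an uncaught exception from `call()`; a `Files.isReadable(bundleFile)` check with a clear message before `Bundle.from` would give a friendlier failure. `call()` begins and ends outside the hunk.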