Skip to content

Commit

Permalink
add staging to conformance
Browse files Browse the repository at this point in the history
Signed-off-by: Appu Goundan <[email protected]>
  • Loading branch information
loosebazooka committed Apr 29, 2024
1 parent b5d777b commit 731c04f
Show file tree
Hide file tree
Showing 3 changed files with 39 additions and 8 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/conformance.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,14 @@ on:
branches:
- '**'
pull_request:
# TODO: add cron

jobs:
conformance:
strategy:
matrix:
java-version: [11, 17]
sigstore-env: [production, staging]
fail-fast: false

runs-on: ubuntu-latest
Expand All @@ -35,4 +37,5 @@ jobs:
- uses: sigstore/sigstore-conformance@ee4de0e602873beed74cf9e49d5332529fe69bf6 # v0.0.11
with:
entrypoint: ${{ github.workspace }}/bin/sigstore-cli
environment: ${{ matrix.sigstore-env }}
xfail: "test_verify_dsse_bundle_with_trust_root"
12 changes: 11 additions & 1 deletion sigstore-cli/src/main/java/dev/sigstore/cli/Sign.java
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,13 @@ public class Sign implements Callable<Integer> {
@ArgGroup(multiplicity = "1", exclusive = true)
SignatureFiles signatureFiles;

@Option(
names = {"--staging"},
description = "test against staging",
required = false,
defaultValue = "false")
Boolean staging;

@Option(
names = {"--identity-token"},
description = "the OIDC identity token to use",
Expand All @@ -49,7 +56,10 @@ public class Sign implements Callable<Integer> {

@Override
public Integer call() throws Exception {
var signerBuilder = KeylessSigner.builder().sigstorePublicDefaults();
var signerBuilder =
staging
? KeylessSigner.builder().sigstoreStagingDefaults()
: KeylessSigner.builder().sigstorePublicDefaults();
if (identityToken != null) {
// If we've explicitly provided an identity token, customize the signer to only use the token
// string OIDC client.
Expand Down
32 changes: 25 additions & 7 deletions sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java
Original file line number Diff line number Diff line change
Expand Up @@ -51,11 +51,27 @@ public class Verify implements Callable<Integer> {
@ArgGroup(multiplicity = "0..1", exclusive = false)
Policy policy;

@Option(
names = {"--trusted-root"},
description = "an alternative to the TUF managed sigstore public good trusted root",
required = false)
Path trustedRoot;
@ArgGroup(multiplicity = "0..1", exclusive = true)
Target target;

/**
* Chose one trusted root provider target, (staging or prod or custom trusted_root), default is
* prod.
*/
static class Target {
@Option(
names = {"--staging"},
description = "test against staging",
required = false,
defaultValue = "false")
Boolean staging;

@Option(
names = {"--trusted-root"},
description = "an alternative to the TUF managed sigstore public good trusted root",
required = false)
Path trustedRoot;
}

static class Policy {
@Option(
Expand Down Expand Up @@ -101,9 +117,11 @@ public Integer call() throws Exception {
var verificationOptions = verificationOptionsBuilder.alwaysUseRemoteRekorEntry(false).build();

var verifier =
(trustedRoot == null)
target == null
? new KeylessVerifier.Builder().sigstorePublicDefaults().build()
: new KeylessVerifier.Builder().fromTrustedRoot(trustedRoot).build();
: target.staging
? new KeylessVerifier.Builder().sigstoreStagingDefaults().build()
: new KeylessVerifier.Builder().fromTrustedRoot(target.trustedRoot).build();
verifier.verify(
artifact,
KeylessVerificationRequest.builder()
Expand Down

0 comments on commit 731c04f

Please sign in to comment.