requirements: sigstore ~3.0 (#140)

* requirements: sigstore ~3.0

Signed-off-by: William Woodruff <william@trailofbits.com>

* selftest: update filenames

Signed-off-by: William Woodruff <william@trailofbits.com>

* action: update another path

Signed-off-by: William Woodruff <william@trailofbits.com>

* action: remove deprecated settings

Signed-off-by: William Woodruff <william@trailofbits.com>

* README: remove old docs

Signed-off-by: William Woodruff <william@trailofbits.com>

---------

Signed-off-by: William Woodruff <william@trailofbits.com>

.github/workflows/selftest.yml

@@ -36,7 +36,7 @@ jobs:
       - name: Check outputs
         shell: bash
         run: |
-          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
+          [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
 
   selftest-whitespace:
     strategy:
@@ -65,7 +65,7 @@ jobs:
       - name: Check outputs
         shell: bash
         run: |
-          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
+          [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
           [[ -f ./test/white\ space.txt ]] || exit 1
           [[ -f ./test/more\ white\ space.txt ]] || exit 1
 
@@ -96,7 +96,7 @@ jobs:
       - name: Check outputs
         shell: bash
         run: |
-          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
+          [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
 
   selftest-xfail-invalid-inputs:
     runs-on: ubuntu-latest
@@ -140,7 +140,7 @@ jobs:
           internal-be-careful-debug: true
       - name: Check outputs
         run: |
-          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
+          [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
 
   selftest-glob:
     runs-on: ubuntu-latest
@@ -156,9 +156,9 @@ jobs:
           internal-be-careful-debug: true
       - name: Check outputs
         run: |
-          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
-          [[ -f ./test/artifact1.txt.sigstore ]] || exit 1
-          [[ -f ./test/artifact2.txt.sigstore ]] || exit 1
+          [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/artifact1.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/artifact2.txt.sigstore.json ]] || exit 1
 
   selftest-xfail-glob-input-expansion:
     runs-on: ubuntu-latest
@@ -200,14 +200,14 @@ jobs:
           internal-be-careful-debug: true
       - name: Check outputs
         run: |
-          [[ -f ./test/artifact.txt.sigstore ]] || exit 1
-          [[ -f ./test/artifact1.txt.sigstore ]] || exit 1
-          [[ -f ./test/artifact2.txt.sigstore ]] || exit 1
-          [[ -f ./test/another1.txt.sigstore ]] || exit 1
-          [[ -f ./test/another2.txt.sigstore ]] || exit 1
-          [[ -f ./test/subdir/hello1.txt.sigstore ]] || exit 1
-          [[ -f ./test/subdir/hello2.txt.sigstore ]] || exit 1
-          [[ -f ./test/subdir/hello3.txt.sigstore ]] || exit 1
+          [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/artifact1.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/artifact2.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/another1.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/another2.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/subdir/hello1.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/subdir/hello2.txt.sigstore.json ]] || exit 1
+          [[ -f ./test/subdir/hello3.txt.sigstore.json ]] || exit 1
 
   selftest-upload-artifacts:
     runs-on: ubuntu-latest
@@ -229,7 +229,7 @@ jobs:
       - name: Verify presence of uploaded files
         run: |
           [[ -f ./artifact.txt ]] || exit 1
-          [[ -f ./artifact.txt.sigstore ]] || exit 1
+          [[ -f ./artifact.txt.sigstore.json ]] || exit 1
         working-directory: ./test/uploaded
 
   selftest-custom-paths:

README.md

@@ -203,70 +203,6 @@ However, this example is invalid:
     certificate: custom-bundle.sigstore
 ```
 
-### `fulcio-url`
-
-**Default**: `https://fulcio.sigstore.dev`
-
-The `fulcio-url` setting controls the Fulcio instance to retrieve the ephemeral signing certificate
-from. This setting cannot be used in combination with the `staging` setting.
-
-Example:
-
-```yaml
-- uses: sigstore/gh-action-sigstore-python@v2.1.1
-  with:
-    inputs: file.txt
-    fulcio-url: https://fulcio.sigstage.dev
-```
-
-### `rekor-url`
-
-**Default**: `https://rekor.sigstore.dev`
-
-The `rekor-url` setting controls the Rekor instance to upload the file signature to. This setting
-cannot be used in combination with the `staging` setting.
-
-Example:
-
-```yaml
-- uses: sigstore/gh-action-sigstore-python@v2.1.1
-  with:
-    inputs: file.txt
-    rekor-url: https://rekor.sigstage.dev
-```
-
-### `ctfe`
-
-**Default**: `ctfe.pub` (the CTFE key embedded in `sigstore-python`)
-
-The `ctfe` setting is a path to a PEM-encoded public key for the CT log. This setting cannot be used
-in combination with the `staging` setting.
-
-Example:
-
-```yaml
-- uses: sigstore/gh-action-sigstore-python@v2.1.1
-  with:
-    inputs: file.txt
-    ctfe: ./path/to/ctfe.pub
-```
-
-### `rekor-root-pubkey`
-
-**Default**: `rekor.pub` (the Rekor key embedded in `sigstore-python`)
-
-The `rekor-root-pubkey` setting is a path to a PEM-encoded public key for Rekor. This setting cannot
-be used in combination with `staging` setting.
-
-Example:
-
-```yaml
-- uses: sigstore/gh-action-sigstore-python@v2.1.1
-  with:
-    inputs: file.txt
-    ctfe: ./path/to/rekor.pub
-```
-
 ### `staging`
 
 **Default**: `false`

action.py

@@ -164,22 +164,6 @@ def _fatal_help(msg):
     sigstore_verify_args.extend(["--bundle", bundle])
     signing_artifact_paths.append(bundle)
 
-fulcio_url = os.getenv("GHA_SIGSTORE_PYTHON_FULCIO_URL")
-if fulcio_url:
-    sigstore_sign_args.extend(["--fulcio-url", fulcio_url])
-
-rekor_url = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_URL")
-if rekor_url:
-    sigstore_global_args.extend(["--rekor-url", rekor_url])
-
-ctfe = os.getenv("GHA_SIGSTORE_PYTHON_CTFE")
-if ctfe:
-    sigstore_sign_args.extend(["--ctfe", ctfe])
-
-rekor_root_pubkey = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_ROOT_PUBKEY")
-if rekor_root_pubkey:
-    sigstore_global_args.extend(["--rekor-root-pubkey", rekor_root_pubkey])
-
 if os.getenv("GHA_SIGSTORE_PYTHON_STAGING", "false") != "false":
     sigstore_global_args.append("--staging")
 
@@ -229,7 +213,7 @@ def _fatal_help(msg):
         signing_artifact_paths.append(str(file_))
 
         if "--bundle" not in sigstore_sign_args:
-            signing_artifact_paths.append(f"{file_}.sigstore")
+            signing_artifact_paths.append(f"{file_}.sigstore.json")
 
     sigstore_sign_args.extend([str(f) for f in files])
     sigstore_verify_args.extend([str(f) for f in files])

action.yml

@@ -44,22 +44,6 @@ inputs:
     description: "write a single Sigstore bundle to the given file; does not work with multiple input files"
     required: false
     default: ""
-  fulcio-url:
-    description: "the Fulcio instance to use (conflicts with `staging`)"
-    required: false
-    default: ""
-  rekor-url:
-    description: "the Rekor instance to use (conflicts with `staging`)"
-    required: false
-    default: ""
-  ctfe:
-    description: "a PEM-encoded public key for the CT log (conflicts with `staging`)"
-    required: false
-    default: ""
-  rekor-root-pubkey:
-    description: "a PEM-encoded root public key for Rekor itself (conflicts with `staging`)"
-    required: false
-    default: ""
   staging:
     description: "use sigstore's staging instances, instead of the default production instances"
     required: false
@@ -119,10 +103,6 @@ runs:
         GHA_SIGSTORE_PYTHON_BUNDLE: "${{ inputs.bundle }}"
         GHA_SIGSTORE_PYTHON_OIDC_CLIENT_ID: "${{ inputs.oidc-client-id }}"
         GHA_SIGSTORE_PYTHON_OIDC_CLIENT_SECRET: "${{ inputs.oidc-client-secret }}"
-        GHA_SIGSTORE_PYTHON_FULCIO_URL: "${{ inputs.fulcio-url }}"
-        GHA_SIGSTORE_PYTHON_REKOR_URL: "${{ inputs.rekor-url }}"
-        GHA_SIGSTORE_PYTHON_CTFE: "${{ inputs.ctfe }}"
-        GHA_SIGSTORE_PYTHON_REKOR_ROOT_PUBKEY: "${{ inputs.rekor-root-pubkey }}"
         GHA_SIGSTORE_PYTHON_STAGING: "${{ inputs.staging }}"
         GHA_SIGSTORE_PYTHON_VERIFY: "${{ inputs.verify }}"
         GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY: "${{ inputs.verify-cert-identity }}"

requirements.txt

@@ -1,2 +1,2 @@
-sigstore ~= 2.1
+sigstore ~= 3.0
 requests ~= 2.28