diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml
index c511733..38b20ab 100644
--- a/.github/workflows/selftest.yml
+++ b/.github/workflows/selftest.yml
@@ -36,7 +36,7 @@ jobs:
- name: Check outputs
shell: bash
run: |
- [[ -f ./test/artifact.txt.sigstore ]] || exit 1
+ [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
selftest-whitespace:
strategy:
@@ -65,7 +65,7 @@ jobs:
- name: Check outputs
shell: bash
run: |
- [[ -f ./test/artifact.txt.sigstore ]] || exit 1
+ [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
[[ -f ./test/white\ space.txt ]] || exit 1
[[ -f ./test/more\ white\ space.txt ]] || exit 1
@@ -96,7 +96,7 @@ jobs:
- name: Check outputs
shell: bash
run: |
- [[ -f ./test/artifact.txt.sigstore ]] || exit 1
+ [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
selftest-xfail-invalid-inputs:
runs-on: ubuntu-latest
@@ -140,7 +140,7 @@ jobs:
internal-be-careful-debug: true
- name: Check outputs
run: |
- [[ -f ./test/artifact.txt.sigstore ]] || exit 1
+ [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
selftest-glob:
runs-on: ubuntu-latest
@@ -156,9 +156,9 @@ jobs:
internal-be-careful-debug: true
- name: Check outputs
run: |
- [[ -f ./test/artifact.txt.sigstore ]] || exit 1
- [[ -f ./test/artifact1.txt.sigstore ]] || exit 1
- [[ -f ./test/artifact2.txt.sigstore ]] || exit 1
+ [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
+ [[ -f ./test/artifact1.txt.sigstore.json ]] || exit 1
+ [[ -f ./test/artifact2.txt.sigstore.json ]] || exit 1
selftest-xfail-glob-input-expansion:
runs-on: ubuntu-latest
@@ -200,14 +200,14 @@ jobs:
internal-be-careful-debug: true
- name: Check outputs
run: |
- [[ -f ./test/artifact.txt.sigstore ]] || exit 1
- [[ -f ./test/artifact1.txt.sigstore ]] || exit 1
- [[ -f ./test/artifact2.txt.sigstore ]] || exit 1
- [[ -f ./test/another1.txt.sigstore ]] || exit 1
- [[ -f ./test/another2.txt.sigstore ]] || exit 1
- [[ -f ./test/subdir/hello1.txt.sigstore ]] || exit 1
- [[ -f ./test/subdir/hello2.txt.sigstore ]] || exit 1
- [[ -f ./test/subdir/hello3.txt.sigstore ]] || exit 1
+ [[ -f ./test/artifact.txt.sigstore.json ]] || exit 1
+ [[ -f ./test/artifact1.txt.sigstore.json ]] || exit 1
+ [[ -f ./test/artifact2.txt.sigstore.json ]] || exit 1
+ [[ -f ./test/another1.txt.sigstore.json ]] || exit 1
+ [[ -f ./test/another2.txt.sigstore.json ]] || exit 1
+ [[ -f ./test/subdir/hello1.txt.sigstore.json ]] || exit 1
+ [[ -f ./test/subdir/hello2.txt.sigstore.json ]] || exit 1
+ [[ -f ./test/subdir/hello3.txt.sigstore.json ]] || exit 1
selftest-upload-artifacts:
runs-on: ubuntu-latest
@@ -229,7 +229,7 @@ jobs:
- name: Verify presence of uploaded files
run: |
[[ -f ./artifact.txt ]] || exit 1
- [[ -f ./artifact.txt.sigstore ]] || exit 1
+ [[ -f ./artifact.txt.sigstore.json ]] || exit 1
working-directory: ./test/uploaded
selftest-custom-paths:
diff --git a/README.md b/README.md
index 1639198..9910109 100644
--- a/README.md
+++ b/README.md
@@ -203,70 +203,6 @@ However, this example is invalid:
certificate: custom-bundle.sigstore
```
-### `fulcio-url`
-
-**Default**: `https://fulcio.sigstore.dev`
-
-The `fulcio-url` setting controls the Fulcio instance to retrieve the ephemeral signing certificate
-from. This setting cannot be used in combination with the `staging` setting.
-
-Example:
-
-```yaml
-- uses: sigstore/gh-action-sigstore-python@v2.1.1
- with:
- inputs: file.txt
- fulcio-url: https://fulcio.sigstage.dev
-```
-
-### `rekor-url`
-
-**Default**: `https://rekor.sigstore.dev`
-
-The `rekor-url` setting controls the Rekor instance to upload the file signature to. This setting
-cannot be used in combination with the `staging` setting.
-
-Example:
-
-```yaml
-- uses: sigstore/gh-action-sigstore-python@v2.1.1
- with:
- inputs: file.txt
- rekor-url: https://rekor.sigstage.dev
-```
-
-### `ctfe`
-
-**Default**: `ctfe.pub` (the CTFE key embedded in `sigstore-python`)
-
-The `ctfe` setting is a path to a PEM-encoded public key for the CT log. This setting cannot be used
-in combination with the `staging` setting.
-
-Example:
-
-```yaml
-- uses: sigstore/gh-action-sigstore-python@v2.1.1
- with:
- inputs: file.txt
- ctfe: ./path/to/ctfe.pub
-```
-
-### `rekor-root-pubkey`
-
-**Default**: `rekor.pub` (the Rekor key embedded in `sigstore-python`)
-
-The `rekor-root-pubkey` setting is a path to a PEM-encoded public key for Rekor. This setting cannot
-be used in combination with `staging` setting.
-
-Example:
-
-```yaml
-- uses: sigstore/gh-action-sigstore-python@v2.1.1
- with:
- inputs: file.txt
- ctfe: ./path/to/rekor.pub
-```
-
### `staging`
**Default**: `false`
diff --git a/action.py b/action.py
index 0e7ec00..09e961f 100755
--- a/action.py
+++ b/action.py
@@ -164,22 +164,6 @@ def _fatal_help(msg):
sigstore_verify_args.extend(["--bundle", bundle])
signing_artifact_paths.append(bundle)
-fulcio_url = os.getenv("GHA_SIGSTORE_PYTHON_FULCIO_URL")
-if fulcio_url:
- sigstore_sign_args.extend(["--fulcio-url", fulcio_url])
-
-rekor_url = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_URL")
-if rekor_url:
- sigstore_global_args.extend(["--rekor-url", rekor_url])
-
-ctfe = os.getenv("GHA_SIGSTORE_PYTHON_CTFE")
-if ctfe:
- sigstore_sign_args.extend(["--ctfe", ctfe])
-
-rekor_root_pubkey = os.getenv("GHA_SIGSTORE_PYTHON_REKOR_ROOT_PUBKEY")
-if rekor_root_pubkey:
- sigstore_global_args.extend(["--rekor-root-pubkey", rekor_root_pubkey])
-
if os.getenv("GHA_SIGSTORE_PYTHON_STAGING", "false") != "false":
sigstore_global_args.append("--staging")
@@ -229,7 +213,7 @@ def _fatal_help(msg):
signing_artifact_paths.append(str(file_))
if "--bundle" not in sigstore_sign_args:
- signing_artifact_paths.append(f"{file_}.sigstore")
+ signing_artifact_paths.append(f"{file_}.sigstore.json")
sigstore_sign_args.extend([str(f) for f in files])
sigstore_verify_args.extend([str(f) for f in files])
diff --git a/action.yml b/action.yml
index efa157b..7dc3faa 100644
--- a/action.yml
+++ b/action.yml
@@ -44,22 +44,6 @@ inputs:
description: "write a single Sigstore bundle to the given file; does not work with multiple input files"
required: false
default: ""
- fulcio-url:
- description: "the Fulcio instance to use (conflicts with `staging`)"
- required: false
- default: ""
- rekor-url:
- description: "the Rekor instance to use (conflicts with `staging`)"
- required: false
- default: ""
- ctfe:
- description: "a PEM-encoded public key for the CT log (conflicts with `staging`)"
- required: false
- default: ""
- rekor-root-pubkey:
- description: "a PEM-encoded root public key for Rekor itself (conflicts with `staging`)"
- required: false
- default: ""
staging:
description: "use sigstore's staging instances, instead of the default production instances"
required: false
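Review bot: A workflow that still passes `fulcio-url:`, `rekor-url:`, `ctfe:` or `rekor-root-pubkey:` will now sign against, and log to, the production Sigstore instances instead of the ones it configured, because the first action.py hunk drops the only code that read those values and GitHub merely warns about unexpected action inputs rather than failing the step. That is a silent downgrade of where the signature is published and which Rekor/CT keys are trusted, which is worse than the loud break a removed feature should produce. I'd keep the four `GHA_SIGSTORE_PYTHON_*` env mappings in action.yml (that hunk is further down) and reject them here before the `--staging` check with `if any(os.getenv(v) for v in ("GHA_SIGSTORE_PYTHON_FULCIO_URL", "GHA_SIGSTORE_PYTHON_REKOR_URL", "GHA_SIGSTORE_PYTHON_CTFE", "GHA_SIGSTORE_PYTHON_REKOR_ROOT_PUBKEY")):` followed by `_fatal_help("the fulcio-url, rekor-url, ctfe and rekor-root-pubkey inputs are no longer supported by this action")`, and call the removal out as a breaking change in the README hunk. `_fatal_help` and the module-level argument assembly begin outside this hunk, and I am inferring from its name that the helper exits non-zero.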
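Review bot: The `.sigstore.json` literal in `signing_artifact_paths.append(f"{file_}.sigstore.json")` in the second action.py hunk presumably mirrors the default bundle filename written by the sigstore CLI now pinned at `~= 3.0`, and the selftest.yml hunks carry the same literal, but nothing at this line records that coupling, so a later CLI bump can leave `signing_artifact_paths` naming a file that is never produced. I'd add above the append `# Must match the default bundle filename the pinned sigstore CLI writes next to each input; keep in sync with requirements.txt and the selftest expectations.` and, ideally, hoist the suffix into one module-level constant so there is a single place to update. The loop over `files` that encloses this line starts outside the hunk.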
@@ -119,10 +103,6 @@ runs:
GHA_SIGSTORE_PYTHON_BUNDLE: "${{ inputs.bundle }}"
GHA_SIGSTORE_PYTHON_OIDC_CLIENT_ID: "${{ inputs.oidc-client-id }}"
GHA_SIGSTORE_PYTHON_OIDC_CLIENT_SECRET: "${{ inputs.oidc-client-secret }}"
- GHA_SIGSTORE_PYTHON_FULCIO_URL: "${{ inputs.fulcio-url }}"
- GHA_SIGSTORE_PYTHON_REKOR_URL: "${{ inputs.rekor-url }}"
- GHA_SIGSTORE_PYTHON_CTFE: "${{ inputs.ctfe }}"
- GHA_SIGSTORE_PYTHON_REKOR_ROOT_PUBKEY: "${{ inputs.rekor-root-pubkey }}"
GHA_SIGSTORE_PYTHON_STAGING: "${{ inputs.staging }}"
GHA_SIGSTORE_PYTHON_VERIFY: "${{ inputs.verify }}"
GHA_SIGSTORE_PYTHON_VERIFY_CERT_IDENTITY: "${{ inputs.verify-cert-identity }}"
diff --git a/requirements.txt b/requirements.txt
index 393b58b..5ecd303 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,2 @@
-sigstore ~= 2.1
+sigstore ~= 3.0
requests ~= 2.28