cli: search for {input}.sigstore.json by default (#820)

sigstore · Dec 7, 2023 · 02565a3 · 02565a3
1 parent 3e45958
commit 02565a3
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 4 deletions.
diff --git a/.gitignore b/.gitignore
@@ -17,6 +17,7 @@ build
 *.pub
 *.rekor
 *.sigstore
+*.sigstore.json
 
 # Don't ignore these files when we intend to include them
 !sigstore/_store/*.crt

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,13 @@ All versions prior to 0.9.0 are untracked.
 
 ## [Unreleased]
 
+### Added
+
+* CLI: `sigstore verify`'s subcommands now discover `{input}.sigstore.json`
+  by default, in addition to the previous `{input}.sigstore`. The former now
+  takes precedence over the latter, and supplying both results in an error
+  ([#820](https://github.com/sigstore/sigstore-python/pull/820))
+
 ## [2.0.1]
 
 ### Fixed

diff --git a/pyproject.toml b/pyproject.toml
@@ -58,7 +58,7 @@ lint = [
   "mypy ~= 1.1",
   # NOTE(ww): ruff is under active development, so we pin conservatively here
   # and let Dependabot periodically perform this update.
-  "ruff < 0.1.7",
+  "ruff < 0.1.8",
   "types-requests",
   # TODO(ww): Re-enable once dependency on types-cryptography is dropped.
   # See: https://github.com/python/typeshed/issues/8699

diff --git a/sigstore/_cli.py b/sigstore/_cli.py
@@ -195,7 +195,7 @@ def _add_shared_verification_options(group: argparse._ArgumentGroup) -> None:
 
 
 def _add_shared_oidc_options(
-    group: Union[argparse._ArgumentGroup, argparse.ArgumentParser]
+    group: Union[argparse._ArgumentGroup, argparse.ArgumentParser],
 ) -> None:
     """
     Common OIDC options, shared between `sigstore sign` and `sigstore get-identity-token`.
@@ -766,7 +766,26 @@ def _collect_verification_state(
         if cert is None:
             cert = file.parent / f"{file.name}.crt"
         if bundle is None:
-            bundle = file.parent / f"{file.name}.sigstore"
+            # NOTE(ww): If the user hasn't specified a bundle via `--bundle` and
+            # `{input}.sigstore.json` doesn't exist, then we try `{input}.sigstore`
+            # for backwards compatibility.
+            legacy_default_bundle = file.parent / f"{file.name}.sigstore"
+            bundle = file.parent / f"{file.name}.sigstore.json"
+
+            if not bundle.is_file() and legacy_default_bundle.is_file():
+                logger.warning(
+                    f"{file}: {legacy_default_bundle} should be named {bundle}. "
+                    "Support for discovering 'bare' .sigstore inputs will be deprecated in "
+                    "a future release."
+                )
+                bundle = legacy_default_bundle
+            elif bundle.is_file() and legacy_default_bundle.is_file():
+                # Don't allow the user to implicitly verify `{input}.sigstore.json` if
+                # `{input}.sigstore` is also present, since this implies user confusion.
+                _die(
+                    args,
+                    f"Conflicting inputs: {bundle} and {legacy_default_bundle}",
+                )
 
         missing = []
         if args.signature or args.certificate:
@@ -778,9 +797,10 @@ def _collect_verification_state(
         else:
             # If a user hasn't explicitly supplied `--signature`, `--certificate` or
             # `--rekor-bundle`, we expect a bundle either supplied via `--bundle` or with the
-            # default `{input}.sigstore` name.
+            # default `{input}.sigstore(.json)?` name.
             if not bundle.is_file():
                 missing.append(str(bundle))
+
             input_map[file] = {"bundle": bundle}
 
         if missing: