CLI: sigstore verify github #381

Merged
merged 16 commits into from
Jan 9, 2023
Changes from 6 commits
10 changes: 10 additions & 0 deletions Makefile
@@ -127,6 +127,16 @@ check-readme:
$(MAKE) -s run ARGS="verify identity --help" \
)

# sigstore verify github --help
@diff \
<( \
awk '/@begin-sigstore-verify-github-help@/{f=1;next} /@end-sigstore-verify-github-help@/{f=0} f' \
< README.md | sed '1d;$$d' \
) \
<( \
$(MAKE) -s run ARGS="verify github --help" \
)


.PHONY: edit
edit:
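Review bot: the new block from `# sigstore verify github --help` down to `$(MAKE) -s run ARGS="verify github --help"` is a verbatim copy of the `verify identity` block above it with only the marker name and `ARGS` changed; consider factoring the awk/sed/diff pipeline into a `define` template parameterized by subcommand (or a `$(foreach)` over `identity github`) so the two checks cannot drift if a marker is renamed in one place but not the other. The `sed '1d;$$d'` escaping is correct for make (the shell sees `1d;$d`) and strips the opening and closing fence lines before the diff, as in the existing check.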
101 changes: 82 additions & 19 deletions README.md
@@ -153,7 +153,7 @@ Sigstore instance options:

### Verifying

#### Identities
#### Generic identities

This is the most common verification done with `sigstore`, and therefore
the one you probably want: you can use it to verify that a signature was
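Review bot: renaming `#### Identities` to `#### Generic identities` changes the heading's auto-generated anchor from `#identities` to `#generic-identities`; grep the README and any docs that link into it for the old anchor before merging so no in-page link goes dead.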
@@ -163,17 +163,13 @@ to by a particular OIDC provider (like `https://github.com/login/oauth`).
<!-- @begin-sigstore-verify-identity-help@ -->
```
usage: sigstore verify identity [-h] [--certificate FILE] [--signature FILE]
[--rekor-bundle FILE]
[--rekor-bundle FILE] --cert-identity IDENTITY
[--require-rekor-offline] --cert-oidc-issuer
URL [--staging] [--rekor-url URL]
[--rekor-root-pubkey FILE]
[--certificate-chain FILE]
[--cert-email EMAIL] --cert-identity IDENTITY
--cert-oidc-issuer URL
[--require-rekor-offline] [--staging]
[--rekor-url URL] [--rekor-root-pubkey FILE]
FILE [FILE ...]

positional arguments:
FILE The file to verify

optional arguments:
-h, --help show this help message and exit

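Review bot: the rewritten `verify identity` synopsis no longer lists `[--cert-email EMAIL]`, and because `make check-readme` diffs this block against the live `--help` output, that only passes if the deprecated flag is really gone from the parser; if so, record the removal in the CHANGELOG so users still passing `--cert-email` get a documented migration to `--cert-identity`. Moving `--cert-identity IDENTITY` and `--cert-oidc-issuer URL` up next to the input options reads well, since those are the two required arguments.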
@@ -185,23 +181,18 @@ Verification inputs:
multiple inputs (default: None)
--rekor-bundle FILE The offline Rekor bundle to verify with; not used with
multiple inputs (default: None)
FILE The file to verify

Extended verification options:
--certificate-chain FILE
Path to a list of CA certificates in PEM format which
will be needed when building the certificate chain for
the signing certificate (default: None)
--cert-email EMAIL Deprecated; causes an error. Use --cert-identity
instead (default: None)
Verification options:
--cert-identity IDENTITY
The identity to check for in the certificate's Subject
Alternative Name (default: None)
--cert-oidc-issuer URL
The OIDC issuer URL to check for in the certificate's
OIDC issuer extension (default: None)
--require-rekor-offline
Require offline Rekor verification with a bundle;
implied by --rekor-bundle (default: False)
--cert-oidc-issuer URL
The OIDC issuer URL to check for in the certificate's
OIDC issuer extension (default: None)

Sigstore instance options:
--staging Use sigstore's staging instances, instead of the
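Review bot: this hunk drops the `--cert-email EMAIL` entry whose help text said the flag "causes an error" on purpose; if the flag is removed from the parser entirely, a user who still passes it now gets argparse's generic `unrecognized arguments` error instead of the pointer to `--cert-identity`, so confirm which behaviour is intended and that a CLI test covers it. Moving the positional `FILE The file to verify` into `Verification inputs:` and renaming `Extended verification options:` to `Verification options:` are clear improvements.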
@@ -211,13 +202,85 @@ Sigstore instance options:
--rekor-root-pubkey FILE
A PEM-encoded root public key for Rekor itself
(conflicts with --staging) (default: None)
--certificate-chain FILE
Path to a list of CA certificates in PEM format which
will be needed when building the certificate chain for
the Fulcio signing certificate (default: None)
```
<!-- @end-sigstore-verify-identity-help@ -->

For backwards compatibility, `sigstore verify [args ...]` is equivalent to
`sigstore verify identity [args ...]`, but the latter form is **strongly**
preferred.

#### Signatures from GitHub Actions

If your signatures are coming from GitHub Actions (e.g., a workflow
that uses its [ambient credentials](#signing-with-ambient-credentials)),
then you can use the `sigstore verify github` subcommand to verify
claims more precisely than `sigstore verify identity` allows:

<!-- @begin-sigstore-verify-github-help@ -->
```
usage: sigstore verify github [-h] [--certificate FILE] [--signature FILE]
[--rekor-bundle FILE] --cert-identity IDENTITY
[--require-rekor-offline]
[--workflow-trigger EVENT] [--workflow-sha SHA]
[--workflow-name NAME]
[--workflow-repository REPO]
[--workflow-ref REF] [--staging]
[--rekor-url URL] [--rekor-root-pubkey FILE]
[--certificate-chain FILE]
FILE [FILE ...]

optional arguments:
-h, --help show this help message and exit

Verification inputs:
--certificate FILE, --cert FILE
The PEM-encoded certificate to verify against; not
used with multiple inputs (default: None)
--signature FILE The signature to verify against; not used with
multiple inputs (default: None)
--rekor-bundle FILE The offline Rekor bundle to verify with; not used with
multiple inputs (default: None)
FILE The file to verify

Verification options:
--cert-identity IDENTITY
The identity to check for in the certificate's Subject
Alternative Name (default: None)
--require-rekor-offline
Require offline Rekor verification with a bundle;
implied by --rekor-bundle (default: False)
--workflow-trigger EVENT
The GitHub Actions event name that triggered the
workflow (default: None)
--workflow-sha SHA The `git` commit SHA that the workflow run was invoked
with (default: None)
--workflow-name NAME The name of the workflow that was triggered (default:
None)
--workflow-repository REPO
The repository slug that the workflow was triggered
under (default: None)
--workflow-ref REF The `git` ref that the workflow was invoked with
(default: None)

Sigstore instance options:
--staging Use sigstore's staging instances, instead of the
default production instances (default: False)
--rekor-url URL The Rekor instance to use (conflicts with --staging)
(default: https://rekor.sigstore.dev)
--rekor-root-pubkey FILE
A PEM-encoded root public key for Rekor itself
(conflicts with --staging) (default: None)
--certificate-chain FILE
Path to a list of CA certificates in PEM format which
will be needed when building the certificate chain for
the Fulcio signing certificate (default: None)
```
<!-- @end-sigstore-verify-github-help@ -->

## Example uses

`sigstore` supports a wide variety of workflows and usages. Some common ones are
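Review bot: the `sigstore verify github` help shows every `--workflow-*` option defaulting to `None`, and the synopsis has no `--cert-oidc-issuer`, so the sentence "verify claims more precisely than `sigstore verify identity` allows" should state two things explicitly: which OIDC issuer the subcommand pins internally (presumably the GitHub Actions token issuer, since the user cannot supply one), and that any `--workflow-*` claim left unset is simply not checked, so `verify github` with only `--cert-identity` is no stricter than `verify identity`. A one-line invocation setting `--workflow-repository` and `--workflow-ref` alongside `--cert-identity` would show the intended use. Also note that `--certificate-chain` now sits under `Sigstore instance options:` with "Fulcio signing certificate" wording, which fits its role but is a regrouping that anyone scripting against the old `Extended verification options:` header may not expect.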