
sigstore: extract LogEntry conversions to their own functions #992

Conversation

facutuesca
Contributor

This moves the logic that converts between rekor_v1.TransparencyLogEntry and sigstore.models.LogEntry to their own separate functions:

    @classmethod
    def _from_dict_rekor(cls, dict_: dict[str, Any]) -> LogEntry:
    ...

    def _to_dict_rekor(self, is_message_signature: bool) -> dict[str, Any]:
    ...

The motivation for having these available is PEP 740, which defines an attestation format for PyPI artifacts. This PEP doesn't define a specific transparency log entry format, rather it leaves the choice to the implementation. In practice, it makes sense to use the exact same structure as a rekor_v1.TransparencyLogEntry for these entries. Using a different structure is not necessary and would introduce another format conversion to keep track of.

This means that at some point, in order to verify artifacts using the PEP 740 attestation format, we will have to convert it (back) to a Sigstore bundle. The only API to construct a Bundle other than Bundle.from_json is Bundle.from_parts:

    def from_parts(cls, cert: Certificate, sig: bytes, log_entry: LogEntry) -> Bundle:

But since it requires an already constructed LogEntry, it can't be used unless you already have one.

The new methods would allow a user of sigstore-python to create a LogEntry from an existing rekor_v1.TransparencyLogEntry without exposing the actual type, just a dict[str, Any]. This would look something like:

    def pypi_to_sigstore(pypi_attestation: Attestation) -> Bundle:
        ....
        tlog_entry = pypi_attestation.verification_material.transparency_entries[0]

        return Bundle.from_parts(..., log_entry = LogEntry._from_dict_rekor(pypi_attestation....))

cc @woodruffw

Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
@woodruffw woodruffw self-requested a review April 29, 2024 21:45
@woodruffw woodruffw added the enhancement New feature or request label Apr 29, 2024
@woodruffw
Member

Thanks @facutuesca! Could you add a round-trip test for these? Something simple where we ensure that entry == from_dict(to_dict(entry)) works would be perfect 🙂

@woodruffw
Member

(Test failures are OK; expected as part of ongoing flakiness from staging.)

Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
@facutuesca
Contributor Author

> Thanks @facutuesca! Could you add a round-trip test for these? Something simple where we ensure that entry == from_dict(to_dict(entry)) works would be perfect 🙂

done!
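To make the shape of the conversions and the requested round-trip check concrete, here is an added example that is not sigstore-python's code: a deliberately simplified `LogEntry` model with `_from_dict_rekor` / `_to_dict_rekor`, a constructed sample entry, and the `entry == from_dict(to_dict(entry))` check. It assumes the JSON field names of `rekor_v1.TransparencyLogEntry` (`logIndex`, `logId.keyId`, `kindVersion`, `integratedTime`, `inclusionPromise.signedEntryTimestamp`, `inclusionProof.{logIndex,rootHash,treeSize,hashes,checkpoint.envelope}`, `canonicalizedBody`), that protobuf's JSON mapping writes int64 fields as decimal strings and bytes fields as base64, and that the `is_message_signature` flag from the PR's signature selects the `hashedrekord` vs `dsse` entry kind. The model stores hashes as hex, so the base64/hex re-encoding is exactly the kind of step a round-trip test is meant to catch.

```python
# Added example: simplified, hypothetical LogEntry model with rekor_v1-style dict
# conversions and a round-trip check. Not sigstore-python's own implementation.
from __future__ import annotations

import base64
from dataclasses import dataclass
from typing import Any


def _b64_to_hex(s: str) -> str:
    return base64.b64decode(s).hex()


def _hex_to_b64(h: str) -> str:
    return base64.b64encode(bytes.fromhex(h)).decode()


@dataclass(frozen=True)
class InclusionProof:
    log_index: int
    root_hash: str           # hex-encoded Merkle tree root
    tree_size: int
    hashes: tuple[str, ...]  # hex-encoded sibling hashes, leaf to root
    checkpoint: str          # signed checkpoint envelope (opaque here)


@dataclass(frozen=True)
class LogEntry:
    log_index: int
    log_id: str                    # hex-encoded log key ID
    integrated_time: int
    body: str                      # base64-encoded canonicalized body
    inclusion_promise: str | None  # base64-encoded SET, optional
    inclusion_proof: InclusionProof

    @classmethod
    def _from_dict_rekor(cls, dict_: dict[str, Any]) -> LogEntry:
        proof = dict_.get("inclusionProof")
        if proof is None:
            # Nothing to verify against the log without a proof: reject early.
            raise ValueError("transparency log entry has no inclusionProof")
        promise = dict_.get("inclusionPromise")
        return cls(
            log_index=int(dict_["logIndex"]),  # int64 arrives as a string
            log_id=_b64_to_hex(dict_["logId"]["keyId"]),
            integrated_time=int(dict_["integratedTime"]),
            body=dict_["canonicalizedBody"],
            inclusion_promise=promise["signedEntryTimestamp"] if promise else None,
            inclusion_proof=InclusionProof(
                log_index=int(proof["logIndex"]),
                root_hash=_b64_to_hex(proof["rootHash"]),
                tree_size=int(proof["treeSize"]),
                hashes=tuple(_b64_to_hex(h) for h in proof["hashes"]),
                checkpoint=proof["checkpoint"]["envelope"],
            ),
        )

    def _to_dict_rekor(self, is_message_signature: bool) -> dict[str, Any]:
        proof = self.inclusion_proof
        dict_: dict[str, Any] = {
            "logIndex": str(self.log_index),
            "logId": {"keyId": _hex_to_b64(self.log_id)},
            # Assumption: the flag picks the Rekor entry kind (the model itself
            # does not retain kindVersion, which is why the flag is needed).
            "kindVersion": {
                "kind": "hashedrekord" if is_message_signature else "dsse",
                "version": "0.0.1",
            },
            "integratedTime": str(self.integrated_time),
            "inclusionProof": {
                "logIndex": str(proof.log_index),
                "rootHash": _hex_to_b64(proof.root_hash),
                "treeSize": str(proof.tree_size),
                "hashes": [_hex_to_b64(h) for h in proof.hashes],
                "checkpoint": {"envelope": proof.checkpoint},
            },
            "canonicalizedBody": self.body,
        }
        if self.inclusion_promise is not None:
            dict_["inclusionPromise"] = {"signedEntryTimestamp": self.inclusion_promise}
        return dict_


# Constructed sample entry; the values are placeholders, not a real Rekor record.
SAMPLE_REKOR_ENTRY: dict[str, Any] = {
    "logIndex": "12345",
    "logId": {"keyId": base64.b64encode(b"\x01" * 32).decode()},
    "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"},
    "integratedTime": "1714000000",
    "inclusionPromise": {"signedEntryTimestamp": base64.b64encode(b"constructed-SET").decode()},
    "inclusionProof": {
        "logIndex": "12345",
        "rootHash": base64.b64encode(b"\x02" * 32).decode(),
        "treeSize": "20000",
        "hashes": [base64.b64encode(bytes([i]) * 32).decode() for i in range(3)],
        "checkpoint": {"envelope": "constructed checkpoint envelope\n"},
    },
    "canonicalizedBody": base64.b64encode(b'{"kind":"hashedrekord"}').decode(),
}


def round_trips(entry: LogEntry, is_message_signature: bool = True) -> bool:
    """The check asked for in review: entry == from_dict(to_dict(entry))."""
    return entry == LogEntry._from_dict_rekor(entry._to_dict_rekor(is_message_signature))


if __name__ == "__main__":
    e = LogEntry._from_dict_rekor(SAMPLE_REKOR_ENTRY)
    print("round-trip ok:", round_trips(e), round_trips(e, is_message_signature=False))
```

Two things worth noting when writing the real test. First, equality is checked at the model level, so fields the model does not keep (here `kindVersion`) are not covered by the round trip; a dict-level comparison `to_dict(from_dict(d)) == d` closes that gap and is only possible when the kind flag is passed consistently. Second, an entry that lacks the inclusion proof is rejected in `_from_dict_rekor` rather than silently producing a model that can never be verified; for PEP 740 attestations that is the case to exercise deliberately.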

Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
Co-authored-by: William Woodruff <william@yossarian.net>
Signed-off-by: Facundo Tuesca <facu@tuesca.com>
Co-authored-by: William Woodruff <william@yossarian.net>
Signed-off-by: Facundo Tuesca <facu@tuesca.com>
@woodruffw woodruffw left a comment
Member

LGTM, thanks @facutuesca!

@woodruffw woodruffw marked this pull request as ready for review April 30, 2024 14:57
@woodruffw woodruffw merged commit 7583a78 into sigstore:ww/refactor-modules Apr 30, 2024
22 checks passed
@woodruffw woodruffw deleted the logentry-tlog-conversion-api branch April 30, 2024 15:02