sigstore: extract LogEntry conversions to their own functions #992
Conversation
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
Thanks @facutuesca! Could you add a round-trip test for these? Something simple where we ensure that
(Test failures are OK; expected as part of ongoing flakiness from staging.)
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
done!
Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
Co-authored-by: William Woodruff <william@yossarian.net> Signed-off-by: Facundo Tuesca <facu@tuesca.com>
LGTM, thanks @facutuesca!
This moves the logic that converts between `rekor_v1.TransparencyLogEntry` and `sigstore.models.LogEntry` to their own separate functions:

The motivation for having these available is PEP 740, which defines an attestation format for PyPI artifacts. This PEP doesn't define a specific transparency log entry format, rather it leaves the choice to the implementation. In practice, it makes sense to use the exact same structure as a `rekor_v1.TransparencyLogEntry` for these entries. Using a different structure is not necessary and would introduce another format conversion to keep track of.

This means that at some point, in order to verify artifacts using the PEP 740 attestation format, we will have to convert it (back) to a Sigstore bundle. The only API to construct a `Bundle` other than `Bundle.from_json` is `Bundle.from_parts`:

But since it requires an already constructed `LogEntry`, it can't be used unless you already have one.

The new methods would allow a user of `sigstore-python` to create a `LogEntry` from an existing `rekor_v1.TransparencyLogEntry` without exposing the actual type, just a `dict[str, Any]`. This would look something like:

cc @woodruffw
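A round-trip check of the kind the review asked for, written as an added example that is not sigstore-python's code and not the functions this PR adds: `LogEntryLike`, `InclusionProofLike`, `from_rekor_dict` and `to_rekor_dict` are hypothetical stand-ins for the conversion functions, the dict field names follow the protobuf JSON mapping of `rekor_v1.TransparencyLogEntry` (`logIndex`, `logId.keyId`, `integratedTime`, `inclusionPromise.signedEntryTimestamp`, `inclusionProof`, `canonicalizedBody`), and every value in the sample entry is constructed. The point it shows is that a plain `dict[str, Any]` is the only thing crossing the boundary, that int64 fields come back as strings after serialization, so the check must compare parsed objects rather than the raw input dict, and that an entry missing required fields is rejected rather than silently producing a partial object.

```python
# Added example (hypothetical stand-ins, not sigstore-python's LogEntry API):
# a LogEntry-like dataclass converted to and from the dict form of a Rekor
# TransparencyLogEntry, plus the round-trip check a reviewer would ask for.
from __future__ import annotations

import base64
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class InclusionProofLike:
    log_index: int
    root_hash: str
    tree_size: int
    hashes: list[str]
    checkpoint: str


@dataclass(frozen=True)
class LogEntryLike:
    """Hypothetical stand-in for sigstore.models.LogEntry (assumed field names)."""

    log_id: str
    log_index: int
    integrated_time: int
    body: str  # base64-encoded canonicalized body, kept as the log returns it
    inclusion_promise: str | None  # SET is optional when an inclusion proof exists
    inclusion_proof: InclusionProofLike

    @classmethod
    def from_rekor_dict(cls, d: dict[str, Any]) -> "LogEntryLike":
        """Build from the protobuf-JSON dict form of a rekor_v1.TransparencyLogEntry.

        Only a dict crosses this boundary, so callers never handle the protobuf type.
        Missing required fields are an error, not a partially filled entry.
        """
        required = {"logIndex", "logId", "integratedTime", "canonicalizedBody", "inclusionProof"}
        missing = required - set(d)
        if missing:
            raise ValueError(f"rekor entry is missing required fields: {sorted(missing)}")
        proof = d["inclusionProof"]
        promise = d.get("inclusionPromise")
        return cls(
            log_id=d["logId"]["keyId"],
            log_index=int(d["logIndex"]),  # protobuf JSON may carry int64 as a string
            integrated_time=int(d["integratedTime"]),
            body=d["canonicalizedBody"],
            inclusion_promise=promise["signedEntryTimestamp"] if promise else None,
            inclusion_proof=InclusionProofLike(
                log_index=int(proof["logIndex"]),
                root_hash=proof["rootHash"],
                tree_size=int(proof["treeSize"]),
                hashes=list(proof["hashes"]),
                checkpoint=proof["checkpoint"]["envelope"],
            ),
        )

    def to_rekor_dict(self) -> dict[str, Any]:
        """Inverse of from_rekor_dict; int64 fields are emitted as strings, as protobuf JSON does."""
        out: dict[str, Any] = {
            "logIndex": str(self.log_index),
            "logId": {"keyId": self.log_id},
            "integratedTime": str(self.integrated_time),
            "canonicalizedBody": self.body,
            "inclusionProof": {
                "logIndex": str(self.inclusion_proof.log_index),
                "rootHash": self.inclusion_proof.root_hash,
                "treeSize": str(self.inclusion_proof.tree_size),
                "hashes": list(self.inclusion_proof.hashes),
                "checkpoint": {"envelope": self.inclusion_proof.checkpoint},
            },
        }
        if self.inclusion_promise is not None:
            out["inclusionPromise"] = {"signedEntryTimestamp": self.inclusion_promise}
        return out


# Constructed sample entry: placeholder values in the protobuf JSON field layout.
# kindVersion is deliberately present but not carried by the stand-in, so the
# re-serialized dict is not byte-identical to this input (see round_trips below).
SAMPLE_REKOR_DICT: dict[str, Any] = {
    "logIndex": 1234,
    "logId": {"keyId": "placeholder-log-key-id"},
    "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"},
    "integratedTime": 1700000000,
    "inclusionPromise": {"signedEntryTimestamp": "placeholder-set-base64"},
    "inclusionProof": {
        "logIndex": 1234,
        "rootHash": "ab" * 32,
        "treeSize": 5000,
        "hashes": ["01" * 32, "02" * 32],
        "checkpoint": {"envelope": "log.example - 1\n5000\nplaceholder-root\n"},
    },
    "canonicalizedBody": base64.b64encode(b'{"apiVersion":"0.0.1","kind":"hashedrekord"}').decode(),
}


def round_trips(d: dict[str, Any]) -> bool:
    """Round-trip check: dict -> entry -> dict -> entry must reach a fixed point.

    Compared on the parsed objects and on the second serialization, not on the
    raw input, because the input may use ints where the output uses strings.
    """
    entry = LogEntryLike.from_rekor_dict(d)
    again = LogEntryLike.from_rekor_dict(entry.to_rekor_dict())
    return entry == again and again.to_rekor_dict() == entry.to_rekor_dict()


def rejects_incomplete(d: dict[str, Any]) -> bool:
    """True when a dict lacking required fields is refused with ValueError."""
    try:
        LogEntryLike.from_rekor_dict(d)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("round trip stable:", round_trips(SAMPLE_REKOR_DICT))
    print("incomplete rejected:", rejects_incomplete({"logIndex": "1"}))
```

The check is run on both the full sample and a copy without `inclusionPromise`, since a proof-only entry is a legitimate shape and the optional field is where a naive converter usually breaks the round trip.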