Commit
Implement Sigstore signing and verification of models (#276)
* Add a `from_str` method to `manifest.Shard`.

  The `ShardedFileManifestItem` objects (items in `ShardLevelManifest`) are recorded as a single string in the in-toto payloads used for signing. The canonicalization to string is done by appending the file (relative) path, the start offset and the end offset, separated by `:`. When validating a signature and rebuilding a manifest, we need to parse a string back to a shard. Rather than replicating this in all places, we create a member function for the conversion.

  Also adds the relevant tests.

  Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Ensure all in-toto statements have names for subjects

  Although names in in-toto are optional, for sigstore-python they are mandatory. So, we set the name to "." when we don't have another option.

  Updated goldens to reflect the change.

  Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Add `SigstoreSignature` for storing Sigstore signatures

  Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Sign models with Sigstore, generate Sigstore bundles

  Supports both signing models serialized to digests (a la `serialize_v0`/`serialize_v1`) and models serialized to manifests. Supports both signing digests directly and signing in-toto manifest.

  There is a need to convert from in-toto's in-toto types to the ones expected by sigstore-python, but this additional step will be removed in the future.

  Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Verify sigstore bundles

  Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

---------

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
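The `path:start:end` canonical form and its parsing, as described in the first bullet of the commit message, shown as an added Python example that is not the project's own code. The class and function names (`Shard`, `from_str`, `rebuild_shards`, `is_valid_shard_str`) are this example's own, and the strict checks on the path and offsets are an assumption added here: on the verification side the manifest is rebuilt from subject names inside a signed statement, so a malformed name must be rejected rather than silently turned into a shard.

```python
import dataclasses
import pathlib


@dataclasses.dataclass(frozen=True)
class Shard:
    """One shard of a model file: a relative path plus a byte range [start, end)."""

    path: pathlib.PurePosixPath
    start: int
    end: int

    def __str__(self) -> str:
        # Canonical form recorded as the in-toto subject name: path:start:end
        return f"{self.path.as_posix()}:{self.start}:{self.end}"

    @classmethod
    def from_str(cls, value: str) -> "Shard":
        # Split from the right so a ':' inside the path (assumption: tolerated
        # here) cannot shift the two numeric fields.
        parts = value.rsplit(":", 2)
        if len(parts) != 3 or not parts[0]:
            raise ValueError(f"malformed shard string: {value!r}")
        path_str, start_str, end_str = parts
        # isdecimal() rejects signs, whitespace and '_' that int() would accept.
        if not (start_str.isdecimal() and end_str.isdecimal()):
            raise ValueError(f"offsets must be non-negative integers: {value!r}")
        start, end = int(start_str), int(end_str)
        if start > end:
            raise ValueError(f"inverted byte range: {value!r}")
        path = pathlib.PurePosixPath(path_str)
        # Shard paths are relative to the model root; refuse escapes (assumption).
        if path.is_absolute() or ".." in path.parts:
            raise ValueError(f"shard path must stay inside the model: {value!r}")
        return cls(path, start, end)


def is_valid_shard_str(value: str) -> bool:
    """True if `value` parses as a shard, False otherwise (no exception)."""
    try:
        Shard.from_str(value)
    except ValueError:
        return False
    return True


def rebuild_shards(subject_names: list[str]) -> list[Shard]:
    """Verification side: turn every in-toto subject name back into a Shard."""
    return [Shard.from_str(name) for name in subject_names]
```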