
remove Verifier param from verify() API #62

Merged (10 commits), Oct 22, 2024

Conversation

@woodruffw (Member) commented Oct 11, 2024

WIP; See #55 (comment) for motivating context.

This removes a foreign type by instead constructing the Verifier under the hood within verify().

Key changes:

  • Attestation.verify() now constructs the verifier internally, based on the staging kwarg.
  • Attestation.verify() can now take Publishers, which are converted into their appropriate policies under the hood. Policies can also still be passed in directly.
  • Publisher variants now have _as_policy(), which is a private API for the publisher to verification policy transform.

This will hopefully make things easier for downstream users, particularly people who are pulling provenance objects from PyPI via PEP 740 and trying to verify them (but are getting stuck on the transforms between the "PEP 740" and "Sigstore" views).

This removes a foreign type by instead constructing
the Verifier under the hood within verify().

Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw woodruffw mentioned this pull request Oct 11, 2024
WIP.

Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw woodruffw marked this pull request as ready for review October 11, 2024 10:57
@woodruffw woodruffw requested a review from facutuesca October 11, 2024 10:58
@woodruffw woodruffw self-assigned this Oct 11, 2024
Review thread on test/test_impl.py (resolved)
Review thread on src/pypi_attestations/_impl.py (outdated, resolved)
Co-authored-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
@woodruffw woodruffw requested a review from facutuesca October 21, 2024 20:59
@facutuesca (Collaborator) left a comment

LGTM! I only left a naming suggestion/question.

policies: list[VerificationPolicy] = [
    policy.OIDCIssuerV2("https://token.actions.githubusercontent.com"),
    policy.OIDCSourceRepositoryURI(f"https://github.com/{self.repository}"),
    _GitHubTrustedPublisherPolicy(self.repository, self.workflow),
@facutuesca (Collaborator) commented:

nit: the name _GitHubTrustedPublisherPolicy suggests that it's, by itself, the full policy for GitHub. Maybe we could rename it to something like _GitHubBuildConfigURIPolicy?

Or alternatively, make _GitHubTrustedPublisherPolicy return the full AllOf(OIDCIssuer,OIDCSourceRep,...) policy?

@woodruffw (Member, Author) replied:

Ah yeah, good idea -- I'll make it contain the AllOf internally.
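An added, self-contained model of the shape described in the PR summary and settled in this thread, not code from pypi-attestations or sigstore-python: a publisher's `_as_policy()` returns the complete `AllOf` policy (issuer, source repository and build-config URI together), and `verify()` accepts either a publisher or a bare policy. `ClaimCheck`, the claim names, the dict-based claims and the `example-org/example-project` values are assumptions standing in for the library's certificate-backed policies; `AllOf` reports the first failing sub-policy.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Protocol
class VerificationPolicy(Protocol):
    def verify(self, claims: dict[str, str]) -> str | None: ...

@dataclass(frozen=True)
class ClaimCheck:
    # Require one certificate claim to equal `expected` (or start with it when prefix=True).
    claim: str
    expected: str
    prefix: bool = False
    def verify(self, claims: dict[str, str]) -> str | None:
        actual = claims.get(self.claim, "")
        ok = actual.startswith(self.expected) if self.prefix else actual == self.expected
        return None if ok else f"{self.claim}: expected {self.expected!r}, got {actual!r}"

@dataclass(frozen=True)
class AllOf:
    policies: tuple[VerificationPolicy, ...]
    def verify(self, claims: dict[str, str]) -> str | None:
        for policy in self.policies:
            if (err := policy.verify(claims)) is not None:
                return err
        return None

@dataclass(frozen=True)
class GitHubPublisher:
    # Hypothetical publisher; _as_policy() yields the *complete* AllOf policy.
    repository: str  # "owner/repo"
    workflow: str    # workflow filename, e.g. "release.yml"
    def _as_policy(self) -> VerificationPolicy:
        repo_url = f"https://github.com/{self.repository}"
        return AllOf((
            ClaimCheck("issuer", "https://token.actions.githubusercontent.com"),
            ClaimCheck("source_repository_uri", repo_url),
            # Pin the workflow file but let the trailing "@<ref>" vary between releases.
            ClaimCheck("build_config_uri", f"{repo_url}/.github/workflows/{self.workflow}@", prefix=True),
        ))

def verify(claims: dict[str, str], identity: GitHubPublisher | VerificationPolicy) -> str | None:
    # Mirrors the PR's verify(): a Publisher is converted to its policy; a policy is used as-is.
    policy = identity._as_policy() if isinstance(identity, GitHubPublisher) else identity
    return policy.verify(claims)

GOOD_CLAIMS = {  # constructed sample claims, not data from a real signing certificate
    "issuer": "https://token.actions.githubusercontent.com",
    "source_repository_uri": "https://github.com/example-org/example-project",
    "build_config_uri": "https://github.com/example-org/example-project/.github/workflows/release.yml@refs/tags/v1.0.0",
}
```

A `None` result means every sub-policy passed; a wrong repository or workflow fails on that one claim even though the issuer check still passes, which is why the combined `AllOf` belongs inside the publisher rather than being assembled by each caller.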

@woodruffw woodruffw merged commit b172958 into main Oct 22, 2024
5 checks passed
@woodruffw woodruffw deleted the ww/rm-verifier-param branch October 22, 2024 12:58