signer: fix imports in sigstore signer

The sigstore library is an optional and circular dependency in securesystemslib. Importing it in the methods, where it is needed, allows importing the module from within sigstore (circular import), or if sigstore is not installed. This commit wraps the local scope imports in try/except to fail gracefully if the methods are called w/o sigstore available, and locally disables the related linter warning. The commit also disables a linter import warning in the related test, which requires sigstore. Alternatively, we could install sigstore in the lint job, which does not seem worth the cycles, just for one method call. Signed-off-by: Lukas Puehringer <[email protected]>
secure-systems-lab · Mar 7, 2023 · ba73dc9 · ba73dc9
1 parent 10ac123
commit ba73dc9
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 5 deletions.
diff --git a/securesystemslib/signer/_sigstore_signer.py b/securesystemslib/signer/_sigstore_signer.py
@@ -41,6 +41,7 @@
 from typing import Any, Dict, Optional
 
 from securesystemslib.exceptions import (
+    UnsupportedLibraryError,
     UnverifiedSignatureError,
     VerificationError,
 )
@@ -51,6 +52,8 @@
     Signer,
 )
 
+IMPORT_ERROR = "sigstore library required to use 'sigstore-oidc' keys"
+
 logger = logging.getLogger(__name__)
 
 
@@ -80,9 +83,13 @@ def to_dict(self) -> Dict:
         }
 
     def verify_signature(self, signature: Signature, data: bytes) -> None:
-        from sigstore.verify import VerificationMaterials, Verifier
-        from sigstore.verify.policy import Identity
-        from sigstore_protobuf_specs.dev.sigstore.bundle.v1 import Bundle
+        # pylint: disable=import-outside-toplevel
+        try:
+            from sigstore.verify import VerificationMaterials, Verifier
+            from sigstore.verify.policy import Identity
+            from sigstore_protobuf_specs.dev.sigstore.bundle.v1 import Bundle
+        except ImportError as e:
+            raise UnsupportedLibraryError(IMPORT_ERROR) from e
 
         verifier = Verifier.production()
         identity = Identity(
@@ -150,7 +157,11 @@ def sign(self, payload: bytes) -> Signature:
             ``Signature` interface, which expect the attribute to be of type `str`.
 
         """
-        from sigstore.sign import Signer as _Signer
+        # pylint: disable=import-outside-toplevel
+        try:
+            from sigstore.sign import Signer as _Signer
+        except ImportError as e:
+            raise UnsupportedLibraryError(IMPORT_ERROR) from e
 
         signer = _Signer.production()
         result = signer.sign(io.BytesIO(payload), self._token)

diff --git a/tests/check_sigstore_signer.py b/tests/check_sigstore_signer.py
@@ -8,7 +8,7 @@
 import os
 import unittest
 
-from sigstore.oidc import detect_credential
+from sigstore.oidc import detect_credential  # pylint: disable=import-error
 
 from securesystemslib.signer import (
     KEY_FOR_TYPE_AND_SCHEME,