Remove conformance tests that use detached materials (#173)

docs/cli_protocol.md

@@ -29,20 +29,6 @@ conformance suite in the order that they are specified in the templates below.
 
 ### Sign
 
-#### Signature and certificate flow
-
-```console
-${ENTRYPOINT} sign [--staging] --identity-token TOKEN --signature FILE --certificate FILE FILE
-```
-
-| Option | Description |
-| --- | --- |
-| `--staging`        | Presence indicates client should use Sigstore staging infrastructure |
-| `--identity-token` | The OIDC identity token to use |
-| `--signature FILE` | The path to write the signature to |
-| `--certificate FILE` | The path to write the signing certificate to |
-| `FILE` | The artifact to sign |
-
 #### Bundle flow
 
 ```console
@@ -58,22 +44,6 @@ ${ENTRYPOINT} sign-bundle [--staging] --identity-token TOKEN --bundle FILE FILE
 
 ### Verify
 
-#### Signature and certificate flow
-
-```console
-${ENTRYPOINT} verify [--staging] --signature FILE --certificate FILE --certificate-identity IDENTITY --certificate-oidc-issuer URL [--trusted-root FILE] FILE
-```
-
-| Option | Description |
-| --- | --- |
-| `--staging`        | Presence indicates client should use Sigstore staging infrastructure |
-| `--signature FILE` | The path to the signature to verify |
-| `--certificate FILE` | The path to the signing certificate to verify |
-| `--certificate-identity IDENTITY` | The expected identity in the signing certificate's SAN extension |
-| `--certificate-oidc-issuer URL` | The expected OIDC issuer for the signing certificate |
-| `--trusted-root` | The path of the custom trusted root to use to verify the signature |
-| `FILE` | The path to the artifact to verify |
-
 #### Bundle flow
 
 ```console

test/client.py

@@ -38,8 +38,7 @@ class ClientUnexpectedSuccess(Exception):
 
 class VerificationMaterials:
     """
-    A wrapper around verification materials. Materials can be either bundles
-    or detached pairs of signatures and certificates.
+    A wrapper around verification materials. Materials are bundles.
     """
 
     @classmethod
@@ -83,27 +82,6 @@ def exists(self) -> bool:
         return self.bundle.exists()
 
 
-class SignatureCertificateMaterials(VerificationMaterials):
-    """
-    Materials for commands that produce or consume signatures and certificates.
-    """
-
-    signature: Path
-    certificate: Path
-    trusted_root: Path
-
-    @classmethod
-    def from_input(cls, input: Path) -> SignatureCertificateMaterials:
-        mats = cls()
-        mats.signature = input.parent / f"{input.name}.sig"
-        mats.certificate = input.parent / f"{input.name}.crt"
-
-        return mats
-
-    def exists(self) -> bool:
-        return self.signature.exists() and self.certificate.exists()
-
-
 class SigstoreClient:
     """
     A wrapper around the Sigstore client under test that provides helpers to
@@ -112,9 +90,8 @@ class SigstoreClient:
     The `sigstore-conformance` test suite expects that clients expose a CLI that
     adheres to the protocol outlined at `docs/cli_protocol.md`.
 
-    The `sign` and `verify` methods are dispatched over the two flows that clients
-    should support: signature/certificate and bundle. The overloads of those
-    methods should not be called directly.
+    The `sign` and `verify` methods are dispatched over the one flows that clients
+    support: bundles. The overloads of those methods should not be called directly.
     """
 
     def __init__(self, entrypoint: str, identity_token: str, staging: bool) -> None:
@@ -170,43 +147,15 @@ def raises(self):
     @singledispatchmethod
     def sign(self, materials: VerificationMaterials, artifact: os.PathLike) -> None:
         """
-        Sign an artifact with the Sigstore client. Dispatches to `_sign_for_sigcrt`
-        when given `SignatureCertificateMaterials`, or `_sign_for_bundle` when given
-        `BundleMaterials`.
+        Sign an artifact with the Sigstore client. Dispatches to `_sign_for_bundle` when
+        given `BundleMaterials`.
 
         `artifact` is a path to the file to sign.
         `materials` contains paths to write the generated materials to.
         """
 
         raise NotImplementedError(f"Cannot sign with {type(materials)}")
 
-    @sign.register
-    def _sign_for_sigcrt(
-        self, materials: SignatureCertificateMaterials, artifact: os.PathLike
-    ) -> None:
-        """
-        Sign an artifact with the Sigstore client, producing a signature and certificate.
-
-        This is an overload of `sign` for the signature/certificate flow and should not
-        be called directly.
-        """
-        args: list[str | os.PathLike] = ["sign"]
-        if self.staging:
-            args.append("--staging")
-        args.extend(
-            [
-                "--identity-token",
-                self.identity_token,
-                "--signature",
-                materials.signature,
-                "--certificate",
-                materials.certificate,
-                artifact,
-            ]
-        )
-
-        self.run(*args)
-
     @sign.register
     def _sign_for_bundle(self, materials: BundleMaterials, artifact: os.PathLike) -> None:
         """
@@ -233,8 +182,7 @@ def _sign_for_bundle(self, materials: BundleMaterials, artifact: os.PathLike) ->
     @singledispatchmethod
     def verify(self, materials: VerificationMaterials, artifact: os.PathLike | str) -> None:
         """
-        Verify an artifact with the Sigstore client. Dispatches to `_verify_for_sigcrt`
-        when given `SignatureCertificateMaterials`, or
+        Verify an artifact with the Sigstore client. Dispatches to
          `_verify_{artifact|digest}_for_bundle` when given `BundleMaterials`.
 
         `artifact` is the path to the file to verify, or its digest.
@@ -243,40 +191,6 @@ def verify(self, materials: VerificationMaterials, artifact: os.PathLike | str)
 
         raise NotImplementedError(f"Cannot verify with {type(materials)}")
 
-    @verify.register
-    def _verify_for_sigcrt(
-        self, materials: SignatureCertificateMaterials, artifact: os.PathLike
-    ) -> None:
-        """
-        Verify an artifact given a signature and certificate with the Sigstore client.
-
-        This is an overload of `verify` for the signature/certificate flow and should
-        not be called directly.
-        """
-
-        args: list[str | os.PathLike] = ["verify"]
-        if self.staging:
-            args.append("--staging")
-        args.extend(
-            [
-                "--signature",
-                materials.signature,
-                "--certificate",
-                materials.certificate,
-                "--certificate-identity",
-                CERTIFICATE_IDENTITY,
-                "--certificate-oidc-issuer",
-                CERTIFICATE_OIDC_ISSUER,
-            ]
-        )
-
-        if getattr(materials, "trusted_root", None) is not None:
-            args.extend(["--trusted-root", materials.trusted_root])
-
-        # The identity and OIDC issuer cannot be specified by the test since they remain constant
-        # across the GitHub Actions job.
-        self.run(*args, artifact)
-
     @verify.register
     def _verify_artifact_for_bundle(
         self, materials: BundleMaterials, artifact: os.PathLike

test/conftest.py

@@ -18,7 +18,6 @@
 
 from .client import (
     BundleMaterials,
-    SignatureCertificateMaterials,
     SigstoreClient,
     VerificationMaterials,
 )
@@ -190,12 +189,12 @@ def _make_materials_by_type(
     return _make_materials_by_type
 
 
-@pytest.fixture(params=[BundleMaterials, SignatureCertificateMaterials])
+@pytest.fixture(params=[BundleMaterials])
 def make_materials(request, make_materials_by_type) -> _MakeMaterials:
     """
     Returns a function that constructs `VerificationMaterials` alongside an
     appropriate input path. The subclass of `VerificationMaterials` that is returned
-    is parameterized across `BundleMaterials` and `SignatureCertificateMaterials`.
+    is parameterized across `BundleMaterials`.
 
     See `make_materials_by_type` for a fixture that uses a specific subclass of
     `VerificationMaterials`.