Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

conformance: add conformance CLI and action #287

Merged
merged 6 commits into from
Aug 2, 2023
Merged

conformance: add conformance CLI and action #287

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
02e3665
conformance: cli
jleightcap Jul 28, 2023
b33b1de
conformance: add action+entrypoint
jleightcap Jul 28, 2023
d6a7b54
conformance: use child binary crate
jleightcap Jul 28, 2023
7e8b6cf
conformance: remove async main
jleightcap Aug 1, 2023
32b897c
conformance: trailing newlines
jleightcap Aug 1, 2023
f35ca2b
conformance: workflow dispatch trigger
jleightcap Aug 2, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions .github/workflows/conformance.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
on: [push, pull_request]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should leave that commented, at least until the full specification is implemented. Otherwise it could be confusing to see the failures happen on PR and on the main branch

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense to me -- perhaps we should make it workflow_dispatch for the time being, so that it isn't triggered automatically but can be still done manually.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, this currently doesn't make sense. Thanks for the workflow_dispatch pointer @woodruffw (0e0ee5e)


name: Conformance Suite

jobs:
conformance:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
with:
profile: minimal
toolchain: stable
override: true
- uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
with:
command: build
args: --manifest-path=tests/conformance/Cargo.toml
- uses: sigstore/sigstore-conformance@main
with:
entrypoint: ${{ github.workspace }}/tests/conformance/target/debug/sigstore
15 changes: 15 additions & 0 deletions tests/conformance/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
[package]
name = "sigstore-conformance"
description = "sigstore conformance testing workflow"
version = "0.0.1"
edition = "2021"
authors = ["sigstore-rs developers"]
license = "Apache-2.0"

[dependencies]
clap = { version = "4.0.8", features = ["derive"] }
sigstore = { path = "../../" }

[[bin]]
name = "sigstore"
path = "conformance.rs"
109 changes: 109 additions & 0 deletions tests/conformance/conformance.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
//
// Copyright 2023 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// CLI implemented to specification:
// https://github.com/sigstore/sigstore-conformance/blob/main/docs/cli_protocol.md

use clap::{Parser, Subcommand};

#[derive(Parser, Debug)]
struct Cli {
#[command(subcommand)]
command: Commands,
}

#[derive(Subcommand, Debug)]
enum Commands {
Sign(Sign),
SignBundle(SignBundle),
Verify(Verify),
VerifyBundle(VerifyBundle),
}

#[derive(Parser, Debug)]
struct Sign {
// The OIDC identity token to use
#[clap(long)]
identity_token: String,

// The path to write the signature to
#[clap(long)]
signature: String,

// The path to write the signing certificate to
#[clap(long)]
certificate: String,

// The artifact to sign
artifact: String,
}

#[derive(Parser, Debug)]
struct SignBundle {
// The OIDC identity token to use
#[clap(long)]
identity_token: String,

// The path to write the bundle to
#[clap(long)]
bundle: String,

// The artifact to sign
artifact: String,
}

#[derive(Parser, Debug)]
struct Verify {
// The path to the signature to verify
#[clap(long)]
signature: String,

// The path to the signing certificate to verify
#[clap(long)]
certificate: String,

// The expected identity in the signing certificate's SAN extension
#[clap(long)]
certificate_identity: String,

// The expected OIDC issuer for the signing certificate
#[clap(long)]
certificate_oidc_issuer: String,

// The path to the artifact to verify
artifact: String,
}

#[derive(Parser, Debug)]
struct VerifyBundle {
// The path to the Sigstore bundle to verify
#[clap(long)]
bundle: String,

// The expected identity in the signing certificate's SAN extension
#[clap(long)]
certificate_identity: String,

// The expected OIDC issuer for the signing certificate
#[clap(long)]
certificate_oidc_issuer: String,

// The path to the artifact to verify
artifact: String,
}

fn main() {
let cli = Cli::parse();
}