sigstore / model-transparency

Supply chain security for ML
Apache License 2.0

Create in-toto signing payload for single digests. #263

Closed mihaimaruseac closed 3 months ago

mihaimaruseac commented 3 months ago

Summary

This converts DigestManifests objects to an in-toto format where the model is identified by its complete digest (as a result of the serialization).

For Sigstore signing, this payload can be signed via sign_intoto, producing a Sigstore Bundle as the signature.

CC @susperius for converting manifest to in-toto. This should cover #111, #224, and #248 (first part of the machinery). CC @laurentsimon to make sure I did not mishandle in-toto.

Note: Looking at the goldens, I see that some of the hashes are not properly converted to the one we use in serialization (should always be file-sha256 in the current testing scenario). I was planning to debug that before pushing this work, but given #260 I'll send it now to reduce work duplication and will debug the issue next week.

Note: Disabling C0103 and E1101 in the pylint configuration. The first one is about the name of the class constant: it wants it to be all uppercase, but that goes against established style for class/instance variables. Worse, the second one fails to detect that protobuf-generated code has certain attributes/names. This is because pylint does not use .pyi files, which is what protobuf generates, but we can disable it given that this missing attribute would be detected by pytype, which works correctly. Maybe when switching linters we'd get rid of this issue.

Release Note

NONE

Documentation

NONE
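An added illustration, not code from this PR or from the model-transparency project, of the payload shape described above: an in-toto v1 Statement whose single subject is the whole-model digest, plus the verification-side check that recomputes the digest and compares it to the subject. The manifest structure, the `model_digest` serialization and the predicate type are simplified stand-ins and are assumptions, not the library's own.

```python
import hashlib

IN_TOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
# Hypothetical predicate type for this illustration; not the project's own value.
PREDICATE_TYPE = "https://example.invalid/model-digest/v0"

# Constructed stand-in for a DigestManifest: file path -> (algorithm, hex digest).
SAMPLE_MANIFEST = {
    "config.json": ("file-sha256", hashlib.sha256(b"{}").hexdigest()),
    "weights.bin": ("file-sha256", hashlib.sha256(b"\x00" * 16).hexdigest()),
}


def model_digest(manifest: dict[str, tuple[str, str]]) -> str:
    """Collapse a per-file manifest into one digest for the whole model.

    Simplified stand-in for the library's serialization (assumption): hash the
    sorted 'path:algorithm:digest' records so that renaming, reordering or
    altering any file changes the result. A file hashed with an algorithm other
    than the expected one is rejected rather than silently folded in.
    """
    h = hashlib.sha256()
    for path in sorted(manifest):
        algorithm, digest = manifest[path]
        if algorithm != "file-sha256":
            raise ValueError(f"unexpected digest algorithm {algorithm!r} for {path}")
        h.update(f"{path}:{algorithm}:{digest}\n".encode())
    return h.hexdigest()


def make_statement(model_name: str, manifest: dict[str, tuple[str, str]]) -> dict:
    """Build an in-toto v1 Statement whose single subject is the model digest."""
    return {
        "_type": IN_TOTO_STATEMENT_TYPE,
        "subject": [{"name": model_name, "digest": {"sha256": model_digest(manifest)}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {"serialization": "model-digest-v0", "fileDigestAlgorithm": "file-sha256"},
    }


def subject_matches(statement: dict, manifest: dict[str, tuple[str, str]]) -> bool:
    """Verification side: recompute the digest and compare it to the signed subject.

    Assumes the signature over the statement has already been checked; this
    only answers whether the files on disk are the ones the statement covers.
    """
    if statement.get("_type") != IN_TOTO_STATEMENT_TYPE or len(statement.get("subject", [])) != 1:
        return False
    expected = statement["subject"][0].get("digest", {}).get("sha256")
    return expected is not None and expected == model_digest(manifest)
```

The statement dict is what would be handed to the signing step; the bundle returned by signing wraps it, and a verifier checks the signature first and then calls something like `subject_matches`.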