sigstore / sigstore-conformance

Conformance testing for Sigstore clients
https://sigstore.dev

Add a test for verifying v0.3 bundles #138

Closed segiddins closed 5 months ago

segiddins commented 5 months ago

Generated with

/Users/segiddins/Development/github.com/sigstore/sigstore-python/env/bin/sigstore sign test/assets/a.txt --bundle test/assets/a.txt.good.v0.3.sigstore --identity-token "<identity-token>" --overwrite

Summary

So clients can begin testing their v0.3 bundle verification

Release Note

Add a test for verifying v0.3 bundles

Documentation

woodruffw commented 5 months ago

LGTM behaviorally -- mind adding an xfail here?

https://github.com/sigstore/sigstore-conformance/blob/27a73d1d411654562900a781186ba95862203bb9/.github/workflows/conformance.yml#L37

segiddins commented 5 months ago

I think this is blocked by https://github.com/sigstore/sigstore-conformance/pull/136. I verified that HEAD of sigstore-python (and https://github.com/segiddins/sigstore-cosign-verify) pass the new spec.