Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump sigstore, remove deprecated email identity setting #37

Merged
merged 11 commits into from
Nov 28, 2022
Merged

Bump sigstore, remove deprecated email identity setting #37

merged 11 commits into from
Nov 28, 2022

Conversation

woodruffw
Copy link
Member

@woodruffw woodruffw commented Nov 24, 2022
edited
Loading

WIP. This is probably going to break the CI, since we still do verifications by default but don't always pass in the necessary options.

Removes the verify-oidc-email setting, since it maps to a now-removed sigstore CLI option. This release family of sigstore also makes the various verification options mandatory, so we no longer allow a user to pass verify: true without also passing the specific verification fields they'd like to verify with.

@woodruffw
treewide: bump to sigstore 0.8.3, remove deprecated setting
f00d523 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
workflows/selftest: remove old selftest
8abc53d 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw woodruffw self-assigned this Nov 24, 2022
tetsuo-cpp
tetsuo-cpp reviewed Nov 24, 2022
View reviewed changes
README.md Outdated Show resolved Hide resolved
@woodruffw
README: fix accidental edit
5101a9e 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
Copy link
Member Author

cc @tetsuo-cpp: with these changes, I think we have a couple of options:

  • Disable verification by default: we were doing it primarily as a "smoke test" for the action, but I think the state of our CI both here and on sigstore-python itself now provides sufficient confidence.
  • Keep verification enabled, and infer the correct verification options to pass. When an ambient credential is used this is very easy; when the user passes in their own OIDC identity then we'll also need to enforce that they supply verify-oidc-issuer and verify-cert-identity.

Thoughts?

@woodruffw
action: toggle verification
67d2b1d 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
action: lintage
9502583 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
workflows/selftest: exercise verification
edde6df 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
Copy link
Member Author

woodruffw commented Nov 28, 2022
edited
Loading

I've tweaked the PR to disable verification by default, just to demonstrate what I'm thinking.

Edit: I've also added a matrix of xfail tests, to demonstrate expected failure modes.

@woodruffw
action: prevent users from specifying ineffective verification options
377effd 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
workflows/selftest: experiment with xfails
13c7f89 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
workflows/selftest: more experimenting
dc118b6 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
selftest: fix xfail
d5589f8 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
workflows/selftest: xfail matrix
9d89335 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw woodruffw marked this pull request as ready for review November 28, 2022 16:47
@woodruffw woodruffw requested a review from di November 28, 2022 16:59
@woodruffw woodruffw merged commit 7a26f57 into main Nov 28, 2022
@woodruffw woodruffw deleted the ww/bump branch November 28, 2022 18:21
@woodruffw woodruffw mentioned this pull request Nov 28, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tetsuo-cpp tetsuo-cpp tetsuo-cpp left review comments

@di di di approved these changes

Assignees

@woodruffw woodruffw

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@woodruffw @di @tetsuo-cpp