Support --cert-identity (#289)

* _cli, _verify: add `--cert-identity` Closes #108. Signed-off-by: William Woodruff <william@trailofbits.com> * README: `sigstore verify --help` Signed-off-by: William Woodruff <william@trailofbits.com> Signed-off-by: William Woodruff <william@trailofbits.com>
sigstore · Nov 3, 2022 · 85a96dd · 85a96dd
1 parent efc5502
commit 85a96dd
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -151,7 +151,8 @@ Verifying:
 <!-- @begin-sigstore-verify-help@ -->
 ```
 usage: sigstore verify [-h] [--certificate FILE] [--signature FILE]
-                       [--rekor-bundle FILE] [--cert-email EMAIL]
+                       [--rekor-bundle FILE]
+                       [--cert-identity IDENTITY | --cert-email EMAIL]
                        [--cert-oidc-issuer URL] [--require-rekor-offline]
                        [--staging] [--rekor-url URL]
                        FILE [FILE ...]
@@ -172,6 +173,9 @@ Verification inputs:
                         multiple inputs (default: None)
 
 Extended verification options:
+  --cert-identity IDENTITY
+                        The identity to check for in the certificate's Subject
+                        Alternative Name (default: None)
   --cert-email EMAIL    The email address to check for in the certificate's
                         Subject Alternative Name (default: None)
   --cert-oidc-issuer URL

diff --git a/sigstore/_cli.py b/sigstore/_cli.py
@@ -272,7 +272,18 @@ def _parser() -> argparse.ArgumentParser:
     )
 
     verification_options = verify.add_argument_group("Extended verification options")
-    verification_options.add_argument(
+
+    # NOTE: `--cert-email` and `--cert-identity` are mutually exclusive, until
+    # `--cert-email` is removed entirely.
+    cert_identity_options = verification_options.add_mutually_exclusive_group()
+    cert_identity_options.add_argument(
+        "--cert-identity",
+        metavar="IDENTITY",
+        type=str,
+        default=os.getenv("SIGSTORE_CERT_IDENTITY"),
+        help="The identity to check for in the certificate's Subject Alternative Name",
+    )
+    cert_identity_options.add_argument(
         "--cert-email",
         metavar="EMAIL",
         type=str,
@@ -464,6 +475,14 @@ def _verify(args: argparse.Namespace) -> None:
             "upcoming release of sigstore-python in favor of Sigstore-style bundles"
         )
 
+    # `--cert-email` is a deprecated alias for `--cert-identity`.
+    if args.cert_email and not args.cert_identity:
+        logger.warning(
+            "--cert-email is a deprecated alias for --cert-identity, and will be removed "
+            "in an upcoming release of sigstore-python"
+        )
+        args.cert_identity = args.cert_email
+
     # The presence of --rekor-bundle implies --require-rekor-offline.
     args.require_rekor_offline = args.require_rekor_offline or args.rekor_bundle
 
@@ -543,7 +562,7 @@ def _verify(args: argparse.Namespace) -> None:
             input_=file.read_bytes(),
             certificate=certificate,
             signature=signature,
-            expected_cert_email=args.cert_email,
+            expected_cert_identity=args.cert_identity,
             expected_cert_oidc_issuer=args.cert_oidc_issuer,
             offline_rekor_entry=entry,
         )

diff --git a/sigstore/_verify.py b/sigstore/_verify.py
@@ -122,7 +122,7 @@ def verify(
         input_: bytes,
         certificate: bytes,
         signature: bytes,
-        expected_cert_email: Optional[str] = None,
+        expected_cert_identity: Optional[str] = None,
         expected_cert_oidc_issuer: Optional[str] = None,
         offline_rekor_entry: Optional[RekorEntry] = None,
     ) -> VerificationResult:
@@ -134,7 +134,8 @@ def verify(
 
         `signature` is a base64-encoded signature for `file`.
 
-        `expected_cert_email` is the expected Subject Alternative Name (SAN) within `certificate`.
+        `expected_cert_identity` is the expected Subject Alternative Name (SAN)
+        within `certificate`.
 
         `expected_cert_oidc_issuer` is the expected OIDC Issuer Extension within `certificate`.
 
@@ -206,12 +207,14 @@ def verify(
                 reason="Extended usage does not contain `code signing`"
             )
 
-        if expected_cert_email is not None:
+        if expected_cert_identity is not None:
             # Check that SubjectAlternativeName contains signer identity
             san_ext = cert.extensions.get_extension_for_class(SubjectAlternativeName)
-            if expected_cert_email not in san_ext.value.get_values_for_type(RFC822Name):
+            if expected_cert_identity not in san_ext.value.get_values_for_type(
+                RFC822Name
+            ):
                 return VerificationFailure(
-                    reason=f"Subject name does not contain identity: {expected_cert_email}"
+                    reason=f"Subject name does not contain identity: {expected_cert_identity}"
                 )
 
         if expected_cert_oidc_issuer is not None: