From d6893b202c93bac0e60d0bcfcf2250de493027db Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Sat, 11 Oct 2025 19:20:28 +0300
Subject: [PATCH 1/2] CI: Add test that checks old version can verify
Signed-off-by: Jussi Kukkonen
---
.github/workflows/cross-version-verify.yaml | 89 +++++++++++++++++++++
1 file changed, 89 insertions(+)
create mode 100644 .github/workflows/cross-version-verify.yaml
diff --git a/.github/workflows/cross-version-verify.yaml b/.github/workflows/cross-version-verify.yaml
new file mode 100644
index 00000000..9ccc4a23
--- /dev/null
+++ b/.github/workflows/cross-version-verify.yaml
@@ -0,0 +1,89 @@
+# Copyright 2025 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Cross-version verify
+on:
+ push:
+ branches:
+ - main
+ - series/*
+ pull_request:
+ workflow_dispatch:
+
+permissions: {}
+
+jobs:
+ sign:
+ name: Sign
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+ with:
+ python-version: "3.x"
+ cache: "pip"
+ cache-dependency-path: pyproject.toml
+ - run: pip install .
+ - name: Fetch testing oidc token
+ uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@b517a742e5a3db9e3cbf8e2e1c792b36982f78db # main
+ - name: Sign
+ run: |
+ python -m sigstore --staging sign --bundle artifact.sigstore.json --identity-token $(cat oidc-token.txt) test/assets/a.txt
+ python -m sigstore --staging sign --bundle artifact-rekor1.sigstore.json --identity-token $(cat oidc-token.txt) --rekor-version=1 test/assets/a.txt
+ - name: upload signature bundle
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ with:
+ name: bundle
+ path: artifact*.sigstore.json
+ if-no-files-found: error
+ retention-days: 1
+ verify:
+ name: Verify with ${{ matrix.version }}
+ if: ${{ always() }} # don't stop some verification if one of the signing jobs failed
+ needs: [sign]
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false # Don't cancel other jobs if one fails
+ matrix:
+ version: [v3.6.5, v4.0.0, v4.1.0]
+ steps:
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+ ref: ${{matrix.version}}
+ fetch-tags: true
+ - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+ with:
+ python-version: "3.x"
+ cache: "pip"
+ cache-dependency-path: pyproject.toml
+ - run: pip install .
+ - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+ with:
+ name: bundle
+ - name: Verify
+ if: matrix.version != 'v3.6.5'
+ run: |
+ python -m sigstore --staging verify github --verbose \
+ --cert-identity "https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main" \
+ --bundle artifact.sigstore.json \
+ test/assets/a.txt
+ - name: Verify (rekor v1)
+ run: |
+ python -m sigstore --staging verify github --verbose \
+ --cert-identity "https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main" \
+ --bundle artifact-rekor1.sigstore.json \
+ test/assets/a.txt
From b66ff4d3feb6dc831391cf57bb4d1af3c44efaa6 Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen
Date: Fri, 17 Oct 2025 10:51:34 +0300
Subject: [PATCH 2/2] cross-version workflow: Add more signposts for used rekor version
Signed-off-by: Jussi Kukkonen
---
.github/workflows/cross-version-verify.yaml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/cross-version-verify.yaml b/.github/workflows/cross-version-verify.yaml
index 9ccc4a23..e3f16524 100644
--- a/.github/workflows/cross-version-verify.yaml
+++ b/.github/workflows/cross-version-verify.yaml
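Review bot: `if: ${{ always() }}` on the verify job also runs the whole matrix when the workflow is cancelled, and with a single `sign` job upstream a failed signing run only makes every verify job fail later at download-artifact, so the comment about "one of the signing jobs" describes a fan-out this file does not have. `if: ${{ !cancelled() }}` keeps the stated intent (verification results are not hidden by an unrelated failure) while still honoring cancellation. The `if: matrix.version != 'v3.6.5'` guard on the Verify step carries no explanation; a comment such as `# v3.6.5 presumably predates Rekor v2 bundles — confirm` would tell the next reader why that matrix cell is skipped (the same guard line reappears as context in the second patch's `@@ -74,14` hunk). Minor: `ref: ${{matrix.version}}` drops the spaces inside the braces that every other expression in the file uses.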
@@ -41,7 +41,7 @@ jobs:
 uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@b517a742e5a3db9e3cbf8e2e1c792b36982f78db # main
 - name: Sign
 run: |
- python -m sigstore --staging sign --bundle artifact.sigstore.json --identity-token $(cat oidc-token.txt) test/assets/a.txt
+ python -m sigstore --staging sign --bundle artifact-rekor2.sigstore.json --identity-token $(cat oidc-token.txt) --rekor-version=2 test/assets/a.txt
 python -m sigstore --staging sign --bundle artifact-rekor1.sigstore.json --identity-token $(cat oidc-token.txt) --rekor-version=1 test/assets/a.txt
 - name: upload signature bundle
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -74,14 +74,14 @@ jobs:
 - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
 with:
 name: bundle
- - name: Verify
+ - name: Verify (Rekor v2)
 if: matrix.version != 'v3.6.5'
 run: |
 python -m sigstore --staging verify github --verbose \
 --cert-identity "https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main" \
- --bundle artifact.sigstore.json \
+ --bundle artifact-rekor2.sigstore.json \
 test/assets/a.txt
- - name: Verify (rekor v1)
+ - name: Verify (Rekor v1)
 run: |
 python -m sigstore --staging verify github --verbose \
 --cert-identity "https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main" \