sigstore: Create API stubs #8

Merged
merged 8 commits into from
Mar 22, 2022

tetsuo-cpp
Collaborator

Closes #7

@tetsuo-cpp tetsuo-cpp marked this pull request as draft March 22, 2022 14:11
"""


class RekorClient:
Collaborator Author

Rekor's API seems to be a lot more complicated. The Rekor client in Go is generated via Swagger here.

We might have to figure out the main things we want/need to support for the beta.

Client implementation for interacting with Fulcio.
"""

from dataclasses import dataclass

@tetsuo-cpp
Collaborator Author

@di @woodruffw
What do you think of this package structure? At the moment I have:

  • fulcio: Client API for interacting with Fulcio
  • rekor: Client API for interacting with Rekor
  • pysign: API for signing Python packages (builds on top of fulcio and rekor). The code in _cli.py should be a thin wrapper that contains argument parsing and calls into this module.

I'm thinking of adding oidc for the auth stuff too. But we can leave that for later.

@di
Member

di commented Mar 22, 2022

Hmm, what do you want the code signing CLI tool to be called? I don't think we can just call it sigstore as that will potentially clash with other things.

I think the importable, public API should probably be from sigstore import sign, verify

@di di marked this pull request as ready for review March 22, 2022 16:19
@di di merged commit 293dfa6 into main Mar 22, 2022
@di di deleted the alex/api-stubs branch March 22, 2022 19:15
@tetsuo-cpp
Collaborator Author

> I think the importable, public API should probably be from sigstore import sign, verify

Sure, but what about the tool itself? It's ok to use it like python -m sigstore sign <blah>. But if we're going to install something in the user PATH, I think it has to be more specific than sigstore.

javanlacerda pushed a commit to javanlacerda/sigstore-python that referenced this pull request Feb 23, 2024
…ck (sigstore#8)

* git, dependabot, conformance: add sigstore-python nightly submod, track

Signed-off-by: William Woodruff <william@trailofbits.com>

* dependabot: remove custom Docker registry

Seems to only be needed when the registry requires a password,
which this one doesn't.

Signed-off-by: William Woodruff <william@trailofbits.com>

Signed-off-by: William Woodruff <william@trailofbits.com>