diff --git a/src/bundle/mod.rs b/src/bundle/mod.rs index c8c8ea64b0..61ad0c48b3 100644 --- a/src/bundle/mod.rs +++ b/src/bundle/mod.rs @@ -12,112 +12,14 @@ // See the License for the specific language governing permissions and // limitations under the License. -//! Common types for Sigstore Bundle support. +//! Sigstore bundle support. -use std::fmt::Display; -use std::str::FromStr; - -use base64::{engine::general_purpose::STANDARD as base64, Engine as _}; -use json_syntax::Print; pub use sigstore_protobuf_specs::dev::sigstore::bundle::v1::Bundle; -use sigstore_protobuf_specs::dev::sigstore::{ - common::v1::LogId, - rekor::v1::{Checkpoint, InclusionPromise, InclusionProof, KindVersion, TransparencyLogEntry}, -}; - -use crate::rekor::models::{ - log_entry::InclusionProof as RekorInclusionProof, LogEntry as RekorLogEntry, -}; - -// Known Sigstore bundle media types. -#[derive(Clone, Copy, Debug)] -pub enum Version { - Bundle0_1, - Bundle0_2, -} - -impl Display for Version { - fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { - f.write_str(match &self { - Version::Bundle0_1 => "application/vnd.dev.sigstore.bundle+json;version=0.1", - Version::Bundle0_2 => "application/vnd.dev.sigstore.bundle+json;version=0.2", - }) - } -} - -impl FromStr for Version { - type Err = (); - - fn from_str(s: &str) -> Result { - match s { - "application/vnd.dev.sigstore.bundle+json;version=0.1" => Ok(Version::Bundle0_1), - "application/vnd.dev.sigstore.bundle+json;version=0.2" => Ok(Version::Bundle0_2), - _ => Err(()), - } - } -} - -#[inline] -fn decode_hex>(hex: S) -> Result, ()> { - hex::decode(hex.as_ref()).or(Err(())) -} - -impl TryFrom for InclusionProof { - type Error = (); - - fn try_from(value: RekorInclusionProof) -> Result { - let hashes = value - .hashes - .iter() - .map(decode_hex) - .collect::, _>>()?; - - Ok(InclusionProof { - checkpoint: Some(Checkpoint { - envelope: value.checkpoint, - }), - hashes, - log_index: value.log_index, - root_hash: decode_hex(value.root_hash)?, - tree_size: value.tree_size, - }) - } -} -/// Convert log entries returned from Rekor into Sigstore Bundle format entries. -impl TryFrom for TransparencyLogEntry { - type Error = (); +mod models; - fn try_from(value: RekorLogEntry) -> Result { - let canonicalized_body = { - let mut body = json_syntax::to_value(value.body).or(Err(()))?; - body.canonicalize(); - body.compact_print().to_string().into_bytes() - }; - let inclusion_promise = Some(InclusionPromise { - signed_entry_timestamp: base64 - .decode(value.verification.signed_entry_timestamp) - .or(Err(()))?, - }); - let inclusion_proof = value - .verification - .inclusion_proof - .map(|p| p.try_into()) - .transpose()?; +#[cfg(feature = "sign")] +pub mod sign; - Ok(TransparencyLogEntry { - canonicalized_body, - inclusion_promise, - inclusion_proof, - integrated_time: value.integrated_time, - kind_version: Some(KindVersion { - kind: "hashedrekord".to_owned(), - version: "0.0.1".to_owned(), - }), - log_id: Some(LogId { - key_id: decode_hex(value.log_i_d)?, - }), - log_index: value.log_index, - }) - } -} +#[cfg(feature = "verify")] +pub mod verify; diff --git a/src/bundle/models.rs b/src/bundle/models.rs new file mode 100644 index 0000000000..79d27933dc --- /dev/null +++ b/src/bundle/models.rs @@ -0,0 +1,107 @@ +use std::fmt::Display; +use std::str::FromStr; + +use base64::{engine::general_purpose::STANDARD as base64, Engine as _}; +use json_syntax::Print; + +use sigstore_protobuf_specs::dev::sigstore::{ + common::v1::LogId, + rekor::v1::{Checkpoint, InclusionPromise, InclusionProof, KindVersion, TransparencyLogEntry}, +}; + +use crate::rekor::models::{ + log_entry::InclusionProof as RekorInclusionProof, LogEntry as RekorLogEntry, +}; + +// Known Sigstore bundle media types. +#[derive(Clone, Copy, Debug)] +pub enum Version { + Bundle0_1, + Bundle0_2, +} + +impl Display for Version { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + f.write_str(match &self { + Version::Bundle0_1 => "application/vnd.dev.sigstore.bundle+json;version=0.1", + Version::Bundle0_2 => "application/vnd.dev.sigstore.bundle+json;version=0.2", + }) + } +} + +impl FromStr for Version { + type Err = (); + + fn from_str(s: &str) -> Result { + match s { + "application/vnd.dev.sigstore.bundle+json;version=0.1" => Ok(Version::Bundle0_1), + "application/vnd.dev.sigstore.bundle+json;version=0.2" => Ok(Version::Bundle0_2), + _ => Err(()), + } + } +} + +#[inline] +fn decode_hex>(hex: S) -> Result, ()> { + hex::decode(hex.as_ref()).or(Err(())) +} + +impl TryFrom for InclusionProof { + type Error = (); + + fn try_from(value: RekorInclusionProof) -> Result { + let hashes = value + .hashes + .iter() + .map(decode_hex) + .collect::, _>>()?; + + Ok(InclusionProof { + checkpoint: Some(Checkpoint { + envelope: value.checkpoint, + }), + hashes, + log_index: value.log_index, + root_hash: decode_hex(value.root_hash)?, + tree_size: value.tree_size, + }) + } +} + +/// Convert log entries returned from Rekor into Sigstore Bundle format entries. +impl TryFrom for TransparencyLogEntry { + type Error = (); + + fn try_from(value: RekorLogEntry) -> Result { + let canonicalized_body = { + let mut body = json_syntax::to_value(value.body).or(Err(()))?; + body.canonicalize(); + body.compact_print().to_string().into_bytes() + }; + let inclusion_promise = Some(InclusionPromise { + signed_entry_timestamp: base64 + .decode(value.verification.signed_entry_timestamp) + .or(Err(()))?, + }); + let inclusion_proof = value + .verification + .inclusion_proof + .map(|p| p.try_into()) + .transpose()?; + + Ok(TransparencyLogEntry { + canonicalized_body, + inclusion_promise, + inclusion_proof, + integrated_time: value.integrated_time, + kind_version: Some(KindVersion { + kind: "hashedrekord".to_owned(), + version: "0.0.1".to_owned(), + }), + log_id: Some(LogId { + key_id: decode_hex(value.log_i_d)?, + }), + log_index: value.log_index, + }) + } +} diff --git a/src/sign.rs b/src/bundle/sign.rs similarity index 76% rename from src/sign.rs rename to src/bundle/sign.rs index 30f75737c7..02d7a8e13a 100644 --- a/src/sign.rs +++ b/src/bundle/sign.rs @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -//! Types for signing artifacts and producing Sigstore Bundles. +//! Types for signing artifacts and producing Sigstore bundles. use std::io::{self, Read}; use std::time::SystemTime; @@ -38,7 +38,7 @@ use x509_cert::attr::{AttributeTypeAndValue, AttributeValue}; use x509_cert::builder::{Builder, RequestBuilder as CertRequestBuilder}; use x509_cert::ext::pkix as x509_ext; -use crate::bundle::Version; +use crate::bundle::models::Version; use crate::errors::{Result as SigstoreResult, SigstoreError}; use crate::fulcio::oauth::OauthTokenProvider; use crate::fulcio::{self, FulcioClient, FULCIO_ROOT}; @@ -50,22 +50,22 @@ use crate::rekor::models::{hashedrekord, proposed_entry::ProposedEntry as Propos /// An asynchronous Sigstore signing session. /// /// Sessions hold a provided user identity and key materials tied to that identity. A single -/// session may be used to sign multiple items. For more information, see [`AsyncSigningSession::sign`](Self::sign). +/// session may be used to sign multiple items. For more information, see [`SigningSession::sign`]. /// -/// This signing session operates asynchronously. To construct a synchronous [SigningSession], -/// use [`SigningContext::signer()`]. -pub struct AsyncSigningSession<'ctx> { +/// This signing session operates asynchronously. To construct a synchronous [`blocking::SigningSession`], +/// use [`SigningContext::blocking_signer()`]. +pub struct SigningSession<'ctx> { context: &'ctx SigningContext, identity_token: IdentityToken, private_key: ecdsa::SigningKey, certs: fulcio::CertificateResponse, } -impl<'ctx> AsyncSigningSession<'ctx> { +impl<'ctx> SigningSession<'ctx> { async fn new( context: &'ctx SigningContext, identity_token: IdentityToken, - ) -> SigstoreResult> { + ) -> SigstoreResult> { let (private_key, certs) = Self::materials(&context.fulcio, &identity_token).await?; Ok(Self { context, @@ -176,7 +176,7 @@ impl<'ctx> AsyncSigningSession<'ctx> { } /// Signs for the input with the session's identity. If the identity is expired, - /// [SigstoreError::ExpiredSigningSession] is returned. + /// [`SigstoreError::ExpiredSigningSession`] is returned. pub async fn sign( &self, input: R, @@ -197,48 +197,52 @@ impl<'ctx> AsyncSigningSession<'ctx> { } } -/// A synchronous Sigstore signing session. -/// -/// Sessions hold a provided user identity and key materials tied to that identity. A single -/// session may be used to sign multiple items. For more information, see [`SigningSession::sign`](Self::sign). -/// -/// This signing session operates synchronously, thus it cannot be used in an asynchronous context. -/// To construct an asynchronous [SigningSession], use [`SigningContext::async_signer()`]. -pub struct SigningSession<'ctx> { - inner: AsyncSigningSession<'ctx>, - rt: tokio::runtime::Runtime, -} +pub mod blocking { + use super::{SigningSession as AsyncSigningSession, *}; -impl<'ctx> SigningSession<'ctx> { - fn new(ctx: &'ctx SigningContext, token: IdentityToken) -> SigstoreResult { - let rt = tokio::runtime::Builder::new_current_thread() - .enable_all() - .build()?; - let inner = rt.block_on(AsyncSigningSession::new(ctx, token))?; - Ok(Self { inner, rt }) - } - - /// Check if the session's identity token or key material is expired. + /// A synchronous Sigstore signing session. /// - /// If the session is expired, it cannot be used for signing operations, and a new session - /// must be created with a fresh identity token. - pub fn is_expired(&self) -> bool { - self.inner.is_expired() + /// Sessions hold a provided user identity and key materials tied to that identity. A single + /// session may be used to sign multiple items. For more information, see [`SigningSession::sign`]. + /// + /// This signing session operates synchronously, thus it cannot be used in an asynchronous context. + /// To construct an asynchronous [`SigningSession`], use [`SigningContext::signer()`]. + pub struct SigningSession<'ctx> { + inner: AsyncSigningSession<'ctx>, + rt: tokio::runtime::Runtime, } - /// Signs for the input with the session's identity. If the identity is expired, - /// [SigstoreError::ExpiredSigningSession] is returned. - pub fn sign(&self, mut input: R) -> SigstoreResult { - let mut hasher = Sha256::new(); - io::copy(&mut input, &mut hasher)?; - self.rt.block_on(self.inner.sign_digest(hasher)) + impl<'ctx> SigningSession<'ctx> { + pub(crate) fn new(ctx: &'ctx SigningContext, token: IdentityToken) -> SigstoreResult { + let rt = tokio::runtime::Builder::new_current_thread() + .enable_all() + .build()?; + let inner = rt.block_on(AsyncSigningSession::new(ctx, token))?; + Ok(Self { inner, rt }) + } + + /// Check if the session's identity token or key material is expired. + /// + /// If the session is expired, it cannot be used for signing operations, and a new session + /// must be created with a fresh identity token. + pub fn is_expired(&self) -> bool { + self.inner.is_expired() + } + + /// Signs for the input with the session's identity. If the identity is expired, + /// [`SigstoreError::ExpiredSigningSession`] is returned. + pub fn sign(&self, mut input: R) -> SigstoreResult { + let mut hasher = Sha256::new(); + io::copy(&mut input, &mut hasher)?; + self.rt.block_on(self.inner.sign_digest(hasher)) + } } } /// A Sigstore signing context. /// /// Contexts hold Fulcio (CA) and Rekor (CT) configurations which signing sessions can be -/// constructed against. Use [`SigningContext::production`](Self::production) to create a context against +/// constructed against. Use [`SigningContext::production`] to create a context against /// the public-good Sigstore infrastructure. pub struct SigningContext { fulcio: FulcioClient, @@ -246,7 +250,7 @@ pub struct SigningContext { } impl SigningContext { - /// Manually constructs a [SigningContext] from its constituent data. + /// Manually constructs a [`SigningContext`] from its constituent data. pub fn new(fulcio: FulcioClient, rekor_config: RekorConfiguration) -> Self { Self { fulcio, @@ -254,7 +258,7 @@ impl SigningContext { } } - /// Returns a [SigningContext] configured against the public-good production Sigstore + /// Returns a [`SigningContext`] configured against the public-good production Sigstore /// infrastructure. pub fn production() -> SigstoreResult { Ok(Self::new( @@ -266,19 +270,19 @@ impl SigningContext { )) } - /// Configures and returns an [AsyncSigningSession] with the held context. - pub async fn async_signer( + /// Configures and returns a [`SigningSession`] with the held context. + pub async fn signer( &self, identity_token: IdentityToken, - ) -> SigstoreResult { - AsyncSigningSession::new(self, identity_token).await + ) -> SigstoreResult { + SigningSession::new(self, identity_token).await } - /// Configures and returns a [SigningContext] with the held context. + /// Configures and returns a [`blocking::SigningSession`] with the held context. /// - /// Async contexts must use [`SigningContext::async_signer`](Self::async_signer). - pub fn signer(&self, identity_token: IdentityToken) -> SigstoreResult { - SigningSession::new(self, identity_token) + /// Async contexts must use [`SigningContext::signer`]. + pub fn blocking_signer(&self, identity_token: IdentityToken) -> SigstoreResult { + blocking::SigningSession::new(self, identity_token) } } @@ -291,9 +295,9 @@ pub struct SigningArtifact { } impl SigningArtifact { - /// Consumes the signing artifact and produces a Sigstore [Bundle]. + /// Consumes the signing artifact and produces a Sigstore [`Bundle`]. /// - /// The resulting bundle can be serialized with [serde_json]. + /// The resulting bundle can be serialized with [`serde_json`]. pub fn to_bundle(self) -> Bundle { // NOTE: We explicitly only include the leaf certificate in the bundle's "chain" // here: the specs explicitly forbid the inclusion of the root certificate, diff --git a/src/verify/mod.rs b/src/bundle/verify/mod.rs similarity index 86% rename from src/verify/mod.rs rename to src/bundle/verify/mod.rs index 0504d10060..a6ba64330f 100644 --- a/src/verify/mod.rs +++ b/src/bundle/verify/mod.rs @@ -13,12 +13,14 @@ // See the License for the specific language governing permissions and // limitations under the License. -//! Verifier for Sigstore bundles and associated types and policies. +//! Types for verifying Sigstore bundles with policies. + mod models; + pub use models::{VerificationError, VerificationResult}; pub mod policy; pub use policy::{PolicyError, VerificationPolicy}; mod verifier; -pub use verifier::{AsyncVerifier, Verifier}; +pub use verifier::*; diff --git a/src/verify/models.rs b/src/bundle/verify/models.rs similarity index 99% rename from src/verify/models.rs rename to src/bundle/verify/models.rs index 01fdc8b660..198e9c05ee 100644 --- a/src/verify/models.rs +++ b/src/bundle/verify/models.rs @@ -16,7 +16,7 @@ use std::str::FromStr; use crate::{ - bundle::{Bundle, Version as BundleVersion}, + bundle::{models::Version as BundleVersion, Bundle}, crypto::certificate::{is_leaf, is_root_ca, CertificateValidationError}, rekor::models as rekor, }; diff --git a/src/verify/policy.rs b/src/bundle/verify/policy.rs similarity index 99% rename from src/verify/policy.rs rename to src/bundle/verify/policy.rs index c6c1806df8..267badc042 100644 --- a/src/verify/policy.rs +++ b/src/bundle/verify/policy.rs @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -//! Verifiers for certificate metadata. +//! Verification constraints for certificate metadata. //! //! diff --git a/src/verify/verifier.rs b/src/bundle/verify/verifier.rs similarity index 72% rename from src/verify/verifier.rs rename to src/bundle/verify/verifier.rs index ac4d4f62b3..619f63c31f 100644 --- a/src/verify/verifier.rs +++ b/src/bundle/verify/verifier.rs @@ -12,6 +12,8 @@ // See the License for the specific language governing permissions and // limitations under the License. +//! Verifiers: async and blocking. + use std::io::{self, Read}; use sha2::{Digest, Sha256}; @@ -26,30 +28,26 @@ use crate::{ errors::Result as SigstoreResult, rekor::apis::configuration::Configuration as RekorConfiguration, trust::TrustRoot, - verify::{ - models::{CertificateErrorKind, SignatureErrorKind}, - VerificationError, - }, }; #[cfg(feature = "sigstore-trust-root")] use crate::trust::sigstore::SigstoreTrustRoot; -use super::{models::CheckedBundle, policy::VerificationPolicy, VerificationResult}; +use super::{models::{CheckedBundle, CertificateErrorKind, SignatureErrorKind}, policy::VerificationPolicy, VerificationResult, VerificationError}; /// An asynchronous Sigstore verifier. /// /// For synchronous usage, see [`Verifier`]. -pub struct AsyncVerifier { +pub struct Verifier { #[allow(dead_code)] rekor_config: RekorConfiguration, cert_pool: CertificatePool, } -impl AsyncVerifier { - /// Constructs an [`AsyncVerifier`]. +impl Verifier { + /// Constructs a [`Verifier`]. /// - /// For verifications against the public-good trust root, use [`AsyncVerifier::production`]. + /// For verifications against the public-good trust root, use [`Verifier::production()`]. pub fn new( rekor_config: RekorConfiguration, trust_repo: R, @@ -201,87 +199,89 @@ impl AsyncVerifier { } } -impl AsyncVerifier { - /// Constructs an [`AsyncVerifier`] against the public-good trust root. +impl Verifier { + /// Constructs an [`Verifier`] against the public-good trust root. #[cfg(feature = "sigstore-trust-root")] - pub async fn production() -> SigstoreResult { + pub async fn production() -> SigstoreResult { let updater = SigstoreTrustRoot::new(None).await?; - AsyncVerifier::new(Default::default(), updater) + Verifier::new(Default::default(), updater) } } -/// A synchronous Sigstore verifier. -/// -/// Async callers must use [`AsyncVerifier`]. Async usage of [`Verifier`] will result in a deadlock. -pub struct Verifier { - inner: AsyncVerifier, - rt: tokio::runtime::Runtime, -} +pub mod blocking { + use super::{Verifier as AsyncVerifier, *}; -impl Verifier { - /// Constructs a synchronous Sigstore verifier. - /// - /// For verifications against the public-good trust root, use [`Verifier::production`]. - pub fn new( - rekor_config: RekorConfiguration, - trust_repo: R, - ) -> SigstoreResult { - let rt = tokio::runtime::Builder::new_current_thread() - .enable_all() - .build()?; - let inner = AsyncVerifier::new(rekor_config, trust_repo)?; - - Ok(Self { rt, inner }) + /// A synchronous Sigstore verifier. + pub struct Verifier { + inner: AsyncVerifier, + rt: tokio::runtime::Runtime, } - /// Verifies an input digest against the given Sigstore Bundle, ensuring conformance to the - /// provided [`VerificationPolicy`]. - pub fn verify_digest

( - &self, - input_digest: Sha256, - bundle: Bundle, - policy: &P, - offline: bool, - ) -> VerificationResult - where - P: VerificationPolicy, - { - self.rt.block_on( - self.inner - .verify_digest(input_digest, bundle, policy, offline), - ) - } + impl Verifier { + /// Constructs a synchronous Sigstore verifier. + /// + /// For verifications against the public-good trust root, use [`Verifier::production()`]. + pub fn new( + rekor_config: RekorConfiguration, + trust_repo: R, + ) -> SigstoreResult { + let rt = tokio::runtime::Builder::new_current_thread() + .enable_all() + .build()?; + let inner = AsyncVerifier::new(rekor_config, trust_repo)?; + + Ok(Self { rt, inner }) + } - /// Verifies an input against the given Sigstore Bundle, ensuring conformance to the provided - /// [`VerificationPolicy`]. - pub fn verify( - &self, - mut input: R, - bundle: Bundle, - policy: &P, - offline: bool, - ) -> VerificationResult - where - R: Read, - P: VerificationPolicy, - { - let mut hasher = Sha256::new(); - io::copy(&mut input, &mut hasher).map_err(VerificationError::Input)?; + /// Verifies an input digest against the given Sigstore Bundle, ensuring conformance to the + /// provided [`VerificationPolicy`]. + pub fn verify_digest

( + &self, + input_digest: Sha256, + bundle: Bundle, + policy: &P, + offline: bool, + ) -> VerificationResult + where + P: VerificationPolicy, + { + self.rt.block_on( + self.inner + .verify_digest(input_digest, bundle, policy, offline), + ) + } - self.verify_digest(hasher, bundle, policy, offline) + /// Verifies an input against the given Sigstore Bundle, ensuring conformance to the provided + /// [`VerificationPolicy`]. + pub fn verify( + &self, + mut input: R, + bundle: Bundle, + policy: &P, + offline: bool, + ) -> VerificationResult + where + R: Read, + P: VerificationPolicy, + { + let mut hasher = Sha256::new(); + io::copy(&mut input, &mut hasher).map_err(VerificationError::Input)?; + + self.verify_digest(hasher, bundle, policy, offline) + } } -} -impl Verifier { - /// Constructs a synchronous [`Verifier`] against the public-good trust root. - #[cfg(feature = "sigstore-trust-root")] - pub fn production() -> SigstoreResult { - let rt = tokio::runtime::Builder::new_current_thread() - .enable_all() - .build()?; - let inner = rt.block_on(AsyncVerifier::production())?; + impl Verifier { + /// Constructs a synchronous [`Verifier`] against the public-good trust root. + #[cfg(feature = "sigstore-trust-root")] + pub fn production() -> SigstoreResult { + let rt = tokio::runtime::Builder::new_current_thread() + .enable_all() + .build()?; + let inner = rt.block_on(AsyncVerifier::production())?; - Ok(Verifier { inner, rt }) + Ok(Verifier { inner, rt }) + } } } diff --git a/src/cosign/client_builder.rs b/src/cosign/client_builder.rs index 0ab7664728..1a688d9139 100644 --- a/src/cosign/client_builder.rs +++ b/src/cosign/client_builder.rs @@ -28,7 +28,7 @@ use crate::trust::TrustRoot; /// ## Rekor integration /// /// Rekor integration can be enabled by specifying Rekor's public key. -/// This can be provided via a [`crate::sigstore::ManualTrustRoot`]. +/// This can be provided via a [`crate::trust::ManualTrustRoot`]. /// /// > Note well: the [`sigstore`](crate::sigstore) module provides helper structs and methods /// > to obtain this data from the official TUF repository of the Sigstore project. diff --git a/src/fulcio/mod.rs b/src/fulcio/mod.rs index 13fd6c945e..9166fa0a1d 100644 --- a/src/fulcio/mod.rs +++ b/src/fulcio/mod.rs @@ -203,7 +203,7 @@ impl FulcioClient { /// /// TODO(tnytown): This (and other API clients) should be autogenerated. See sigstore-rs#209. /// - /// https://github.com/sigstore/fulcio/blob/main/fulcio.proto + /// /// /// Additionally, it might not be reasonable to expect callers to correctly construct and pass /// in an X509 CSR. diff --git a/src/lib.rs b/src/lib.rs index 1fee312ca5..fa336c1029 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -284,9 +284,3 @@ pub mod rekor; #[cfg(any(feature = "sign", feature = "verify"))] pub mod bundle; - -#[cfg(feature = "verify")] -pub mod verify; - -#[cfg(feature = "sign")] -pub mod sign; diff --git a/src/trust/sigstore/mod.rs b/src/trust/sigstore/mod.rs index 81954a9891..4315587799 100644 --- a/src/trust/sigstore/mod.rs +++ b/src/trust/sigstore/mod.rs @@ -20,22 +20,6 @@ //! //! These can later be given to [`cosign::ClientBuilder`](crate::cosign::ClientBuilder) //! to enable Fulcio and Rekor integrations. -//! -//! # Example -//! -//! The `SigstoreRootTrust` instance can be created via the [`SigstoreTrustRoot::prefetch`] -//! method. -//! -/// ```rust -/// # use sigstore::trust::sigstore::SigstoreTrustRoot; -/// # use sigstore::errors::Result; -/// # #[tokio::main] -/// # async fn main() -> std::result::Result<(), anyhow::Error> { -/// let repo: Result = SigstoreTrustRoot::new(None).await; -/// // Now, get Fulcio and Rekor trust roots with the returned `SigstoreRootTrust` -/// # Ok(()) -/// # } -/// ``` use futures_util::TryStreamExt; use sha2::{Digest, Sha256}; use std::path::PathBuf; diff --git a/tests/conformance/conformance.rs b/tests/conformance/conformance.rs index e8ab9d3697..cccc0fcf7c 100644 --- a/tests/conformance/conformance.rs +++ b/tests/conformance/conformance.rs @@ -20,9 +20,9 @@ use std::{fs, process::exit}; use clap::{Parser, Subcommand}; use sigstore::{ + bundle::sign::SigningContext, + bundle::verify::{blocking::Verifier, policy}, oauth::IdentityToken, - sign::SigningContext, - verify::{policy, Verifier}, }; #[derive(Parser, Debug)] @@ -140,7 +140,7 @@ fn sign_bundle(args: SignBundle) -> anyhow::Result<()> { let mut artifact = fs::File::open(artifact)?; let context = SigningContext::production()?; - let signer = context.signer(identity_token); + let signer = context.blocking_signer(identity_token); let signing_artifact = signer?.sign(&mut artifact)?; let bundle_data = signing_artifact.to_bundle();