CLI: sigstore verify github (#381)

* _cli: skeleton for `sigstore verify github`

Signed-off-by: William Woodruff <[email protected]>

* _cli: reorg options, devolve into more groups

Signed-off-by: William Woodruff <[email protected]>

* _cli: more factoring out, basic GH functionality

Signed-off-by: William Woodruff <[email protected]>

* README, Makefile: `sigstore verify github --help`

Signed-off-by: William Woodruff <[email protected]>

* README: more docs

Signed-off-by: William Woodruff <[email protected]>

* sigstore, README: remove `--cert-email`

Long deprecated.

Signed-off-by: William Woodruff <[email protected]>

* _cli: tweak "helpful" error messages

Now that we manage keys with TUF, the most likely
error here is misconfiguration: someone asking
us to verify a sig/cert that was issued against
a different instance of Fulcio than we're verifying with.

Signed-off-by: William Woodruff <[email protected]>

* _cli, README: tweak `sigstore verify github` flags

Signed-off-by: William Woodruff <[email protected]>

* CHANGELOG: record changes

Signed-off-by: William Woodruff <[email protected]>

* CHANGELOG, cli: record more changes

Signed-off-by: William Woodruff <[email protected]>

* _cli: add notes to help text

Signed-off-by: William Woodruff <[email protected]>

* README: update `--help` text

Signed-off-by: William Woodruff <[email protected]>

* _cli: fix fallback behavior

Signed-off-by: William Woodruff <[email protected]>

* _cli: lintage

Signed-off-by: William Woodruff <[email protected]>

Signed-off-by: William Woodruff <[email protected]>

Author: woodruffw

CHANGELOG.md

@@ -30,6 +30,16 @@ All versions prior to 0.9.0 are untracked.
    version of `sigstore-python`
    ([#383](https://github.com/sigstore/sigstore-python/pull/383))
 
+* The per-subcommand options `--rekor-url` and `--rekor-root-pubkey` have been
+  moved to the top-level `sigstore` command. Their subcommand forms are unchanged
+  and will continue to work, but will be marked deprecated in a future stable
+  version of `sigstore-python`
+  ([#381](https://github.com/sigstore/sigstore-python/pull/383))
+
+* `sigstore verify github` has been added, allowing for verification of
+  GitHub-specific claims within given certificate(s)
+  ([#381](https://github.com/sigstore/sigstore-python/pull/381))
+
 ### Changed
 
 * The default behavior of `SIGSTORE_LOGLEVEL` has changed; the logger

Makefile

@@ -127,6 +127,16 @@ check-readme:
 	    $(MAKE) -s run ARGS="verify identity --help" \
 	  )
 
+	# sigstore verify github --help
+	@diff \
+	  <( \
+	    awk '/@begin-sigstore-verify-github-help@/{f=1;next} /@end-sigstore-verify-github-help@/{f=0} f' \
+	      < README.md | sed '1d;$$d' \
+	  ) \
+	  <( \
+	    $(MAKE) -s run ARGS="verify github --help" \
+	  )
+
 
 .PHONY: edit
 edit:

README.md

@@ -71,7 +71,8 @@ Top-level:
 
 <!-- @begin-sigstore-help@ -->
 ```
-usage: sigstore [-h] [-V] [-v] [--staging]
+usage: sigstore [-h] [-V] [-v] [--staging] [--rekor-url URL]
+                [--rekor-root-pubkey FILE]
                 {sign,verify,get-identity-token} ...
 
 a tool for signing and verifying Python package distributions
@@ -88,6 +89,11 @@ optional arguments:
 Sigstore instance options:
   --staging             Use sigstore's staging instances, instead of the
                         default production instances (default: False)
+  --rekor-url URL       The Rekor instance to use (conflicts with --staging)
+                        (default: https://rekor.sigstore.dev)
+  --rekor-root-pubkey FILE
+                        A PEM-encoded root public key for Rekor itself
+                        (conflicts with --staging) (default: None)
 ```
 <!-- @end-sigstore-help@ -->
 
@@ -146,11 +152,15 @@ Sigstore instance options:
                         default production instances. This option will be
                         deprecated in favor of the global `--staging` option
                         in a future release. (default: False)
-  --rekor-url URL       The Rekor instance to use (conflicts with --staging)
-                        (default: https://rekor.sigstore.dev)
+  --rekor-url URL       The Rekor instance to use (conflicts with --staging).
+                        This option will be deprecated in favor of the global
+                        `--rekor-url` option in a future release. (default:
+                        None)
   --rekor-root-pubkey FILE
                         A PEM-encoded root public key for Rekor itself
-                        (conflicts with --staging) (default: None)
+                        (conflicts with --staging). This option will be
+                        deprecated in favor of the global `--rekor-root-
+                        pubkey` option in a future release. (default: None)
   --fulcio-url URL      The Fulcio instance to use (conflicts with --staging)
                         (default: https://fulcio.sigstore.dev)
   --ctfe FILE           A PEM-encoded public key for the CT log (conflicts
@@ -160,7 +170,7 @@ Sigstore instance options:
 
 ### Verifying
 
-#### Identities
+#### Generic identities
 
 This is the most common verification done with `sigstore`, and therefore
 the one you probably want: you can use it to verify that a signature was
@@ -170,17 +180,13 @@ to by a particular OIDC provider (like `https://github.com/login/oauth`).
 <!-- @begin-sigstore-verify-identity-help@ -->
 ```
 usage: sigstore verify identity [-h] [--certificate FILE] [--signature FILE]
-                                [--rekor-bundle FILE]
+                                [--rekor-bundle FILE] --cert-identity IDENTITY
+                                [--require-rekor-offline] --cert-oidc-issuer
+                                URL [--staging] [--rekor-url URL]
+                                [--rekor-root-pubkey FILE]
                                 [--certificate-chain FILE]
-                                [--cert-email EMAIL] --cert-identity IDENTITY
-                                --cert-oidc-issuer URL
-                                [--require-rekor-offline] [--staging]
-                                [--rekor-url URL] [--rekor-root-pubkey FILE]
                                 FILE [FILE ...]
 
-positional arguments:
-  FILE                  The file to verify
-
 optional arguments:
   -h, --help            show this help message and exit
 
@@ -192,41 +198,114 @@ Verification inputs:
                         multiple inputs (default: None)
   --rekor-bundle FILE   The offline Rekor bundle to verify with; not used with
                         multiple inputs (default: None)
+  FILE                  The file to verify
 
-Extended verification options:
-  --certificate-chain FILE
-                        Path to a list of CA certificates in PEM format which
-                        will be needed when building the certificate chain for
-                        the signing certificate (default: None)
-  --cert-email EMAIL    Deprecated; causes an error. Use --cert-identity
-                        instead (default: None)
+Verification options:
   --cert-identity IDENTITY
                         The identity to check for in the certificate's Subject
                         Alternative Name (default: None)
-  --cert-oidc-issuer URL
-                        The OIDC issuer URL to check for in the certificate's
-                        OIDC issuer extension (default: None)
   --require-rekor-offline
                         Require offline Rekor verification with a bundle;
                         implied by --rekor-bundle (default: False)
+  --cert-oidc-issuer URL
+                        The OIDC issuer URL to check for in the certificate's
+                        OIDC issuer extension (default: None)
 
 Sigstore instance options:
   --staging             Use sigstore's staging instances, instead of the
                         default production instances. This option will be
                         deprecated in favor of the global `--staging` option
                         in a future release. (default: False)
-  --rekor-url URL       The Rekor instance to use (conflicts with --staging)
-                        (default: https://rekor.sigstore.dev)
+  --rekor-url URL       The Rekor instance to use (conflicts with --staging).
+                        This option will be deprecated in favor of the global
+                        `--rekor-url` option in a future release. (default:
+                        None)
   --rekor-root-pubkey FILE
                         A PEM-encoded root public key for Rekor itself
-                        (conflicts with --staging) (default: None)
+                        (conflicts with --staging). This option will be
+                        deprecated in favor of the global `--rekor-root-
+                        pubkey` option in a future release. (default: None)
+  --certificate-chain FILE
+                        Path to a list of CA certificates in PEM format which
+                        will be needed when building the certificate chain for
+                        the Fulcio signing certificate (default: None)
 ```
 <!-- @end-sigstore-verify-identity-help@ -->
 
 For backwards compatibility, `sigstore verify [args ...]` is equivalent to
 `sigstore verify identity [args ...]`, but the latter form is **strongly**
 preferred.
 
+#### Signatures from GitHub Actions
+
+If your signatures are coming from GitHub Actions (e.g., a workflow
+that uses its [ambient credentials](#signing-with-ambient-credentials)),
+then you can use the `sigstore verify github` subcommand to verify
+claims more precisely than `sigstore verify identity` allows:
+
+<!-- @begin-sigstore-verify-github-help@ -->
+```
+usage: sigstore verify github [-h] [--certificate FILE] [--signature FILE]
+                              [--rekor-bundle FILE] --cert-identity IDENTITY
+                              [--require-rekor-offline] [--trigger EVENT]
+                              [--sha SHA] [--name NAME] [--repository REPO]
+                              [--ref REF] [--staging] [--rekor-url URL]
+                              [--rekor-root-pubkey FILE]
+                              [--certificate-chain FILE]
+                              FILE [FILE ...]
+
+optional arguments:
+  -h, --help            show this help message and exit
+
+Verification inputs:
+  --certificate FILE, --cert FILE
+                        The PEM-encoded certificate to verify against; not
+                        used with multiple inputs (default: None)
+  --signature FILE      The signature to verify against; not used with
+                        multiple inputs (default: None)
+  --rekor-bundle FILE   The offline Rekor bundle to verify with; not used with
+                        multiple inputs (default: None)
+  FILE                  The file to verify
+
+Verification options:
+  --cert-identity IDENTITY
+                        The identity to check for in the certificate's Subject
+                        Alternative Name (default: None)
+  --require-rekor-offline
+                        Require offline Rekor verification with a bundle;
+                        implied by --rekor-bundle (default: False)
+  --trigger EVENT       The GitHub Actions event name that triggered the
+                        workflow (default: None)
+  --sha SHA             The `git` commit SHA that the workflow run was invoked
+                        with (default: None)
+  --name NAME           The name of the workflow that was triggered (default:
+                        None)
+  --repository REPO     The repository slug that the workflow was triggered
+                        under (default: None)
+  --ref REF             The `git` ref that the workflow was invoked with
+                        (default: None)
+
+Sigstore instance options:
+  --staging             Use sigstore's staging instances, instead of the
+                        default production instances. This option will be
+                        deprecated in favor of the global `--staging` option
+                        in a future release. (default: False)
+  --rekor-url URL       The Rekor instance to use (conflicts with --staging).
+                        This option will be deprecated in favor of the global
+                        `--rekor-url` option in a future release. (default:
+                        None)
+  --rekor-root-pubkey FILE
+                        A PEM-encoded root public key for Rekor itself
+                        (conflicts with --staging). This option will be
+                        deprecated in favor of the global `--rekor-root-
+                        pubkey` option in a future release. (default: None)
+  --certificate-chain FILE
+                        Path to a list of CA certificates in PEM format which
+                        will be needed when building the certificate chain for
+                        the Fulcio signing certificate (default: None)
+```
+<!-- @end-sigstore-verify-github-help@ -->
+
 ## Example uses
 
 `sigstore` supports a wide variety of workflows and usages. Some common ones are