Add Rekor v2 client #1422
Open
Add Rekor v2 client #1422
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
* Make sure the exposed signatures actually are abstract: the request payload can be just a dict so both clients actually implement the same API * There is still a "EntryRequest" NewType being used instead of dict just to make the intent clear Signed-off-by: Jussi Kukkonen <[email protected]>
* Don't pretend these are unit tests: just have something simple that proves the client roughly does what it should * We should have real unit tests (that don't require the whole staging infra as current tests do) and integration tests but this is what I have now Signed-off-by: Jussi Kukkonen <[email protected]>
* The timeout was a little misleading (since requests timeout is not the total maximum time of the request) and we don't have specific timeouts elsewhere either. * Also remove some unused variables Signed-off-by: Jussi Kukkonen <[email protected]>
As of right now this is not in a released protobuf-specs: just preparing for when it is Signed-off-by: Jussi Kukkonen <[email protected]>
I've been testing with sigstore/protobuf-specs#661 -- looks fine so far |
jku
commented
Jun 6, 2025
This was dropped from generated protobuf code Signed-off-by: Jussi Kukkonen <[email protected]>
We only generate secp256r1 so can skip checking all of the other types for now. Signed-off-by: Jussi Kukkonen <[email protected]>
Signed-off-by: Jussi Kukkonen <[email protected]>
Signed-off-by: Jussi Kukkonen <[email protected]>
jku
commented
Jun 6, 2025
jku
commented
Jun 6, 2025
|
I'm marking this ready for review: it depends on a protobuf-specs PR so is not ready to merge but should be otherwise reasonable |
jku
commented
Jun 6, 2025
This reverts commit 3d9a1b8. protobuf-specs now contains CreateEntryRequest: no need to workaround Signed-off-by: Jussi Kukkonen <[email protected]>
Signed-off-by: Jussi Kukkonen <[email protected]>
Signed-off-by: Jussi Kukkonen <[email protected]>
This is a backwards compatible change (RekorClient is a RekorLogSumbitter), but also allows using a RekorV2Client. Signed-off-by: Jussi Kukkonen <[email protected]>
Signed-off-by: Jussi Kukkonen <[email protected]>
This was referenced Jun 9, 2025
woodruffw
reviewed
Jun 9, 2025
Comment on lines
+23
to
+24
| * Added a `RekorV2Client` for posting new entries to a Rekor V2 instance. | ||
| [#1400](https://github.com/sigstore/sigstore-python/pull/1400) |
There was a problem hiding this comment.
FWIW we technically don't need an entry here, since the Rekor client APIs are private. But we could also save the CL cleanup until release time 🙂
woodruffw
reviewed
Jun 9, 2025
| @@ -38,7 +38,7 @@ dependencies = [ | |||
| "rfc8785 ~= 0.1.2", | |||
| "rfc3161-client >= 1.0.2,< 1.1.0", | |||
| # NOTE(ww): Both under active development, so strictly pinned. | |||
| "sigstore-protobuf-specs == 0.4.2", | |||
| "sigstore-protobuf-specs @ git+https://github.com/sigstore/protobuf-specs.git@main#subdirectory=gen/pb-python", | |||
There was a problem hiding this comment.
Can we switch back to a release here? PyPI won't let us publish with a git dependency, so we'll need to at some point anyways.
There was a problem hiding this comment.
yes, absolutely -- this is the caveat I had for this PR: has to wait for protobuf-specs to release
There was a problem hiding this comment.
Oh whoops, missed that in the PR desc. Sorry 🤦
woodruffw
reviewed
Jun 9, 2025
Comment on lines
+93
to
+95
| """Determine PublicKeyDetails from a certificate | ||
|
|
||
| We know that sign.Signer only uses secp256r1 so do not support anything else""" |
There was a problem hiding this comment.
For consistency with the other docstrings:
Suggested change
| """Determine PublicKeyDetails from a certificate | |
| We know that sign.Signer only uses secp256r1 so do not support anything else""" | |
| """ | |
| Determine PublicKeyDetails from a certificate | |
| We know that sign.Signer only uses secp256r1 so do not support anything else | |
| """ |
woodruffw
reviewed
Jun 9, 2025
Comment on lines
+216
to
+217
| proposed_entry = self._signing_ctx._rekor._build_dsse_request( | ||
| envelope=content, certificate=cert |
There was a problem hiding this comment.
This is a lot cleaner, thanks!
ramonpetgrave64
suggested changes
Jun 9, 2025
|
|
||
| __all__ = [ | ||
| "_hashedrekord_from_parts", | ||
| ] | ||
|
|
||
| EntryRequest = NewType("EntryRequest", dict[str, Any]) |
There was a problem hiding this comment.
Suggested change
| EntryRequest = NewType("EntryRequest", dict[str, Any]) | |
| EntryRequestBody = NewType("EntryRequestBody", dict[str, Any]) |
| ).build() | ||
|
|
||
| with sign_ctx.signer(identity) as signer: | ||
| bundle = signer.sign_dsse(stmt) |
There was a problem hiding this comment.
One thing I wanted to ensure that the certificate, not only the public key, was used in the request. It's no problem to not include that here, though.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a continuation of Ramons #1400 , I'm moving it here in hopes of getting staging tests running.
The PR adds a new RekorV2Client for adding entries to a rekor-tiles log.
create_entry()and methods for constructing the requests for dsse/hashedrekordRekorLogSubmitter-- we could name it RekorClient but obviously would then need to rename the original V1 client...TODO: