Class: Sigstore::CLI

Inherits:

Thor

• Object
• Thor
• Sigstore::CLI

Defined in:

lib/sigstore/cli.rb,
lib/sigstore/cli/id_token.rb

Defined Under Namespace

Classes: IdToken, ShellWrapper, TUF

Class Method Summary

• .exit_on_failure? ⇒ Boolean
• .start(given_args = ARGV, config = {}) ⇒ Object

Instance Method Summary

• #display(*files) ⇒ Object
• #initialize ⇒ CLI constructor

  A new instance of CLI.

• #sign(file) ⇒ Object
• #verify(*files) ⇒ Object

Constructor Details

#initialize ⇒ CLI

Returns a new instance of CLI.

# File 'lib/sigstore/cli.rb', line 37

def initialize(*)
  super
  Sigstore.logger.reopen ShellWrapper.new(shell)
  Sigstore.logger.level = options[:debug] ? Logger::DEBUG : Logger::INFO
end

Class Method Details

.exit_on_failure? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/sigstore/cli.rb', line 8

def self.exit_on_failure?
  true
end

.start(given_args = ARGV, config = {}) ⇒ Object

# File 'lib/sigstore/cli.rb', line 12

def self.start(given_args = ARGV, config = {})
  super
rescue Sigstore::Error => e
  raise if config[:debug] || ENV["THOR_DEBUG"] == "1"

  detailed_message = e.respond_to?(:detailed_message) ? e.detailed_message : e.message
  config[:shell].error(detailed_message)

  exit(false)
end

Instance Method Details

#display(*files) ⇒ Object

# File 'lib/sigstore/cli.rb', line 110

def display(*files)
  files.each do |file|
    bundle_bytes = Gem.read_binary(file)
    bundle = SBundle.new Bundle::V1::Bundle.decode_json(bundle_bytes, registry: Sigstore::REGISTRY)

    say "--- Bundle #{file} ---"
    say "Media Type: #{bundle.media_type}"
    say bundle.leaf_certificate.to_text

    case bundle.content
    when :message_signature
      say "Signature over: #{bundle.message_signature.message_digest.algorithm} " \
          "#{Internal::Util.hex_encode bundle.message_signature.message_digest.digest}"
    when :dsse_envelope
      say bundle.dsse_envelope.payloadType
      say bundle.dsse_envelope.payload
    else raise Error::InvalidBundle, "expected either message_signature or dsse_envelope"
    end
  end
end

#sign(file) ⇒ Object

# File 'lib/sigstore/cli.rb', line 88

def sign(file)
  self.options = options.merge(identity_token: IdToken.detect_credential).freeze if options[:identity_token].nil?
  unless options[:identity_token]
    raise Error::InvalidIdentityToken,
          "Failed to detect an ambient identity token, please provide one via --identity-token"
  end

  contents = File.binread(file)
  bundle = Sigstore::Signer.new(
    jwt: options[:identity_token],
    trusted_root:
  ).sign(contents)

  File.binwrite(options[:bundle], bundle.to_json) if options[:bundle]
  if options[:signature]
    File.binwrite(options[:signature], Internal::Util.base64_encode(bundle.message_signature.signature))
  end
  File.binwrite(options[:certificate], bundle.verification_material.certificate.raw_bytes) if options[:certificate]
end

#verify(*files) ⇒ Object

# File 'lib/sigstore/cli.rb', line 57

def verify(*files)
  verifier, files_with_materials = collect_verification_state(files)
  policy = Sigstore::Policy::Identity.new(
    identity: options[:certificate_identity],
    issuer: options[:certificate_oidc_issuer]
  )

  verified = files_with_materials.all? do |file, input|
    result = verifier.verify(input:, policy:, offline: options[:offline])

    if result.verified?
      say "OK: #{file}"
      true
    else
      say "FAIL: #{file}"
      say "\t#{result.reason}"
      false
    end
  end
  exit(false) unless verified
end