conformance: Support --trusted-root

conformance clients are given "--trusted-root" but sigstore-python
requires "--trust-config". Build a trust config and provide that in the
conformance client script.

The conformance scipt is getting closer and closer to the point where
just tweaking argv is not really the smart thing to do... but it's still
manageable.

This revealed a new bug so one test remains "xfail".

Signed-off-by: Jussi Kukkonen <[email protected]>

Author: jku

.github/workflows/conformance.yml

@@ -27,4 +27,4 @@ jobs:
       - uses: sigstore/sigstore-conformance@fd90e6b0f3046f2276a6659481de6df495dea3b9 # v0.0.18
         with:
           entrypoint: ${{ github.workspace }}/test/integration/sigstore-python-conformance
-          xfail: "test_verify_with_trust_root test_verify_dsse_bundle_with_trust_root" # see issue 821
+          xfail: "test_verify_dsse_bundle_with_trust_root" # see issue 1442

test/integration/sigstore-python-conformance

@@ -4,9 +4,29 @@
 A wrapper to convert `sigstore-conformance` CLI protocol invocations to match `sigstore-python`.
 """
 
-
 import os
 import sys
+from contextlib import suppress
+from string import Template
+from tempfile import NamedTemporaryFile
+
+# The signing config in the template is just filler: it is not used
+TRUST_CONFIG_TEMPLATE = Template("""
+{
+    "mediaType": "application/vnd.dev.sigstore.clienttrustconfig.v0.1+json",
+    "trustedRoot": ${trusted_root},
+    "signing_config": {
+        "mediaType": "application/vnd.dev.sigstore.signingconfig.v0.2+json",
+        "caUrls": [{ "url": "https://fulcio.example.com" }],
+        "oidcUrls": [],
+        "rekorTlogUrls": [{ "url": "https://rekor.example.com" }],
+        "tsaUrls": [],
+        "rekorTlogConfig": {"selector": "ANY"},
+        "tsaConfig": {"selector": "ANY"}
+    }
+}
+""")
+
 
 SUBCMD_REPLACEMENTS = {
     "sign-bundle": "sign",
@@ -32,17 +52,36 @@ if "--staging" in fixed_args:
     command.append("--staging")
     fixed_args.remove("--staging")
 
-# Fix-up the subcommand: the conformance suite uses `verify`, but
-# `sigstore` requires `verify identity` for identity based verifications.
-subcommand, *fixed_args = fixed_args
-if subcommand == "sign":
-    command.append("sign")
-elif subcommand == "verify":
-    command.extend(["verify", "identity"])
-else:
-    raise ValueError(f"unsupported subcommand: {subcommand}")
+# We may get "--trusted-root" as argument but sigstore-python wants "--trust-config":
+trusted_root = None
+with suppress(ValueError):
+    i = fixed_args.index("--trusted-root")
+    trusted_root = fixed_args[i+1]
+    fixed_args.pop(i)
+    fixed_args.pop(i)
+
+# If we did get a trustedroot, write a matching trustconfig into a temp file
+with NamedTemporaryFile(mode="wt") as temp_file:
+    if trusted_root is not None:
+        with open(trusted_root) as f:
+            content = TRUST_CONFIG_TEMPLATE.substitute(trusted_root=f.read())
+        temp_file.write(content)
+        command.extend(["--trust-config", temp_file.name])
+        temp_file.flush()
+
+    # Fix-up the subcommand: the conformance suite uses `verify`, but
+    # `sigstore` requires `verify identity` for identity based verifications.
+    subcommand, *fixed_args = fixed_args
+    if subcommand == "sign":
+        command.append("sign")
+    elif subcommand == "verify":
+        command.extend(["verify", "identity"])
+    else:
+        raise ValueError(f"unsupported subcommand: {subcommand}")
 
-# Replace incompatible flags.
-command.extend(ARG_REPLACEMENTS[arg] if arg in ARG_REPLACEMENTS else arg for arg in fixed_args)
+    # Replace incompatible flags.
+    command.extend(
+        ARG_REPLACEMENTS[arg] if arg in ARG_REPLACEMENTS else arg for arg in fixed_args
+    )
 
-os.execvp("sigstore", command)
+    os.execvp("sigstore", command)