Merge pull request #1062 from sigstore/cli-rekor-v2

cli: Add working directory and enable Rekor v2

Author: aaronlew02

sigstore-cli/src/main/java/dev/sigstore/cli/ConformanceServer.java

@@ -88,28 +88,16 @@ private static void handleExecute(HttpServletRequest request, HttpServletRespons
       System.setErr(errPs);
 
       Path cwd = Paths.get(executeRequest.cwd);
-      java.util.List<String> resolvedArgs = new java.util.ArrayList<>();
+      java.util.List<String> args = new java.util.ArrayList<>();
 
       for (int i = 0; i < executeRequest.args.length; i++) {
         String arg = executeRequest.args[i];
-
-        if (arg.equals("--bundle") && i + 1 < executeRequest.args.length) {
-          resolvedArgs.add(arg);
-          String filePath = executeRequest.args[++i];
-          resolvedArgs.add(cwd.resolve(filePath).toAbsolutePath().toString());
-        } else if (i == executeRequest.args.length - 1 && !arg.startsWith("-")) {
-          if (arg.contains(":")) {
-            resolvedArgs.add(arg);
-          } else {
-            resolvedArgs.add(cwd.resolve(arg).toAbsolutePath().toString());
-          }
-        } else {
-          resolvedArgs.add(arg);
-        }
+        args.add(arg);
       }
+      args.add("--working-directory");
+      args.add(cwd.toAbsolutePath().toString());
 
-      int exitCode =
-          new picocli.CommandLine(new Sigstore()).execute(resolvedArgs.toArray(new String[0]));
+      int exitCode = new picocli.CommandLine(new Sigstore()).execute(args.toArray(new String[0]));
 
       Map<String, Object> responseMap =
           Map.of(

sigstore-cli/src/main/java/dev/sigstore/cli/Sign.java

@@ -16,6 +16,7 @@
 package dev.sigstore.cli;
 
 import dev.sigstore.KeylessSigner;
+import dev.sigstore.SigningConfigProvider;
 import dev.sigstore.TrustedRootProvider;
 import dev.sigstore.oidc.client.OidcClients;
 import dev.sigstore.oidc.client.TokenStringOidcClient;
@@ -70,19 +71,52 @@ static class Target {
     String stagingWithTufUrlOverride;
   }
 
+  @Option(
+      names = {"--signing-config"},
+      description = "a custom signing config",
+      required = false)
+  Path signingConfig;
+
   @Option(
       names = {"--identity-token"},
       description = "the OIDC identity token to use",
       required = false)
   String identityToken;
 
+  @Option(
+      names = {"--working-directory"},
+      description = "the working directory",
+      required = false)
+  Path workingDirectory;
+
   @Override
   public Integer call() throws Exception {
+    if (workingDirectory != null) {
+      artifact = workingDirectory.resolve(artifact);
+      bundleFile = workingDirectory.resolve(bundleFile);
+      if (signingConfig != null) {
+        signingConfig = workingDirectory.resolve(signingConfig);
+      }
+      if (target != null && target.trustedRoot != null) {
+        target.trustedRoot = workingDirectory.resolve(target.trustedRoot);
+      }
+    }
     KeylessSigner.Builder signerBuilder;
     if (target == null) {
-      signerBuilder = new KeylessSigner.Builder().sigstorePublicDefaults();
+      signerBuilder = new KeylessSigner.Builder().sigstorePublicDefaults().enableRekorV2(true);
+    } else if ((target.trustedRoot != null && signingConfig == null)
+        || (target.trustedRoot == null && signingConfig != null)) {
+      throw new IllegalArgumentException(
+          "Trusted root and signing config are both required if one is provided");
+    } else if (target.trustedRoot != null && signingConfig != null) {
+      signerBuilder =
+          new KeylessSigner.Builder()
+              .sigstoreStagingDefaults()
+              .enableRekorV2(true)
+              .trustedRootProvider(TrustedRootProvider.from(target.trustedRoot))
+              .signingConfigProvider(SigningConfigProvider.from(signingConfig));
     } else if (target.staging) {
-      signerBuilder = new KeylessSigner.Builder().sigstoreStagingDefaults();
+      signerBuilder = new KeylessSigner.Builder().sigstoreStagingDefaults().enableRekorV2(true);
     } else if (target.publicGoodWithTufUrlOverride != null) {
       var tufClientBuilder =
           SigstoreTufClient.builder()
@@ -93,6 +127,7 @@ public Integer call() throws Exception {
       signerBuilder =
           KeylessSigner.builder()
               .sigstorePublicDefaults()
+              .enableRekorV2(true)
               .trustedRootProvider(TrustedRootProvider.from(tufClientBuilder));
     } else if (target.stagingWithTufUrlOverride != null) {
       var tufClientBuilder =
@@ -104,6 +139,7 @@ public Integer call() throws Exception {
       signerBuilder =
           KeylessSigner.builder()
               .sigstoreStagingDefaults()
+              .enableRekorV2(true)
               .trustedRootProvider(TrustedRootProvider.from(tufClientBuilder));
     } else {
       throw new IllegalStateException("Unable to initialize signer");

sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java

@@ -107,12 +107,30 @@ static class Policy {
     String certificateIssuer;
   }
 
+  @Option(
+      names = {"--working-directory"},
+      description = "the working directory",
+      required = false)
+  Path workingDirectory;
+
   @Override
   public Integer call() throws Exception {
-    byte[] digest =
-        artifact.startsWith(SHA256_PREFIX)
-            ? Hex.decodeHex(artifact.substring(SHA256_PREFIX.length()))
-            : asByteSource(Path.of(artifact).toFile()).hash(Hashing.sha256()).asBytes();
+    byte[] digest;
+    if (artifact.startsWith(SHA256_PREFIX)) {
+      digest = Hex.decodeHex(artifact.substring(SHA256_PREFIX.length()));
+    } else {
+      if (workingDirectory != null) {
+        artifact = workingDirectory.resolve(artifact).toString();
+      }
+      digest = asByteSource(Path.of(artifact).toFile()).hash(Hashing.sha256()).asBytes();
+    }
+
+    if (workingDirectory != null) {
+      bundleFile = workingDirectory.resolve(bundleFile);
+      if (target != null && target.trustedRoot != null) {
+        target.trustedRoot = workingDirectory.resolve(target.trustedRoot);
+      }
+    }
 
     Bundle bundle = Bundle.from(bundleFile, StandardCharsets.UTF_8);