root-signing

Add test for sigstore-rs

Open jku opened this issue 10 months ago • 1 comment

There are a few reasons why sigstore-rs is not yet tested (it is experimental, does not support staging, does not support configuring TUF URLs, and the "bundle" example that we could use has not been released yet), but we keep breaking sigstore-rs (#1431) so we should still do it.

I will push a draft PR. It's a little tricky to test right now.

jku avatar Feb 03 '25 13:02 jku

An attempt was made but:

  • sigstore-rs does not support signing in GitHub Actions so we need to test verify only and use a bundle made by another client
  • There is a signature bundle available for this purpose. It's produced by sigstore-python, so it is a bundle v0.3: sigstore-rs only supports <= 0.2

so a sigstore-rs test is not currently included.

Either

  • sigstore-rs needs to support bundle v0.3 OR
  • sigstore-rs needs to support GHA signing (https://github.com/sigstore/sigstore-rs/pull/412 gets pretty close) OR
  • we need some changes in our testing infra

jku avatar Feb 06 '25 09:02 jku
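The mismatch described in the comment above (a v0.3 bundle from sigstore-python handed to a client that only accepts <= 0.2) can be caught before the verifier ever runs by reading the bundle's declared format version. The following is an added example, not root-signing or sigstore-rs code: it parses the bundle `mediaType` in both forms defined in sigstore/protobuf-specs (the older `+json;version=X.Y` parameter form and the `.vX.Y+json` suffix form used by v0.3), cross-checks it against the `verificationMaterial` layout, and reports whether a client with an assumed maximum version (0.2 here, taken from the thread) can consume it. The sample bundles are constructed and carry placeholder bytes, not real certificates or signatures.

```python
"""Triage a sigstore bundle's format version before handing it to a verifier.

Example code added for this thread; not sigstore-rs or root-signing code.
Sample bundles below are constructed and contain no real key material.
"""
import json
import re

# Media types from sigstore/protobuf-specs bundle.proto. Bundles 0.1/0.2 used the
# ";version=" parameter form; v0.3 bundles (as emitted by sigstore-python) use the
# ".v0.3+json" suffix form. Both spellings are accepted here.
_PARAM_FORM = re.compile(
    r"^application/vnd\.dev\.sigstore\.bundle\+json;version=(\d+)\.(\d+)$")
_SUFFIX_FORM = re.compile(
    r"^application/vnd\.dev\.sigstore\.bundle\.v(\d+)\.(\d+)\+json$")

# Assumption taken from the thread: sigstore-rs supports bundle versions <= 0.2.
SIGSTORE_RS_MAX = (0, 2)


def bundle_version(bundle: dict) -> tuple[int, int]:
    """Return (major, minor) parsed from the bundle's declared mediaType."""
    media_type = bundle.get("mediaType")
    if not isinstance(media_type, str):
        raise ValueError("bundle has no mediaType string")
    for pattern in (_PARAM_FORM, _SUFFIX_FORM):
        m = pattern.match(media_type)
        if m:
            return int(m.group(1)), int(m.group(2))
    raise ValueError(f"unrecognised bundle mediaType: {media_type!r}")


def material_kind(bundle: dict) -> str:
    """Which verificationMaterial variant the bundle carries.

    'certificate' (a single leaf) was added in bundle v0.3; 0.1/0.2 bundles
    carry 'x509CertificateChain' (or 'publicKey' for key-based signing).
    """
    vm = bundle.get("verificationMaterial", {})
    for key in ("certificate", "x509CertificateChain", "publicKey"):
        if key in vm:
            return key
    raise ValueError("verificationMaterial has no recognised key material")


def compatibility(bundle: dict, client_max: tuple[int, int] = SIGSTORE_RS_MAX) -> tuple[bool, str]:
    """Return (ok, reason).

    ok is False when the bundle's declared version is newer than client_max, or
    when the structure contradicts the declared version (a pre-0.3 bundle using
    the v0.3-only 'certificate' field), which a strict verifier would reject.
    """
    version = bundle_version(bundle)
    kind = material_kind(bundle)
    label = f"v{version[0]}.{version[1]}"
    if kind == "certificate" and version < (0, 3):
        return False, f"bundle declares {label} but uses the v0.3 'certificate' field"
    if version > client_max:
        return False, (f"bundle is {label}, client supports "
                       f"<= v{client_max[0]}.{client_max[1]}")
    return True, f"bundle {label} is within the client's supported range"


# Constructed sample bundles (PLACEHOLDER stands in for base64 DER / signature bytes).
SAMPLE_V03 = json.loads("""{
  "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
  "verificationMaterial": {"certificate": {"rawBytes": "PLACEHOLDER"}, "tlogEntries": []},
  "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "PLACEHOLDER"},
                       "signature": "PLACEHOLDER"}
}""")

SAMPLE_V02 = json.loads("""{
  "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.2",
  "verificationMaterial": {"x509CertificateChain": {"certificates": [{"rawBytes": "PLACEHOLDER"}]},
                           "tlogEntries": []},
  "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "PLACEHOLDER"},
                       "signature": "PLACEHOLDER"}
}""")

# Constructed inconsistent bundle: claims 0.2 but uses the 0.3 'certificate' field.
SAMPLE_MISMATCH = {
    "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.2",
    "verificationMaterial": {"certificate": {"rawBytes": "PLACEHOLDER"}},
}

if __name__ == "__main__":
    for name, bundle in (("v0.3", SAMPLE_V03), ("v0.2", SAMPLE_V02), ("mismatch", SAMPLE_MISMATCH)):
        ok, reason = compatibility(bundle)
        print(f"{name}: {'OK' if ok else 'SKIP'} ({reason})")
```

Run against the test bundle before invoking the client: a `SKIP` result is exactly the situation the thread describes, and it makes the skipped verification explicit in CI output rather than appearing as an opaque client error.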