├── .editorconfig ├── .gitattributes ├── .github ├── ISSUE_TEMPLATE │ └── release-checklist.md └── workflows │ ├── byob-slsa.yaml │ ├── ci.yaml │ ├── cifuzz.yaml │ ├── conformance.yml │ ├── depsreview.yml │ ├── examples.yaml │ ├── gradle-wrapper-validation.yaml │ ├── release-sigstore-gradle-plugin-from-tag.yaml │ ├── release-sigstore-java-from-tag.yaml │ └── tuf-conformance.yml ├── .gitignore ├── .idea └── icon.png ├── CHANGELOG.md ├── DEVELOPMENT.md ├── LICENSE ├── README.md ├── RELEASING.md ├── build-logic-commons ├── .gitignore ├── gradle-plugin │ ├── build.gradle.kts │ └── src │ │ └── main │ │ └── kotlin │ │ └── build-logic.kotlin-dsl-gradle-plugin.gradle.kts ├── gradle.properties └── settings.gradle.kts ├── build-logic ├── .gitignore ├── README.md ├── basics │ ├── build.gradle.kts │ └── src │ │ └── main │ │ └── kotlin │ │ ├── ToolchainProperties.kt │ │ ├── build-logic.repositories.gradle.kts │ │ ├── build-logic.reproducible-builds.gradle.kts │ │ └── configureToolchain.kt ├── build-parameters │ └── build.gradle.kts ├── build.gradle.kts ├── gradle.properties ├── jvm │ ├── build.gradle.kts │ └── src │ │ └── main │ │ └── kotlin │ │ ├── build-logic.build-info.gradle.kts │ │ ├── build-logic.dokka-javadoc.gradle.kts │ │ ├── build-logic.errorprone.gradle.kts │ │ ├── build-logic.forbidden-apis.gradle.kts │ │ ├── build-logic.java-library.gradle.kts │ │ ├── build-logic.java.gradle.kts │ │ ├── build-logic.kotlin.gradle.kts │ │ ├── build-logic.spotless-base.gradle.kts │ │ ├── build-logic.test-junit5.gradle.kts │ │ ├── build-logic.testing.gradle.kts │ │ └── buildlogic │ │ ├── BuildInfoTask.kt │ │ └── CopySpecExtensions.kt ├── publishing │ ├── build.gradle.kts │ └── src │ │ └── main │ │ └── kotlin │ │ ├── build-logic.depends-on-local-sigstore-java-repo.gradle.kts │ │ ├── build-logic.depends-on-local-sigstore-maven-plugin-repo.gradle.kts │ │ ├── build-logic.java-published-library.gradle.kts │ │ ├── build-logic.kotlin-dsl-published-gradle-plugin.gradle.kts │ │ ├── 
build-logic.publish-to-central.gradle.kts │ │ ├── build-logic.publish-to-tmp-maven-repo.gradle.kts │ │ └── build-logic.signing.gradle.kts ├── root-build │ ├── build.gradle.kts │ └── src │ │ └── main │ │ └── kotlin │ │ └── build-logic.root-build.gradle.kts └── settings.gradle.kts ├── build.gradle.kts ├── config ├── conscryptLicenseHeader ├── forbiddenApis.txt ├── licenseHeader ├── licenseHeaderRaw └── webPKILicenseHeader ├── examples ├── hello-world │ ├── README.md │ ├── build.gradle.kts │ ├── gradle │ │ └── wrapper │ │ │ ├── gradle-wrapper.jar │ │ │ └── gradle-wrapper.properties │ ├── gradlew │ ├── gradlew.bat │ ├── pom.xml │ ├── settings.gradle.kts │ ├── src │ │ └── main │ │ │ └── java │ │ │ └── com │ │ │ └── example │ │ │ └── Hello.java │ └── test.sh └── pgp │ ├── README.md │ ├── keygen.input │ ├── private.key │ └── public.key ├── fuzzing ├── build.gradle.kts ├── oss_fuzz_build.sh ├── src │ └── main │ │ └── java │ │ ├── fuzzing │ │ ├── BundleReaderFuzzer.java │ │ ├── BundleVerifierFuzzer.java │ │ ├── CertificateEntryFuzzer.java │ │ ├── CertificatesFuzzer.java │ │ ├── DigitallySignedFuzzer.java │ │ ├── FulcioCertificateMatcherFuzzer.java │ │ ├── FulcioVerifierFuzzer.java │ │ ├── JsonCanonicalizerFuzzer.java │ │ ├── KeysParsingFuzzer.java │ │ ├── RekorTypesFuzzer.java │ │ ├── RekorVerifierFuzzer.java │ │ ├── SerializationFuzzer.java │ │ ├── SignerVerifierFuzzer.java │ │ └── TufVerifierFuzzer.java │ │ └── util │ │ └── Tuf.java └── test.sh ├── gradle.properties ├── gradle └── wrapper │ ├── gradle-wrapper.jar │ └── gradle-wrapper.properties ├── gradlew ├── gradlew.bat ├── renovate.json ├── sandbox ├── .gitignore ├── .idea │ └── icon.png ├── README.md ├── gradle-precompiled-plugin │ ├── build.gradle.kts │ └── src │ │ └── main │ │ └── kotlin │ │ └── sigstore-conventions.gradle.kts ├── gradle-sign-file │ └── build.gradle.kts ├── gradle-sign-java-library │ ├── build.gradle.kts │ └── src │ │ └── main │ │ └── java │ │ └── com │ │ └── example │ │ └── Main.java ├── gradle │ 
└── wrapper │ │ ├── gradle-wrapper.jar │ │ └── gradle-wrapper.properties ├── gradlew ├── gradlew.bat └── settings.gradle.kts ├── scripts └── update_versions.sh ├── settings.gradle.kts ├── sigstore-cli ├── README.md ├── build.gradle.kts └── src │ └── main │ └── java │ └── dev │ └── sigstore │ └── cli │ ├── Sign.java │ ├── Sigstore.java │ └── Verify.java ├── sigstore-gradle ├── .gitignore ├── README.md ├── sigstore-gradle-sign-base-plugin │ ├── build.gradle.kts │ └── src │ │ ├── main │ │ └── kotlin │ │ │ ├── dev.sigstore.sign-base.gradle.kts │ │ │ └── dev │ │ │ └── sigstore │ │ │ └── sign │ │ │ ├── DefaultDerivedArtifactFile.kt │ │ │ ├── GitHubActionsOidc.kt │ │ │ ├── OidcClientConfiguration.kt │ │ │ ├── OidcClientExtension.kt │ │ │ ├── SigstoreSignExtension.kt │ │ │ ├── SigstoreSignature.kt │ │ │ ├── WebOidc.kt │ │ │ ├── services │ │ │ └── SigstoreSigningService.kt │ │ │ ├── tasks │ │ │ └── SigstoreSignFilesTask.kt │ │ │ ├── titlecase.kt │ │ │ └── work │ │ │ └── SignWorkAction.kt │ │ └── test │ │ └── kotlin │ │ └── dev │ │ └── sigstore │ │ └── gradle │ │ ├── OidcDslTest.kt │ │ ├── PluginSmokeTest.kt │ │ └── SigstoreSignTest.kt └── sigstore-gradle-sign-plugin │ ├── build.gradle.kts │ └── src │ ├── main │ └── kotlin │ │ └── dev.sigstore.sign.gradle.kts │ └── test │ └── kotlin │ └── dev │ └── sigstore │ └── gradle │ ├── RemoveSigstoreAscTest.kt │ └── SigstorePublishSignTest.kt ├── sigstore-java ├── build.gradle.kts └── src │ ├── main │ ├── java │ │ └── dev │ │ │ └── sigstore │ │ │ ├── KeylessSigner.java │ │ │ ├── KeylessSignerException.java │ │ │ ├── KeylessVerificationException.java │ │ │ ├── KeylessVerifier.java │ │ │ ├── SigningConfigProvider.java │ │ │ ├── TrustedRootProvider.java │ │ │ ├── VerificationOptions.java │ │ │ ├── bundle │ │ │ ├── Bundle.java │ │ │ ├── BundleParseException.java │ │ │ ├── BundleReader.java │ │ │ ├── BundleVerifier.java │ │ │ └── BundleWriter.java │ │ │ ├── dsse │ │ │ └── InTotoPayload.java │ │ │ ├── encryption │ │ │ ├── Keys.java │ │ │ 
├── certificates │ │ │ │ ├── Certificates.java │ │ │ │ └── transparency │ │ │ │ │ ├── CTConstants.java │ │ │ │ │ ├── CTLogInfo.java │ │ │ │ │ ├── CTLogStore.java │ │ │ │ │ ├── CTVerificationResult.java │ │ │ │ │ ├── CTVerifier.java │ │ │ │ │ ├── CertificateEntry.java │ │ │ │ │ ├── DigitallySigned.java │ │ │ │ │ ├── Serialization.java │ │ │ │ │ ├── SerializationException.java │ │ │ │ │ ├── SignedCertificateTimestamp.java │ │ │ │ │ ├── VerifiedSCT.java │ │ │ │ │ └── package-info.java │ │ │ └── signers │ │ │ │ ├── EcdsaSigner.java │ │ │ │ ├── EcdsaVerifier.java │ │ │ │ ├── RsaSigner.java │ │ │ │ ├── RsaVerifier.java │ │ │ │ ├── Signer.java │ │ │ │ ├── Signers.java │ │ │ │ ├── Verifier.java │ │ │ │ └── Verifiers.java │ │ │ ├── forbidden │ │ │ └── SuppressForbidden.java │ │ │ ├── fulcio │ │ │ └── client │ │ │ │ ├── CertificateRequest.java │ │ │ │ ├── FulcioCertificateMatcher.java │ │ │ │ ├── FulcioClient.java │ │ │ │ ├── FulcioClientGrpc.java │ │ │ │ ├── FulcioVerificationException.java │ │ │ │ ├── FulcioVerifier.java │ │ │ │ └── UnsupportedAlgorithmException.java │ │ │ ├── http │ │ │ ├── GrpcChannels.java │ │ │ ├── HttpClients.java │ │ │ ├── HttpParams.java │ │ │ └── UnsuccessfulResponseHandler.java │ │ │ ├── json │ │ │ ├── GsonByteArrayAdapter.java │ │ │ ├── GsonSupplier.java │ │ │ ├── ProtoJson.java │ │ │ └── canonicalizer │ │ │ │ ├── JsonCanonicalizer.java │ │ │ │ ├── NumberToJSON.java │ │ │ │ └── package-info.java │ │ │ ├── oidc │ │ │ └── client │ │ │ │ ├── GithubActionsOidcClient.java │ │ │ │ ├── OidcClient.java │ │ │ │ ├── OidcClients.java │ │ │ │ ├── OidcException.java │ │ │ │ ├── OidcToken.java │ │ │ │ ├── OidcTokenMatcher.java │ │ │ │ ├── TokenStringOidcClient.java │ │ │ │ └── WebOidcClient.java │ │ │ ├── proto │ │ │ └── ProtoMutators.java │ │ │ ├── rekor │ │ │ └── client │ │ │ │ ├── Checkpoints.java │ │ │ │ ├── HashedRekordRequest.java │ │ │ │ ├── RekorClient.java │ │ │ │ ├── RekorClientHttp.java │ │ │ │ ├── RekorEntry.java │ │ │ │ ├── RekorEntryBody.java │ │ 
│ │ ├── RekorEntryFetcher.java │ │ │ │ ├── RekorParseException.java │ │ │ │ ├── RekorResponse.java │ │ │ │ ├── RekorTypeException.java │ │ │ │ ├── RekorTypes.java │ │ │ │ ├── RekorVerificationException.java │ │ │ │ └── RekorVerifier.java │ │ │ ├── strings │ │ │ ├── RegexSyntaxException.java │ │ │ └── StringMatcher.java │ │ │ ├── timestamp │ │ │ └── client │ │ │ │ ├── HashAlgorithm.java │ │ │ │ ├── TimestampClient.java │ │ │ │ ├── TimestampClientHttp.java │ │ │ │ ├── TimestampException.java │ │ │ │ ├── TimestampRequest.java │ │ │ │ ├── TimestampResponse.java │ │ │ │ ├── TimestampVerificationException.java │ │ │ │ ├── TimestampVerifier.java │ │ │ │ └── UnsupportedHashAlgorithmException.java │ │ │ ├── trustroot │ │ │ ├── CertificateAuthority.java │ │ │ ├── LegacySigningConfig.java │ │ │ ├── LogId.java │ │ │ ├── PublicKey.java │ │ │ ├── Service.java │ │ │ ├── SigstoreConfigurationException.java │ │ │ ├── SigstoreSigningConfig.java │ │ │ ├── SigstoreTrustedRoot.java │ │ │ ├── Subject.java │ │ │ ├── TransparencyLog.java │ │ │ └── ValidFor.java │ │ │ └── tuf │ │ │ ├── DuplicateKeyIdsException.java │ │ │ ├── Fetcher.java │ │ │ ├── FileExceedsMaxLengthException.java │ │ │ ├── FileNotFoundException.java │ │ │ ├── FileSystemTufStore.java │ │ │ ├── HttpFetcher.java │ │ │ ├── InvalidHashesException.java │ │ │ ├── MetaFetchResult.java │ │ │ ├── MetaFetcher.java │ │ │ ├── MetaReader.java │ │ │ ├── MetaStore.java │ │ │ ├── PassthroughCacheMetaStore.java │ │ │ ├── RoleExpiredException.java │ │ │ ├── RollbackVersionException.java │ │ │ ├── RootProvider.java │ │ │ ├── SignatureVerificationException.java │ │ │ ├── SigstoreTufClient.java │ │ │ ├── SnapshotTargetMissingException.java │ │ │ ├── SnapshotTargetVersionException.java │ │ │ ├── SnapshotVersionMismatchException.java │ │ │ ├── TargetMetadataMissingException.java │ │ │ ├── TargetReader.java │ │ │ ├── TargetStore.java │ │ │ ├── TrustedMetaStore.java │ │ │ ├── TufException.java │ │ │ ├── Updater.java │ │ │ ├── encryption │ │ │ ├── 
EcdsaVerifier.java │ │ │ ├── Ed25519Verifier.java │ │ │ ├── RsaPssVerifier.java │ │ │ ├── Verifier.java │ │ │ └── Verifiers.java │ │ │ └── model │ │ │ ├── DelegationRole.java │ │ │ ├── Delegations.java │ │ │ ├── Hashes.java │ │ │ ├── Key.java │ │ │ ├── Role.java │ │ │ ├── Root.java │ │ │ ├── RootMeta.java │ │ │ ├── RootRole.java │ │ │ ├── Signature.java │ │ │ ├── SignedTufMeta.java │ │ │ ├── Snapshot.java │ │ │ ├── SnapshotMeta.java │ │ │ ├── TargetMeta.java │ │ │ ├── Targets.java │ │ │ ├── Timestamp.java │ │ │ ├── TimestampMeta.java │ │ │ └── TufMeta.java │ ├── proto │ │ ├── fulcio.proto │ │ └── google │ │ │ └── api │ │ │ ├── README.md │ │ │ ├── annotations.proto │ │ │ ├── field_behavior.proto │ │ │ └── http.proto │ └── resources │ │ ├── dev │ │ └── sigstore │ │ │ └── tuf │ │ │ ├── .editorconfig │ │ │ ├── README.md │ │ │ ├── sigstore-tuf-root │ │ │ └── root.json │ │ │ └── tuf-root-staging │ │ │ └── root.json │ │ └── rekor │ │ └── model │ │ ├── dsse │ │ └── v0.0.1 │ │ │ └── dsse.json │ │ └── hashedRekord │ │ └── v0.0.1 │ │ └── hashedRekord.json │ └── test │ ├── java │ └── dev │ │ └── sigstore │ │ ├── KeylessSignerTest.java │ │ ├── KeylessTest.java │ │ ├── KeylessVerifierTest.java │ │ ├── bundle │ │ ├── AllRequiredFieldsInBundleTest.java │ │ ├── BundleReaderTest.java │ │ └── BundleVerifierTest.java │ │ ├── encryption │ │ ├── KeysTest.java │ │ ├── certificates │ │ │ ├── CertificatesTest.java │ │ │ └── transparency │ │ │ │ ├── CTVerifierTest.java │ │ │ │ └── SerializationTest.java │ │ └── signers │ │ │ ├── SignerTest.java │ │ │ └── VerifiersTest.java │ │ ├── fulcio │ │ └── client │ │ │ ├── FulcioCertificateMatcherTest.java │ │ │ ├── FulcioClientGrpcTest.java │ │ │ └── FulcioVerifierTest.java │ │ ├── http │ │ └── UnsuccessfulResponseHandlerTest.java │ │ ├── json │ │ └── GsonSupplierTest.java │ │ ├── oidc │ │ └── client │ │ │ ├── GithubActionsOidcClientTest.java │ │ │ ├── OidcTokenMatcherTest.java │ │ │ ├── OidcTokenTest.java │ │ │ └── WebOidcClientTest.java │ │ ├── 
rekor │ │ └── client │ │ │ ├── CheckpointsTest.java │ │ │ ├── RekorClientHttpTest.java │ │ │ ├── RekorTypesTest.java │ │ │ └── RekorVerifierTest.java │ │ ├── strings │ │ └── StringMatcherTest.java │ │ ├── testing │ │ ├── CertGenerator.java │ │ ├── FakeCTLogServer.java │ │ ├── FulcioWrapper.java │ │ ├── MockOAuth2ServerExtension.java │ │ ├── grpc │ │ │ └── GrpcTypes.java │ │ └── matchers │ │ │ └── ByteArrayListMatcher.java │ │ ├── timestamp │ │ └── client │ │ │ ├── TimestampClientHttpTest.java │ │ │ └── TimestampVerifierTest.java │ │ ├── trustroot │ │ ├── PublicKeyTest.java │ │ ├── ServiceTest.java │ │ ├── SigstoreSigningConfigTest.java │ │ ├── SigstoreTrustedRootTest.java │ │ └── ValidForTest.java │ │ └── tuf │ │ ├── FileSystemTufStoreTest.java │ │ ├── HttpFetcherTest.java │ │ ├── PassthroughCacheMetaStoreTest.java │ │ ├── SigstoreTufClientTest.java │ │ ├── UpdaterTest.java │ │ ├── encryption │ │ ├── EcdsaVerifierTest.java │ │ ├── Ed25519VerifierTest.java │ │ ├── RsaPssVerifierTest.java │ │ └── VerifiersTest.java │ │ └── model │ │ └── TestTufJsonLoading.java │ └── resources │ └── dev │ └── sigstore │ ├── oidc │ └── server │ │ └── config.json │ ├── samples │ ├── bundles │ │ ├── artifact.txt │ │ ├── bundle-no-digest.sigstore │ │ ├── bundle-with-bad-checkpoint-signature.sigstore │ │ ├── bundle-with-mismatched-set.sigstore │ │ ├── bundle-with-timestamp.sigstore │ │ ├── bundle-with-wrong-tlog-entry.sigstore │ │ ├── bundle.dsse.bad-signature.sigstore │ │ ├── bundle.dsse.mismatched-envelope.sigstore │ │ ├── bundle.dsse.mismatched-signature.sigstore │ │ ├── bundle.dsse.sigstore │ │ ├── bundle.sigstore │ │ ├── bundle.v1.no.inclusion.sigstore │ │ ├── bundle.v1.sigstore │ │ ├── bundle.v2.no.inclusion.sigstore │ │ ├── bundle.v2.sigstore │ │ ├── bundle.v3.no.inclusion.sigstore │ │ ├── bundle.v3.sigstore │ │ ├── bundle.v3_1.no.inclusion.sigstore │ │ └── bundle.v3_1.sigstore │ ├── certificatetransparency │ │ ├── ca-cert.pem │ │ ├── cert-ct-embedded.pem │ │ ├── 
cert-ct-poisoned.pem │ │ ├── cert-key.pem │ │ ├── cert.pem │ │ └── ct-server-key-public.pem │ ├── certs │ │ ├── cert-githuboidc.pem │ │ ├── cert-single.pem │ │ ├── cert.der │ │ └── cert.pem │ ├── checkpoints │ │ ├── error_header_body_separator.txt │ │ ├── error_header_count.txt │ │ ├── error_no_newline_after_signature.txt │ │ ├── error_no_signatures.txt │ │ ├── error_not_a_number.txt │ │ ├── error_signature_format_invalid.txt │ │ ├── error_signature_length_insufficient.txt │ │ ├── valid.txt │ │ └── valid_multi_sig.txt │ ├── fulcio-response │ │ └── valid │ │ │ ├── cert.pem │ │ │ ├── certWithSct.pem │ │ │ ├── ctfe.pub │ │ │ └── fulcio.crt.pem │ ├── keys │ │ ├── test-ec.pub │ │ └── test-rsa.pub │ ├── rekor-response │ │ └── valid │ │ │ ├── entry-no-inclusion-proof.json │ │ │ ├── entry.json │ │ │ ├── jar-entry.json │ │ │ └── rekor.pub │ └── timestamp-response │ │ ├── invalid │ │ └── sigstore_tsa_response_invalid.tsr │ │ └── valid │ │ ├── freetsa_response.tsr │ │ ├── sigstage_tsa_response_with_embedded_certs.tsr │ │ ├── sigstage_tsa_response_without_embedded_certs.tsr │ │ ├── sigstore_tsa_response_with_embedded_certs.tsr │ │ └── sigstore_tsa_response_without_embedded_certs.tsr │ ├── trustroot │ ├── README.me │ ├── staging_signing_config.v0.2.json │ ├── staging_trusted_root.json │ ├── staging_trusted_root_with_one_tsa.json │ ├── staging_trusted_root_with_outdated_tsa.json │ ├── trusted_root.json │ ├── trusted_root_with_multiple_tsas.json │ └── trusted_root_with_outdated_tsa.json │ └── tuf │ ├── .editorconfig │ ├── model │ ├── root.json │ ├── snapshot.json │ └── targets.json │ └── synthetic │ ├── no-size-no-hash-snapshot-timestamp │ ├── 2.root.json │ ├── 3.snapshot.json │ ├── README.md │ └── timestamp.json │ ├── root-signing-workspace │ ├── README.md │ ├── keys │ │ ├── root.json │ │ ├── snapshot.json │ │ ├── targets.json │ │ └── timestamp.json │ └── repository │ │ ├── 1.root.json │ │ ├── 1.snapshot.json │ │ ├── 1.targets.json │ │ ├── 2.root.json │ │ ├── 2.snapshot.json │ │ 
├── 2.targets.json │ │ ├── 3.snapshot.json │ │ ├── 3.targets.json │ │ ├── root.json │ │ ├── snapshot.json │ │ ├── targets.json │ │ ├── targets │ │ ├── 32005f02eac21b4cf161a02495330b6c14b548622b5f7e19d59ecfa622de650603ecceea39ed86cc322749a813503a72ad14ce5462c822b511eaf2f2cd2ad8f2.test.txt.v2 │ │ ├── 53904bc6216230bf8da0ec42d34004a3f36764de698638641870e37d270e4fd13e1079285f8bca73c2857a279f6f7fbc82038274c3eb48ec5bb2da9b2e30491a.test2.txt │ │ └── 860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885.test.txt │ │ └── timestamp.json │ ├── root-too-big │ ├── 2.root.json │ └── README.md │ ├── root-unsigned │ ├── 2.root.json │ └── README.md │ ├── root-update-with-empty-signature │ ├── 2.root.json │ └── README.md │ ├── root-update-with-invalid-signature │ ├── 2.root.json │ └── README.md │ ├── root-update-with-unknown-fields │ ├── 4.root.json │ ├── 5.root.json │ └── README.md │ ├── root-wrong-version │ ├── 2.root.json │ └── README.md │ ├── snapshot-expired │ ├── 2.root.json │ ├── 3.snapshot.json │ ├── README.md │ └── timestamp.json │ ├── snapshot-invalid-hash │ ├── 2.root.json │ ├── 3.snapshot.json │ ├── README.md │ └── timestamp.json │ ├── snapshot-target-missing │ ├── 2.root.json │ ├── 3.snapshot.json │ ├── 4.snapshot.json │ ├── README.md │ └── timestamp.json │ ├── snapshot-target-version-rollback │ ├── 2.root.json │ ├── 3.snapshot.json │ ├── README.md │ └── timestamp.json │ ├── snapshot-version-mismatch │ ├── 2.root.json │ ├── 3.snapshot.json │ ├── README.md │ ├── snapshot.json │ └── timestamp.json │ ├── targets-download-invalid-hash │ ├── 2.root.json │ ├── 3.snapshot.json │ ├── 3.targets.json │ ├── README.md │ ├── targets │ │ └── 860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885.test.txt │ └── timestamp.json │ ├── targets-download-invalid-length │ ├── 2.root.json │ ├── 3.snapshot.json │ ├── 3.targets.json │ ├── README.md 
│ ├── targets │ │ └── 860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885.test.txt │ └── timestamp.json │ ├── targets-download-missing-target-metadata │ ├── 2.root.json │ ├── 3.snapshot.json │ ├── 3.targets.json │ ├── README.md │ └── timestamp.json │ ├── targets-expired │ ├── 2.root.json │ ├── 3.snapshot.json │ ├── 3.targets.json │ ├── README.md │ └── timestamp.json │ ├── targets-invalid-hash │ ├── 2.root.json │ ├── 3.snapshot.json │ ├── 3.targets.json │ ├── README.md │ └── timestamp.json │ ├── targets-sha256-or-sha512 │ ├── 1.root.json │ ├── 1.targets.json │ ├── 2.root.json │ ├── 2.snapshot.json │ ├── root.json │ ├── targets │ │ ├── 2dff935df7d1e1221ef52c753091c487c6fdaabbb0b0e2b193764de8cd7c1222776c61d7ef21f20a4d031a6a6bfa631713df7c4f71b4ee21d362152d4618d514.test2.txt │ │ └── 55f8718109829bf506b09d8af615b9f107a266e19f7a311039d1035f180b22d4.test.txt │ └── timestamp.json │ ├── targets-snapshot-version-mismatch │ ├── 2.root.json │ ├── 3.snapshot.json │ ├── 3.targets.json │ ├── README.md │ └── timestamp.json │ ├── targets-with-subdirs │ ├── 1.root.json │ ├── 1.snapshot.json │ ├── 1.targets.json │ ├── README.md │ ├── root.json │ ├── targets │ │ └── subdir │ │ │ └── 860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885.test.txt │ └── timestamp.json │ ├── test-template │ ├── 1.root.json │ ├── 1.snapshot.json │ ├── 1.targets.json │ ├── 1.timestamp.json │ ├── 2.root.json │ ├── 2.snapshot.json │ ├── 2.targets.json │ ├── 2.timestamp.json │ ├── 3.snapshot.json │ ├── 3.targets.json │ ├── root.json │ ├── snapshot.json │ ├── targets.json │ ├── targets │ │ ├── 32005f02eac21b4cf161a02495330b6c14b548622b5f7e19d59ecfa622de650603ecceea39ed86cc322749a813503a72ad14ce5462c822b511eaf2f2cd2ad8f2.test.txt.v2 │ │ ├── 
53904bc6216230bf8da0ec42d34004a3f36764de698638641870e37d270e4fd13e1079285f8bca73c2857a279f6f7fbc82038274c3eb48ec5bb2da9b2e30491a.test2.txt │ │ └── 860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885.test.txt │ └── timestamp.json │ ├── test │ ├── keys │ │ ├── root.json │ │ ├── snapshot.json │ │ ├── targets.json │ │ └── timestamp.json │ └── repository │ │ ├── 1.root.json │ │ ├── 2.root.json │ │ ├── root.json │ │ ├── snapshot.json │ │ ├── targets.json │ │ ├── targets │ │ ├── 2dff935df7d1e1221ef52c753091c487c6fdaabbb0b0e2b193764de8cd7c1222776c61d7ef21f20a4d031a6a6bfa631713df7c4f71b4ee21d362152d4618d514.test2.txt │ │ └── 55f8718109829bf506b09d8af615b9f107a266e19f7a311039d1035f180b22d4.test.txt │ │ └── timestamp.json │ ├── timestamp-rollback-version │ ├── 2.root.json │ ├── README.md │ └── timestamp.json │ ├── timestamp-unsigned │ ├── 2.root.json │ ├── README.md │ └── timestamp.json │ ├── tmp │ ├── 2.root.json │ └── 3.snapshot.json │ └── trusted-root.json ├── sigstore-maven-plugin ├── README.md ├── build.gradle.kts └── src │ ├── main │ └── java │ │ └── dev │ │ └── sigstore │ │ └── plugin │ │ ├── FulcioOidHelper.java │ │ └── SigstoreSignAttachedMojo.java │ └── test │ ├── java │ └── dev │ │ └── sigstore │ │ └── plugin │ │ ├── SigningTest.java │ │ └── test │ │ └── MavenTestProject.java │ └── resources │ └── maven │ ├── projects │ └── simple │ │ └── pom.xml │ └── settings.xml ├── sigstore-testkit ├── build.gradle.kts └── src │ └── main │ ├── java │ └── dev │ │ └── sigstore │ │ └── testkit │ │ └── tuf │ │ └── TestResources.java │ └── kotlin │ └── dev │ └── sigstore │ └── testkit │ ├── BaseGradleTest.kt │ ├── EnableIfOidcExistsCondition.kt │ ├── TestedGradle.kt │ ├── TestedGradleAndSigstoreJava.kt │ ├── TestedSigstoreJava.kt │ ├── annotations │ ├── DisabledIfSkipStaging.kt │ ├── EnabledIfOidcExists.kt │ └── OidcProviderType.kt │ └── gradle │ └── Project.kt └── tuf-cli ├── README.md ├── build.gradle.kts 
├── src └── main │ └── java │ └── dev │ └── sigstore │ └── tuf │ └── cli │ ├── Download.java │ ├── Init.java │ ├── Refresh.java │ └── Tuf.java └── tuf-cli.xfails /.editorconfig: -------------------------------------------------------------------------------- 1 | root = true 2 | 3 | [*] 4 | trim_trailing_whitespace = true 5 | insert_final_newline = true 6 | charset = utf-8 7 | indent_style = space 8 | 9 | [*.md] 10 | # Trailing whitespace is significant for Markdown 11 | trim_trailing_whitespace = false 12 | 13 | [{*.sh,gradlew}] 14 | end_of_line = lf 15 | 16 | [{*.bat,*.cmd}] 17 | end_of_line = crlf 18 | 19 | [*.java] 20 | indent_size = 2 21 | ij_continuation_indent_size = 4 22 | # Doc: https://youtrack.jetbrains.com/issue/IDEA-170643#focus=streamItem-27-3708697.0-0 23 | # $ means "static" 24 | ij_java_imports_layout = $*,|,* 25 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | # 2 | # https://help.github.com/articles/dealing-with-line-endings/ 3 | # 4 | * text=auto 5 | 6 | # Configure eol for well-known files 7 | gradlew text eol=lf 8 | *.sh text eol=lf 9 | *.bat text eol=crlf 10 | *.cmd text eol=crlf 11 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/release-checklist.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Release Checklist 3 | about: All the tasks required to complete a release of sigstore-java and maven/gradle plugins 4 | title: Release v 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | Full release instructions are at: [RELEASING.md](/sigstore/sigstore-java/blob/main/RELEASING.md) 11 | 12 | ## Tag Release 13 | - [ ] `v` 14 | 15 | ## Publish Release 16 | - [ ] `sigstore-java`, `sigstore-maven-plugin` to Maven Central 
([action](https://github.com/sigstore/sigstore-java/actions/workflows/release-sigstore-java-from-tag.yaml)) 17 | - [ ] `sigstore-gradle-plugin` to Gradle Plugin Portal ([action](https://github.com/sigstore/sigstore-java/actions/workflows/release-sigstore-gradle-plugin-from-tag.yaml)) 18 | 19 | ## Verify Releases Published 20 | - [ ] [sigstore-java](https://repo1.maven.org/maven2/dev/sigstore/sigstore-java) 21 | - [ ] [sigstore-maven-plugin](https://repo1.maven.org/maven2/dev/sigstore/sigstore-maven-plugin) 22 | - [ ] sigstore-gradle-plugin [[base](https://plugins.gradle.org/plugin/dev.sigstore.sign-base)], [[sign](https://plugins.gradle.org/plugin/dev.sigstore.sign)] 23 | 24 | ## Post Release 25 | - [ ] Update README if required 26 | - [ ] Update versions (`./scripts/update_versions.sh`) 27 | - [ ] Update CHANGELOG.md 28 | -------------------------------------------------------------------------------- /.github/workflows/byob-slsa.yaml: -------------------------------------------------------------------------------- 1 | # This builds a SLSA provenance statement based on BYOB. 2 | # For now it is under heavy development and is not yet suited for releases. NOTE(review): the reusable workflow this job calls is referenced by branch (`@main`) while the job grants `contents: write`, `id-token: write` and `packages: write`; pin it to a full commit SHA before relying on it for releases. 
3 | --- 4 | name: SLSA Provenance 5 | on: 6 | - workflow_dispatch 7 | 8 | permissions: read-all 9 | 10 | env: 11 | GH_TOKEN: ${{ github.token }} 12 | ISSUE_REPOSITORY: ${{ github.repository }} 13 | jobs: 14 | usetrw: 15 | permissions: 16 | contents: write 17 | id-token: write 18 | actions: read 19 | packages: write 20 | uses: AdamKorcz/java-slsa-generator/.github/workflows/gradle-trw.yml@main 21 | with: 22 | rekor-log-public: true 23 | artifact-list: | 24 | ./sigstore-java/build/local-maven-repo/dev/sigstore/sigstore-java/GRADLE_VERSION/sigstore-java-GRADLE_VERSION.module, 25 | ./sigstore-java/build/libs/sigstore-java-GRADLE_VERSION.jar, 26 | ./sigstore-java/build/local-maven-repo/dev/sigstore/sigstore-java/GRADLE_VERSION/sigstore-java-GRADLE_VERSION.pom, 27 | ./sigstore-java/build/local-maven-repo/dev/sigstore/sigstore-java/GRADLE_VERSION/sigstore-java-GRADLE_VERSION-sources.jar, 28 | ./sigstore-java/build/libs/sigstore-java-GRADLE_VERSION-javadoc.jar 29 | -------------------------------------------------------------------------------- /.github/workflows/cifuzz.yaml: -------------------------------------------------------------------------------- 1 | name: CIFuzz 2 | on: [pull_request] 3 | jobs: 4 | Fuzzing: 5 | runs-on: ubuntu-latest 6 | steps: 7 | - name: Build Fuzzers 8 | id: build 9 | uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master 10 | with: 11 | oss-fuzz-project-name: 'sigstore-java' 12 | dry-run: false 13 | language: jvm 14 | - name: Run Fuzzers 15 | uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master 16 | with: 17 | oss-fuzz-project-name: 'sigstore-java' 18 | fuzz-seconds: 1200 19 | dry-run: false 20 | language: jvm 21 | - name: Upload Crash 22 | uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 23 | if: failure() && steps.build.outcome == 'success' 24 | with: 25 | name: artifacts 26 | path: ./out/artifacts 27 | -------------------------------------------------------------------------------- 
/.github/workflows/depsreview.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2022 The Sigstore Authors. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | name: 'Dependency Review' 16 | on: [pull_request] 17 | 18 | permissions: 19 | contents: read 20 | 21 | jobs: 22 | dependency-review: 23 | name: License and Vulnerability Scan 24 | uses: sigstore/community/.github/workflows/reusable-dependency-review.yml@55b19bf31b07f74c544dab4c77c33b03f2182e0a 25 | -------------------------------------------------------------------------------- /.github/workflows/gradle-wrapper-validation.yaml: -------------------------------------------------------------------------------- 1 | name: "Validate Gradle Wrapper" 2 | on: 3 | push: 4 | branches: [main] 5 | pull_request: {} 6 | 7 | jobs: 8 | validation: 9 | name: "Validation" 10 | runs-on: ubuntu-latest 11 | steps: 12 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 13 | with: 14 | persist-credentials: false 15 | - uses: gradle/actions/wrapper-validation@8379f6a1328ee0e06e2bb424dadb7b159856a326 # v4.4.0 16 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .gradle 2 | .kotlin 3 | /**/.kotlin 4 | /build 5 | /**/build 6 | /out 7 | /**/out 8 | /http 9 | 10 | /target 11 | /**/target 12 
| .mvn/timing.properties 13 | .mvn/wrapper/maven-wrapper.jar 14 | 15 | # For occasional use of https://github.com/melix/includegit-gradle-plugin 16 | /checkouts 17 | 18 | # Avoid ignoring Gradle wrapper jar file (.jar files are usually ignored) 19 | !gradle-wrapper.jar 20 | 21 | # Ignore ide configs 22 | *.iml 23 | *.ipr 24 | *.iws 25 | /.idea/* 26 | .settings/ 27 | .classpath 28 | .project 29 | .DS_Store 30 | .vscode 31 | .factorypath 32 | 33 | # except this icon 34 | !/.idea/icon.png 35 | 36 | # vscode java output directories 37 | /**/bin 38 | -------------------------------------------------------------------------------- /.idea/icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sigstore/sigstore-java/0268f99de38fd208cb37ec8bf7ffe1ddf7b49ed5/.idea/icon.png -------------------------------------------------------------------------------- /build-logic-commons/.gitignore: -------------------------------------------------------------------------------- 1 | /*/build/ 2 | -------------------------------------------------------------------------------- /build-logic-commons/gradle-plugin/build.gradle.kts: -------------------------------------------------------------------------------- 1 | import org.gradle.kotlin.dsl.support.expectedKotlinDslPluginsVersion 2 | 3 | plugins { 4 | `kotlin-dsl` 5 | } 6 | 7 | group = "dev.sigstore.build-logic" 8 | 9 | dependencies { 10 | // We use precompiled script plugins (== plugins written as src/kotlin/build-logic.*.gradle.kts files, 11 | // and we need to declare dependency on org.gradle.kotlin.kotlin-dsl:org.gradle.kotlin.kotlin-dsl.gradle.plugin 12 | // to make it work. 
13 | // See https://github.com/gradle/gradle/issues/17016 regarding expectedKotlinDslPluginsVersion 14 | implementation("org.gradle.kotlin.kotlin-dsl:org.gradle.kotlin.kotlin-dsl.gradle.plugin:$expectedKotlinDslPluginsVersion") 15 | } 16 | 17 | // We need to figure out a version that is supported by the current JVM, and by the Kotlin Gradle plugin 18 | // So we settle on 21, 17, or 11 if the current JVM supports it 19 | listOf(21, 17, 11) 20 | .firstOrNull { JavaVersion.toVersion(it) <= JavaVersion.current() } 21 | ?.let { buildScriptJvmTarget -> 22 | java { 23 | toolchain { 24 | languageVersion.set(JavaLanguageVersion.of(buildScriptJvmTarget)) 25 | } 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /build-logic-commons/gradle-plugin/src/main/kotlin/build-logic.kotlin-dsl-gradle-plugin.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | id("java-library") 3 | id("org.gradle.kotlin.kotlin-dsl") // this is 'kotlin-dsl' without version 4 | } 5 | 6 | tasks.validatePlugins { 7 | failOnWarning.set(true) 8 | enableStricterValidation.set(true) 9 | } 10 | 11 | // We need to figure out a version that is supported by the current JVM, and by the Kotlin Gradle plugin 12 | // So we settle on 21, 17, or 11 if the current JVM supports it 13 | listOf(21, 17, 11) 14 | .firstOrNull { JavaVersion.toVersion(it) <= JavaVersion.current() } 15 | ?.let { buildScriptJvmTarget -> 16 | java { 17 | toolchain { 18 | languageVersion.set(JavaLanguageVersion.of(buildScriptJvmTarget)) 19 | } 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /build-logic-commons/gradle.properties: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sigstore/sigstore-java/0268f99de38fd208cb37ec8bf7ffe1ddf7b49ed5/build-logic-commons/gradle.properties 
-------------------------------------------------------------------------------- /build-logic-commons/settings.gradle.kts: -------------------------------------------------------------------------------- 1 | dependencyResolutionManagement { 2 | repositories { 3 | gradlePluginPortal() 4 | } 5 | } 6 | 7 | rootProject.name = "build-logic-commons" 8 | 9 | include("gradle-plugin") 10 | -------------------------------------------------------------------------------- /build-logic/.gitignore: -------------------------------------------------------------------------------- 1 | /*/build/ 2 | -------------------------------------------------------------------------------- /build-logic/README.md: -------------------------------------------------------------------------------- 1 | # Build logic for Sigstore Java 2 | 3 | This is a subset of extra plugins for factoring out 4 | the common patterns from the common build logic. 5 | 6 | The recommended approach is to use build composition, so every build script 7 | should list all its prerequisites in the top-most `plugins { ... }` block. 8 | 9 | The use of `allprojects` and `subprojects` is an anti-pattern as it makes it hard to identify 10 | the configuration for a given project. 11 | 12 | Let us consider an example (see `/sigstore-gradle-sign-base-plugin/build.gradle.kts`): 13 | 14 | ```kotlin 15 | plugins { 16 | id("build-logic.kotlin-dsl-published-gradle-plugin") 17 | id("build-logic.test-junit5") 18 | } 19 | 20 | description = "Gradle plugin with the base set of tasks and configurations for Sigstore singing (no signing is done by default)" 21 | 22 | dependencies { 23 | compileOnly(project(":sigstore-java")) 24 | implementation("com.fasterxml.jackson.core:jackson-databind:2.13.3") 25 | 26 | testImplementation(project(":sigstore-testkit")) 27 | } 28 | ``` 29 | 30 | It means that we deal with a Gradle plugin written in Kotlin that will be published to Central, 31 | and which uses JUnit 5 for testing. 
32 | 33 | If you want to see what the logic does, you could open `build-logic.kotlin-dsl-published-gradle-plugin.gradle.kts` 34 | and `build-logic.test-junit5.gradle.kts`. 35 | -------------------------------------------------------------------------------- /build-logic/basics/build.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | id("build-logic.kotlin-dsl-gradle-plugin") 3 | } 4 | 5 | dependencies { 6 | implementation(project(":build-parameters")) 7 | } 8 | -------------------------------------------------------------------------------- /build-logic/basics/src/main/kotlin/ToolchainProperties.kt: -------------------------------------------------------------------------------- 1 | import buildparameters.BuildParametersExtension 2 | import org.gradle.api.JavaVersion 3 | 4 | class ToolchainProperties( 5 | val version: Int, 6 | val vendor: String?, 7 | val implementation: String?, 8 | ) 9 | 10 | val BuildParametersExtension.buildJdk: ToolchainProperties? 11 | get() = jdkBuildVersion.takeIf { it != 0 } 12 | ?.let { ToolchainProperties(it, jdkBuildVendor.orNull, jdkBuildImplementation.orNull) } 13 | 14 | val BuildParametersExtension.buildJdkVersion: Int 15 | get() = buildJdk?.version ?: JavaVersion.current().majorVersion.toInt() 16 | 17 | val BuildParametersExtension.testJdk: ToolchainProperties? 
18 | get() = jdkTestVersion.orNull?.takeIf { it != 0 } 19 | ?.let { ToolchainProperties(it, jdkTestVendor.orNull, jdkTestImplementation.orNull) } 20 | ?: buildJdk 21 | 22 | val BuildParametersExtension.testJdkVersion: Int 23 | get() = jdkTestVersion.orNull ?: buildJdkVersion 24 | -------------------------------------------------------------------------------- /build-logic/basics/src/main/kotlin/build-logic.repositories.gradle.kts: -------------------------------------------------------------------------------- 1 | repositories { 2 | mavenCentral() 3 | } 4 | -------------------------------------------------------------------------------- /build-logic/basics/src/main/kotlin/build-logic.reproducible-builds.gradle.kts: -------------------------------------------------------------------------------- 1 | tasks.withType().configureEach { 2 | // Ensure builds are reproducible 3 | isPreserveFileTimestamps = false 4 | isReproducibleFileOrder = true 5 | dirPermissions { 6 | user { 7 | read = true 8 | write = true 9 | execute = true 10 | } 11 | group { 12 | read = true 13 | write = true 14 | execute = true 15 | } 16 | other { 17 | read = true 18 | execute = true 19 | } 20 | } 21 | filePermissions { 22 | user { 23 | read = true 24 | write = true 25 | } 26 | group { 27 | read = true 28 | write = true 29 | } 30 | other { 31 | read = true 32 | } 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /build-logic/basics/src/main/kotlin/configureToolchain.kt: -------------------------------------------------------------------------------- 1 | import org.gradle.api.provider.Provider 2 | import org.gradle.jvm.toolchain.JavaLanguageVersion 3 | import org.gradle.jvm.toolchain.JavaLauncher 4 | import org.gradle.jvm.toolchain.JavaToolchainService 5 | import org.gradle.jvm.toolchain.JavaToolchainSpec 6 | import org.gradle.jvm.toolchain.JvmImplementation 7 | import org.gradle.jvm.toolchain.JvmVendorSpec 8 | 9 | fun 
JavaToolchainService.launcherFor(jdk: ToolchainProperties): Provider = launcherFor { 10 | configureToolchain(jdk) 11 | } 12 | 13 | fun JavaToolchainSpec.configureToolchain(jdk: ToolchainProperties?) { 14 | if (jdk == null) { 15 | return 16 | } 17 | languageVersion.set(JavaLanguageVersion.of(jdk.version)) 18 | jdk.vendor?.let { 19 | vendor.set(JvmVendorSpec.matching(it)) 20 | } 21 | if (jdk.implementation.equals("J9", ignoreCase = true)) { 22 | implementation.set(JvmImplementation.J9) 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /build-logic/build.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | `embedded-kotlin` apply false 3 | } 4 | -------------------------------------------------------------------------------- /build-logic/gradle.properties: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sigstore/sigstore-java/0268f99de38fd208cb37ec8bf7ffe1ddf7b49ed5/build-logic/gradle.properties -------------------------------------------------------------------------------- /build-logic/jvm/build.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | id("build-logic.kotlin-dsl-gradle-plugin") 3 | } 4 | 5 | repositories { 6 | gradlePluginPortal() 7 | } 8 | 9 | dependencies { 10 | implementation(project(":basics")) 11 | implementation(project(":build-parameters")) 12 | implementation("com.diffplug.spotless:com.diffplug.spotless.gradle.plugin:7.0.3") 13 | implementation("com.github.vlsi.gradle-extensions:com.github.vlsi.gradle-extensions.gradle.plugin:1.90") 14 | implementation("de.thetaphi.forbiddenapis:de.thetaphi.forbiddenapis.gradle.plugin:3.9") 15 | implementation("org.jetbrains.kotlin:kotlin-gradle-plugin") 16 | implementation("org.jetbrains.dokka-javadoc:org.jetbrains.dokka-javadoc.gradle.plugin:2.0.0") 17 | 
implementation("com.github.autostyle:com.github.autostyle.gradle.plugin:4.0") 18 | implementation("net.ltgt.errorprone:net.ltgt.errorprone.gradle.plugin:4.2.0") 19 | } 20 | -------------------------------------------------------------------------------- /build-logic/jvm/src/main/kotlin/build-logic.build-info.gradle.kts: -------------------------------------------------------------------------------- 1 | import buildlogic.BuildInfoTask 2 | 3 | plugins { 4 | java 5 | } 6 | 7 | val generateBuildInfo by tasks.registering(BuildInfoTask::class) { 8 | version.set(project.version.toString()) 9 | genDir.set(project.layout.buildDirectory.dir("generated/buildinfo")) 10 | } 11 | 12 | sourceSets.main { 13 | java.srcDir(generateBuildInfo) 14 | } 15 | -------------------------------------------------------------------------------- /build-logic/jvm/src/main/kotlin/build-logic.dokka-javadoc.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | id("java-base") 3 | id("org.jetbrains.dokka-javadoc") 4 | id("build-logic.build-params") 5 | } 6 | 7 | java { 8 | if (!buildParameters.skipJavadoc) { 9 | // Workaround https://github.com/gradle/gradle/issues/21933, so it adds javadocElements configuration 10 | withJavadocJar() 11 | } 12 | } 13 | 14 | val dokkaJar by tasks.registering(Jar::class) { 15 | group = LifecycleBasePlugin.BUILD_GROUP 16 | description = "Assembles a jar archive containing javadoc" 17 | from(tasks.dokkaGeneratePublicationJavadoc) 18 | archiveClassifier.set("javadoc") 19 | } 20 | 21 | if (!buildParameters.skipJavadoc) { 22 | configurations[JavaPlugin.JAVADOC_ELEMENTS_CONFIGURATION_NAME].outgoing.artifact(dokkaJar) 23 | } 24 | -------------------------------------------------------------------------------- /build-logic/jvm/src/main/kotlin/build-logic.errorprone.gradle.kts: -------------------------------------------------------------------------------- 1 | import net.ltgt.gradle.errorprone.errorprone 2 | 3 | plugins 
{ 4 | java 5 | id("build-logic.build-params") 6 | } 7 | 8 | if (!project.hasProperty("skipErrorprone") && buildParameters.enableErrorprone) { 9 | apply(plugin = "net.ltgt.errorprone") 10 | 11 | dependencies { 12 | "errorprone"("com.google.errorprone:error_prone_core:2.38.0") 13 | "annotationProcessor"("com.google.guava:guava-beta-checker:1.0") 14 | } 15 | 16 | tasks.withType().configureEach { 17 | if ("Test" in name) { 18 | // Ignore warnings in test code 19 | options.errorprone.isEnabled.set(false) 20 | } else { 21 | options.compilerArgs.addAll(listOf("-Xmaxerrs", "10000", "-Xmaxwarns", "10000")) 22 | options.errorprone { 23 | disableWarningsInGeneratedCode.set(true) 24 | enable( 25 | "PackageLocation" 26 | ) 27 | } 28 | } 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /build-logic/jvm/src/main/kotlin/build-logic.forbidden-apis.gradle.kts: -------------------------------------------------------------------------------- 1 | import de.thetaphi.forbiddenapis.gradle.CheckForbiddenApisExtension 2 | 3 | plugins { 4 | id("build-logic.build-params") 5 | } 6 | 7 | if (!buildParameters.skipForbiddenApis) { 8 | apply(plugin = "de.thetaphi.forbiddenapis") 9 | 10 | configure { 11 | failOnUnsupportedJava = false 12 | // ForbiddenApiException: Check for forbidden API calls failed while scanning class 'Dev_sigstore_sign_base_gradle' 13 | // (dev.sigstore.sign-base.gradle.kts): java.lang.ClassNotFoundException: kotlin.script.experimental.jvm.RunnerKt 14 | // (while looking up details about referenced class 'kotlin.script.experimental.jvm.RunnerKt') 15 | failOnMissingClasses = false 16 | // See https://github.com/policeman-tools/forbidden-apis/wiki/BundledSignatures 17 | bundledSignatures.addAll( 18 | listOf( 19 | "jdk-deprecated", 20 | "jdk-internal", 21 | "jdk-non-portable", 22 | "jdk-unsafe" 23 | ) 24 | ) 25 | } 26 | } 27 | -------------------------------------------------------------------------------- 
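/build-logic/jvm/src/main/kotlin/build-logic.java-library.gradle.kts:
--------------------------------------------------------------------------------
// Convention plugin for library modules: applies the shared `build-logic.java`
// conventions together with Gradle's `java-library` plugin.
plugins {
    id("build-logic.java")
    id("java-library")
}

--------------------------------------------------------------------------------
/build-logic/jvm/src/main/kotlin/build-logic.kotlin.gradle.kts:
--------------------------------------------------------------------------------
import org.jetbrains.kotlin.gradle.dsl.JvmTarget
import org.jetbrains.kotlin.gradle.tasks.KotlinJvmCompile

// Convention plugin for Kotlin/JVM modules: Java and testing conventions,
// Autostyle formatting and the Kotlin JVM plugin.
plugins {
    id("java-library")
    id("build-logic.java")
    id("build-logic.testing")
    id("com.github.vlsi.gradle-extensions")
    id("com.github.autostyle")
    kotlin("jvm")
}

java {
    withSourcesJar()
}

autostyle {
    kotlin {
        // The license header is applied only when config/licenseHeaderRaw exists
        // under the root directory; a missing file does not fail the build.
        file("$rootDir/config/licenseHeaderRaw").takeIf { it.exists() }?.let {
            licenseHeader(it.readText())
        }
        trimTrailingWhitespace()
        endWithNewline()
    }
}

// Every Kotlin compilation gets the same target release for both the JDK API
// (-Xjdk-release) and the emitted bytecode (jvmTarget); the value comes from
// buildParameters.targetJavaVersion.
tasks.withType<KotlinJvmCompile>().configureEach {
    compilerOptions {
        val targetJdkRelease = buildParameters.targetJavaVersion.toString()
        freeCompilerArgs.add("-Xjdk-release=$targetJdkRelease")
        jvmTarget = JvmTarget.fromTarget(targetJdkRelease)
    }
}

--------------------------------------------------------------------------------
/build-logic/jvm/src/main/kotlin/build-logic.spotless-base.gradle.kts:
--------------------------------------------------------------------------------
// Base Spotless setup: ktlint for Gradle Kotlin scripts and whitespace
// normalisation for Markdown, .gitignore and YAML files.
plugins {
    id("com.diffplug.spotless")
}

spotless {
    kotlinGradle {
        target("*.gradle.kts") // default target for kotlinGradle
        ktlint()
    }
    format("misc") {
        target("*.md", ".gitignore", "**/*.yaml")

        trimTrailingWhitespace()
        leadingTabsToSpaces()
        endWithNewline()
    }
}

--------------------------------------------------------------------------------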
/build-logic/jvm/src/main/kotlin/build-logic.test-junit5.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | `java-library` 3 | id("build-logic.testing") 4 | } 5 | 6 | dependencies { 7 | testImplementation("org.junit.jupiter:junit-jupiter-api") 8 | testImplementation("org.junit.jupiter:junit-jupiter-params") 9 | testRuntimeOnly("org.junit.platform:junit-platform-launcher") { 10 | because("It is needed for junit in runtime, see https://github.com/junit-team/junit5/issues/4335#issuecomment-2676780444") 11 | } 12 | testImplementation("org.assertj:assertj-core") 13 | } 14 | 15 | tasks.withType().configureEach { 16 | useJUnitPlatform() 17 | } 18 | -------------------------------------------------------------------------------- /build-logic/jvm/src/main/kotlin/build-logic.testing.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | id("java-library") 3 | id("build-logic.build-params") 4 | } 5 | 6 | tasks.withType().configureEach { 7 | buildParameters.testJdk?.let { 8 | javaLauncher.convention(javaToolchains.launcherFor(it)) 9 | } 10 | if (project.hasProperty("skipOidc")) { 11 | systemProperty("sigstore-java.test.skipOidc", project.findProperty("skipOidc")!!) 12 | } 13 | if (project.hasProperty("org.gradle.jvmargs")) { 14 | systemProperty("sigstore-java.test.org.gradle.jvmargs", project.findProperty("org.gradle.jvmargs")!!) 15 | } 16 | if (project.hasProperty("skipStaging")) { 17 | systemProperty("sigstore-java.test.skipStaging", project.findProperty("skipStaging")!!) 
18 | } 19 | } 20 | -------------------------------------------------------------------------------- /build-logic/jvm/src/main/kotlin/buildlogic/BuildInfoTask.kt: -------------------------------------------------------------------------------- 1 | package buildlogic 2 | 3 | import org.gradle.api.DefaultTask 4 | import org.gradle.api.file.DirectoryProperty 5 | import org.gradle.api.file.RegularFile 6 | import org.gradle.api.provider.Property 7 | import org.gradle.api.provider.Provider 8 | import org.gradle.api.tasks.Input 9 | import org.gradle.api.tasks.InputDirectory 10 | import org.gradle.api.tasks.OutputDirectory 11 | import org.gradle.api.tasks.OutputFile 12 | import org.gradle.api.tasks.TaskAction 13 | 14 | abstract class BuildInfoTask : DefaultTask() { 15 | @get:Input 16 | abstract val packageName: Property 17 | 18 | @get:Input 19 | abstract val version: Property 20 | 21 | @get:OutputDirectory 22 | abstract val genDir: DirectoryProperty 23 | 24 | @TaskAction 25 | fun run() { 26 | val output = """ 27 | package ${packageName.get()}; 28 | 29 | public class BuildInfo { 30 | public static final String VERSION = "${version.get()}"; 31 | } 32 | """.trimIndent() 33 | val outputPath = genDir.file(packageName.get().replace(".", "/").plus("/BuildInfo.java")).get().asFile 34 | outputPath.parentFile.mkdirs() 35 | outputPath.writeText(output) 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /build-logic/jvm/src/main/kotlin/buildlogic/CopySpecExtensions.kt: -------------------------------------------------------------------------------- 1 | package buildlogic 2 | 3 | import org.apache.tools.ant.filters.FixCrLfFilter 4 | import org.gradle.api.file.CopySpec 5 | import org.gradle.kotlin.dsl.filter 6 | 7 | /** 8 | * Converts end-of-line markers in the current [CopySpec] to the given value. 9 | * See [org.apache.tools.ant.filters.FixCrLfFilter.CrLf] for the possible values of `eol`. 
10 | * See https://github.com/gradle/gradle/issues/8688. 11 | */ 12 | fun CopySpec.filterEolSimple(eol: String) { 13 | filteringCharset = "UTF-8" 14 | filter( 15 | FixCrLfFilter::class, mapOf( 16 | "eol" to FixCrLfFilter.CrLf.newInstance(eol), 17 | "fixlast" to true, 18 | "ctrlz" to FixCrLfFilter.AddAsisRemove.newInstance("asis") 19 | ) 20 | ) 21 | } 22 | -------------------------------------------------------------------------------- /build-logic/publishing/build.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | id("build-logic.kotlin-dsl-gradle-plugin") 3 | } 4 | 5 | repositories { 6 | gradlePluginPortal() 7 | } 8 | 9 | dependencies { 10 | implementation(project(":build-parameters")) 11 | implementation(project(":basics")) 12 | implementation(project(":jvm")) 13 | implementation("dev.sigstore.build-logic:gradle-plugin") 14 | implementation("dev.sigstore:sigstore-gradle-sign-plugin:1.3.0") 15 | implementation("com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin:1.3.1") 16 | } 17 | -------------------------------------------------------------------------------- /build-logic/publishing/src/main/kotlin/build-logic.java-published-library.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | id("build-logic.build-params") 3 | id("build-logic.repositories") 4 | id("build-logic.java-library") 5 | id("build-logic.reproducible-builds") 6 | id("build-logic.publish-to-central") 7 | id("build-logic.signing") 8 | } 9 | 10 | java { 11 | if (!buildParameters.skipJavadoc) { 12 | withJavadocJar() 13 | } 14 | withSourcesJar() 15 | } 16 | 17 | publishing { 18 | publications { 19 | create("mavenJava") { 20 | from(components["java"]) 21 | } 22 | } 23 | } 24 | 25 | signing.sign(publishing.publications["mavenJava"]) 26 | -------------------------------------------------------------------------------- 
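/build-logic/publishing/src/main/kotlin/build-logic.kotlin-dsl-published-gradle-plugin.gradle.kts:
--------------------------------------------------------------------------------
// Convention plugin for published Gradle plugins written with the Kotlin DSL:
// combines the plugin-publish plugin with the project's repository, Kotlin,
// reproducible-build, documentation and publishing conventions.
plugins {
    id("com.gradle.plugin-publish")
    id("build-logic.repositories")
    id("build-logic.kotlin")
    id("build-logic.kotlin-dsl-gradle-plugin")
    id("build-logic.reproducible-builds")
    id("build-logic.dokka-javadoc")
    id("build-logic.publish-to-central")
    id("build-logic.depends-on-local-sigstore-java-repo")
}

--------------------------------------------------------------------------------
/build-logic/publishing/src/main/kotlin/build-logic.signing.gradle.kts:
--------------------------------------------------------------------------------
// Signing conventions: PGP signing through Gradle's `signing` plugin plus
// Sigstore signing through `dev.sigstore.sign`.
plugins {
    id("signing")
    id("dev.sigstore.sign")
}

signing {
    // Both values are optional project properties (null when not supplied).
    // Gradle also maps the ORG_GRADLE_PROJECT_signingKey and
    // ORG_GRADLE_PROJECT_signingPassword environment variables onto them, which
    // keeps the armored private key and its passphrase out of files kept under
    // version control.
    val signingKey: String? by project
    val signingPassword: String? by project
    useInMemoryPgpKeys(signingKey, signingPassword)
}

// PGP signing tasks run only when every predicate below holds; otherwise the
// task is skipped rather than failed, so a build without -Prelease leaves its
// artifacts without PGP signatures. hasProperty() tests for presence only:
// -PskipSigning=false still skips signing.
tasks.withType<Sign>().configureEach {
    onlyIf("Is a release") {
        project.hasProperty("release")
    }
    onlyIf("Signing is not skipped") {
        !project.hasProperty("skipSigning")
    }
    onlyIf("PGP Signing is not skipped") {
        !project.hasProperty("skipPgpSigning")
    }
}

// Same gating for the Sigstore signing tasks, with their own opt-out property.
// A release pipeline that relies on these signatures should check that the
// signature files were actually produced, because a skipped task is not an error.
// NOTE(review): task type assumed to be the plugin's SigstoreSignFilesTask; confirm
// against the plugin sources.
tasks.withType<dev.sigstore.sign.tasks.SigstoreSignFilesTask>().configureEach {
    onlyIf("Is a release") {
        project.hasProperty("release")
    }
    onlyIf("Signing is not skipped") {
        !project.hasProperty("skipSigning")
    }
    onlyIf("Sigstore Signing is not skipped") {
        !project.hasProperty("skipSigstoreSigning")
    }
}

--------------------------------------------------------------------------------
/build-logic/root-build/build.gradle.kts:
--------------------------------------------------------------------------------
// The root-build module is itself a Kotlin DSL Gradle plugin project.
plugins {
    id("build-logic.kotlin-dsl-gradle-plugin")
}

--------------------------------------------------------------------------------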
/build-logic/root-build/src/main/kotlin/build-logic.root-build.gradle.kts: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sigstore/sigstore-java/0268f99de38fd208cb37ec8bf7ffe1ddf7b49ed5/build-logic/root-build/src/main/kotlin/build-logic.root-build.gradle.kts -------------------------------------------------------------------------------- /build-logic/settings.gradle.kts: -------------------------------------------------------------------------------- 1 | dependencyResolutionManagement { 2 | repositories { 3 | gradlePluginPortal() 4 | } 5 | } 6 | 7 | rootProject.name = "build-logic" 8 | 9 | includeBuild("../build-logic-commons") 10 | include("build-parameters") 11 | include("basics") 12 | include("jvm") 13 | include("publishing") 14 | include("root-build") 15 | -------------------------------------------------------------------------------- /build.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | id("build-logic.root-build") 3 | // The Kotlin Gradle plugin was loaded multiple times in different subprojects, which is not supported and may break the build. 4 | `embedded-kotlin` apply false 5 | } 6 | 7 | val calculatedVersion = property("version") as String + (if (hasProperty("release")) "" else "-SNAPSHOT") 8 | 9 | allprojects { 10 | version = calculatedVersion 11 | } 12 | 13 | val parameters by tasks.registering { 14 | group = HelpTasksPlugin.HELP_GROUP 15 | description = "Displays build parameters (i.e. -P flags) that can be used to customize the build" 16 | dependsOn(gradle.includedBuild("build-logic").task(":build-parameters:parameters")) 17 | } 18 | -------------------------------------------------------------------------------- /config/conscryptLicenseHeader: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright $YEAR The Sigstore Authors. 
3 | * Copyright 2015 The Android Open Source Project. 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * http://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | -------------------------------------------------------------------------------- /config/forbiddenApis.txt: -------------------------------------------------------------------------------- 1 | com.google.protobuf.util.JsonFormat#parser() @ Use dev.sigstore.json.ProtoJson#parser() instead 2 | -------------------------------------------------------------------------------- /config/licenseHeader: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright $YEAR The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | -------------------------------------------------------------------------------- /config/licenseHeaderRaw: -------------------------------------------------------------------------------- 1 | Copyright 2022 The Sigstore Authors. 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 14 | -------------------------------------------------------------------------------- /config/webPKILicenseHeader: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright $YEAR The Sigstore Authors. 3 | * Copyright 2006-2018 WebPKI.org (http://webpki.org). 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * http://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 
16 | */ 17 | -------------------------------------------------------------------------------- /examples/hello-world/README.md: -------------------------------------------------------------------------------- 1 | # Sigstore Examples 2 | 3 | Simple sigstore signing examples 4 | 5 | These examples sign with sigstore (and PGP as required by Maven Central) 6 | 7 | ## gradle 8 | 9 | ``` 10 | $ export ORG_GRADLE_PROJECT_signingKey=$(cat ../pgp/private.key) 11 | $ export ORG_GRADLE_PROJECT_signingPassword=pass123 12 | 13 | $ ./gradlew clean publishMavenPublicationToExamplesRepository 14 | 15 | $ ls build/example-repo/com/example/hello-world/1.0.0/*.sigstore.json 16 | hello-world-1.0.0.jar.sigstore.json 17 | hello-world-1.0.0.modules.sigstore.json 18 | hello-world-1.0.0.pom.sigstore.json 19 | ``` 20 | 21 | ## maven 22 | 23 | ``` 24 | $ export MAVEN_GPG_KEY=$(cat ../pgp/private.key) 25 | $ export MAVEN_GPG_PASSPHRASE=pass123 26 | 27 | $ mvn clean deploy 28 | 29 | $ ls target/example-repo/com/example/hello-world/1.0.0/*.sigstore.json 30 | hello-world-1.0.0.jar.sigstore.json 31 | hello-world-1.0.0.pom.sigstore.json 32 | ``` 33 | -------------------------------------------------------------------------------- /examples/hello-world/build.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | `java-library` 3 | `maven-publish` 4 | val sigstoreVersion = System.getProperty("sigstore.version") ?: "1.3.0" 5 | id("dev.sigstore.sign") version "$sigstoreVersion" 6 | signing 7 | } 8 | 9 | version = "1.0.0" 10 | group = "com.example" 11 | 12 | // required to resolve sigstore-java 13 | repositories { 14 | mavenLocal() // for testing against dev builds 15 | mavenCentral() 16 | } 17 | 18 | publishing { 19 | publications { 20 | create("maven") { 21 | from(components["java"]) 22 | } 23 | } 24 | repositories { 25 | maven { 26 | name = "examples" 27 | url = uri(layout.buildDirectory.dir("example-repo")) 28 | } 29 | } 30 | } 31 | 32 | // 
sigstore signing doesn't require additional setup in build.gradle.kts 33 | 34 | // PGP signing setup for the purposes of this example. 35 | signing { 36 | val signingKey: String? by project 37 | val signingPassword: String? by project 38 | useInMemoryPgpKeys(signingKey, signingPassword) 39 | sign(publishing.publications["maven"]) 40 | } 41 | -------------------------------------------------------------------------------- /examples/hello-world/gradle/wrapper/gradle-wrapper.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sigstore/sigstore-java/0268f99de38fd208cb37ec8bf7ffe1ddf7b49ed5/examples/hello-world/gradle/wrapper/gradle-wrapper.jar -------------------------------------------------------------------------------- /examples/hello-world/gradle/wrapper/gradle-wrapper.properties: -------------------------------------------------------------------------------- 1 | distributionBase=GRADLE_USER_HOME 2 | distributionPath=wrapper/dists 3 | distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip 4 | networkTimeout=10000 5 | validateDistributionUrl=true 6 | zipStoreBase=GRADLE_USER_HOME 7 | zipStorePath=wrapper/dists 8 | -------------------------------------------------------------------------------- /examples/hello-world/settings.gradle.kts: -------------------------------------------------------------------------------- 1 | rootProject.name = "hello-world" 2 | 3 | pluginManagement { 4 | repositories { 5 | mavenLocal() // for use in development 6 | gradlePluginPortal() 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /examples/hello-world/src/main/java/com/example/Hello.java: -------------------------------------------------------------------------------- 1 | package com.example; 2 | 3 | public class Hello { 4 | public String hello() { 5 | return "hello world"; 6 | } 7 | } 8 | 
-------------------------------------------------------------------------------- /examples/pgp/README.md: -------------------------------------------------------------------------------- 1 | ## PGP test keys for examples 2 | 3 | ``` 4 | $ gpg --quick-gen-key "Test Key (DO NOT USE) " rsa1024 sign never 5 | 6 | passphrase:pass123 7 | 8 | $ gpg --output private.key --armor --export-secret-key test@example.com 9 | $ gpg --output public.key --armor --export test@example.com 10 | ``` 11 | -------------------------------------------------------------------------------- /examples/pgp/keygen.input: -------------------------------------------------------------------------------- 1 | Key-Type: RSA 2 | Key-Length: 4096 3 | Key-Expiration: 0 4 | Name: Example Test Key 5 | Email Address: test@example.com 6 | Comment: DO NOT USE 7 | Passphrase: pass123 8 | Repeat the passphrase: pass123 9 | -------------------------------------------------------------------------------- /examples/pgp/private.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP PRIVATE KEY BLOCK----- 2 | 3 | lQIGBGa87ksBBACstX51gCUmdttBgisnx3zurn7+8hB6PnGrlZGgFBPn+SFopGCe 4 | u1cZgzMpZ67uDSXp2kxSgpCisBPYeUMLQ1WTijIo7E6mowKhBsnepa/siVeiJXP1 5 | LvvtLmQyMVDAArBcsSF4nTqb6voOuqxePvC/k0FwNIBqx0lGL9tBjg4KNwARAQAB 6 | /gcDAmxZ2B3s2wUt//cWOHgEPQQrzvTqJ3Gmx7eSlk3J7ITj62XxgtBbjyWXnPEN 7 | klWMyY7BpLWYzaJ3pVoHtLLEIAZpHkV0TUS6z6dqDqGs9RtzsYFBDGKk6BXGx6A7 8 | NLJZmMJuhyjScTNc62ul5zkFFK/51P4OE09ZTErticmD+TGxUNTO4dM2zWvb17mv 9 | 9uL3lRX94DNAO1dv6fC4dJXT8XMeuc9IKacLXCaWq0cgE+rA1gAhGmMPIqOgTC1s 10 | AKngqROhuaJhXLR/bucPVCFRc29cb42RN+ujgaw/vv0M2MGCclrlyG5ic7K0YqmJ 11 | opsf+dXm6ktCYj+bGDjm1avZ1qCb9vqpNyZ4DGFf/zBl+f7Cf2fdLpuYFUNN6VNt 12 | adL06NbSJ8LJhaloLN8W2G226Av4NhS9l69PVkEBYBwgwvGg7b1GORdi+iIsG6Z/ 13 | 3jS9xAPUgvYymIQdsNOw7Hv83F7pw/2gPPlBG7xhdfAm/uWFijtYOCC0KFRlc3Qg 14 | S2V5IChETyBOT1QgVVNFKSA8dGVzdEBleGFtcGxlLmNvbT6IzgQTAQoAOBYhBBv4 15 | 
2FTtpf8iZ6LK8WaHWakuSNF5BQJmvO5LAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B 16 | AheAAAoJEGaHWakuSNF5YicD/1bbCo0/S5dY1U3q7QNXKAGAIF28hd1tM7JMZ04q 17 | Qa56usj6+bzbCVax7CQ9ghnTYgifGOS5462KIBLzNokn/HPPRkGuac42uY67SGEV 18 | pd93ha7bqZUB3IuWLO2HKNXxN1AE0wTwTMW85sxSsGeUye9/dgQvpzPXbPLV5R4c 19 | Q7cN 20 | =sfrl 21 | -----END PGP PRIVATE KEY BLOCK----- 22 | -------------------------------------------------------------------------------- /examples/pgp/public.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP PUBLIC KEY BLOCK----- 2 | 3 | mI0EZrzuSwEEAKy1fnWAJSZ220GCKyfHfO6ufv7yEHo+cauVkaAUE+f5IWikYJ67 4 | VxmDMylnru4NJenaTFKCkKKwE9h5QwtDVZOKMijsTqajAqEGyd6lr+yJV6Ilc/Uu 5 | ++0uZDIxUMACsFyxIXidOpvq+g66rF4+8L+TQXA0gGrHSUYv20GODgo3ABEBAAG0 6 | KFRlc3QgS2V5IChETyBOT1QgVVNFKSA8dGVzdEBleGFtcGxlLmNvbT6IzgQTAQoA 7 | OBYhBBv42FTtpf8iZ6LK8WaHWakuSNF5BQJmvO5LAhsDBQsJCAcCBhUKCQgLAgQW 8 | AgMBAh4BAheAAAoJEGaHWakuSNF5YicD/1bbCo0/S5dY1U3q7QNXKAGAIF28hd1t 9 | M7JMZ04qQa56usj6+bzbCVax7CQ9ghnTYgifGOS5462KIBLzNokn/HPPRkGuac42 10 | uY67SGEVpd93ha7bqZUB3IuWLO2HKNXxN1AE0wTwTMW85sxSsGeUye9/dgQvpzPX 11 | bPLV5R4cQ7cN 12 | =vt0B 13 | -----END PGP PUBLIC KEY BLOCK----- 14 | -------------------------------------------------------------------------------- /fuzzing/build.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | id("build-logic.java") 3 | } 4 | 5 | repositories { 6 | mavenCentral() 7 | } 8 | 9 | dependencies { 10 | implementation(project(":sigstore-java")) 11 | implementation("com.code-intelligence:jazzer-api:0.24.0") 12 | implementation("com.google.guava:guava:33.4.8-jre") 13 | } 14 | 15 | // copy to the fuzzing builder's output directory. 
This is an existing directory with 16 | // files in it, so don't use sync 17 | tasks.register("copyToFuzzOut") { 18 | dependsOn(tasks.build) 19 | into(project.findProperty("fuzzOut") ?: project.layout.buildDirectory.dir("fuzzOut")) 20 | from(sourceSets.main.get().runtimeClasspath) 21 | } 22 | -------------------------------------------------------------------------------- /fuzzing/src/main/java/fuzzing/BundleReaderFuzzer.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2023 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package fuzzing; 17 | 18 | import com.code_intelligence.jazzer.api.FuzzedDataProvider; 19 | import dev.sigstore.bundle.Bundle; 20 | import dev.sigstore.bundle.BundleParseException; 21 | import java.io.StringReader; 22 | 23 | public class BundleReaderFuzzer { 24 | public static void fuzzerTestOneInput(FuzzedDataProvider data) { 25 | try { 26 | String string = data.consumeRemainingAsString(); 27 | Bundle.from(new StringReader(string)); 28 | } catch (BundleParseException | IllegalArgumentException e) { 29 | // Known exception 30 | } 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /fuzzing/src/main/java/fuzzing/BundleVerifierFuzzer.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2023 The Sigstore Authors. 
3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package fuzzing; 17 | 18 | import com.code_intelligence.jazzer.api.FuzzedDataProvider; 19 | import dev.sigstore.bundle.BundleVerifier; 20 | 21 | public class BundleVerifierFuzzer { 22 | public static void fuzzerTestOneInput(FuzzedDataProvider data) { 23 | try { 24 | String string = data.consumeRemainingAsString(); 25 | BundleVerifier.allMissingFields(string); 26 | } catch (IllegalArgumentException e) { 27 | // Known exception 28 | } 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /fuzzing/test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -eu 2 | 3 | # TODO AdamKorcz: Make the build script a gradle module 4 | 5 | # build the fuzzing classes and extract dependencies into the build/fuzzRoot 6 | BUILD_OUT="./build/fuzzRoot" 7 | 8 | for fuzzer in $(find "$BUILD_OUT" -name '*Fuzzer.class' | xargs realpath --relative-to "$BUILD_OUT"); do 9 | echo $fuzzer 10 | fuzzer_basename=$(basename -s .class $fuzzer) 11 | echo $fuzzer_basename 12 | dir_name=$(dirname $fuzzer) 13 | fuzzer_package=${dir_name//\//\.} 14 | echo $fuzzer_package 15 | fuzzer_target="${fuzzer_package}.${fuzzer_basename}" 16 | echo $fuzzer_target 17 | done 18 | -------------------------------------------------------------------------------- /gradle.properties: 
-------------------------------------------------------------------------------- 1 | org.gradle.parallel=true 2 | org.gradle.jvmargs=-XX:MaxMetaspaceSize=768m 3 | 4 | group=dev.sigstore 5 | 6 | # use the ./scripts/update_version.sh script to update all versions 7 | version=1.4.0 8 | 9 | # Kotlin Dokka is experemental, and we want silence the build warning 10 | org.jetbrains.dokka.experimental.gradle.pluginMode=V2Enabled 11 | org.jetbrains.dokka.experimental.gradle.pluginMode.noWarn=true 12 | -------------------------------------------------------------------------------- /gradle/wrapper/gradle-wrapper.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sigstore/sigstore-java/0268f99de38fd208cb37ec8bf7ffe1ddf7b49ed5/gradle/wrapper/gradle-wrapper.jar -------------------------------------------------------------------------------- /gradle/wrapper/gradle-wrapper.properties: -------------------------------------------------------------------------------- 1 | distributionBase=GRADLE_USER_HOME 2 | distributionPath=wrapper/dists 3 | distributionSha256Sum=845952a9d6afa783db70bb3b0effaae45ae5542ca2bb7929619e8af49cb634cf 4 | distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.1-bin.zip 5 | networkTimeout=10000 6 | validateDistributionUrl=true 7 | zipStoreBase=GRADLE_USER_HOME 8 | zipStorePath=wrapper/dists 9 | -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": [ 4 | "config:base" 5 | ], 6 | "labels": ["dependencies"], 7 | "schedule": ["every 3 weeks on Monday"], 8 | "packageRules": [ 9 | { 10 | "matchPackagePrefixes": ["org.immutables"], 11 | "groupName": "immutables" 12 | }, 13 | { 14 | "matchPackagePrefixes": ["org.bouncycastle"], 15 | "groupName": "bouncycastle" 16 | }, 17 | 
{ 18 | "matchPackagePrefixes": ["io.grpc", "com.google.protobuf", "com.google.api.grpc"], 19 | "groupName": "protobuf_grpc" 20 | }, 21 | { 22 | "matchPackagePrefixes": ["info.picocli"], 23 | "groupName": "picocli" 24 | }, 25 | { 26 | "matchPackagePrefixes": ["io.github.netmikey.logunit"], 27 | "groupName": "logunit" 28 | } 29 | ] 30 | } 31 | -------------------------------------------------------------------------------- /sandbox/.gitignore: -------------------------------------------------------------------------------- 1 | */build/ 2 | /.idea/* 3 | 4 | # except this icon 5 | !/.idea/icon.png 6 | -------------------------------------------------------------------------------- /sandbox/.idea/icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sigstore/sigstore-java/0268f99de38fd208cb37ec8bf7ffe1ddf7b49ed5/sandbox/.idea/icon.png -------------------------------------------------------------------------------- /sandbox/README.md: -------------------------------------------------------------------------------- 1 | # Sigstore Gradle plugin samples 2 | 3 | ## Samples 4 | 5 | * [Sign Java Library](gradle-sign-java-library) 6 | Shows the way to configure sigstore signing. 7 | 8 | Try running `./gradlew :gradle-sign-java-library:publishAllPublicationsToTmpRepository` 9 | The output will be put into `gradle-sign-java-library/build/tmp-repo` 10 | 11 | * [Sign file](gradle-sign-file) 12 | Shows the way to sign a single file via Gradle task. 13 | 14 | Try running `./gradlew :gradle-sign-file:signFile`. 15 | The output will be put into `gradle-sign-file/build/sigstore/signFile` 16 | 17 | * [Precompiled plugin](gradle-precompiled-plugin) 18 | Shows the way `dev.sigstore.sign` can be a part of a 19 | [precompiled script plugin](https://docs.gradle.org/current/userguide/custom_plugins.html#sec:precompiled_plugins). 
20 | -------------------------------------------------------------------------------- /sandbox/gradle-precompiled-plugin/build.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | `kotlin-dsl` 3 | } 4 | 5 | repositories { 6 | gradlePluginPortal() 7 | } 8 | 9 | dependencies { 10 | // dev.sigstore.sign:dev.sigstore.sign.gradle.plugin is preferable, 11 | // however Gradle does not recognize .gradle.plugin within included build, 12 | // so we use the fallback 13 | implementation("dev.sigstore:sigstore-gradle-sign-plugin") 14 | } 15 | -------------------------------------------------------------------------------- /sandbox/gradle-precompiled-plugin/src/main/kotlin/sigstore-conventions.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | id("dev.sigstore.sign") 3 | } 4 | 5 | sigstoreSign { 6 | oidcClient { 7 | gitHub() 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /sandbox/gradle-sign-file/build.gradle.kts: -------------------------------------------------------------------------------- 1 | import dev.sigstore.sign.tasks.SigstoreSignFilesTask 2 | 3 | plugins { 4 | id("java-base") 5 | id("dev.sigstore.sign-base") 6 | } 7 | 8 | group = "com.example.sigstore-gradle-sandbox" 9 | version = "1.0.0" 10 | 11 | repositories { 12 | // A repository is required for fetching sigstore-java dependencies 13 | mavenCentral() 14 | } 15 | 16 | dependencies { 17 | // Optional configuration of a sigstore-java version to use 18 | // sigstoreClientClasspath("dev.sigstore:sigstore-java:0.1.0") 19 | } 20 | 21 | val hello by tasks.registering(WriteProperties::class) { 22 | group = LifecycleBasePlugin.BUILD_GROUP 23 | description = "Generates a sample $name.properties file to sign" 24 | outputFile = layout.buildDirectory.file( 25 | "props/$name.properties" 26 | ).get().asFile 27 | property("hello", "world") 28 | } 29 | 30 | val
signFile by tasks.registering(SigstoreSignFilesTask::class) { 31 | group = LifecycleBasePlugin.BUILD_GROUP 32 | description = "Signs file via Sigstore" 33 | signFile(hello.map { it.outputFile }) 34 | } 35 | -------------------------------------------------------------------------------- /sandbox/gradle-sign-java-library/build.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | id("java-library") 3 | id("maven-publish") 4 | id("dev.sigstore.sign") 5 | } 6 | 7 | group = "com.example.sigstore-gradle-sandbox" 8 | version = "1.0.0" 9 | 10 | repositories { 11 | // A repository is required for fetching sigstore-java dependencies 12 | mavenCentral() 13 | } 14 | 15 | dependencies { 16 | // Optional configuration of a sigstore-java version to use 17 | // sigstoreClientClasspath("dev.sigstore:sigstore-java:0.1.0") 18 | } 19 | 20 | publishing { 21 | publications { 22 | create("javaLib") { 23 | from(components["java"]) 24 | } 25 | } 26 | // This creates a repository under build/ directory for inspecting the results 27 | // You could use ./gradlew publishAllPublicationsToTmpRepository to publish artifacts to the repository 28 | repositories { 29 | maven { 30 | name = "tmp" 31 | setUrl(layout.buildDirectory.dir("tmp-repo")) 32 | } 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /sandbox/gradle-sign-java-library/src/main/java/com/example/Main.java: -------------------------------------------------------------------------------- 1 | package com.example; 2 | 3 | public class Main { 4 | public static void main(String[] args) { 5 | System.out.println("Hello, world"); 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /sandbox/gradle/wrapper/gradle-wrapper.jar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/sigstore/sigstore-java/0268f99de38fd208cb37ec8bf7ffe1ddf7b49ed5/sandbox/gradle/wrapper/gradle-wrapper.jar -------------------------------------------------------------------------------- /sandbox/gradle/wrapper/gradle-wrapper.properties: -------------------------------------------------------------------------------- 1 | distributionBase=GRADLE_USER_HOME 2 | distributionPath=wrapper/dists 3 | distributionSha256Sum=845952a9d6afa783db70bb3b0effaae45ae5542ca2bb7929619e8af49cb634cf 4 | distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.1-bin.zip 5 | networkTimeout=10000 6 | validateDistributionUrl=true 7 | zipStoreBase=GRADLE_USER_HOME 8 | zipStorePath=wrapper/dists 9 | -------------------------------------------------------------------------------- /sandbox/settings.gradle.kts: -------------------------------------------------------------------------------- 1 | rootProject.name = "sigstore-sandbox" 2 | 3 | include("gradle-sign-file") 4 | include("gradle-sign-java-library") 5 | include("gradle-precompiled-plugin") 6 | 7 | // Include dev.sigstore.sign plugin 8 | includeBuild("../") 9 | -------------------------------------------------------------------------------- /settings.gradle.kts: -------------------------------------------------------------------------------- 1 | rootProject.name = "sigstore-java-root" 2 | 3 | includeBuild("build-logic-commons") 4 | includeBuild("build-logic") 5 | 6 | include("sigstore-java") 7 | include("sigstore-gradle:sigstore-gradle-sign-base-plugin") 8 | include("sigstore-gradle:sigstore-gradle-sign-plugin") 9 | include("sigstore-testkit") 10 | include("sigstore-maven-plugin") 11 | 12 | include("sigstore-cli") 13 | include("tuf-cli") 14 | 15 | include("fuzzing") 16 | -------------------------------------------------------------------------------- /sigstore-cli/README.md: -------------------------------------------------------------------------------- 1 | # Sigstore-Java CLI 2 | 3 | Used 
for conformance testing and internal processes. This is not meant for public consumption, we will not support 4 | any usecase that uses this. 5 | 6 | ## Usage 7 | 8 | ### Help 9 | ``` 10 | ./gradlew sigstore-cli:run 11 | ``` 12 | 13 | ### Sign 14 | 15 | #### bundle 16 | ``` 17 | ./gradlew sigstore-cli:run --args="sign --bundle=bundle.json " 18 | ``` 19 | 20 | #### separate cert and sig files 21 | ``` 22 | ./gradlew sigstore-cli:run --args="sign --certificate=cert.pem --signature=sig " 23 | ``` 24 | 25 | ### Verify 26 | 27 | #### bundle 28 | ``` 29 | ./gradlew sigstore-cli:run --args="verify --bundle=bundle.json " 30 | ``` 31 | 32 | #### separate cert and sig files 33 | ``` 34 | ./gradlew sigstore-cli:run --args="verify --certificate=cert.pem --signature=sig " 35 | ``` 36 | 37 | #### verify with policy 38 | ``` 39 | ./gradlew sigstore-cli:run --args="verify <...> --certificate-identity="goose@example.com" --certificate-oidc-issuer="https://accounts.example.com" " 40 | ``` 41 | -------------------------------------------------------------------------------- /sigstore-cli/build.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | id("build-logic.java") 3 | id("application") 4 | } 5 | 6 | repositories { 7 | mavenCentral() 8 | } 9 | 10 | dependencies { 11 | implementation(project(":sigstore-java")) 12 | implementation("info.picocli:picocli:4.7.6") 13 | implementation("com.google.guava:guava:33.4.8-jre") 14 | 15 | implementation(platform("com.google.oauth-client:google-oauth-client-bom:1.39.0")) 16 | implementation("com.google.oauth-client:google-oauth-client") 17 | 18 | annotationProcessor("info.picocli:picocli-codegen:4.7.6") 19 | } 20 | 21 | tasks.compileJava { 22 | options.compilerArgs.add("-Aproject=${project.group}/${project.name}") 23 | } 24 | 25 | application { 26 | mainClass.set("dev.sigstore.cli.Sigstore") 27 | } 28 | tasks.run.configure { 29 | workingDir = rootProject.projectDir 30 | } 31 | 
-------------------------------------------------------------------------------- /sigstore-cli/src/main/java/dev/sigstore/cli/Sigstore.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2023 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.cli; 17 | 18 | import picocli.CommandLine; 19 | import picocli.CommandLine.Command; 20 | import picocli.CommandLine.Model.CommandSpec; 21 | import picocli.CommandLine.Spec; 22 | 23 | @Command( 24 | name = "sigstore", 25 | mixinStandardHelpOptions = true, 26 | subcommands = {Sign.class, Verify.class}) 27 | public class Sigstore { 28 | @Spec CommandSpec spec; 29 | 30 | public static void main(String[] args) { 31 | int exitCode = new CommandLine(new Sigstore()).execute(args); 32 | System.exit(exitCode); 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /sigstore-gradle/.gitignore: -------------------------------------------------------------------------------- 1 | /*/build/ 2 | /*/out/ 3 | -------------------------------------------------------------------------------- /sigstore-gradle/sigstore-gradle-sign-base-plugin/build.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | id("build-logic.kotlin-dsl-published-gradle-plugin") 3 | id("build-logic.test-junit5") 4 | } 5 | 6 | 
description = "Gradle plugin with the base set of tasks and configurations for Sigstore singing (no signing is done by default)" 7 | 8 | dependencies { 9 | compileOnly(project(":sigstore-java")) 10 | 11 | sigstoreJavaRuntime(project(":sigstore-java")) { 12 | because("Test code needs access locally-built sigstore-java as a Maven repository") 13 | } 14 | testImplementation(project(":sigstore-testkit")) 15 | } 16 | 17 | gradlePlugin { 18 | website.set("https://github.com/sigstore/sigstore-java") 19 | vcsUrl.set("https://github.com/sigstore/sigstore-java.git") 20 | plugins { 21 | named("dev.sigstore.sign-base") { 22 | displayName = "Base tasks and configurations for signing artifacts via Sigstore" 23 | description = "The plugin provides tasks and configurations so you can wire your own Sigstore signing. " + 24 | "If you want sign everything with standard configuration, then consider dev.sigstore.sign plugin instead" 25 | tags.set(listOf("sigstore", "sign")) 26 | } 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/OidcClientConfiguration.kt: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | * 16 | */ 17 | package dev.sigstore.sign 18 | 19 | import org.gradle.api.Named 20 | 21 | interface OidcClientConfiguration : Named { 22 | /** 23 | * Creates OidcClient. The return type is [Any] 24 | * since plugin code has only `compileOnly` dependency on `sigstore-java`. 25 | */ 26 | fun build(): Any 27 | 28 | /** 29 | * Returns object that can be used to compare this configuration with another one. 30 | */ 31 | fun key(): Any 32 | } 33 | -------------------------------------------------------------------------------- /sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/services/SigstoreSigningService.kt: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | */ 17 | package dev.sigstore.sign.services 18 | 19 | import org.gradle.api.services.BuildService 20 | import org.gradle.api.services.BuildServiceParameters 21 | 22 | /** 23 | * The service enables to prevent concurrent execution of signing tasks from different projects.
24 | * 25 | */ 26 | abstract class SigstoreSigningService: BuildService { 27 | companion object { 28 | const val SERVICE_NAME = "sigstoreJavaSigningService" 29 | } 30 | 31 | interface Params: BuildServiceParameters { 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/titlecase.kt: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | * 16 | */ 17 | package dev.sigstore.sign 18 | 19 | internal fun CharSequence.titlecase(): String = when { 20 | isEmpty() -> "" 21 | else -> get(0).let { initial -> 22 | when { 23 | initial != Character.toTitleCase(initial) -> Character.toTitleCase(initial) + substring(1) 24 | else -> toString() 25 | } 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /sigstore-gradle/sigstore-gradle-sign-plugin/build.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | id("build-logic.kotlin-dsl-published-gradle-plugin") 3 | id("build-logic.test-junit5") 4 | } 5 | 6 | description = "Gradle plugin to that automatically signs all Publications in Sigstore" 7 | 8 | dependencies { 9 | api(project(":sigstore-gradle:sigstore-gradle-sign-base-plugin")) 10 | 11 | sigstoreJavaRuntime(project(":sigstore-java")) { 12 | because("Test code needs access locally-built sigstore-java as a Maven repository") 13 | } 14 | 15 | testImplementation(project(":sigstore-testkit")) 16 | } 17 | 18 | gradlePlugin { 19 | website.set("https://github.com/sigstore/sigstore-java") 20 | vcsUrl.set("https://github.com/sigstore/sigstore-java.git") 21 | plugins { 22 | named("dev.sigstore.sign") { 23 | displayName = "Sign artifacts via Sigstore" 24 | description = "The plugin signs all artifacts with Sigstore and attaches signature bundles" 25 | tags.set(listOf("sigstore", "sign")) 26 | } 27 | } 28 | } 29 | configure { 30 | repositories { 31 | maven(layout.buildDirectory.dir("tmp-repo")) { 32 | name = "tmp" 33 | } 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /sigstore-gradle/sigstore-gradle-sign-plugin/src/main/kotlin/dev.sigstore.sign.gradle.kts: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 
3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | */ 17 | plugins { 18 | id("dev.sigstore.sign-base") 19 | id("maven-publish") 20 | } 21 | 22 | plugins.withId("publishing") { 23 | sigstoreSign { 24 | sign(publications = publishing.publications) 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/KeylessSignerException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | package dev.sigstore; 17 | 18 | public class KeylessSignerException extends Exception { 19 | public KeylessSignerException(String message) { 20 | super(message); 21 | } 22 | 23 | public KeylessSignerException(String message, Throwable cause) { 24 | super(message, cause); 25 | } 26 | 27 | public KeylessSignerException(Throwable cause) { 28 | super(cause); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/KeylessVerificationException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore; 17 | 18 | public class KeylessVerificationException extends Exception { 19 | public KeylessVerificationException(String message) { 20 | super(message); 21 | } 22 | 23 | public KeylessVerificationException(String message, Throwable cause) { 24 | super(message, cause); 25 | } 26 | 27 | public KeylessVerificationException(Throwable cause) { 28 | super(cause); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/bundle/BundleParseException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2023 The Sigstore Authors. 
3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.bundle; 17 | 18 | public class BundleParseException extends Exception { 19 | public BundleParseException(String message) { 20 | super(message); 21 | } 22 | 23 | public BundleParseException(String message, Throwable cause) { 24 | super(message, cause); 25 | } 26 | 27 | public BundleParseException(Throwable cause) { 28 | super(cause); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/encryption/certificates/transparency/CTLogStore.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * Copyright 2015 The Android Open Source Project. 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * http://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 
16 | */ 17 | package dev.sigstore.encryption.certificates.transparency; 18 | 19 | public interface CTLogStore { 20 | CTLogInfo getKnownLog(byte[] logId); 21 | } 22 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/encryption/certificates/transparency/SerializationException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * Copyright 2015 The Android Open Source Project. 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * http://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | package dev.sigstore.encryption.certificates.transparency; 18 | 19 | public class SerializationException extends Exception { 20 | private static final long serialVersionUID = -5317873136664833411L; 21 | 22 | public SerializationException() {} 23 | 24 | public SerializationException(String message) { 25 | super(message); 26 | } 27 | 28 | public SerializationException(String message, Throwable cause) { 29 | super(message, cause); 30 | } 31 | 32 | public SerializationException(Throwable cause) { 33 | super(cause); 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/encryption/certificates/transparency/VerifiedSCT.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 
3 | * Copyright 2015 The Android Open Source Project. 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * http://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | package dev.sigstore.encryption.certificates.transparency; 18 | 19 | /** Verification result for a single SCT. */ 20 | public final class VerifiedSCT { 21 | public enum Status { 22 | VALID, 23 | INVALID_SIGNATURE, 24 | UNKNOWN_LOG, 25 | INVALID_SCT 26 | } 27 | 28 | public final SignedCertificateTimestamp sct; 29 | public final Status status; 30 | 31 | public VerifiedSCT(SignedCertificateTimestamp sct, Status status) { 32 | this.sct = sct; 33 | this.status = status; 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/encryption/certificates/transparency/package-info.java: -------------------------------------------------------------------------------- 1 | /** 2 | * Classes used for SCT verification. 3 | * 4 | *

This code is originally from the Conscrypt project (https://github.com/google/conscrypt) 5 | * 6 | *

The code was forked to remove architecture native dependencies. Those code paths were 7 | * reimplemented in Java (using bouncy castle primitives). 8 | * 9 | *

We also remove the code that deals with OCSP and TLS modes for SCTs certs because we don't 10 | * care about or use those. 11 | * 12 | * @see 14 | * certificate transparency directory at commit 86ff4e3fd4b6b3bb76a7ec0e91290384401ccbf3 15 | */ 16 | package dev.sigstore.encryption.certificates.transparency; 17 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/forbidden/SuppressForbidden.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2025 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.forbidden; 17 | 18 | import java.lang.annotation.ElementType; 19 | import java.lang.annotation.Retention; 20 | import java.lang.annotation.RetentionPolicy; 21 | import java.lang.annotation.Target; 22 | 23 | /** 24 | * Annotation to suppress forbidden apis errors. Try to scope this as tightly as possible to the 25 | * class, method or field in question. 
26 | */ 27 | @Retention(RetentionPolicy.CLASS) 28 | @Target({ElementType.CONSTRUCTOR, ElementType.FIELD, ElementType.METHOD, ElementType.TYPE}) 29 | public @interface SuppressForbidden { 30 | String reason(); 31 | } 32 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/fulcio/client/FulcioClient.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.fulcio.client; 17 | 18 | import java.net.URI; 19 | import java.security.cert.CertPath; 20 | import java.security.cert.CertificateException; 21 | 22 | /** A client to communicate with a fulcio service instance. */ 23 | public interface FulcioClient { 24 | URI PUBLIC_GOOD_URI = URI.create("https://fulcio.sigstore.dev"); 25 | URI STAGING_URI = URI.create("https://fulcio.sigstage.dev"); 26 | 27 | CertPath signingCertificate(CertificateRequest request) 28 | throws InterruptedException, CertificateException; 29 | } 30 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/fulcio/client/FulcioVerificationException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 
3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.fulcio.client; 17 | 18 | public class FulcioVerificationException extends Exception { 19 | public FulcioVerificationException(String message) { 20 | super(message); 21 | } 22 | 23 | public FulcioVerificationException(String message, Throwable cause) { 24 | super(message, cause); 25 | } 26 | 27 | public FulcioVerificationException(Throwable cause) { 28 | super(cause); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/fulcio/client/UnsupportedAlgorithmException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | package dev.sigstore.fulcio.client; 17 | 18 | import java.util.Arrays; 19 | import java.util.Set; 20 | 21 | public class UnsupportedAlgorithmException extends Exception { 22 | public UnsupportedAlgorithmException(Set allowedAlgorithms, String algorithm) { 23 | super( 24 | algorithm 25 | + " is not from supported list of " 26 | + Arrays.toString(allowedAlgorithms.toArray())); 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/json/ProtoJson.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2025 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.json; 17 | 18 | import com.google.protobuf.util.JsonFormat; 19 | import dev.sigstore.forbidden.SuppressForbidden; 20 | 21 | /** Use this instead of JsonFormat to pick up default formatter options for sigstore-java. 
*/ 22 | public class ProtoJson { 23 | 24 | /** Default parser for sigstore-java JSON: {@code JsonFormat.parser()} with {@code ignoringUnknownFields()} set, so fields the target message does not define are skipped instead of failing the parse. Input is therefore not rejected for carrying extra fields; validation has to be done on the parsed message. */ 25 | @SuppressForbidden(reason = "JsonFormat#parser") 26 | public static JsonFormat.Parser parser() { 27 | return JsonFormat.parser().ignoringUnknownFields(); 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/json/canonicalizer/package-info.java: -------------------------------------------------------------------------------- 1 | /** 2 | * This package is forked from 3 | * https://github.com/cyberphone/json-canonicalization/tree/master/java/canonicalizer. 4 | * 5 | *

The reason for the fork is to deal with the fact TUF isn't canonicalizing to the spec but 6 | * rather to OLPC. Slack 7 | * thread and related 8 | * issue. 9 | * 10 | *

There is just a minor edit to {@link dev.sigstore.json.canonicalizer.JsonCanonicalizer} line 11 | * 43. 12 | */ 13 | package dev.sigstore.json.canonicalizer; 14 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/oidc/client/OidcClient.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.oidc.client; 17 | 18 | import java.util.Map; 19 | 20 | public interface OidcClient { 21 | 22 | /** 23 | * Determine if this client can be used in the current environment. For example, we can ignore 24 | * Oidc Clients that are scoped to a specific CI environment 25 | * 26 | * @param env the configured system environment 27 | * @return true if we should use credentials from this client 28 | */ 29 | boolean isEnabled(Map env); 30 | 31 | OidcToken getIDToken(Map env) throws OidcException; 32 | } 33 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/oidc/client/OidcException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 
3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.oidc.client; 17 | 18 | public class OidcException extends Exception { 19 | public OidcException(String message) { 20 | super(message); 21 | } 22 | 23 | public OidcException(String message, Throwable cause) { 24 | super(message, cause); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/oidc/client/OidcToken.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.oidc.client; 17 | 18 | import org.immutables.value.Value; 19 | 20 | /** A token from a provider with both openid and email scope claims. 
*/ 21 | @Value.Immutable 22 | public interface OidcToken { 23 | /** The subject or email claim from the token to include in the SAN on the certificate. */ 24 | String getSubjectAlternativeName(); 25 | 26 | /** The issuer of the id token. */ 27 | String getIssuer(); 28 | 29 | /** The full oidc token obtained from the provider. This is a bearer credential: {@code @Value.Redacted} keeps it out of the generated {@code toString()}, but this getter still returns it in full, so the returned value should not be logged. */ 30 | @Value.Redacted 31 | String getIdToken(); 32 | } 33 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/rekor/client/RekorParseException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2023 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.rekor.client; 17 | 18 | public class RekorParseException extends Exception { 19 | public RekorParseException(String message) { 20 | super(message); 21 | } 22 | 23 | public RekorParseException(String message, Throwable cause) { 24 | super(message, cause); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/rekor/client/RekorTypeException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 
3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.rekor.client; 17 | 18 | public class RekorTypeException extends Exception { 19 | public RekorTypeException(String message) { 20 | super(message); 21 | } 22 | 23 | public RekorTypeException(String message, Throwable reason) { 24 | super(message, reason); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/rekor/client/RekorVerificationException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | package dev.sigstore.rekor.client; 17 | 18 | public class RekorVerificationException extends Exception { 19 | public RekorVerificationException(String message) { 20 | super(message); 21 | } 22 | 23 | public RekorVerificationException(String message, Throwable cause) { 24 | super(message, cause); 25 | } 26 | 27 | public RekorVerificationException(Throwable cause) { 28 | super(cause); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/strings/RegexSyntaxException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2024 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.strings; 17 | 18 | /** Check exception wrapper around {@link java.util.regex.PatternSyntaxException}. */ 19 | public class RegexSyntaxException extends Exception { 20 | public RegexSyntaxException(String message, Throwable cause) { 21 | super(message, cause); 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/timestamp/client/TimestampClient.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2025 The Sigstore Authors. 
3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.timestamp.client; 17 | 18 | /** A client to communicate with a timestamp service instance. */ 19 | public interface TimestampClient { 20 | /** 21 | * Request a timestamp from a timestamp authority. 22 | * 23 | * @param tsReq a structured request for a timestamp 24 | * @return a {@link TimestampResponse} from the timestamp authority 25 | */ 26 | TimestampResponse timestamp(TimestampRequest tsReq) throws TimestampException; 27 | } 28 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/timestamp/client/TimestampException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2025 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | package dev.sigstore.timestamp.client; 17 | 18 | public class TimestampException extends Exception { 19 | public TimestampException(String message) { 20 | super(message); 21 | } 22 | 23 | public TimestampException(String message, Throwable cause) { 24 | super(message, cause); 25 | } 26 | 27 | public TimestampException(Throwable cause) { 28 | super(cause); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/timestamp/client/TimestampVerificationException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2025 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | package dev.sigstore.timestamp.client; 17 | 18 | public class TimestampVerificationException extends Exception { 19 | public TimestampVerificationException(String message) { 20 | super(message); 21 | } 22 | 23 | public TimestampVerificationException(String message, Throwable cause) { 24 | super(message, cause); 25 | } 26 | 27 | public TimestampVerificationException(Throwable cause) { 28 | super(cause); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/timestamp/client/UnsupportedHashAlgorithmException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2025 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.timestamp.client; 17 | 18 | public class UnsupportedHashAlgorithmException extends Exception { 19 | public UnsupportedHashAlgorithmException(String algorithm) { 20 | super("Unsupported hash algorithm: " + algorithm); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/trustroot/LogId.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2023 The Sigstore Authors. 
3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.trustroot; 17 | 18 | import org.immutables.value.Value.Immutable; 19 | 20 | @Immutable 21 | public interface LogId { 22 | byte[] getKeyId(); 23 | 24 | static LogId from(dev.sigstore.proto.common.v1.LogId proto) { 25 | return ImmutableLogId.builder().keyId(proto.getKeyId().toByteArray()).build(); 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/trustroot/SigstoreConfigurationException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2025 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | package dev.sigstore.trustroot; 17 | 18 | public class SigstoreConfigurationException extends Exception { 19 | public SigstoreConfigurationException(String message) { 20 | super(message); 21 | } 22 | 23 | public SigstoreConfigurationException(String message, Throwable cause) { 24 | super(message, cause); 25 | } 26 | 27 | public SigstoreConfigurationException(Throwable cause) { 28 | super(cause); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/trustroot/Subject.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2023 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | package dev.sigstore.trustroot; 17 | 18 | import dev.sigstore.proto.common.v1.DistinguishedName; 19 | import org.immutables.value.Value.Immutable; 20 | 21 | @Immutable 22 | public interface Subject { 23 | String getOrganization(); 24 | 25 | String getCommonName(); 26 | 27 | static Subject from(DistinguishedName proto) { 28 | return ImmutableSubject.builder() 29 | .commonName(proto.getCommonName()) 30 | .organization(proto.getOrganization()) 31 | .build(); 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/tuf/Fetcher.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2024 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.tuf; 17 | 18 | import java.io.IOException; 19 | 20 | public interface Fetcher { 21 | 22 | String getSource(); 23 | 24 | byte[] fetchResource(String filename, int maxLength) 25 | throws IOException, FileExceedsMaxLengthException; 26 | } 27 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/tuf/FileNotFoundException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 
3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.tuf; 17 | 18 | import java.util.Locale; 19 | 20 | /** Thrown when a metadata resource was unexpectedly missing. Distinct from {@code java.io.FileNotFoundException}: this type extends {@link TufException}. */ 21 | public class FileNotFoundException extends TufException { 22 | 23 | public FileNotFoundException(String fileName, String source) { 24 | super(String.format(Locale.ROOT, "file (%s) was not found at source (%s).", fileName, source)); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/tuf/RootProvider.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2023 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | package dev.sigstore.tuf; 17 | 18 | import com.google.common.io.Resources; 19 | import java.io.IOException; 20 | import java.nio.charset.StandardCharsets; 21 | import java.nio.file.Files; 22 | import java.nio.file.Path; 23 | 24 | /** An interface for providing the tuf root to a client. */ 25 | @FunctionalInterface 26 | public interface RootProvider { 27 | String get() throws IOException; 28 | 29 | static RootProvider fromResource(String resourceName) { 30 | return () -> Resources.toString(Resources.getResource(resourceName), StandardCharsets.UTF_8); 31 | } 32 | 33 | static RootProvider fromFile(Path path) { 34 | return () -> Files.readString(path); 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/tuf/SnapshotTargetMissingException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | package dev.sigstore.tuf; 17 | 18 | import java.util.Locale; 19 | 20 | /** Thrown when a snapshot target is missing from an updated snapshot.json. NOTE(review): presumably raised when an entry the client already trusts is absent from the newer snapshot; confirm at the throw site. */ public class SnapshotTargetMissingException extends TufException { 21 | /** Builds the message from {@code targetName}, the name of the missing snapshot target; it is formatted into the message as given. */ public SnapshotTargetMissingException(String targetName) { 22 | super( 23 | String.format( 24 | Locale.ROOT, 25 | "Snapshot target [%s] was missing from updated snapshot.json", 26 | targetName)); 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/tuf/SnapshotTargetVersionException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License.
15 | */ 16 | package dev.sigstore.tuf; 17 | 18 | import java.util.Locale; 19 | 20 | /** Thrown when an updated target's version is lower than the current version, i.e. not equal to or greater than it. NOTE(review): this reads as the signal for a version rollback in updated metadata; confirm at the throw site that the update is rejected and not retried with the older data. */ public class SnapshotTargetVersionException extends TufException { 21 | /** Builds the message from the target name, the rejected version ({@code invalidVersion}) and the version currently held ({@code currentVersion}). */ public SnapshotTargetVersionException(String targetName, int invalidVersion, int currentVersion) { 22 | super( 23 | String.format( 24 | Locale.ROOT, 25 | "The updated target [%s] version [%d] is not equal to or greater than the current version [%d].", 26 | targetName, 27 | invalidVersion, 28 | currentVersion)); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/tuf/SnapshotVersionMismatchException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License.
15 | */ 16 | package dev.sigstore.tuf; 17 | 18 | import java.util.Locale; 19 | 20 | /** Thrown when the snapshot's version does not match the version given by the Timestamp resource. */ public class SnapshotVersionMismatchException extends TufException { 21 | /** Builds the message. Note the order: the parameters are (expected, actual), but the message prints the actual snapshot version first and the expected (Timestamp) version second. */ public SnapshotVersionMismatchException(int expectedVersion, int actualVersion) { 22 | super( 23 | String.format( 24 | Locale.ROOT, 25 | "Snapshot version (%d) did not match Timestamp resource (%d)", 26 | actualVersion, 27 | expectedVersion)); 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/tuf/TargetMetadataMissingException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.tuf; 17 | 18 | import java.util.Locale; 19 | 20 | /** Thrown when a target has no metadata. NOTE(review): presumably the target name was not listed in the trusted targets metadata; confirm at the throw site. */ public class TargetMetadataMissingException extends TufException { 21 | /** Builds the message from {@code targetName}, which is formatted into the message as given. */ public TargetMetadataMissingException(String targetName) { 22 | super(String.format(Locale.ROOT, "The target (%s) has no metadata", targetName)); 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/tuf/TufException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors.
3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.tuf; 17 | 18 | /** Catch-all TUF exception. It extends {@link RuntimeException}, so it is unchecked: the compiler does not force callers to handle a failed TUF operation, and code that must fail closed has to catch it (or let it propagate) deliberately. */ 19 | public class TufException extends RuntimeException { 20 | /** Creates the exception with the given detail message. */ public TufException(String message) { 21 | super(message); 22 | } 23 | 24 | /** Creates the exception wrapping {@code cause}. */ public TufException(Throwable cause) { 25 | super(cause); 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/tuf/model/Hashes.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.tuf.model; 17 | 18 | import javax.annotation.Nullable; 19 | import org.immutables.gson.Gson; 20 | import org.immutables.value.Value; 21 | 22 | /** The Hash values for some given thing.
*/ 23 | @Gson.TypeAdapters 24 | @Value.Immutable 25 | public interface Hashes { 26 | 27 | /** SHA-256 hash of the thing; may be null, since the getter is {@code @Nullable}. NOTE(review): both hash getters are nullable, so an instance may carry neither hash; whether a verifier treats that as a failure is not visible in this type. */ 28 | @Nullable 29 | String getSha256(); 30 | 31 | /** SHA-512 hash of the thing; may be null, since the getter is {@code @Nullable}. */ 32 | @Nullable 33 | String getSha512(); 34 | } 35 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/tuf/model/Role.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.tuf.model; 17 | 18 | import java.util.List; 19 | 20 | /** 21 | * TUF uses roles to define the set of actions a party can perform. The concept of roles allows TUF 22 | * to only trust information provided by the correctly designated party. The root role indicates 23 | * which roles can sign for which projects. 24 | * 25 | * @see TUF Role docs 26 | */ 27 | public interface Role { 28 | 29 | /** The key IDs trusted for this role. */ 30 | List getKeyids(); 31 | 32 | /** The minimum number of keys required to trust this role's metadata.
*/ 33 | int getThreshold(); 34 | } 35 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/tuf/model/Root.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.tuf.model; 17 | 18 | import com.google.common.base.Preconditions; 19 | import org.immutables.gson.Gson; 20 | import org.immutables.value.Value; 21 | import org.immutables.value.Value.Derived; 22 | 23 | /** Signed envelope of the Root metadata. */ 24 | @Gson.TypeAdapters 25 | @Value.Immutable 26 | public interface Root extends SignedTufMeta { 27 | /** The signed payload viewed as {@link RootMeta}, obtained from {@code getSignedMeta(RootMeta.class)}. It is a derived attribute and is marked {@code @Gson.Ignore}, so it is not a JSON field of its own. */ @Override 28 | @Gson.Ignore 29 | @Derived 30 | default RootMeta getSignedMeta() { 31 | return getSignedMeta(RootMeta.class); 32 | } 33 | 34 | /** Immutables check hook: fails with {@code IllegalStateException} (no message is supplied) unless the signed payload's type is exactly {@code "root"}. This is a type check only; it does not verify signatures, thresholds or expiry. */ @Value.Check 35 | default void checkType() { 36 | Preconditions.checkState(getSignedMeta().getType().equals("root")); 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/tuf/model/RootRole.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.tuf.model; 17 | 18 | import org.immutables.gson.Gson; 19 | import org.immutables.value.Value; 20 | 21 | /** 22 | * Represents the {@link Role} type as contained in the Root list of Roles. 23 | * 24 | *

This concrete class exists for GSON serialization reasons. GSON won't allow {@link 25 | * DelegationRole} and {@link Role} to both be JSON serializable since {@link DelegationRole} 26 | * extends {@link Role}. 27 | */ 28 | @Gson.TypeAdapters 29 | @Value.Immutable 30 | public interface RootRole extends Role { 31 | /** Role-name constants; as interface fields they are implicitly {@code public static final}. NOTE(review): presumably these are the names of the four top-level roles as they appear in root metadata; confirm against the code that looks roles up by name. */ String ROOT = "root"; 32 | String SNAPSHOT = "snapshot"; 33 | String TIMESTAMP = "timestamp"; 34 | String TARGETS = "targets"; 35 | } 36 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/tuf/model/Signature.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.tuf.model; 17 | 18 | import org.immutables.gson.Gson; 19 | import org.immutables.value.Value; 20 | 21 | /** Represents a signature for a {@code Role}.
*/ 22 | @Gson.TypeAdapters 23 | @Value.Immutable 24 | public interface Signature { 25 | 26 | /** The key ID; mapped to the JSON field {@code "keyid"}. It is a plain string taken from the metadata, so it only names a key and proves nothing until the signature is verified against a key the client already trusts. */ 27 | @Gson.Named("keyid") 28 | String getKeyId(); 29 | 30 | /** A hex-encoded signature of the canonical form of the metadata for {@code Role}; mapped to the JSON field {@code "sig"}. Nothing in this type checks that the string is valid hex or verifies the signature. */ 31 | @Gson.Named("sig") 32 | String getSignature(); 33 | } 34 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/tuf/model/Snapshot.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.tuf.model; 17 | 18 | import com.google.common.base.Preconditions; 19 | import org.immutables.gson.Gson; 20 | import org.immutables.value.Value; 21 | import org.immutables.value.Value.Derived; 22 | 23 | /** Signed envelope of the Snapshot metadata.
*/ 24 | @Gson.TypeAdapters 25 | @Value.Immutable 26 | public interface Snapshot extends SignedTufMeta { 27 | /** The signed payload viewed as {@link SnapshotMeta}, obtained from {@code getSignedMeta(SnapshotMeta.class)}. It is a derived attribute and is marked {@code @Gson.Ignore}, so it is not a JSON field of its own. */ @Override 28 | @Derived 29 | @Gson.Ignore 30 | default SnapshotMeta getSignedMeta() { 31 | return getSignedMeta(SnapshotMeta.class); 32 | } 33 | 34 | /** Immutables check hook: fails with {@code IllegalStateException} (no message is supplied) unless the signed payload's type is exactly {@code "snapshot"}. This is a type check only; it does not verify signatures, versions or expiry. */ @Value.Check 35 | default void checkType() { 36 | Preconditions.checkState(getSignedMeta().getType().equals("snapshot")); 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/tuf/model/Targets.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.tuf.model; 17 | 18 | import com.google.common.base.Preconditions; 19 | import org.immutables.gson.Gson; 20 | import org.immutables.value.Value; 21 | import org.immutables.value.Value.Derived; 22 | 23 | /** Signed envelope of the Targets metadata.
*/ 24 | @Gson.TypeAdapters 25 | @Value.Immutable 26 | public interface Targets extends SignedTufMeta { 27 | /** The signed payload viewed as {@link TargetMeta}, obtained from {@code getSignedMeta(TargetMeta.class)}. It is a derived attribute and is marked {@code @Gson.Ignore}, so it is not a JSON field of its own. */ @Override 28 | @Derived 29 | @Gson.Ignore 30 | default TargetMeta getSignedMeta() { 31 | return getSignedMeta(TargetMeta.class); 32 | } 33 | 34 | /** Immutables check hook: fails with {@code IllegalStateException} (no message is supplied) unless the signed payload's type is exactly {@code "targets"}. This is a type check only; it does not verify signatures, hashes or expiry. */ @Value.Check 35 | default void checkType() { 36 | Preconditions.checkState(getSignedMeta().getType().equals("targets")); 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /sigstore-java/src/main/java/dev/sigstore/tuf/model/Timestamp.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.tuf.model; 17 | 18 | import com.google.common.base.Preconditions; 19 | import org.immutables.gson.Gson; 20 | import org.immutables.value.Value; 21 | import org.immutables.value.Value.Derived; 22 | 23 | /** Signed envelope of the Timestamp metadata.
*/ 24 | @Gson.TypeAdapters 25 | @Value.Immutable 26 | public interface Timestamp extends SignedTufMeta { 27 | 28 | @Override 29 | @Derived 30 | @Gson.Ignore 31 | default TimestampMeta getSignedMeta() { 32 | return getSignedMeta(TimestampMeta.class); 33 | } 34 | 35 | @Value.Check 36 | default void checkType() { 37 | Preconditions.checkState(getSignedMeta().getType().equals("timestamp")); 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /sigstore-java/src/main/proto/google/api/README.md: -------------------------------------------------------------------------------- 1 | These files are copied from https://github.com/googleapis/googleapis/ because the pre-compiled 2 | version of these available from https://github.com/googleapis/api-common-protos as 3 | `com.google.api.grpc:proto-google-common-protos` has gone out of date and I can't tell if there's 4 | any intention of keeping it up to date. We require `field_behavior.proto` for 5 | `dev.sigstore:protobuf-specs` and {`annotations.proto`, `field_behavior.proto`, `http.proto`} 6 | for `fulcio.proto`. This change is currently required to keep our dependencies up to date. Newer 7 | protobuf tools don't work with the very old `proto-google-common-protos` dependency. 8 | 9 | The main issue with including these protos here is that a consumer of `sigstore-java` importing 10 | the same protos from another library might experience a dependency clash. 11 | -------------------------------------------------------------------------------- /sigstore-java/src/main/proto/google/api/annotations.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License.
5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | syntax = "proto3"; 16 | 17 | package google.api; 18 | 19 | import "google/api/http.proto"; 20 | import "google/protobuf/descriptor.proto"; 21 | 22 | option go_package = "google.golang.org/genproto/googleapis/api/annotations;annotations"; 23 | option java_multiple_files = true; 24 | option java_outer_classname = "AnnotationsProto"; 25 | option java_package = "com.google.api"; 26 | option objc_class_prefix = "GAPI"; 27 | 28 | extend google.protobuf.MethodOptions { 29 | // See `HttpRule`. 30 | HttpRule http = 72295728; 31 | } 32 | -------------------------------------------------------------------------------- /sigstore-java/src/main/resources/dev/sigstore/tuf/.editorconfig: -------------------------------------------------------------------------------- 1 | # don't add a final newline to TUF JSON resource files, as changing their bytes will break integrity checks 2 | [*.json] 3 | insert_final_newline = false 4 | -------------------------------------------------------------------------------- /sigstore-java/src/main/resources/dev/sigstore/tuf/README.md: -------------------------------------------------------------------------------- 1 | # TUF Store 2 | 3 | Seed roots for the Sigstore public good and staging instances. 4 | -------------------------------------------------------------------------------- /sigstore-java/src/test/java/dev/sigstore/oidc/client/OidcTokenTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2024 The Sigstore Authors.
3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | package dev.sigstore.oidc.client; 17 | 18 | import org.junit.jupiter.api.Assertions; 19 | import org.junit.jupiter.api.Test; 20 | 21 | /** Tests for the string form of an OIDC token value. */ public class OidcTokenTest { 22 | 23 | /** Pins {@code toString()} to exactly the subject alternative name and the issuer. The token is built with {@code idToken("secret")}, and the expected string contains no idToken field, so the raw ID token would not end up in logs or exception text that print the object. */ @Test 24 | public void test_redacted() { 25 | var testToken = 26 | ImmutableOidcToken.builder() 27 | .issuer("issuer") 28 | .idToken("secret") 29 | .subjectAlternativeName("name") 30 | .build(); 31 | Assertions.assertEquals( 32 | "OidcToken{subjectAlternativeName=name, issuer=issuer}", testToken.toString()); 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /sigstore-java/src/test/java/dev/sigstore/testing/grpc/GrpcTypes.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License.
15 | */ 16 | package dev.sigstore.testing.grpc; 17 | 18 | import dev.sigstore.fulcio.v2.CertificateChain; 19 | import java.util.List; 20 | 21 | /** Test helper for building Fulcio gRPC types. */ public class GrpcTypes { 22 | /** Splits a PEM bundle into one string per certificate and returns them as a {@code CertificateChain}. The split is a zero-width lookbehind on the END marker, so each piece keeps its own END line. NOTE(review): any text after the last END marker (for example a trailing newline) becomes one more, non-certificate entry, and every piece after the first starts with the newline that separated it from the previous one; confirm that the code receiving this chain tolerates both. */ public static CertificateChain PemToCertificateChain(String pemCertChain) { 23 | var builder = CertificateChain.newBuilder(); 24 | var certs = pemCertChain.split("(?<=-----END CERTIFICATE-----)"); 25 | builder.addAllCertificates(List.of(certs)); 26 | return builder.build(); 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /sigstore-java/src/test/java/dev/sigstore/tuf/HttpFetcherTest.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2023 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License.
15 | */ 16 | package dev.sigstore.tuf; 17 | 18 | import java.net.URL; 19 | import org.junit.jupiter.api.Assertions; 20 | import org.junit.jupiter.params.ParameterizedTest; 21 | import org.junit.jupiter.params.provider.CsvSource; 22 | 23 | class HttpFetcherTest { 24 | 25 | @ParameterizedTest 26 | @CsvSource({"http://example.com", "http://example.com/"}) 27 | public void newFetcher_urlNoTrailingSlash(String url) throws Exception { 28 | var fetcher = HttpFetcher.newFetcher(new URL(url)); 29 | Assertions.assertEquals("http://example.com/", fetcher.getSource()); 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/oidc/server/config.json: -------------------------------------------------------------------------------- 1 | { 2 | "tokenProvider" : { 3 | "keyProvider" : { 4 | "initialKeys" : "{\"alg\": \"ES256\",\"kty\": \"EC\",\"d\": \"o9INzHyU_I97djF36YQRpHCJxFTgDTbS1OtwUnHc34U\",\"use\":\"sig\",\"crv\": \"P-256\",\"kid\": \"test-default\",\"x\": \"umybCYzE-VX_UAIJaX3wc-GTOgB7WDp7A3JJAKW_hqU\",\"y\": \"m_sCzuMjiBSQ7At9yNktMQvE1cCKq68jO7wnRczwKw8\"}", 5 | "algorithm" : "ES256" 6 | } 7 | }, 8 | "tokenCallbacks" : [ 9 | { 10 | "issuerId": "test-default", 11 | "tokenExpiry": 120, 12 | "requestMappings": [ 13 | { 14 | "requestParam": "scope", 15 | "match": "openid email", 16 | "claims": { 17 | "audience": "sigstore", 18 | "email": "test.person@test.com", 19 | "email_verified": true 20 | } 21 | } 22 | ] 23 | }] 24 | } -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/bundles/artifact.txt: -------------------------------------------------------------------------------- 1 | DO NOT MODIFY ME! 2 | 3 | this is "a.txt", a sample input for sigstore-conformance's test suite. 4 | 5 | DO NOT MODIFY ME! 
6 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/certificatetransparency/cert-key.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIICWwIBAAKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/BH634c4VyVui+A7k 3 | WL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWkEM2cW9tdSSdyba8X 4 | EPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWwFAn/Xdh+tQIDAQAB 5 | AoGAK/daG0vt6Fkqy/hdrtSJSKUVRoGRmS2nnba4Qzlwzh1+x2kdbMFuaOu2a37g 6 | PvmeQclheKZ3EG1+Jb4yShwLcBCV6pkRJhOKuhvqGnjngr6uBH4gMCjpZVj7GDMf 7 | flYHhdJCs3Cz/TY0wKN3o1Fldil2DHR/AEOc1nImeSp5/EUCQQDjKS3W957kYtTU 8 | X5BeRjvg03Ug8tJq6IFuhTFvUJ+XQ5bAc0DmxAbQVKqRS7Wje59zTknVvS+MFdeQ 9 | pz4dGuV7AkEA1y0X2yarIls+0A/S1uwkvwRTIkfS+QwFJ1zVya8sApRdKAcidIzA 10 | b70hkKLilU9+LrXg5iZdFp8l752qJiw9jwJAXjItN/7mfH4fExGto+or2kbVQxxt 11 | 9LcFNPc2UJp2ExuL37HrL8YJrUnukOF8KJaSwBWuuFsC5GwKP4maUCdfEQJAUwBR 12 | 83c3DEmmMRvpeH4erpA8gTyzZN3+HvDwhpvLnjMcvBQEdnDUykVqbSBnxrCjO+Fs 13 | n1qtDczWFVf8Cj2GgQJAQ14Awx32Cn9sF+3M+sEVtlAf6CqiEbkYeYdSCbsplMmZ 14 | 1UoaxiwXY3z+B7epsRnnPR3KaceAlAxw2/zQJMFNOQ== 15 | -----END RSA PRIVATE KEY----- 16 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/certificatetransparency/ct-server-key-public.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmXg8sUUzwBYaWrRb+V0IopzQ6o3U 3 | yEJ04r5ZrRXGdpYM8K+hB0pXrGRLI0eeWz+3skXrS0IO83AhA3GpRL6s6w== 4 | -----END PUBLIC KEY----- 5 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/certs/cert-single.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | 
MIICDDCCAZOgAwIBAgIUAIvUkAVYOwDVHphHIn5N5NzIYSIwCgYIKoZIzj0EAwMw 3 | KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y 4 | MjA0MTUxODE5MDlaFw0yMjA0MTUxODI5MDhaMAAwWTATBgcqhkjOPQIBBggqhkjO 5 | PQMBBwNCAARghXRYr4TadV+uo3OsmalnfR/ecBv1XN+wox1JnGP98hQGOwH9KlmB 6 | JGgJAqseoT1E1bHuJdjd1rFYjaz40epbo4HAMIG9MA4GA1UdDwEB/wQEAwIHgDAT 7 | BgNVHSUEDDAKBggrBgEFBQcDAzAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSKGqxF 8 | +53UeDOrzntfWQitFvTqWzAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQKsXF 9 | +jAdBgNVHREBAf8EEzARgQ9hcHB1QGdvb2dsZS5jb20wKQYKKwYBBAGDvzABAQQb 10 | aHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tMAoGCCqGSM49BAMDA2cAMGQCMEQl 11 | cTYSVsDN7CEbdVuHzkFuyAyex3rmpeN7+PKxE3EwaXqNbAP2UNwzfhS8W/Gh6AIw 12 | JwY+/cXCVdouT9J9nU6lJJiT59v+7HBpC7NLqn4mR36UyjEgCR8TSLWv1P5Jcw0+ 13 | -----END CERTIFICATE----- 14 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/certs/cert.der: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sigstore/sigstore-java/0268f99de38fd208cb37ec8bf7ffe1ddf7b49ed5/sigstore-java/src/test/resources/dev/sigstore/samples/certs/cert.der -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/checkpoints/error_header_body_separator.txt: -------------------------------------------------------------------------------- 1 | rekor.sigstore.dev - 2605736670972794746 2 | 37795272 3 | 60ll7idWI1jYRZzxc+jKflYoW+4jWxgZaGR15ASsWt4= 4 | Timestamp: 1697034484441201852 5 | — rekor.sigstore.dev wNI9ajBGAiEAlWUH2HSPa6IMIRBgFcIXph3Mj9xM70WR0VVADvGIl/oCIQCgfvUUjR/X5jewlqpAWI8NuJIicKpTG64vo6UM5fpSgQ== 6 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/checkpoints/error_header_count.txt: -------------------------------------------------------------------------------- 1 | 
rekor.sigstore.dev - 2605736670972794746 2 | 37795272 3 | 4 | — rekor.sigstore.dev wNI9ajBGAiEAlWUH2HSPa6IMIRBgFcIXph3Mj9xM70WR0VVADvGIl/oCIQCgfvUUjR/X5jewlqpAWI8NuJIicKpTG64vo6UM5fpSgQ== 5 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/checkpoints/error_no_newline_after_signature.txt: -------------------------------------------------------------------------------- 1 | rekor.sigstore.dev - 2605736670972794746 2 | 37795272 3 | 60ll7idWI1jYRZzxc+jKflYoW+4jWxgZaGR15ASsWt4= 4 | Timestamp: 1697034484441201852 5 | 6 | — rekor.sigstore.dev wNI9ajBGAiEAlWUH2HSPa6IMIRBgFcIXph3Mj9xM70WR0VVADvGIl/oCIQCgfvUUjR/X5jewlqpAWI8NuJIicKpTG64vo6UM5fpSgQ== -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/checkpoints/error_no_signatures.txt: -------------------------------------------------------------------------------- 1 | rekor.sigstore.dev - 2605736670972794746 2 | 37795272 3 | 60ll7idWI1jYRZzxc+jKflYoW+4jWxgZaGR15ASsWt4= 4 | Timestamp: 1697034484441201852 5 | 6 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/checkpoints/error_not_a_number.txt: -------------------------------------------------------------------------------- 1 | rekor.sigstore.dev - 2605736670972794746 2 | abcdefg 3 | 60ll7idWI1jYRZzxc+jKflYoW+4jWxgZaGR15ASsWt4= 4 | Timestamp: 1697034484441201852 5 | 6 | — rekor.sigstore.dev wNI9ajBGAiEAlWUH2HSPa6IMIRBgFcIXph3Mj9xM70WR0VVADvGIl/oCIQCgfvUUjR/X5jewlqpAWI8NuJIicKpTG64vo6UM5fpSgQ== 7 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/checkpoints/error_signature_format_invalid.txt: -------------------------------------------------------------------------------- 1 | rekor.sigstore.dev - 2605736670972794746 2 | 37795272 3 | 
60ll7idWI1jYRZzxc+jKflYoW+4jWxgZaGR15ASsWt4= 4 | Timestamp: 1697034484441201852 5 | 6 | rekor.sigstore.dev wNI9ajBGAiEAlWUH2HSPa6IMIRBgFcIXph3Mj9xM70WR0VVADvGIl/oCIQCgfvUUjR/X5jewlqpAWI8NuJIicKpTG64vo6UM5fpSgQ== 7 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/checkpoints/error_signature_length_insufficient.txt: -------------------------------------------------------------------------------- 1 | rekor.sigstore.dev - 2605736670972794746 2 | 37795272 3 | 60ll7idWI1jYRZzxc+jKflYoW+4jWxgZaGR15ASsWt4= 4 | Timestamp: 1697034484441201852 5 | 6 | — rekor.sigstore.dev wNI9aj 7 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/checkpoints/valid.txt: -------------------------------------------------------------------------------- 1 | rekor.sigstore.dev - 2605736670972794746 2 | 37795272 3 | 60ll7idWI1jYRZzxc+jKflYoW+4jWxgZaGR15ASsWt4= 4 | Timestamp: 1697034484441201852 5 | 6 | — rekor.sigstore.dev wNI9ajBGAiEAlWUH2HSPa6IMIRBgFcIXph3Mj9xM70WR0VVADvGIl/oCIQCgfvUUjR/X5jewlqpAWI8NuJIicKpTG64vo6UM5fpSgQ== 7 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/checkpoints/valid_multi_sig.txt: -------------------------------------------------------------------------------- 1 | rekor.sigstore.dev - 2605736670972794746 2 | 37795272 3 | 60ll7idWI1jYRZzxc+jKflYoW+4jWxgZaGR15ASsWt4= 4 | Timestamp: 1697034484441201852 5 | 6 | — rekor.sigstore.dev wNI9ajBGAiEAlWUH2HSPa6IMIRBgFcIXph3Mj9xM70WR0VVADvGIl/oCIQCgfvUUjR/X5jewlqpAWI8NuJIicKpTG64vo6UM5fpSgQ== 7 | — bob.loblaw.dev wNI9ajBGAiEAlWUH2HSPa6IMIRBgFcIRph3Mj9xM70WR0VVADvGIl/oCIQCgfvUUjR/X5jewlqpAWI8NuJIicKpTG64vo6UM5fpSgQ== 8 | -------------------------------------------------------------------------------- 
/sigstore-java/src/test/resources/dev/sigstore/samples/fulcio-response/valid/ctfe.pub: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbfwR+RJudXscgRBRpKX1XFDy3Pyu 3 | dDxz/SfnRi1fT8ekpfBd2O1uoz7jr3Z8nKzxA69EUQ+eFCFI3zeubPWU7w== 4 | -----END PUBLIC KEY----- -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/keys/test-ec.pub: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbfwR+RJudXscgRBRpKX1XFDy3Pyu 3 | dDxz/SfnRi1fT8ekpfBd2O1uoz7jr3Z8nKzxA69EUQ+eFCFI3zeubPWU7w== 4 | -----END PUBLIC KEY----- -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/keys/test-rsa.pub: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4nQrw9lJuwQsGVZ8gTJy 3 | nduXFD5hNKUJEowi9bBgIK07FRCRgqs+U6dBihkNWWR32Ld1oYAnJK1pZE67GoYY 4 | wD+9HJpplafqibLlryaNuSKpgPle9Iz07Q+8MQihqlwKSwvan5X7t8Ce/f6JHynP 5 | Bpc/TAA7fsDU7hihJjsSygOXLPtfQP7WtFzZERZkRaGYRi2iQfkKLH/OwTI91XdI 6 | H9ZUy88jVXjuf9Jjy/BokiT0FouHS0fZ1e2gLZThwe8N33E8UP55Xsk3wiJX4Plx 7 | I0c1U4YuhxEz77zazN04CWLBYnSCCueOXwTfuh1CsgjD+MnvIDEX4eCF4V4c+M2c 8 | DwIDAQAB 9 | -----END PUBLIC KEY----- 10 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/rekor-response/valid/rekor.pub: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDODRU688UYGuy54mNUlaEBiQdTE9 3 | nYLr0lg6RXowI/QV/RE1azBn4Eg5/2uTOMbhB1/gfcHzijzFi9Tk+g1Prg== 4 | -----END PUBLIC KEY----- 5 | 
-------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/timestamp-response/invalid/sigstore_tsa_response_invalid.tsr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sigstore/sigstore-java/0268f99de38fd208cb37ec8bf7ffe1ddf7b49ed5/sigstore-java/src/test/resources/dev/sigstore/samples/timestamp-response/invalid/sigstore_tsa_response_invalid.tsr -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/timestamp-response/valid/freetsa_response.tsr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sigstore/sigstore-java/0268f99de38fd208cb37ec8bf7ffe1ddf7b49ed5/sigstore-java/src/test/resources/dev/sigstore/samples/timestamp-response/valid/freetsa_response.tsr -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/timestamp-response/valid/sigstage_tsa_response_with_embedded_certs.tsr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sigstore/sigstore-java/0268f99de38fd208cb37ec8bf7ffe1ddf7b49ed5/sigstore-java/src/test/resources/dev/sigstore/samples/timestamp-response/valid/sigstage_tsa_response_with_embedded_certs.tsr -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/timestamp-response/valid/sigstage_tsa_response_without_embedded_certs.tsr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sigstore/sigstore-java/0268f99de38fd208cb37ec8bf7ffe1ddf7b49ed5/sigstore-java/src/test/resources/dev/sigstore/samples/timestamp-response/valid/sigstage_tsa_response_without_embedded_certs.tsr 
-------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/timestamp-response/valid/sigstore_tsa_response_with_embedded_certs.tsr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sigstore/sigstore-java/0268f99de38fd208cb37ec8bf7ffe1ddf7b49ed5/sigstore-java/src/test/resources/dev/sigstore/samples/timestamp-response/valid/sigstore_tsa_response_with_embedded_certs.tsr -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/samples/timestamp-response/valid/sigstore_tsa_response_without_embedded_certs.tsr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sigstore/sigstore-java/0268f99de38fd208cb37ec8bf7ffe1ddf7b49ed5/sigstore-java/src/test/resources/dev/sigstore/samples/timestamp-response/valid/sigstore_tsa_response_without_embedded_certs.tsr -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/trustroot/README.me: -------------------------------------------------------------------------------- 1 | trusted_root.json was pulled from prod in April 2023 2 | https://github.com/sigstore/root-signing/blob/f50a9debad1db8c4e44d571147968c4061344f5f/targets/trusted_root.json 3 | 4 | staging_trusted_root.json was pulled in Aug 2023 5 | https://github.com/sigstore/root-signing/blob/43f495fab8ad5490f6efb3fd92f58f3de3011a4c/staging/targets/trusted_root.json 6 | 7 | staging_signing_config.v0.2.json was pulled in May 2025 8 | https://github.com/sigstore/root-signing-staging/blob/ca57424fe325bd8dbee4cbd0b522bbddc6687769/targets/signing_config.v0.2.json 9 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/trustroot/staging_signing_config.v0.2.json:
-------------------------------------------------------------------------------- 1 | { 2 | "mediaType": "application/vnd.dev.sigstore.signingconfig.v0.2+json", 3 | "caUrls": [ 4 | { 5 | "url": "https://fulcio.sigstage.dev", 6 | "majorApiVersion": 1, 7 | "validFor": { 8 | "start": "2022-04-14T21:38:40Z" 9 | } 10 | } 11 | ], 12 | "oidcUrls": [ 13 | { 14 | "url": "https://oauth2.sigstage.dev/auth", 15 | "majorApiVersion": 1, 16 | "validFor": { 17 | "start": "2025-04-16T00:00:00Z" 18 | } 19 | } 20 | ], 21 | "rekorTlogUrls": [ 22 | { 23 | "url": "https://rekor.sigstage.dev", 24 | "majorApiVersion": 1, 25 | "validFor": { 26 | "start": "2021-01-12T11:53:27Z" 27 | } 28 | } 29 | ], 30 | "tsaUrls": [ 31 | { 32 | "url": "https://timestamp.sigstage.dev/api/v1/timestamp", 33 | "majorApiVersion": 1, 34 | "validFor": { 35 | "start": "2025-04-09T00:00:00Z" 36 | } 37 | } 38 | ], 39 | "rekorTlogConfig": { 40 | "selector": "ANY" 41 | }, 42 | "tsaConfig": { 43 | "selector": "ANY" 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/.editorconfig: -------------------------------------------------------------------------------- 1 | # don't add new lines to tuf json resource files as it will break integrity checks 2 | [*.json] 3 | insert_final_newline = false 4 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/no-size-no-hash-snapshot-timestamp/3.snapshot.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"snapshot","spec_version":"1.0","version":3,"expires":"2023-02-19T15:37:48Z","meta":{"targets.json":{"version":3}}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"30440220356cee8ca30ff061640f3d88a64cd42f6b3cd3b714e6f5e67596ba798e67f9a702204583f6194190c379ebc248753c64141bfcaf37153de86b7d8249afd15aa9efed"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/no-size-no-hash-snapshot-timestamp/README.md: -------------------------------------------------------------------------------- 1 | 2 | ```shell 3 | cp ../test-template/2.root.json . 4 | cp -R ../root-signing-workspace tmp 5 | cd tmp 6 | # remove hashes and length from snapshots and timestamp 7 | jq -rc '.signed.meta."targets.json" |= del(.length, .hashes)' repository/snapshot.json | sponge repository/snapshot.json 8 | jq -rc '.signed.meta."snapshot.json" |= del(.length, .hashes)' repository/timestamp.json | sponge repository/timestamp.json 9 | # get valid sigs on the new snapshot metadata. 10 | tuf payload snapshot.json > payload.snapshot.json 11 | tuf sign-payload --role=snapshot payload.snapshot.json > snapshot.sigs 12 | tuf add-signatures --signatures snapshot.sigs snapshot.json 13 | cp staged/snapshot.json ../3.snapshot.json 14 | # get valid sigs on the new timestamps metadata. 15 | tuf payload timestamp.json > payload.timestamp.json 16 | tuf sign-payload --role=timestamp payload.timestamp.json > timestamp.sigs 17 | tuf add-signatures --signatures timestamp.sigs timestamp.json 18 | cp staged/timestamp.json ../timestamp.json 19 | cd .. 
20 | rm -rf tmp 21 | ``` 22 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/no-size-no-hash-snapshot-timestamp/timestamp.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"timestamp","spec_version":"1.0","version":3,"expires":"2023-02-13T15:37:48Z","meta":{"snapshot.json":{"version":3}}},"signatures":[{"keyid":"7aecf5f0720acfb4fa873896ba05a2d8914f5b6ca90d26ac8bc0f1e491378740","sig":"3044022060e8b160acae47d6ecc249881c5e7b7beb790e05c519f139bf6c2c98e39cbe54022001a19e057697e5c5023911bc64616f462aed4db0424b6c784c5c03a0fb968fe6"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/root-signing-workspace/keys/snapshot.json: -------------------------------------------------------------------------------- 1 | { 2 | "encrypted": false, 3 | "data": [ 4 | { 5 | "keytype": "ecdsa-sha2-nistp256", 6 | "scheme": "ecdsa-sha2-nistp256", 7 | "keyid_hash_algorithms": [ 8 | "sha256", 9 | "sha512" 10 | ], 11 | "keyval": { 12 | "private": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIOlqh3mCcsDdhGb8+BO61h7wnP2TCsyADuC/mpvK/kkzoAoGCCqGSM49\nAwEHoUQDQgAEJsV+S1syZdtx5HjiFN5YqRAqD2By4R0xDtXptW+UJlJQdfQCGAHv\nqtpac0edkcWVREhktEqIMbCaYSd75E/JRA==\n-----END EC PRIVATE KEY-----\n", 13 | "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJsV+S1syZdtx5HjiFN5YqRAqD2By\n4R0xDtXptW+UJlJQdfQCGAHvqtpac0edkcWVREhktEqIMbCaYSd75E/JRA==\n-----END PUBLIC KEY-----\n" 14 | } 15 | } 16 | ] 17 | } 18 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/root-signing-workspace/keys/targets.json: -------------------------------------------------------------------------------- 1 | { 2 | "encrypted": false, 3 | "data": [ 4 | { 5 | "keytype": "ecdsa-sha2-nistp256", 
6 | "scheme": "ecdsa-sha2-nistp256", 7 | "keyid_hash_algorithms": [ 8 | "sha256", 9 | "sha512" 10 | ], 11 | "keyval": { 12 | "private": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIAwzu9uZEOxcOfa/NlYJPgnlBQavXkQQ4bOlrcB9Jz9boAoGCCqGSM49\nAwEHoUQDQgAEbGNtqWi9Xu7romi12qG+fHYj4SCpUCKAOJxXKagVyQNlS6TdJCMH\nWOJ+0BReT1lQsw6J/SMtc9a5J6Vj7fksBw==\n-----END EC PRIVATE KEY-----\n", 13 | "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbGNtqWi9Xu7romi12qG+fHYj4SCp\nUCKAOJxXKagVyQNlS6TdJCMHWOJ+0BReT1lQsw6J/SMtc9a5J6Vj7fksBw==\n-----END PUBLIC KEY-----\n" 14 | } 15 | } 16 | ] 17 | } 18 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/root-signing-workspace/keys/timestamp.json: -------------------------------------------------------------------------------- 1 | { 2 | "encrypted": false, 3 | "data": [ 4 | { 5 | "keytype": "ecdsa-sha2-nistp256", 6 | "scheme": "ecdsa-sha2-nistp256", 7 | "keyid_hash_algorithms": [ 8 | "sha256", 9 | "sha512" 10 | ], 11 | "keyval": { 12 | "private": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIJN9d9AzCob9Rii41Cw/vKQdbviY+L0akoFSYj5F0cM1oAoGCCqGSM49\nAwEHoUQDQgAEs1Stkp5CNyERUPWDa9KF47KjECsxoobAYi8NUUh5+0Rl34nYR3Y/\n2IQWu8l2pi9f73Qqsq3kk1cGQMCKRJu1wA==\n-----END EC PRIVATE KEY-----\n", 13 | "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEs1Stkp5CNyERUPWDa9KF47KjECsx\noobAYi8NUUh5+0Rl34nYR3Y/2IQWu8l2pi9f73Qqsq3kk1cGQMCKRJu1wA==\n-----END PUBLIC KEY-----\n" 14 | } 15 | } 16 | ] 17 | } 18 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/root-signing-workspace/repository/1.snapshot.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"snapshot","spec_version":"1.0","version":1,"expires":"2023-04-13T14:36:15Z","meta":{"targets.json":{"length":527,"hashes":{"sha512":"a3431882ba40a485359fed308a66a0088cc3f27f2716a6cac5809761560661aed1d54830eef1c90bd8e297f13181827581ff083000180de8d2e443cd7e0ea12c"},"version":1}}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"30440220563998ef5a37e8b1dc1b1fc65001e3e107a22610d5e97cf3fd45e8edd7468eac022079a3e8243275e73373a7fff108270ac29e6011ded253b88edc090621126b167b"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/root-signing-workspace/repository/1.targets.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"targets","spec_version":"1.0","version":1,"expires":"2023-05-12T14:36:10Z","targets":{"test.txt":{"length":10,"hashes":{"sha512":"860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885"}}}},"signatures":[{"keyid":"a9c5c80b93210eeb34e6264b4b261ff6899d4dbfb8e308f8546722a2bae30687","sig":"304502207e86480c099814a6a71e4f5d5beae8eb6328f14480feecd89fa09914b5d4fb3602210085df8df7eb8a088f4741262e3518bdd77c1622655191810a0155f5c7fc78dca7"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/root-signing-workspace/repository/2.snapshot.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"snapshot","spec_version":"1.0","version":2,"expires":"2023-02-19T15:37:40Z","meta":{"targets.json":{"length":704,"hashes":{"sha512":"b4a9036ac75cff22d255880218f2761c1b517f80d4efdd4c00b62cbcfcce5f4159613353a880d1ba4ccf60049c4b32bd720db270b1765c7221a7b3e14dfd81ba"},"version":2}}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"304502204f4ef856be4834b24c91025eefd65c8ebdfd3141c3f094c10628ff184db0a296022100ef6ee4a20e256b0002bf8ba7347fadbb16da4bb2b92b3176b16415fb28535491"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/root-signing-workspace/repository/2.targets.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"targets","spec_version":"1.0","version":2,"expires":"2023-05-12T14:37:34Z","targets":{"test.txt":{"length":10,"hashes":{"sha512":"860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885"}},"test.txt.v2":{"length":15,"hashes":{"sha512":"32005f02eac21b4cf161a02495330b6c14b548622b5f7e19d59ecfa622de650603ecceea39ed86cc322749a813503a72ad14ce5462c822b511eaf2f2cd2ad8f2"}}}},"signatures":[{"keyid":"a9c5c80b93210eeb34e6264b4b261ff6899d4dbfb8e308f8546722a2bae30687","sig":"30440220673b003c46baae1c794e9096411d9f89cdf42bca53658fd8ba6def603d4911fa02206d8a39c70a1a562377b93e095e5cba619b6348ff93f44ea580e8fc070a8c96c7"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/root-signing-workspace/repository/3.snapshot.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"snapshot","spec_version":"1.0","version":3,"expires":"2023-02-19T15:37:48Z","meta":{"targets.json":{"length":885,"hashes":{"sha512":"16ee6491433f7063c7aafad520a3d3722ec59b5e2f0235295f2a429d0604d73ebbb8ff2f0021dd05efa9aa2f716510d2ffbc6367a826671899ebc66af4fc76bd"},"version":3}}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"304402201337b51d0af97ea915b610c9f667870e557020bd5529446162c4f0973ec3a1ea02202368eb21295e6eb3b7250018eeeeeccdecdc03bba479bf9b23e5653a8b04e93f"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/root-signing-workspace/repository/3.targets.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"targets","spec_version":"1.0","version":3,"expires":"2023-05-12T14:37:48Z","targets":{"test.txt":{"length":10,"hashes":{"sha512":"860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885"}},"test.txt.v2":{"length":15,"hashes":{"sha512":"32005f02eac21b4cf161a02495330b6c14b548622b5f7e19d59ecfa622de650603ecceea39ed86cc322749a813503a72ad14ce5462c822b511eaf2f2cd2ad8f2"}},"test2.txt":{"length":18,"hashes":{"sha512":"53904bc6216230bf8da0ec42d34004a3f36764de698638641870e37d270e4fd13e1079285f8bca73c2857a279f6f7fbc82038274c3eb48ec5bb2da9b2e30491a"}}}},"signatures":[{"keyid":"a9c5c80b93210eeb34e6264b4b261ff6899d4dbfb8e308f8546722a2bae30687","sig":"3046022100c42ba4040959cb31add11fd9258e3eea25584da5ebe1f6c3e4c47bd0066cec12022100f478b39c2b24529471f5ecb7cb93b2b705f44785883e787b3749cdb3ac6bc163"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/root-signing-workspace/repository/snapshot.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"snapshot","spec_version":"1.0","version":3,"expires":"2023-02-19T15:37:48Z","meta":{"targets.json":{"length":885,"hashes":{"sha512":"16ee6491433f7063c7aafad520a3d3722ec59b5e2f0235295f2a429d0604d73ebbb8ff2f0021dd05efa9aa2f716510d2ffbc6367a826671899ebc66af4fc76bd"},"version":3}}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"304402201337b51d0af97ea915b610c9f667870e557020bd5529446162c4f0973ec3a1ea02202368eb21295e6eb3b7250018eeeeeccdecdc03bba479bf9b23e5653a8b04e93f"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/root-signing-workspace/repository/targets.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"targets","spec_version":"1.0","version":3,"expires":"2023-05-12T14:37:48Z","targets":{"test.txt":{"length":10,"hashes":{"sha512":"860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885"}},"test.txt.v2":{"length":15,"hashes":{"sha512":"32005f02eac21b4cf161a02495330b6c14b548622b5f7e19d59ecfa622de650603ecceea39ed86cc322749a813503a72ad14ce5462c822b511eaf2f2cd2ad8f2"}},"test2.txt":{"length":18,"hashes":{"sha512":"53904bc6216230bf8da0ec42d34004a3f36764de698638641870e37d270e4fd13e1079285f8bca73c2857a279f6f7fbc82038274c3eb48ec5bb2da9b2e30491a"}}}},"signatures":[{"keyid":"a9c5c80b93210eeb34e6264b4b261ff6899d4dbfb8e308f8546722a2bae30687","sig":"3046022100c42ba4040959cb31add11fd9258e3eea25584da5ebe1f6c3e4c47bd0066cec12022100f478b39c2b24529471f5ecb7cb93b2b705f44785883e787b3749cdb3ac6bc163"}]} -------------------------------------------------------------------------------- 
/sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/root-signing-workspace/repository/targets/32005f02eac21b4cf161a02495330b6c14b548622b5f7e19d59ecfa622de650603ecceea39ed86cc322749a813503a72ad14ce5462c822b511eaf2f2cd2ad8f2.test.txt.v2: -------------------------------------------------------------------------------- 1 | test target v2 2 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/root-signing-workspace/repository/targets/53904bc6216230bf8da0ec42d34004a3f36764de698638641870e37d270e4fd13e1079285f8bca73c2857a279f6f7fbc82038274c3eb48ec5bb2da9b2e30491a.test2.txt: -------------------------------------------------------------------------------- 1 | another test file 2 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/root-signing-workspace/repository/targets/860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885.test.txt: -------------------------------------------------------------------------------- 1 | test file 2 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/root-signing-workspace/repository/timestamp.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"timestamp","spec_version":"1.0","version":3,"expires":"2023-02-13T15:37:48Z","meta":{"snapshot.json":{"length":540,"hashes":{"sha512":"60ae0f31d2edb9f86a306528e611a811b7bffa3cff013c9a34a45cde7cef060199ed0dd791813211824f6488d31692d96ad6efffc6aaa5861b8206b0ad2291aa"},"version":3}}},"signatures":[{"keyid":"7aecf5f0720acfb4fa873896ba05a2d8914f5b6ca90d26ac8bc0f1e491378740","sig":"3045022000bf30ff23da1b2ad7caab816879e35b10b47cf105db1437ddd7336294bd50f4022100dbf332fcad9b10ffec8a6fd78cde785d3a0451d49ed6f32d3bf771ddf7d3fdeb"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/root-too-big/README.md: -------------------------------------------------------------------------------- 1 | # Setup test data 2 | 3 | ```shell 4 | fallocate -l 100KiB 2.root.json 5 | ``` 6 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/root-unsigned/README.md: -------------------------------------------------------------------------------- 1 | # Setup test data 2 | 3 | ```shell 4 | cp ../test-template/2.root.json . 
5 | ## remove sigs 6 | jq -r '.signatures |= []' 2.root.json > 2.root.json.new 7 | rm 2.root.json && mv 2.root.json.new 2.root.json 8 | ``` 9 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/root-update-with-empty-signature/README.md: -------------------------------------------------------------------------------- 1 | # Setup test data 2 | 3 | ```shell 4 | cp ../test-template/2.root.json 2.root.json 5 | ``` 6 | 7 | edit the values of signatures so they are wrong, but still match the threshold 8 | ```diff 9 | "signatures": [ 10 | { 11 | "keyid": "0b5108e406f6d2f59ef767797b314be99d35903950ba43a2d51216eeeb8da98c", 12 | + "sig": "" 13 | - "sig": "304502204ee7d150bbbf40dc641d1a208be4708be14022da6a86883d2c5a7282eda2659802210095a15450c1e63ff20bd5164979007fbea8a7deea68ebba7a67f8cd2901b686ca" 14 | }, 15 | ``` 16 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/root-update-with-invalid-signature/README.md: -------------------------------------------------------------------------------- 1 | # Setup test data 2 | 3 | ```shell 4 | cp ../test-template/2.root.json 2.root.json 5 | ``` 6 | 7 | edit the values of signatures so they are wrong, but still match the threshold 8 | ```diff 9 | "signatures": [ 10 | { 11 | "keyid": "0b5108e406f6d2f59ef767797b314be99d35903950ba43a2d51216eeeb8da98c", 12 | + "sig": "abcd123" 13 | - "sig": "304502204ee7d150bbbf40dc641d1a208be4708be14022da6a86883d2c5a7282eda2659802210095a15450c1e63ff20bd5164979007fbea8a7deea68ebba7a67f8cd2901b686ca" 14 | }, 15 | ``` 16 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/root-update-with-unknown-fields/README.md: -------------------------------------------------------------------------------- 1 | # Setup test data 2 | 3 | These are
generated by root-signing-staging and were tests that may not exist on the main branch anymore 4 | 5 | `4.root.json` : https://github.com/sigstore/root-signing-staging/blob/fecfda76bb9a1721b37dd581f713b72e41270447/metadata/root_history/4.root.json 6 | `5.root.json` : https://github.com/sigstore/root-signing-staging/blob/fecfda76bb9a1721b37dd581f713b72e41270447/metadata/root_history/5.root.json 7 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/root-wrong-version/README.md: -------------------------------------------------------------------------------- 1 | # Setup test data 2 | 3 | ```shell 4 | cp ../test-template/1.root.json 2.root.json 5 | ``` 6 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/snapshot-expired/3.snapshot.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"snapshot","spec_version":"1.0","version":3,"expires":"2022-11-19T18:07:27Z","meta":{"targets.json":{"length":885,"hashes":{"sha512":"16ee6491433f7063c7aafad520a3d3722ec59b5e2f0235295f2a429d0604d73ebbb8ff2f0021dd05efa9aa2f716510d2ffbc6367a826671899ebc66af4fc76bd"},"version":3}}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"304402200781b2c4ce52a4ab318cb24f6580bc5f6c605dae2e3fb609ae1e26a848168e8f0220400823e4c6db58c6f0367dc88493101545e92769cd206138f09b6ec19a453b22"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/snapshot-expired/README.md: -------------------------------------------------------------------------------- 1 | # Setup test data 2 | 3 | ```shell 4 | cp ../test-template/2.root.json . 
5 | cp -R ../root-signing-workspace tmp 6 | cd tmp 7 | jq -r '.signed.expires |= "2022-11-19T18:07:27Z"' repository/snapshot.json | sponge repository/snapshot.json 8 | # get valid sigs on the new snapshot metadata. 9 | tuf payload snapshot.json > payload.snapshot.json 10 | tuf sign-payload --role=snapshot payload.snapshot.json > snapshot.sigs 11 | tuf add-signatures --signatures snapshot.sigs snapshot.json 12 | cp staged/snapshot.json ../3.snapshot.json 13 | # update the snapshot hash and size in timestamp so it's valid. 14 | jq -r --arg sha "$(sha512sum staged/snapshot.json | awk '{ print $1 }')" '.signed.meta."snapshot.json".hashes.sha512 |= $sha' repository/timestamp.json | sponge repository/timestamp.json 15 | jq -r --argjson length $(wc -c staged/snapshot.json | awk '{ print $1 }') '.signed.meta."snapshot.json".length |= $length' repository/timestamp.json | sponge repository/timestamp.json 16 | # re-sign the timestamp.json now that we've altered it 17 | tuf payload timestamp.json > payload.timestamp.json 18 | tuf sign-payload --role=timestamp payload.timestamp.json > timestamp.sigs 19 | tuf add-signatures --signatures timestamp.sigs timestamp.json 20 | cp staged/timestamp.json ../. 21 | cd .. 
22 | rm -rf tmp 23 | ``` 24 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/snapshot-expired/timestamp.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"timestamp","spec_version":"1.0","version":3,"expires":"2023-02-13T15:37:48Z","meta":{"snapshot.json":{"length":540,"hashes":{"sha512":"d9970b312b72a3c5a9848025d15bb7e28768d1448483fb109a04cfa60621efaa69363be6ce1558441950d9c94102ba38d71ee741eb47c8ba9404dd5162df1fe4"},"version":3}}},"signatures":[{"keyid":"7aecf5f0720acfb4fa873896ba05a2d8914f5b6ca90d26ac8bc0f1e491378740","sig":"3046022100eef2ee034e693ccdfbc4fc98ced3abe83a1f0c885db9c8eecc412c1d1a67bd82022100bcc7f0902c95457cbd0eac8813ea62457c3c581b636445ba4dcd5f9db5172265"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/snapshot-invalid-hash/3.snapshot.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"snapshot","spec_version":"1.0","version":3,"expires":"2025-02-19T15:37:48Z","meta":{"targets.json":{"length":885,"hashes":{"sha512":"16ee6491433f7063c7aafad520a3d3722ec59b5e2f0235295f2a429d0604d73ebbb8ff2f0021dd05efa9aa2f716510d2ffbc6367a826671899ebc66af4fc76bd"},"version":3}}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"304402201337b51d0af97ea915b610c9f667870e557020bd5529446162c4f0973ec3a1ea02202568eb21295e6eb3b7250018eeeeeccdecdc03bba479bf9b23e5653a8b04e93f"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/snapshot-invalid-hash/README.md: -------------------------------------------------------------------------------- 1 | # Setup test data 2 | 3 | ```shell 4 | cp ../test-template/2.root.json . 
5 | cp ../test-template/3.snapshot.json . 6 | cp ../test-template/timestamp.json . 7 | # modify the snapshot.json so the hash doesn't match 8 | sed -i 's/2023/2025/g' 3.snapshot.json 9 | ``` 10 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/snapshot-invalid-hash/timestamp.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"timestamp","spec_version":"1.0","version":3,"expires":"2023-02-13T15:37:48Z","meta":{"snapshot.json":{"length":540,"hashes":{"sha512":"60ae0f31d2edb9f86a306528e611a811b7bffa3cff013c9a34a45cde7cef060199ed0dd791813211824f6488d31692d96ad6efffc6aaa5861b8206b0ad2291aa"},"version":3}}},"signatures":[{"keyid":"7aecf5f0720acfb4fa873896ba05a2d8914f5b6ca90d26ac8bc0f1e491378740","sig":"3045022000bf30ff23da1b2ad7caab816879e35b10b47cf105db1437ddd7336294bd50f4022100dbf332fcad9b10ffec8a6fd78cde785d3a0451d49ed6f32d3bf771ddf7d3fdeb"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/snapshot-target-missing/3.snapshot.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"snapshot","spec_version":"1.0","version":4,"expires":"2023-02-19T15:37:48Z","meta":{}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"30450220054fe7289672198dd8b17a1d5d7c4e1ac06a7b4b6582d10a9930ef9f4324ce38022100e63ee1df32cf6661536bbdba81871cf8cc1c70e80822e884b3535f9815fc1e89"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/snapshot-target-missing/4.snapshot.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"snapshot","spec_version":"1.0","version":4,"expires":"2023-02-19T15:37:48Z","meta":{}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"3046022100ee9d1463251c76a5c9eb8b84a8f3bff0714fd0deeeb7e9bedeefee8498e4370c022100be41c3ab218c1796c35d7f1d407daeb8ddb6f6149643570043654d5432809a13"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/snapshot-target-missing/timestamp.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"timestamp","spec_version":"1.0","version":3,"expires":"2023-02-13T15:37:48Z","meta":{"snapshot.json":{"length":540,"hashes":{"sha512":"264ef00a5642ed6a19494b6be94fec84c7649ee091c2637109a7aa465cd6cc7c99b665dd1670b6026c4cc4e609a3a55c5438ab8a8edebc72cb56705fb89f4e92"},"version":4}}},"signatures":[{"keyid":"7aecf5f0720acfb4fa873896ba05a2d8914f5b6ca90d26ac8bc0f1e491378740","sig":"30460221009f967d9828e0260dc66f0a15bc3a9fe3430e4aa755f995e6d09596fb2eb83a2f022100c6db30994f1609fdaecee11f8d35a60e6d7dce3b84d6e16c713cd7b2624130c1"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/snapshot-target-version-rollback/3.snapshot.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"snapshot","spec_version":"1.0","version":3,"expires":"2023-02-19T15:37:48Z","meta":{"targets.json":{"length":885,"hashes":{"sha512":"16ee6491433f7063c7aafad520a3d3722ec59b5e2f0235295f2a429d0604d73ebbb8ff2f0021dd05efa9aa2f716510d2ffbc6367a826671899ebc66af4fc76bd"},"version":1}}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"304402203a308bf2f5fb6a202efc66f1c4b8d69bcc50dd8cba13ddf4f09ba07a949c310702205c0444dc5c5b58524af0b7cc7331877a8db2939076b2e6c1e4d9c3f69fa8b523"}]} 
-------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/snapshot-target-version-rollback/timestamp.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"timestamp","spec_version":"1.0","version":3,"expires":"2023-02-13T15:37:48Z","meta":{"snapshot.json":{"length":540,"hashes":{"sha512":"74ccc1a600fe09b1d561a06db5b3823a39b03df1ef545fd09c8eb2014acebdc51554fbf3d647f6688157e0bd780682f425e06405e9a20f908d9905ff48de8eb3"},"version":3}}},"signatures":[{"keyid":"7aecf5f0720acfb4fa873896ba05a2d8914f5b6ca90d26ac8bc0f1e491378740","sig":"3045022100f2a07593ae2d45f2258de66fb133a0c4430a115976a23671d5a135f954e265b10220475bb3a31f4c9b5b7479c4bbffa08bfaaf1fb083afa6aaef66b57eb6c3443912"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/snapshot-version-mismatch/3.snapshot.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"snapshot","spec_version":"1.0","version":2,"expires":"2023-02-19T15:37:48Z","meta":{"targets.json":{"length":885,"hashes":{"sha512":"16ee6491433f7063c7aafad520a3d3722ec59b5e2f0235295f2a429d0604d73ebbb8ff2f0021dd05efa9aa2f716510d2ffbc6367a826671899ebc66af4fc76bd"},"version":3}}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"3046022100e46948a66816ff7a3eda2e3cfef96d94e136996b39bc404f1a9d2ebe8e7ed089022100b6b4151060ca520a20ff07322109a55d5fb65353f0cd8702816e3d7607998cea"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/snapshot-version-mismatch/snapshot.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"snapshot","spec_version":"1.0","version":2,"expires":"2023-02-19T15:37:48Z","meta":{"targets.json":{"length":885,"hashes":{"sha512":"16ee6491433f7063c7aafad520a3d3722ec59b5e2f0235295f2a429d0604d73ebbb8ff2f0021dd05efa9aa2f716510d2ffbc6367a826671899ebc66af4fc76bd"},"version":3}}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"3046022100e46948a66816ff7a3eda2e3cfef96d94e136996b39bc404f1a9d2ebe8e7ed089022100b6b4151060ca520a20ff07322109a55d5fb65353f0cd8702816e3d7607998cea"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/snapshot-version-mismatch/timestamp.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"timestamp","spec_version":"1.0","version":3,"expires":"2023-02-13T15:37:48Z","meta":{"snapshot.json":{"length":544,"hashes":{"sha512":"e4b58341cfa0fdf2df2ec300c1fe09658115a7066a162dfd8275ee9afa3cfe80a52a35be69813c01da4c0e92cd793bf48be4f6352865bef5215b8625372046e4"},"version":3}}},"signatures":[{"keyid":"7aecf5f0720acfb4fa873896ba05a2d8914f5b6ca90d26ac8bc0f1e491378740","sig":"3044021f5d76b79582263f410d9d8320fd8c8e3aa69f00006fca1821518fe3632ac6a8022100de92b166abd0fff8740c9e3aca38f806bfe23749160eec2fdc8b0ff549d68cb8"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-download-invalid-hash/3.snapshot.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"snapshot","spec_version":"1.0","version":3,"expires":"2023-02-19T15:37:48Z","meta":{"targets.json":{"length":885,"hashes":{"sha512":"16ee6491433f7063c7aafad520a3d3722ec59b5e2f0235295f2a429d0604d73ebbb8ff2f0021dd05efa9aa2f716510d2ffbc6367a826671899ebc66af4fc76bd"},"version":3}}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"304402201337b51d0af97ea915b610c9f667870e557020bd5529446162c4f0973ec3a1ea02202368eb21295e6eb3b7250018eeeeeccdecdc03bba479bf9b23e5653a8b04e93f"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-download-invalid-hash/3.targets.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"targets","spec_version":"1.0","version":3,"expires":"2023-05-12T14:37:48Z","targets":{"test.txt":{"length":10,"hashes":{"sha512":"860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885"}},"test.txt.v2":{"length":15,"hashes":{"sha512":"32005f02eac21b4cf161a02495330b6c14b548622b5f7e19d59ecfa622de650603ecceea39ed86cc322749a813503a72ad14ce5462c822b511eaf2f2cd2ad8f2"}},"test2.txt":{"length":18,"hashes":{"sha512":"53904bc6216230bf8da0ec42d34004a3f36764de698638641870e37d270e4fd13e1079285f8bca73c2857a279f6f7fbc82038274c3eb48ec5bb2da9b2e30491a"}}}},"signatures":[{"keyid":"a9c5c80b93210eeb34e6264b4b261ff6899d4dbfb8e308f8546722a2bae30687","sig":"3046022100c42ba4040959cb31add11fd9258e3eea25584da5ebe1f6c3e4c47bd0066cec12022100f478b39c2b24529471f5ecb7cb93b2b705f44785883e787b3749cdb3ac6bc163"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-download-invalid-hash/README.md: -------------------------------------------------------------------------------- 1 | # Setup test data 2 | 3 | 
```shell 4 | cp ../test-template/2.root.json . 5 | cp ../test-template/timestamp.json . 6 | cp ../test-template/3.snapshot.json . 7 | cp ../test-template/3.targets.json . 8 | mkdir targets 9 | cp ../test-template/targets/860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885.test.txt targets/. 10 | # Modify the test.txt target so its hash is invalid (tr swaps one byte, so the length still matches) 11 | cat targets/860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885.test.txt | tr 'f' 'm' | sponge targets/860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885.test.txt 12 | ``` 13 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-download-invalid-hash/targets/860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885.test.txt: -------------------------------------------------------------------------------- 1 | test mile 2 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-download-invalid-hash/timestamp.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"timestamp","spec_version":"1.0","version":3,"expires":"2023-02-13T15:37:48Z","meta":{"snapshot.json":{"length":540,"hashes":{"sha512":"60ae0f31d2edb9f86a306528e611a811b7bffa3cff013c9a34a45cde7cef060199ed0dd791813211824f6488d31692d96ad6efffc6aaa5861b8206b0ad2291aa"},"version":3}}},"signatures":[{"keyid":"7aecf5f0720acfb4fa873896ba05a2d8914f5b6ca90d26ac8bc0f1e491378740","sig":"3045022000bf30ff23da1b2ad7caab816879e35b10b47cf105db1437ddd7336294bd50f4022100dbf332fcad9b10ffec8a6fd78cde785d3a0451d49ed6f32d3bf771ddf7d3fdeb"}]} 
-------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-download-invalid-length/3.snapshot.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"snapshot","spec_version":"1.0","version":3,"expires":"2023-02-19T15:37:48Z","meta":{"targets.json":{"length":885,"hashes":{"sha512":"16ee6491433f7063c7aafad520a3d3722ec59b5e2f0235295f2a429d0604d73ebbb8ff2f0021dd05efa9aa2f716510d2ffbc6367a826671899ebc66af4fc76bd"},"version":3}}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"304402201337b51d0af97ea915b610c9f667870e557020bd5529446162c4f0973ec3a1ea02202368eb21295e6eb3b7250018eeeeeccdecdc03bba479bf9b23e5653a8b04e93f"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-download-invalid-length/3.targets.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"targets","spec_version":"1.0","version":3,"expires":"2023-05-12T14:37:48Z","targets":{"test.txt":{"length":10,"hashes":{"sha512":"860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885"}},"test.txt.v2":{"length":15,"hashes":{"sha512":"32005f02eac21b4cf161a02495330b6c14b548622b5f7e19d59ecfa622de650603ecceea39ed86cc322749a813503a72ad14ce5462c822b511eaf2f2cd2ad8f2"}},"test2.txt":{"length":18,"hashes":{"sha512":"53904bc6216230bf8da0ec42d34004a3f36764de698638641870e37d270e4fd13e1079285f8bca73c2857a279f6f7fbc82038274c3eb48ec5bb2da9b2e30491a"}}}},"signatures":[{"keyid":"a9c5c80b93210eeb34e6264b4b261ff6899d4dbfb8e308f8546722a2bae30687","sig":"3046022100c42ba4040959cb31add11fd9258e3eea25584da5ebe1f6c3e4c47bd0066cec12022100f478b39c2b24529471f5ecb7cb93b2b705f44785883e787b3749cdb3ac6bc163"}]} 
-------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-download-invalid-length/README.md: -------------------------------------------------------------------------------- 1 | # Setup test data 2 | 3 | ```shell 4 | cp ../test-template/2.root.json . 5 | cp ../test-template/timestamp.json . 6 | cp ../test-template/3.snapshot.json . 7 | cp ../test-template/3.targets.json . 8 | mkdir targets 9 | cp ../test-template/targets/860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885.test.txt targets/. 10 | echo "\n" >> targets/860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885.test.txt # appends bytes so the file exceeds the length recorded in 3.targets.json; whether "\n" is expanded depends on the shell's echo 11 | ``` 12 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-download-invalid-length/targets/860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885.test.txt: -------------------------------------------------------------------------------- 1 | test file 2 | 3 | 4 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-download-invalid-length/timestamp.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"timestamp","spec_version":"1.0","version":3,"expires":"2023-02-13T15:37:48Z","meta":{"snapshot.json":{"length":540,"hashes":{"sha512":"60ae0f31d2edb9f86a306528e611a811b7bffa3cff013c9a34a45cde7cef060199ed0dd791813211824f6488d31692d96ad6efffc6aaa5861b8206b0ad2291aa"},"version":3}}},"signatures":[{"keyid":"7aecf5f0720acfb4fa873896ba05a2d8914f5b6ca90d26ac8bc0f1e491378740","sig":"3045022000bf30ff23da1b2ad7caab816879e35b10b47cf105db1437ddd7336294bd50f4022100dbf332fcad9b10ffec8a6fd78cde785d3a0451d49ed6f32d3bf771ddf7d3fdeb"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-download-missing-target-metadata/3.snapshot.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"snapshot","spec_version":"1.0","version":3,"expires":"2023-02-19T15:37:48Z","meta":{"targets.json":{"length":723,"hashes":{"sha512":"4f6ad8f026176ed279143a33b40bb22b43c14d7960d5b288e2f52cfe10e69425dc38162fc660ea538a220257932ecd2a6ab783bc3233b75bfc18eabd16d4ce5e"},"version":3}}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"3046022100bbef4b5649da9cf635a02399f8116dc2926f738938faf0b92ca24927503c4ec3022100818b31ef245e0ed2da17068b0d6cab06d61d82bdcff1ddd5b2d1b7ff183c0a09"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-download-missing-target-metadata/3.targets.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"targets","spec_version":"1.0","version":3,"expires":"2023-05-12T14:37:48Z","targets":{"test.txt":{},"test.txt.v2":{"length":15,"hashes":{"sha512":"32005f02eac21b4cf161a02495330b6c14b548622b5f7e19d59ecfa622de650603ecceea39ed86cc322749a813503a72ad14ce5462c822b511eaf2f2cd2ad8f2"}},"test2.txt":{"length":18,"hashes":{"sha512":"53904bc6216230bf8da0ec42d34004a3f36764de698638641870e37d270e4fd13e1079285f8bca73c2857a279f6f7fbc82038274c3eb48ec5bb2da9b2e30491a"}}}},"signatures":[{"keyid":"a9c5c80b93210eeb34e6264b4b261ff6899d4dbfb8e308f8546722a2bae30687","sig":"30460221008e10494d9d4a85eab67a608a884c613f9d6c06cf348329e054565d748ef1815d022100c5a3066089ea4f235133f71dbde84a8d678f82c8dbbd4f39088a2c8828bde4eb"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-download-missing-target-metadata/timestamp.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"timestamp","spec_version":"1.0","version":3,"expires":"2023-02-13T15:37:48Z","meta":{"snapshot.json":{"length":544,"hashes":{"sha512":"2c25bc16190512785218144104adf5592af8cf84e2fa76806a24a2f45097805b116e8775dc15cef86a7d94c9cc2c40cf5a1351d90e5cbbcb83dcdefba8026260"},"version":3}}},"signatures":[{"keyid":"7aecf5f0720acfb4fa873896ba05a2d8914f5b6ca90d26ac8bc0f1e491378740","sig":"3046022100a3ddde42b338182c8de5a09292a39debcf1fea74232da2fe35b955b16411f25f022100d692d12cc62c5d48c3c8beea045d5e8d481de7118d0dec105cd68ffc9e961170"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-expired/3.snapshot.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"snapshot","spec_version":"1.0","version":3,"expires":"2023-02-19T15:37:48Z","meta":{"targets.json":{"length":883,"hashes":{"sha512":"f8ef614799139072b68603f447d332b8f96814ed84e2e7bdc531a7fc73d5568d9dde0fb7d9cdc1a4c307b528c891f87a0636dc35c195bf1145bb6b3173d3f2fb"},"version":3}}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"304502204619f76d93e180528e768835cb4a8efbeb3188995e8bfaa512a9e3119edc74fe0221009565e03f8db80b1d34f46c25b40ad5ed0e55873aabfe8811b680fc0ce506fb7e"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-expired/3.targets.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"targets","spec_version":"1.0","version":3,"expires":"2022-11-19T18:07:27Z","targets":{"test.txt":{"length":10,"hashes":{"sha512":"860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885"}},"test.txt.v2":{"length":15,"hashes":{"sha512":"32005f02eac21b4cf161a02495330b6c14b548622b5f7e19d59ecfa622de650603ecceea39ed86cc322749a813503a72ad14ce5462c822b511eaf2f2cd2ad8f2"}},"test2.txt":{"length":18,"hashes":{"sha512":"53904bc6216230bf8da0ec42d34004a3f36764de698638641870e37d270e4fd13e1079285f8bca73c2857a279f6f7fbc82038274c3eb48ec5bb2da9b2e30491a"}}}},"signatures":[{"keyid":"a9c5c80b93210eeb34e6264b4b261ff6899d4dbfb8e308f8546722a2bae30687","sig":"3045022100d524cdb16b189dc08c6412f4e3f53dce471eb94eed4c544b349266e81422c3ac022047d36b98b7d2ace4484221f624061bda97ce186be73289cb15c4035024109b53"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-expired/timestamp.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"timestamp","spec_version":"1.0","version":3,"expires":"2023-02-13T15:37:48Z","meta":{"snapshot.json":{"length":542,"hashes":{"sha512":"8dda3033414c1e374f5288502865e7cecaa7fd836143d51955f8be0942ed9a5fc9e3b2174f3fdaf727f8087ff559288e49cc7f316067bcb67120f947f8e358e7"},"version":3}}},"signatures":[{"keyid":"7aecf5f0720acfb4fa873896ba05a2d8914f5b6ca90d26ac8bc0f1e491378740","sig":"3045022013c8dd3ed7da90ac3f85f6ad332c0913f68cdb2163b3a8cffbed2ca89233efac022100f48f6db76d6beac10343c3b34de0681dc1d4a53af816dd9abe548a37fb630d49"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-invalid-hash/3.snapshot.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"snapshot","spec_version":"1.0","version":3,"expires":"2023-02-19T15:37:48Z","meta":{"targets.json":{"length":885,"hashes":{"sha512":"16ee6491433f7063c7aafad520a3d3722ec59b5e2f0235295f2a429d0604d73ebbb8ff2f0021dd05efa9aa2f716510d2ffbc6367a826671899ebc66af4fc76bd"},"version":3}}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"304402201337b51d0af97ea915b610c9f667870e557020bd5529446162c4f0973ec3a1ea02202368eb21295e6eb3b7250018eeeeeccdecdc03bba479bf9b23e5653a8b04e93f"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-invalid-hash/3.targets.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"targets","spec_version":"1.0","version":3,"expires":"2024-05-12T14:37:48Z","targets":{"test.txt":{"length":10,"hashes":{"sha512":"860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885"}},"test.txt.v2":{"length":15,"hashes":{"sha512":"32005f02eac21b4cf161a02495330b6c14b548622b5f7e19d59ecfa622de650603ecceea39ed86cc322749a813503a72ad14ce5462c822b511eaf2f2cd2ad8f2"}},"test2.txt":{"length":18,"hashes":{"sha512":"53904bc6216230bf8da0ec42d34004a3f36764de698638641870e37d270e4fd13e1079285f8bca73c2857a279f6f7fbc82038274c3eb48ec5bb2da9b2e30491a"}}}},"signatures":[{"keyid":"a9c5c80b93210eeb34e6264b4b261ff6899d4dbfb8e308f8546722a2bae30687","sig":"3046022100c42ba4040959cb31add11fd9258e3eea25584da5ebe1f6c3e4c47bd0066cec12022100f478b39c2b24529471f5ecb7cb93b2b705f44785883e787b3749cdb3ac6bc163"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-invalid-hash/README.md: -------------------------------------------------------------------------------- 1 | # Setup test data 2 | 3 | ```shell 4 | cp ../test-template/2.root.json . 5 | cp ../test-template/timestamp.json . 6 | cp ../test-template/3.snapshot.json . 7 | cp ../test-template/3.targets.json . 
8 | # modify the file so the hash doesn't match 9 | sed -i 's/2023/2024/g' 3.targets.json 10 | ``` 11 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-invalid-hash/timestamp.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"timestamp","spec_version":"1.0","version":3,"expires":"2023-02-13T15:37:48Z","meta":{"snapshot.json":{"length":540,"hashes":{"sha512":"60ae0f31d2edb9f86a306528e611a811b7bffa3cff013c9a34a45cde7cef060199ed0dd791813211824f6488d31692d96ad6efffc6aaa5861b8206b0ad2291aa"},"version":3}}},"signatures":[{"keyid":"7aecf5f0720acfb4fa873896ba05a2d8914f5b6ca90d26ac8bc0f1e491378740","sig":"3045022000bf30ff23da1b2ad7caab816879e35b10b47cf105db1437ddd7336294bd50f4022100dbf332fcad9b10ffec8a6fd78cde785d3a0451d49ed6f32d3bf771ddf7d3fdeb"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-sha256-or-sha512/1.targets.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"targets","spec_version":"1.0","version":1,"expires":"2024-11-22T21:34:24Z","targets":{"test.txt":{"length":10,"hashes":{"sha256":"55f8718109829bf506b09d8af615b9f107a266e19f7a311039d1035f180b22d4"}},"test2.txt":{"length":6,"hashes":{"sha512":"2dff935df7d1e1221ef52c753091c487c6fdaabbb0b0e2b193764de8cd7c1222776c61d7ef21f20a4d031a6a6bfa631713df7c4f71b4ee21d362152d4618d514"}}}},"signatures":[{"keyid":"5e284914a20f614e375b4f82808333a687afeee15d7f43d187dc173353682fd5","sig":"304602210092fbb2a4cfc04497f640314d41207d79a17ea5b3331faf157e24da738c124dbc022100b237f54ea3d3fb5687b3e47fbc3549a216dbda9c0ab05e94196f2ab6990894da"}]} 2 | -------------------------------------------------------------------------------- 
/sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-sha256-or-sha512/2.snapshot.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"snapshot","spec_version":"1.0","version":2,"expires":"2024-08-29T20:36:55Z","meta":{"targets.json":{"length":642,"hashes":{"sha512":"4cdbc10a77607ab1effe79645e367c61d1195af568995b9ce0dec5fd684af4359198add5597e92e61aa8f2c96598ed48552847ad14fe35354868446b60a0e498"},"version":1}}},"signatures":[{"keyid":"1dec63309978fb7e4f8264f403798fce160174c65ac85398ae39b07daeaa2482","sig":"30460221008fa6b790fb813c483b9672afc045b5bd3e0c719bb8ddf63ab7f97ae632015a3b022100bcaa73f6b2de9e67cdd1d336cb31a0d86f73ec935d3bd03a9fd0a08fbb516754"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-sha256-or-sha512/targets/2dff935df7d1e1221ef52c753091c487c6fdaabbb0b0e2b193764de8cd7c1222776c61d7ef21f20a4d031a6a6bfa631713df7c4f71b4ee21d362152d4618d514.test2.txt: -------------------------------------------------------------------------------- 1 | test2 2 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-sha256-or-sha512/targets/55f8718109829bf506b09d8af615b9f107a266e19f7a311039d1035f180b22d4.test.txt: -------------------------------------------------------------------------------- 1 | test file 2 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-sha256-or-sha512/timestamp.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"timestamp","spec_version":"1.0","version":2,"expires":"2024-08-23T20:36:58Z","meta":{"snapshot.json":{"length":544,"hashes":{"sha512":"03f128cfbfe1892a698079944a1c849f88997af2d4a82934063b007da42a3ec934c78965faa2d5a93cbda0ee06f952fbefe156d7416e89f8c0ff1cbf5b5169d2"},"version":2}}},"signatures":[{"keyid":"f48d3de6cc0c9f9dbb6b8af8f3de96a1f12d24c9f5980f2d8ce7afdf19b07e03","sig":"3046022100d9147f558bcb36b33fe10456529457d841d04efec9a0f6f00dcefd907d01e6e7022100b5ffac27ce56a2977c6c5b107ee4b97b07b0bf5ed1bb39789058b794e68fe6a5"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-snapshot-version-mismatch/3.snapshot.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"snapshot","spec_version":"1.0","version":3,"expires":"2023-02-19T15:37:48Z","meta":{"targets.json":{"length":885,"hashes":{"sha512":"3646b408d88b648df6448af4ba95c3e5630c34003f0fc2d335d87757d7160b27de99b5628a0f8f43a1deabbb768e22d747c0e3b6c13204c5e62b0e235f34f366"},"version":3}}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"304402205b39cfb96c83d5ba2435e281b8e774368ffb776d07bf989f2c3254f7f8f7155102207b1c3c4d2ae114778cdef7a2c4d69d8fccd95ce6254ed1aa89b3eb112d0eb131"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-snapshot-version-mismatch/3.targets.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"targets","spec_version":"1.0","version":2,"expires":"2023-05-12T14:37:48Z","targets":{"test.txt":{"length":10,"hashes":{"sha512":"860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885"}},"test.txt.v2":{"length":15,"hashes":{"sha512":"32005f02eac21b4cf161a02495330b6c14b548622b5f7e19d59ecfa622de650603ecceea39ed86cc322749a813503a72ad14ce5462c822b511eaf2f2cd2ad8f2"}},"test2.txt":{"length":18,"hashes":{"sha512":"53904bc6216230bf8da0ec42d34004a3f36764de698638641870e37d270e4fd13e1079285f8bca73c2857a279f6f7fbc82038274c3eb48ec5bb2da9b2e30491a"}}}},"signatures":[{"keyid":"a9c5c80b93210eeb34e6264b4b261ff6899d4dbfb8e308f8546722a2bae30687","sig":"304602210087f08ea63b96fcfc336ad69e0f3b0c7c42c1aed8a6febb902f41f6daff7d2904022100bcb1535d28a37f756f154f735899b2050894cc1e6821d37c09c1a9da82e64c43"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-snapshot-version-mismatch/timestamp.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"timestamp","spec_version":"1.0","version":3,"expires":"2023-02-13T15:37:48Z","meta":{"snapshot.json":{"length":540,"hashes":{"sha512":"1689bc9026f563c9a49ce0ab4f394d4eee32edb8df88894e8752cdc04d9ffd6f358abbf35d6575083677448bc9c3abdc6d8036ace767ae4efe6a8bdced7b988a"},"version":3}}},"signatures":[{"keyid":"7aecf5f0720acfb4fa873896ba05a2d8914f5b6ca90d26ac8bc0f1e491378740","sig":"30450220737292dc88d68e0a3888e558d6cd2ebfa384fddf85932d28331d685f1301a6c9022100b3970a613eafe6c5ecbe82b56edf94eeeb0dac5c5dbb30f72336912b04dd620b"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-with-subdirs/1.snapshot.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"snapshot","spec_version":"1.0","version":1,"expires":"2025-01-19T18:36:49Z","meta":{"targets.json":{"length":532,"hashes":{"sha512":"53d5256dd4926de0b79662f0d911ed42a2dd19c6480bce690199ac2eec9228aa97f5e3709746ef615d6dd758115d221790bbc7e4976907f62fc742a7406a0062"},"version":1}}},"signatures":[{"keyid":"f944fd2f09223b2d8a7f7673bb31f625ed12026fb6d2a4c251a3cfd6e43f9119","sig":"3046022100cfdb316b9407245c20f3b4ebe24cbc524e5324e1ceadd7ba0298384d8218ec76022100a596bc5912fa9a78fab28223d5bb36b7667dfa3ca5f63017eddcf9b427990b24"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-with-subdirs/1.targets.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"targets","spec_version":"1.0","version":1,"expires":"2025-02-20T18:36:39Z","targets":{"subdir/test.txt":{"length":10,"hashes":{"sha512":"860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885"}}}},"signatures":[{"keyid":"97b9f13f07972ce34e386ca1fc74fa1f293ca9b1b23c23b1da178a31e8b77d0b","sig":"304402206393d229300c00882ee9e0d20a4364b554a76f8fc744cf1a5d042867946b2e05022029c8b3c4288cbdc585bb900e16236e95307050f611ea8e9261c4980aa8830ec0"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-with-subdirs/README.md: -------------------------------------------------------------------------------- 1 | # Setup test data 2 | 3 | ```shell 4 | tuf init 5 | tuf gen-key --expires=90 --scheme="ecdsa-sha2-nistp256" root 6 | tuf gen-key --expires=90 --scheme="ecdsa-sha2-nistp256" targets 7 | tuf gen-key --expires=90 --scheme="ecdsa-sha2-nistp256" snapshot 8 | tuf gen-key --expires=90 --scheme="ecdsa-sha2-nistp256" timestamp 9 | mkdir -p staged/targets/subdir 10 | echo "test file" > 
staged/targets/subdir/test.txt 11 | tuf add "subdir/test.txt" 12 | tuf snapshot --expires=60 13 | tuf timestamp --expires=30 14 | tuf commit 15 | ``` 16 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-with-subdirs/targets/subdir/860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885.test.txt: -------------------------------------------------------------------------------- 1 | test file 2 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/targets-with-subdirs/timestamp.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"timestamp","spec_version":"1.0","version":1,"expires":"2024-12-20T18:36:58Z","meta":{"snapshot.json":{"length":544,"hashes":{"sha512":"4467bf790a07dc4220baac68918d6f1bb7f6cb2a2f2663436e5817f3800ddbdc9c18b33e0a869e66eee523f9b3745799db9c7753393378fd3387ce5d74c5c3b0"},"version":1}}},"signatures":[{"keyid":"3332a046bd204e13b3c749c87179351a5b5fbf20735b37137d9694835a846c42","sig":"30450220386af40c0096bc8c7e9a5397ccd79de0ef40b04ab63f7c1c1243a9ea247e34d50221008767dabffb2022c732e7a9874a2f48bd1073c0a6cbcf86a1d6f604130f12f1d1"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test-template/1.snapshot.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"snapshot","spec_version":"1.0","version":1,"expires":"2023-04-13T14:36:15Z","meta":{"targets.json":{"length":527,"hashes":{"sha512":"a3431882ba40a485359fed308a66a0088cc3f27f2716a6cac5809761560661aed1d54830eef1c90bd8e297f13181827581ff083000180de8d2e443cd7e0ea12c"},"version":1}}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"30440220563998ef5a37e8b1dc1b1fc65001e3e107a22610d5e97cf3fd45e8edd7468eac022079a3e8243275e73373a7fff108270ac29e6011ded253b88edc090621126b167b"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test-template/1.targets.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"targets","spec_version":"1.0","version":1,"expires":"2023-05-12T14:36:10Z","targets":{"test.txt":{"length":10,"hashes":{"sha512":"860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885"}}}},"signatures":[{"keyid":"a9c5c80b93210eeb34e6264b4b261ff6899d4dbfb8e308f8546722a2bae30687","sig":"304502207e86480c099814a6a71e4f5d5beae8eb6328f14480feecd89fa09914b5d4fb3602210085df8df7eb8a088f4741262e3518bdd77c1622655191810a0155f5c7fc78dca7"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test-template/1.timestamp.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"timestamp","spec_version":"1.0","version":1,"expires":"2023-02-13T15:37:48Z","meta":{"snapshot.json":{"length":540,"hashes":{"sha512":"86ecb76e92bea85f8018fb25e0fd1e2d441758068f02032ead3ba94d13c546b0c2d30a85e794bfc02487314759fa0144636ea9d3a74651ead1c5067804a46414"},"version":1}}},"signatures":[{"keyid":"7aecf5f0720acfb4fa873896ba05a2d8914f5b6ca90d26ac8bc0f1e491378740","sig":"3046022100de5e6722ef1c7e1b6e314924705bb7b4aba39146654286326d68f855ec2d2b890221008359fc83d887721aab09e5e0260456a79af8d4b8f521301212da8787bf93e3a2"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test-template/2.snapshot.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"snapshot","spec_version":"1.0","version":2,"expires":"2023-02-19T15:37:40Z","meta":{"targets.json":{"length":704,"hashes":{"sha512":"b4a9036ac75cff22d255880218f2761c1b517f80d4efdd4c00b62cbcfcce5f4159613353a880d1ba4ccf60049c4b32bd720db270b1765c7221a7b3e14dfd81ba"},"version":2}}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"304502204f4ef856be4834b24c91025eefd65c8ebdfd3141c3f094c10628ff184db0a296022100ef6ee4a20e256b0002bf8ba7347fadbb16da4bb2b92b3176b16415fb28535491"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test-template/2.targets.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"targets","spec_version":"1.0","version":2,"expires":"2023-05-12T14:37:34Z","targets":{"test.txt":{"length":10,"hashes":{"sha512":"860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885"}},"test.txt.v2":{"length":15,"hashes":{"sha512":"32005f02eac21b4cf161a02495330b6c14b548622b5f7e19d59ecfa622de650603ecceea39ed86cc322749a813503a72ad14ce5462c822b511eaf2f2cd2ad8f2"}}}},"signatures":[{"keyid":"a9c5c80b93210eeb34e6264b4b261ff6899d4dbfb8e308f8546722a2bae30687","sig":"30440220673b003c46baae1c794e9096411d9f89cdf42bca53658fd8ba6def603d4911fa02206d8a39c70a1a562377b93e095e5cba619b6348ff93f44ea580e8fc070a8c96c7"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test-template/2.timestamp.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"timestamp","spec_version":"1.0","version":2,"expires":"2023-02-13T15:37:48Z","meta":{"snapshot.json":{"length":542,"hashes":{"sha512":"e4651ad8630a8e9b98b73dc1c65542c3d2ebab8c93ff8bdc062e242b688b931d98eb9f3051dc9664470dfa3a06bfde6def4fb631e7149de1bd7a00941f2b9092"},"version":2}}},"signatures":[{"keyid":"7aecf5f0720acfb4fa873896ba05a2d8914f5b6ca90d26ac8bc0f1e491378740","sig":"304502205f8d3b405c13c014ac66c820ef83d6633714e348b61ebf0ab92afd700db1b18e022100ea6cf02cc651c2967bd898544554b567427cfe907382d409998a9b6f0c62b26a"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test-template/3.snapshot.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"snapshot","spec_version":"1.0","version":3,"expires":"2023-02-19T15:37:48Z","meta":{"targets.json":{"length":885,"hashes":{"sha512":"16ee6491433f7063c7aafad520a3d3722ec59b5e2f0235295f2a429d0604d73ebbb8ff2f0021dd05efa9aa2f716510d2ffbc6367a826671899ebc66af4fc76bd"},"version":3}}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"304402201337b51d0af97ea915b610c9f667870e557020bd5529446162c4f0973ec3a1ea02202368eb21295e6eb3b7250018eeeeeccdecdc03bba479bf9b23e5653a8b04e93f"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test-template/3.targets.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"targets","spec_version":"1.0","version":3,"expires":"2023-05-12T14:37:48Z","targets":{"test.txt":{"length":10,"hashes":{"sha512":"860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885"}},"test.txt.v2":{"length":15,"hashes":{"sha512":"32005f02eac21b4cf161a02495330b6c14b548622b5f7e19d59ecfa622de650603ecceea39ed86cc322749a813503a72ad14ce5462c822b511eaf2f2cd2ad8f2"}},"test2.txt":{"length":18,"hashes":{"sha512":"53904bc6216230bf8da0ec42d34004a3f36764de698638641870e37d270e4fd13e1079285f8bca73c2857a279f6f7fbc82038274c3eb48ec5bb2da9b2e30491a"}}}},"signatures":[{"keyid":"a9c5c80b93210eeb34e6264b4b261ff6899d4dbfb8e308f8546722a2bae30687","sig":"3046022100c42ba4040959cb31add11fd9258e3eea25584da5ebe1f6c3e4c47bd0066cec12022100f478b39c2b24529471f5ecb7cb93b2b705f44785883e787b3749cdb3ac6bc163"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test-template/snapshot.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"snapshot","spec_version":"1.0","version":3,"expires":"2023-02-19T15:37:48Z","meta":{"targets.json":{"length":885,"hashes":{"sha512":"16ee6491433f7063c7aafad520a3d3722ec59b5e2f0235295f2a429d0604d73ebbb8ff2f0021dd05efa9aa2f716510d2ffbc6367a826671899ebc66af4fc76bd"},"version":3}}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"304402201337b51d0af97ea915b610c9f667870e557020bd5529446162c4f0973ec3a1ea02202368eb21295e6eb3b7250018eeeeeccdecdc03bba479bf9b23e5653a8b04e93f"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test-template/targets.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"targets","spec_version":"1.0","version":3,"expires":"2023-05-12T14:37:48Z","targets":{"test.txt":{"length":10,"hashes":{"sha512":"860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885"}},"test.txt.v2":{"length":15,"hashes":{"sha512":"32005f02eac21b4cf161a02495330b6c14b548622b5f7e19d59ecfa622de650603ecceea39ed86cc322749a813503a72ad14ce5462c822b511eaf2f2cd2ad8f2"}},"test2.txt":{"length":18,"hashes":{"sha512":"53904bc6216230bf8da0ec42d34004a3f36764de698638641870e37d270e4fd13e1079285f8bca73c2857a279f6f7fbc82038274c3eb48ec5bb2da9b2e30491a"}}}},"signatures":[{"keyid":"a9c5c80b93210eeb34e6264b4b261ff6899d4dbfb8e308f8546722a2bae30687","sig":"3046022100c42ba4040959cb31add11fd9258e3eea25584da5ebe1f6c3e4c47bd0066cec12022100f478b39c2b24529471f5ecb7cb93b2b705f44785883e787b3749cdb3ac6bc163"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test-template/targets/32005f02eac21b4cf161a02495330b6c14b548622b5f7e19d59ecfa622de650603ecceea39ed86cc322749a813503a72ad14ce5462c822b511eaf2f2cd2ad8f2.test.txt.v2: 
-------------------------------------------------------------------------------- 1 | test target v2 2 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test-template/targets/53904bc6216230bf8da0ec42d34004a3f36764de698638641870e37d270e4fd13e1079285f8bca73c2857a279f6f7fbc82038274c3eb48ec5bb2da9b2e30491a.test2.txt: -------------------------------------------------------------------------------- 1 | another test file 2 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test-template/targets/860de8f9a858eea7190fcfa1b53fe55914d3c38f17f8f542273012d19cc9509bb423f37b7c13c577a56339ad7f45273b479b1d0df837cb6e20a550c27cce0885.test.txt: -------------------------------------------------------------------------------- 1 | test file 2 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test-template/timestamp.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"timestamp","spec_version":"1.0","version":3,"expires":"2023-02-13T15:37:48Z","meta":{"snapshot.json":{"length":540,"hashes":{"sha512":"60ae0f31d2edb9f86a306528e611a811b7bffa3cff013c9a34a45cde7cef060199ed0dd791813211824f6488d31692d96ad6efffc6aaa5861b8206b0ad2291aa"},"version":3}}},"signatures":[{"keyid":"7aecf5f0720acfb4fa873896ba05a2d8914f5b6ca90d26ac8bc0f1e491378740","sig":"3045022000bf30ff23da1b2ad7caab816879e35b10b47cf105db1437ddd7336294bd50f4022100dbf332fcad9b10ffec8a6fd78cde785d3a0451d49ed6f32d3bf771ddf7d3fdeb"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test/keys/snapshot.json: -------------------------------------------------------------------------------- 1 | { 2 | "encrypted": false, 3 
| "data": [ 4 | { 5 | "keytype": "ecdsa-sha2-nistp256", 6 | "scheme": "ecdsa-sha2-nistp256", 7 | "keyid_hash_algorithms": [ 8 | "sha256", 9 | "sha512" 10 | ], 11 | "keyval": { 12 | "private": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIE+0DoWvedC/M6PszNPKVSj3Y6JF7n/+yMgGF8LhJPBzoAoGCCqGSM49\nAwEHoUQDQgAE+iObJwvwNaRlcYTWQm06PwkG/JXZHbs3NbF6q88yX8/9cFWkPM7f\ne6ywqnUPvjB3SB/TRBA247JOorXq9GnkoA==\n-----END EC PRIVATE KEY-----\n", 13 | "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+iObJwvwNaRlcYTWQm06PwkG/JXZ\nHbs3NbF6q88yX8/9cFWkPM7fe6ywqnUPvjB3SB/TRBA247JOorXq9GnkoA==\n-----END PUBLIC KEY-----\n" 14 | } 15 | } 16 | ] 17 | } 18 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test/keys/targets.json: -------------------------------------------------------------------------------- 1 | { 2 | "encrypted": false, 3 | "data": [ 4 | { 5 | "keytype": "ecdsa-sha2-nistp256", 6 | "scheme": "ecdsa-sha2-nistp256", 7 | "keyid_hash_algorithms": [ 8 | "sha256", 9 | "sha512" 10 | ], 11 | "keyval": { 12 | "private": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIOk/sjjYbsFJxa/eoiY2/JusnCB+HWbREB3PUYYSRDhSoAoGCCqGSM49\nAwEHoUQDQgAEidXjF3GT4NNDHaqLnAHmKHNcYM+vCtWgjXPUxZ/ra6X3JWDIAxyS\nTW8kIxqBDuZjdPx2Cb3iGsYKvv1uU2ACTw==\n-----END EC PRIVATE KEY-----\n", 13 | "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEidXjF3GT4NNDHaqLnAHmKHNcYM+v\nCtWgjXPUxZ/ra6X3JWDIAxySTW8kIxqBDuZjdPx2Cb3iGsYKvv1uU2ACTw==\n-----END PUBLIC KEY-----\n" 14 | } 15 | } 16 | ] 17 | } 18 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test/keys/timestamp.json: -------------------------------------------------------------------------------- 1 | { 2 | "encrypted": false, 3 | "data": [ 4 | { 5 | "keytype": "ecdsa-sha2-nistp256", 6 | "scheme": "ecdsa-sha2-nistp256", 7 | 
"keyid_hash_algorithms": [ 8 | "sha256", 9 | "sha512" 10 | ], 11 | "keyval": { 12 | "private": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIGUllPXu7zZF6G0fs545XhxHZYdQ0kEdPfCnwQhvYQLJoAoGCCqGSM49\nAwEHoUQDQgAEDYVTdtFRilKwjrgFU4BmfC+3dN7BnxvAzhcHNKr1BtgjlbD4ih10\nlM3mMfMy6xXEIgHG08hpz12NePg1JPaHFw==\n-----END EC PRIVATE KEY-----\n", 13 | "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDYVTdtFRilKwjrgFU4BmfC+3dN7B\nnxvAzhcHNKr1BtgjlbD4ih10lM3mMfMy6xXEIgHG08hpz12NePg1JPaHFw==\n-----END PUBLIC KEY-----\n" 14 | } 15 | } 16 | ] 17 | } 18 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test/repository/snapshot.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"snapshot","spec_version":"1.0","version":2,"expires":"2024-08-29T20:36:55Z","meta":{"targets.json":{"length":642,"hashes":{"sha512":"4cdbc10a77607ab1effe79645e367c61d1195af568995b9ce0dec5fd684af4359198add5597e92e61aa8f2c96598ed48552847ad14fe35354868446b60a0e498"},"version":1}}},"signatures":[{"keyid":"1dec63309978fb7e4f8264f403798fce160174c65ac85398ae39b07daeaa2482","sig":"30460221008fa6b790fb813c483b9672afc045b5bd3e0c719bb8ddf63ab7f97ae632015a3b022100bcaa73f6b2de9e67cdd1d336cb31a0d86f73ec935d3bd03a9fd0a08fbb516754"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test/repository/targets.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"targets","spec_version":"1.0","version":1,"expires":"2024-11-22T21:34:24Z","targets":{"test.txt":{"length":10,"hashes":{"sha256":"55f8718109829bf506b09d8af615b9f107a266e19f7a311039d1035f180b22d4"}},"test2.txt":{"length":6,"hashes":{"sha512":"2dff935df7d1e1221ef52c753091c487c6fdaabbb0b0e2b193764de8cd7c1222776c61d7ef21f20a4d031a6a6bfa631713df7c4f71b4ee21d362152d4618d514"}}}},"signatures":[{"keyid":"5e284914a20f614e375b4f82808333a687afeee15d7f43d187dc173353682fd5","sig":"304602210092fbb2a4cfc04497f640314d41207d79a17ea5b3331faf157e24da738c124dbc022100b237f54ea3d3fb5687b3e47fbc3549a216dbda9c0ab05e94196f2ab6990894da"}]} 2 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test/repository/targets/2dff935df7d1e1221ef52c753091c487c6fdaabbb0b0e2b193764de8cd7c1222776c61d7ef21f20a4d031a6a6bfa631713df7c4f71b4ee21d362152d4618d514.test2.txt: -------------------------------------------------------------------------------- 1 | test2 2 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test/repository/targets/55f8718109829bf506b09d8af615b9f107a266e19f7a311039d1035f180b22d4.test.txt: -------------------------------------------------------------------------------- 1 | test file 2 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/test/repository/timestamp.json: -------------------------------------------------------------------------------- 1 | 
{"signed":{"_type":"timestamp","spec_version":"1.0","version":2,"expires":"2024-08-23T20:36:58Z","meta":{"snapshot.json":{"length":544,"hashes":{"sha512":"03f128cfbfe1892a698079944a1c849f88997af2d4a82934063b007da42a3ec934c78965faa2d5a93cbda0ee06f952fbefe156d7416e89f8c0ff1cbf5b5169d2"},"version":2}}},"signatures":[{"keyid":"f48d3de6cc0c9f9dbb6b8af8f3de96a1f12d24c9f5980f2d8ce7afdf19b07e03","sig":"3046022100d9147f558bcb36b33fe10456529457d841d04efec9a0f6f00dcefd907d01e6e7022100b5ffac27ce56a2977c6c5b107ee4b97b07b0bf5ed1bb39789058b794e68fe6a5"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/timestamp-rollback-version/README.md: -------------------------------------------------------------------------------- 1 | # Setup test data 2 | 3 | ```shell 4 | cp ../test-template/2.root.json . 5 | cp ../test-template/1.timestamp.json timestamp.json 6 | ``` 7 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/timestamp-rollback-version/timestamp.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"timestamp","spec_version":"1.0","version":1,"expires":"2023-02-13T15:37:48Z","meta":{"snapshot.json":{"length":540,"hashes":{"sha512":"86ecb76e92bea85f8018fb25e0fd1e2d441758068f02032ead3ba94d13c546b0c2d30a85e794bfc02487314759fa0144636ea9d3a74651ead1c5067804a46414"},"version":3}}},"signatures":[{"keyid":"7aecf5f0720acfb4fa873896ba05a2d8914f5b6ca90d26ac8bc0f1e491378740","sig":"3046022100e329151045ba39ef8788d53b5933121e036a285f85f967b2b83939d5972be0bf022100f547c85774e73caf59bbbe1d261de0faa05c21d39d4c4a06615c37d0c4e2aec3"}]} -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/timestamp-unsigned/README.md: 
-------------------------------------------------------------------------------- 1 | # Setup test data 2 | 3 | ```shell 4 | cp ../test-template/2.root.json . 5 | cp ../test-template/timestamp.json . 6 | ## remove all signatures so the timestamp metadata is unsigned 7 | jq -r '.signatures |= []' timestamp.json > timestamp.new 8 | rm timestamp.json && mv timestamp.new timestamp.json 9 | ``` 10 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/timestamp-unsigned/timestamp.json: -------------------------------------------------------------------------------- 1 | { 2 | "signed": { 3 | "_type": "timestamp", 4 | "spec_version": "1.0", 5 | "version": 3, 6 | "expires": "2022-12-10T18:07:30Z", 7 | "meta": { 8 | "snapshot.json": { 9 | "length": 542, 10 | "hashes": { 11 | "sha512": "19584e474aafefce00d504cdb2c6103fd964872c3806639d66a8852f68bf42071c7324fdffbb85a7257cdca839d3cea35172c9eba9007963fecc041899375482" 12 | }, 13 | "version": 3 14 | } 15 | } 16 | }, 17 | "signatures": [] 18 | } 19 | -------------------------------------------------------------------------------- /sigstore-java/src/test/resources/dev/sigstore/tuf/synthetic/tmp/3.snapshot.json: -------------------------------------------------------------------------------- 1 | {"signed":{"_type":"snapshot","spec_version":"1.0","version":3,"expires":"2023-02-19T15:37:48Z","meta":{"targets.json":{"version":3}}},"signatures":[{"keyid":"9354bd3deaa572ed06306ddfad457037918534ece677cf962526a6fd40112d7a","sig":"3046022100a894577e33d9f0771a15f14ea4932daaf31fa86c8a2d6fd2f6b22042a8673722022100a12583f21fb237627dee73a7c5a101006b64e67894b93b596d491aecab21c3d5"}]} -------------------------------------------------------------------------------- /sigstore-maven-plugin/build.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | id("build-logic.java-published-library") 3 | id("build-logic.test-junit5") 4 |
id("build-logic.depends-on-local-sigstore-java-repo") 5 | id("build-logic.depends-on-local-sigstore-maven-plugin-repo") 6 | id("de.benediktritter.maven-plugin-development") version "0.4.3" 7 | } 8 | 9 | description = "A Maven plugin for signing with Sigstore" 10 | 11 | dependencies { 12 | compileOnly("org.apache.maven:maven-plugin-api:3.9.9") 13 | compileOnly("org.apache.maven:maven-core:3.9.9") 14 | compileOnly("org.apache.maven.plugin-tools:maven-plugin-annotations:3.14.0") 15 | 16 | implementation(project(":sigstore-java")) 17 | implementation("org.bouncycastle:bcutil-jdk18on:1.80") 18 | implementation("org.apache.maven.plugins:maven-gpg-plugin:3.2.7") 19 | 20 | testImplementation("org.apache.maven.shared:maven-verifier:1.8.0") 21 | 22 | testImplementation(project(":sigstore-testkit")) 23 | 24 | sigstoreJavaRuntime(project(":sigstore-java")) { 25 | because("Test code needs access locally-built sigstore-java as a Maven repository") 26 | } 27 | sigstoreMavenPluginRuntime(project(":sigstore-maven-plugin")) { 28 | because("Test code needs access locally-built sigstore-java as a Maven repository") 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /sigstore-testkit/build.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | id("build-logic.kotlin") 3 | id("build-logic.repositories") 4 | id("build-logic.test-junit5") 5 | } 6 | 7 | dependencies { 8 | implementation(project(":sigstore-java")) 9 | implementation("com.google.code.gson:gson:2.13.1") 10 | implementation("com.google.guava:guava:33.4.8-jre") 11 | 12 | // This is different from typical "testImplementation" dependencies, because 13 | // testkit exposes junit5 dependencies in its API (e.g. 
annotations) 14 | api(platform("org.junit:junit-bom:5.12.2")) 15 | api("org.junit.jupiter:junit-jupiter-api") 16 | api("org.junit.jupiter:junit-jupiter-params") 17 | implementation("org.junit.jupiter:junit-jupiter") 18 | api("org.assertj:assertj-core:3.27.3") 19 | api(gradleTestKit()) 20 | } 21 | -------------------------------------------------------------------------------- /sigstore-testkit/src/main/kotlin/dev/sigstore/testkit/TestedGradle.kt: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | */ 17 | package dev.sigstore.testkit 18 | 19 | import org.gradle.util.GradleVersion 20 | 21 | /** 22 | * Lists Gradle versions and its configuration for backward compatibility testing of Sigstore Gradle plugin. 23 | */ 24 | data class TestedGradle( 25 | val version: GradleVersion, 26 | val configurationCache: BaseGradleTest.ConfigurationCache, 27 | val projectIsolation: BaseGradleTest.ProjectIsolation, 28 | ) 29 | -------------------------------------------------------------------------------- /sigstore-testkit/src/main/kotlin/dev/sigstore/testkit/TestedGradleAndSigstoreJava.kt: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 
3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | */ 17 | package dev.sigstore.testkit 18 | 19 | /** 20 | * Lists Gradle versions and Sigstore Gradle plugin versions. 21 | */ 22 | data class TestedGradleAndSigstoreJava( 23 | val gradle: TestedGradle, 24 | val sigstoreJava: TestedSigstoreJava, 25 | ) 26 | -------------------------------------------------------------------------------- /sigstore-testkit/src/main/kotlin/dev/sigstore/testkit/annotations/DisabledIfSkipStaging.kt: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | * 16 | */ 17 | package dev.sigstore.testkit.annotations 18 | 19 | import org.junit.jupiter.api.condition.DisabledIfSystemProperty 20 | 21 | @Target(AnnotationTarget.CLASS, AnnotationTarget.FUNCTION) 22 | @DisabledIfSystemProperty( 23 | named = "sigstore-java.test.skipStaging", 24 | matches = "^\\s*+(true|y|on|)\\s*+$", 25 | disabledReason = "sigstore-java.test.skipStaging system property is present", 26 | ) 27 | annotation class DisabledIfSkipStaging {} 28 | -------------------------------------------------------------------------------- /sigstore-testkit/src/main/kotlin/dev/sigstore/testkit/annotations/OidcProviderType.kt: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | */ 17 | package dev.sigstore.testkit.annotations 18 | 19 | enum class OidcProviderType { 20 | ANY, 21 | MANUAL, 22 | CI, 23 | AWS, 24 | AZURE, 25 | GITHUB, 26 | } 27 | -------------------------------------------------------------------------------- /sigstore-testkit/src/main/kotlin/dev/sigstore/testkit/gradle/Project.kt: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2022 The Sigstore Authors. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | */ 17 | package dev.sigstore.testkit.gradle 18 | 19 | import org.gradle.api.Project 20 | import org.gradle.testfixtures.ProjectBuilder 21 | 22 | fun project(block: Project.() -> T): T = 23 | ProjectBuilder.builder().build().run(block) 24 | -------------------------------------------------------------------------------- /tuf-cli/README.md: -------------------------------------------------------------------------------- 1 | # Sigstore-Java Tuf CLI 2 | 3 | Used for conformance testing and internal processes. This is not meant for public consumption; we will not support 4 | any use case that relies on it.
5 | 6 | ## Usage 7 | 8 | ### Help 9 | ``` 10 | ./gradlew tuf-cli:run 11 | ``` 12 | -------------------------------------------------------------------------------- /tuf-cli/build.gradle.kts: -------------------------------------------------------------------------------- 1 | plugins { 2 | id("build-logic.java") 3 | id("application") 4 | } 5 | 6 | repositories { 7 | mavenCentral() 8 | } 9 | 10 | dependencies { 11 | implementation(project(":sigstore-java")) 12 | implementation("info.picocli:picocli:4.7.6") 13 | implementation("com.google.guava:guava:33.4.8-jre") 14 | 15 | implementation(platform("com.google.oauth-client:google-oauth-client-bom:1.39.0")) 16 | implementation("com.google.oauth-client:google-oauth-client") 17 | 18 | annotationProcessor("info.picocli:picocli-codegen:4.7.6") 19 | } 20 | 21 | tasks.compileJava { 22 | options.compilerArgs.add("-Aproject=${project.group}/${project.name}") 23 | } 24 | 25 | application { 26 | mainClass.set("dev.sigstore.tuf.cli.Tuf") 27 | } 28 | 29 | distributions.main { 30 | contents { 31 | from("tuf-cli.xfails") { 32 | into("bin") 33 | } 34 | } 35 | } 36 | 37 | tasks.run.configure { 38 | workingDir = rootProject.projectDir 39 | } 40 | -------------------------------------------------------------------------------- /tuf-cli/tuf-cli.xfails: -------------------------------------------------------------------------------- 1 | test_metadata_bytes_match 2 | test_unusual_role_name[?] 
3 | test_unusual_role_name[#] 4 | test_unusual_role_name[/delegatedrole] 5 | test_unusual_role_name[../delegatedrole] 6 | test_snapshot_rollback[basic] 7 | test_snapshot_rollback[with 8 | test_static_repository[tuf-on-ci-0.11] 9 | test_graph_traversal[basic-delegation] 10 | test_graph_traversal[single-level-delegations] 11 | test_graph_traversal[two-level-delegations] 12 | test_graph_traversal[two-level-test-DFS-order-of-traversal] 13 | test_graph_traversal[three-level-delegation-test-DFS-order-of-traversal] 14 | test_graph_traversal[two-level-terminating-ignores-all-but-roles-descendants] 15 | test_graph_traversal[three-level-terminating-ignores-all-but-roles-descendants] 16 | test_graph_traversal[two-level-ignores-all-branches-not-matching-paths] 17 | test_graph_traversal[three-level-ignores-all-branches-not-matching-paths] 18 | test_graph_traversal[cyclic-graph] 19 | test_graph_traversal[two-roles-delegating-to-a-third] 20 | test_graph_traversal[two-roles-delegating-to-a-third-different-paths] 21 | test_targetfile_search[targetpath matches wildcard] 22 | test_targetfile_search[targetpath with separators x] 23 | test_targetfile_search[targetpath with separators y] 24 | test_targetfile_search[targetpath is not delegated by all roles in the chain] 25 | test_snapshot_rollback[with hashes] 26 | --------------------------------------------------------------------------------