Merge pull request #3 from smallstep/jdoss/sigstore-python_2.0.1

Update sigstore-python to 2.0.1
smallstep · Oct 19, 2023 · 46e86ca · 46e86ca
2 parents 274d533 + 8f01e25
commit 46e86ca
Show file tree

Hide file tree

Showing 9 changed files with 63 additions and 39 deletions.
diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -0,0 +1,18 @@
+name: pre-commit
+
+on:
+  push:
+    tags-ignore:
+    - 'v*'
+    branches:
+    - "main"
+  pull_request:
+
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-python@v3
+    - uses: pre-commit/action@v3.0.0
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,19 @@
+repos:
+  - repo: https://github.com/psf/black
+    rev: 23.7.0
+    hooks:
+      - id: black
+
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.0.286
+    hooks:
+      - id: ruff
+
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
+    hooks:
+      - id: check-merge-conflict
+      - id: debug-statements
+      - id: detect-private-key
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
diff --git a/README.md b/README.md
@@ -63,7 +63,7 @@ verify_artifact_cert_identity: user@example.com # The identity to check for in t
 verify_artifact_cert_oidc_issuer: https://oidc.example.com # The OIDC issuer URL to check for in the certificate's OIDC issuer extension (Required)
 verify_artifact_fail_run: True # If set to False it will _not_ fail the playbook run if verification fails (Defaults to True)
 verify_artifact_pip_sigstore_install: True # Ensure the pip sigstore package is installed (Defaults to True)
-verify_artifact_pip_sigstore_version: 1.1.2 # Specific version to install. (Defaults to 1.1.2)
+verify_artifact_pip_sigstore_version: 2.0.1 # Specific version to install. (Defaults to 2.0.1)
 ```
 
 ### Example Playbook
@@ -82,7 +82,7 @@ verify_artifact_pip_sigstore_version: 1.1.2 # Specific version to install. (Defa
       verify_artifact_cert_oidc_issuer: https://oidc.example.com
       verify_artifact_fail_run: True
       verify_artifact_pip_sigstore_install: True
-      verify_artifact_pip_sigstore_version: 1.1.2
+      verify_artifact_pip_sigstore_version: 2.0.1
 ```
 
 ## Testing

diff --git a/plugins/modules/sigstore_verify.py b/plugins/modules/sigstore_verify.py
@@ -98,20 +98,19 @@
             sample: True
 """
 
-from ansible.module_utils.basic import AnsibleModule
-from ansible.module_utils.basic import missing_required_lib
-from ansible.module_utils.common.text.converters import to_native
-from ansible_collections.smallstep.sigstore.plugins.module_utils.sigstore import (
+import base64  # noqa: E402
+import binascii  # noqa: E402
+import traceback  # noqa: E402
+from pathlib import Path  # noqa: E402
+
+from ansible.module_utils.basic import AnsibleModule, missing_required_lib  # noqa: E402
+from ansible.module_utils.common.text.converters import to_native  # noqa: E402
+from ansible_collections.smallstep.sigstore.plugins.module_utils.sigstore import (  # noqa: E402
     Sigstore,
 )
 
-import base64
-import binascii
-import traceback
-from pathlib import Path
-
 try:
-    from sigstore.verify import Verifier, VerificationMaterials
+    from sigstore.verify import VerificationMaterials, Verifier
     from sigstore.verify.policy import Identity
 except ImportError:
     HAS_SIGSTORE = False
@@ -149,10 +148,14 @@ def verify_artifact(self) -> list:
             # The signature to verify
             signature = Path(params["signature"])
 
-            with artifact.open("rb") as a, cert.open("r") as c, signature.open("rb") as s:
+            with artifact.open("rb") as a, cert.open("r") as c, signature.open(
+                "rb"
+            ) as s:
                 try:
                     cert_data = c.read()
-                    cert_data_processed = base64.b64decode(cert_data, validate=True).decode("utf-8")
+                    cert_data_processed = base64.b64decode(
+                        cert_data, validate=True
+                    ).decode("utf-8")
                 except binascii.Error:
                     cert_data_processed = cert_data
                 materials = VerificationMaterials(
@@ -209,7 +212,9 @@ def define_module():
 def main():
     module = AnsibleSigstoreVerify.define_module()
     if not HAS_SIGSTORE:
-        module.fail_json(msg=missing_required_lib("sigstore"), exception=SIGSTORE_IMPORT_ERROR)
+        module.fail_json(
+            msg=missing_required_lib("sigstore"), exception=SIGSTORE_IMPORT_ERROR
+        )
 
     sigstore = AnsibleSigstoreVerify(module)
 

diff --git a/requirements.txt b/requirements.txt
@@ -1 +1 @@
-sigstore=1.1.2
+sigstore=2.0.1
diff --git a/roles/verify_artifact/README.md b/roles/verify_artifact/README.md
@@ -19,7 +19,7 @@ verify_artifact_cert_identity: user@example.com # The identity to check for in t
 verify_artifact_cert_oidc_issuer: https://oidc.example.com # The OIDC issuer URL to check for in the certificate's OIDC issuer extension (Required)
 verify_artifact_fail_run: True # If set to False it will _not_ fail the playbook run if verification fails (Defaults to True)
 verify_artifact_pip_sigstore_install: True # Ensure the pip sigstore package is installed (Defaults to True)
-verify_artifact_pip_sigstore_version: 1.1.2 # Specific version to install. (Defaults to 1.1.2)
+verify_artifact_pip_sigstore_version: 2.0.1 # Specific version to install. (Defaults to 2.0.1)
 ```
 
 ## Example Playbook
@@ -40,7 +40,7 @@ Here is how you can include this role in your playbook to verify an archive with
       verify_artifact_cert_oidc_issuer: https://oidc.example.com
       verify_artifact_fail_run: True
       verify_artifact_pip_sigstore_install: True
-      verify_artifact_pip_sigstore_version: 1.1.2
+      verify_artifact_pip_sigstore_version: 2.0.1
 ```
 
 ## Author Information
@@ -50,6 +50,6 @@ Smallstep Engineering
 
 ## License
 
-[Apache License Version 2.0](http://www.apache.org/licenses/LICENSE-2.0>)
+[Apache License Version 2.0](http://www.apache.org/licenses/LICENSE-2.0)
 
 Copyright 2023 Smallstep Labs Inc.
diff --git a/roles/verify_artifact/defaults/main.yml b/roles/verify_artifact/defaults/main.yml
@@ -2,4 +2,4 @@
 # defaults file for verify_artifact
 verify_artifact_fail_run: True
 verify_artifact_pip_sigstore_install: True
-verify_artifact_pip_sigstore_version: 1.1.2
+verify_artifact_pip_sigstore_version: 2.0.1
diff --git a/roles/verify_artifact/tests/test.yml b/roles/verify_artifact/tests/test.yml
@@ -12,4 +12,4 @@
       verify_artifact_cert_oidc_issuer: https://oidc.example.com
       verify_artifact_fail_run: True
       verify_artifact_pip_sigstore_install: True
-      verify_artifact_pip_sigstore_version: 1.1.2
+      verify_artifact_pip_sigstore_version: 2.0.1