From 1d65b94c230815a94e45dbc2068b792abc7bd77c Mon Sep 17 00:00:00 2001
From: Martin Sablotny
Date: Wed, 21 Aug 2024 09:35:19 -0700
Subject: [PATCH] comments 4
Signed-off-by: Martin Sablotny
---
 README.model_signing.md | 3 +++
 src/model_signing/model.py | 10 +++-------
 src/sign.py | 2 +-
 tests/signing/in_toto_signature_test.py | 8 ++++----
 4 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/README.model_signing.md b/README.model_signing.md
index 6a028e36..82624239 100644
--- a/README.model_signing.md
+++ b/README.model_signing.md
@@ -47,6 +47,9 @@ The verification part reads the sigstore bundle file and firstly verifies that t
 signature is valid and secondly compute the model's file hashes again to compare against the signed ones.
+**Note**: The signature is stored as `./model.sig` by default and can be adjusted
+by setting the `--sig_out` flag.
+
 ### Usage
 There are two scripts one can be used to create and sign a bundle and the other to
diff --git a/src/model_signing/model.py b/src/model_signing/model.py
index 12a492fa..113e1179 100644
--- a/src/model_signing/model.py
+++ b/src/model_signing/model.py
@@ -14,7 +14,7 @@
 # limitations under the License.
 import pathlib
-from typing import Callable, TypeAlias
+from typing import Callable, TypeAlias, Iterable
 from model_signing.manifest import manifest
 from model_signing.serialization import serialization
@@ -32,7 +32,7 @@ def sign(
 signer: signing.Signer,
 payload_generator: PayloadGeneratorFunc,
 serializer: serialization.Serializer,
- ignore_paths: list[pathlib.Path] | None = None,
+ ignore_paths: Iterable[pathlib.Path] = frozenset(),
 ) -> signing.Signature:
 """Provides a wrapper function for the steps necessary to sign a model.
@@ -47,8 +47,6 @@ def sign(
 Returns:
 The model's signature.
 """
- if not ignore_paths:
- ignore_paths = []
 manifest = serializer.serialize(model_path, ignore_paths=ignore_paths)
 payload = payload_generator(manifest)
 sig = signer.sign(payload)
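Review bot: An explicit `ignore_paths=None` from an existing caller now reaches `serializer.serialize` unconverted, because the `sign` body hunk removes the `if not ignore_paths` normalisation and the new annotation no longer admits `None`, so the tightened signature is not backward compatible for callers that passed `None`; the two `verify` hunks make the same change. Keeping the old spelling and normalising once, `ignore_paths: Iterable[pathlib.Path] | None = None` in the signature with `ignore_paths = frozenset(ignore_paths or ())` as the first statement of the body, preserves both call styles and also protects against a one-shot iterator being exhausted should `serialize` iterate the collection more than once, which these hunks do not let me confirm either way. The `Args:` sections of both docstrings lie outside the hunks; if they still describe `ignore_paths` as a list or `None`, they need the matching update. The immutable `frozenset()` default itself is a sound choice.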
@@ -60,7 +58,7 @@ def verify(
 verifier: signing.Verifier,
 model_path: pathlib.Path,
 serializer: serialization.Serializer,
- ignore_paths: list[pathlib.Path] | None = None,
+ ignore_paths: Iterable[pathlib.Path] = frozenset(),
 ):
 """Provides a simple wrapper to verify models.
@@ -75,8 +73,6 @@ def verify(
 Raises:
 verifying.VerificationError: on any verification error.
 """
- if not ignore_paths:
- ignore_paths = []
 peer_manifest = verifier.verify(sig)
 local_manifest = serializer.serialize(model_path, ignore_paths=ignore_paths)
 if peer_manifest != local_manifest:
diff --git a/src/sign.py b/src/sign.py
index a72eda07..15d1c49a 100644
--- a/src/sign.py
+++ b/src/sign.py
@@ -47,7 +47,7 @@ def _arguments() -> argparse.Namespace:
 help="the output file, it defaults ./signature.json",
 required=False,
 type=pathlib.Path,
- default=pathlib.Path("./signature.json"),
+ default=pathlib.Path("./model.sig"),
 dest="sig_out",
 )
diff --git a/tests/signing/in_toto_signature_test.py b/tests/signing/in_toto_signature_test.py
index 4fe25c76..42f90e14 100644
--- a/tests/signing/in_toto_signature_test.py
+++ b/tests/signing/in_toto_signature_test.py
@@ -34,7 +34,7 @@ def _shard_hasher_factory(
 def _hasher_factory(self, path: pathlib.Path) -> file.FileHasher:
 return file.SimpleFileHasher(path, memory.SHA256())
- def test_sharded_payload_to_manifest(self, sample_model_folder):
+ def test_sign_and_verify_sharded_manifest(self, sample_model_folder):
 signer = in_toto_signature.IntotoSigner(fake.FakeSigner())
 verifier = in_toto_signature.IntotoVerifier(fake.FakeVerifier())
 shard_serializer = serialize_by_file_shard.ManifestSerializer(
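Review bot: The `help` string three lines above the changed default in the `src/sign.py` hunk still reads `it defaults ./signature.json`, so `--help` now advertises a path the script no longer writes to, while the README added in this same patch says `./model.sig`. Let argparse substitute the real value so the two cannot drift apart again: `help="the output file, defaults to %(default)s",`. The enclosing `_arguments` function starts and ends outside the hunk.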
@@ -50,7 +50,7 @@ def test_sharded_payload_to_manifest(self, sample_model_folder):
 manifest = sig.to_manifest()
 assert shard_manifest == manifest
- def test_digest_sharded_payload_to_manifest(self, sample_model_folder):
+ def test_sign_and_verify_digest_sharded_manifest(self, sample_model_folder):
 signer = in_toto_signature.IntotoSigner(fake.FakeSigner())
 verifier = in_toto_signature.IntotoVerifier(fake.FakeVerifier())
 shard_serializer = serialize_by_file_shard.ManifestSerializer(
@@ -66,7 +66,7 @@ def test_digest_sharded_payload_to_manifest(self, sample_model_folder):
 manifest = sig.to_manifest()
 assert shard_manifest == manifest
- def test_digest_of_digest_payload_to_manifest(self, sample_model_folder):
+ def test_sign_and_verify_digest_of_digest_manifest(self, sample_model_folder):
 signer = in_toto_signature.IntotoSigner(fake.FakeSigner())
 verifier = in_toto_signature.IntotoVerifier(fake.FakeVerifier())
 file_serializer = serialize_by_file.ManifestSerializer(
@@ -82,7 +82,7 @@ def test_digest_of_digest_payload_to_manifest(self, sample_model_folder):
 manifest = sig.to_manifest()
 assert file_manifest == manifest
- def test_digest_payload_to_manifest(self, sample_model_folder):
+ def test_sign_and_verify_digest_manifest(self, sample_model_folder):
 signer = in_toto_signature.IntotoSigner(fake.FakeSigner())
 verifier = in_toto_signature.IntotoVerifier(fake.FakeVerifier())
 file_serializer = serialize_by_file.ManifestSerializer(