cli: Add --rekor-version to sign arguments (#1471)

* cli: Add --rekor-version to sign arguments

This should not be needed... but it could be handy if
* SigningConfig already contains rekor v2
* user for some reason does not want rekor v2 entries in
  the bundle

This option only does anything if there are multiple Rekor versions
listed in SigningConfig.

The test is changed since the "ANY" selector is now considered to not be
an error if there are 0 services:
* This is not a problem since for both TSAs and tlogs we have a check
  that there is at least one service
* This improves the error message when --rekor-version is used with
  a version that is not found in signingconfig

Signed-off-by: Jussi Kukkonen <[email protected]>

* README: Update help output

Signed-off-by: Jussi Kukkonen <[email protected]>

* cli: Improve help output for --rekor-version

Avoid saying "default: None", mention the valid values instead.

Signed-off-by: Jussi Kukkonen <[email protected]>

---------

Signed-off-by: Jussi Kukkonen <[email protected]>

Author: jku

README.md

@@ -94,7 +94,8 @@ optional arguments:
 
 <!-- @begin-sigstore-sign-help@ -->
 ```
-usage: sigstore sign [-h] [-v] [--identity-token TOKEN] [--oidc-client-id ID]
+usage: sigstore sign [-h] [-v] [--rekor-version VERSION]
+                     [--identity-token TOKEN] [--oidc-client-id ID]
                      [--oidc-client-secret SECRET]
                      [--oidc-disable-ambient-providers] [--oidc-issuer URL]
                      [--oauth-force-oob] [--no-default-files]
@@ -109,6 +110,10 @@ optional arguments:
   -h, --help            show this help message and exit
   -v, --verbose         run with additional debug logging; supply multiple
                         times to increase verbosity (default: 0)
+  --rekor-version VERSION
+                        Force the rekor transparency log version. Valid values
+                        are [1, 2]. By default the highest available version
+                        is used
 
 OpenID Connect options:
   --identity-token TOKEN
@@ -151,9 +156,9 @@ Output options:
 
 <!-- @begin-sigstore-attest-help@ -->
 ```
-usage: sigstore attest [-h] [-v] --predicate FILE --predicate-type TYPE
-                       [--identity-token TOKEN] [--oidc-client-id ID]
-                       [--oidc-client-secret SECRET]
+usage: sigstore attest [-h] [-v] [--rekor-version VERSION] --predicate FILE
+                       --predicate-type TYPE [--identity-token TOKEN]
+                       [--oidc-client-id ID] [--oidc-client-secret SECRET]
                        [--oidc-disable-ambient-providers] [--oidc-issuer URL]
                        [--oauth-force-oob] [--bundle FILE] [--overwrite]
                        FILE [FILE ...]
@@ -165,6 +170,10 @@ optional arguments:
   -h, --help            show this help message and exit
   -v, --verbose         run with additional debug logging; supply multiple
                         times to increase verbosity (default: 0)
+  --rekor-version VERSION
+                        Force the rekor transparency log version. Valid values
+                        are [1, 2]. By default the highest available version
+                        is used
 
 DSSE options:
   --predicate FILE      Path to the predicate file (default: None)

sigstore/_cli.py

@@ -286,6 +286,13 @@ def _parser() -> argparse.ArgumentParser:
         formatter_class=argparse.ArgumentDefaultsHelpFormatter,
         parents=[parent_parser],
     )
+    attest.add_argument(
+        "--rekor-version",
+        type=int,
+        metavar="VERSION",
+        default=argparse.SUPPRESS,
+        help="Force the rekor transparency log version. Valid values are [1, 2]. By default the highest available version is used",
+    )
     attest.add_argument(
         "files",
         metavar="FILE",
@@ -346,6 +353,13 @@ def _parser() -> argparse.ArgumentParser:
         formatter_class=argparse.ArgumentDefaultsHelpFormatter,
         parents=[parent_parser],
     )
+    sign.add_argument(
+        "--rekor-version",
+        type=int,
+        metavar="VERSION",
+        default=argparse.SUPPRESS,
+        help="Force the rekor transparency log version. Valid values are [1, 2]. By default the highest available version is used",
+    )
 
     oidc_options = sign.add_argument_group("OpenID Connect options")
     oidc_options.add_argument(
@@ -1203,11 +1217,16 @@ def _get_trust_config(args: argparse.Namespace) -> ClientTrustConfig:
     offline = getattr(args, "offline", False)
 
     if args.trust_config:
-        return ClientTrustConfig.from_json(args.trust_config.read_text())
+        trust_config = ClientTrustConfig.from_json(args.trust_config.read_text())
     elif args.staging:
-        return ClientTrustConfig.staging(offline=offline)
+        trust_config = ClientTrustConfig.staging(offline=offline)
     else:
-        return ClientTrustConfig.production(offline=offline)
+        trust_config = ClientTrustConfig.production(offline=offline)
+
+    # Enforce rekor version if --rekor-version is used
+    trust_config.force_tlog_version = getattr(args, "rekor_version", None)
+
+    return trust_config
 
 
 def _get_identity(

sigstore/_internal/trust.py

@@ -315,10 +315,15 @@ def __str__(self) -> str:
             """Returns the variant's string value."""
             return self.value
 
-    def __init__(self, inner: trustroot_v1.SigningConfig):
+    def __init__(
+        self, inner: trustroot_v1.SigningConfig, tlog_version: int | None = None
+    ):
         """
         Construct a new `SigningConfig`.
 
+        tlog_version is an optional argument that enforces that only specified
+        versions of rekor are included in the transparency logs.
+
         @api private
         """
         self._inner = inner
@@ -331,8 +336,13 @@ def __init__(self, inner: trustroot_v1.SigningConfig):
 
         # Create lists of service protos that are valid, selected by the service
         # configuration & supported by this client
+        if tlog_version is None:
+            tlog_versions = REKOR_VERSIONS
+        else:
+            tlog_versions = [tlog_version]
+
         self._tlogs = self._get_valid_services(
-            self._inner.rekor_tlog_urls, REKOR_VERSIONS, self._inner.rekor_tlog_config
+            self._inner.rekor_tlog_urls, tlog_versions, self._inner.rekor_tlog_config
         )
         if not self._tlogs:
             raise Error("No valid Rekor transparency log found in signing config")
@@ -396,7 +406,11 @@ def _get_valid_services(
             if config.selector == trustroot_v1.ServiceSelector.EXACT and config.count
             else 1
         )
-        if len(result) < count:
+
+        if (
+            config.selector == trustroot_v1.ServiceSelector.EXACT
+            and len(result) < count
+        ):
             raise ValueError(
                 f"Expected {count} services in signing config, found {len(result)}"
             )
@@ -633,6 +647,9 @@ def __init__(self, inner: trustroot_v1.ClientTrustConfig) -> None:
         """
         self._inner = inner
 
+        # This can be used to enforce a specific rekor major version in signingconfig
+        self.force_tlog_version: int | None = None
+
     @property
     def trusted_root(self) -> TrustedRoot:
         """
@@ -645,4 +662,6 @@ def signing_config(self) -> SigningConfig:
         """
         Return the interior root of trust, as a `SigningConfig`.
         """
-        return SigningConfig(self._inner.signing_config)
+        return SigningConfig(
+            self._inner.signing_config, tlog_version=self.force_tlog_version
+        )

test/unit/internal/test_trust.py

@@ -186,11 +186,6 @@ def test_get_valid_services(self, services, versions, config, expected_result):
     @pytest.mark.parametrize(
         "services, versions, config",
         [
-            (  # ANY selector without services
-                [],
-                [1],
-                ServiceConfiguration(selector=ServiceSelector.ANY),
-            ),
             (  # EXACT selector without enough services
                 [_service_v1_op1],
                 [1],