change the envelope creation and add a RawPayload type that can be signed and wrapped into a DSSE envelope

Signed-off-by: Martin Sablotny <[email protected]>

Author: susperius

Diff for: sigstore/dsse.py

@@ -20,6 +20,7 @@
 from __future__ import annotations
 
 import logging
+from dataclasses import dataclass
 from typing import Any, Dict, List, Literal, Optional, Union
 
 from cryptography.exceptions import InvalidSignature
@@ -187,6 +188,17 @@ def build(self) -> Statement:
         return Statement(stmt.model_dump_json(by_alias=True).encode())
 
 
+@dataclass
+class RawPayload:
+    """
+    Represents a raw payload.
+
+    This type can be signed and wrapped into a `Envelope`.
+    """
+    type: str
+    data: bytes
+
+
 class Envelope:
     """
     Represents a DSSE envelope.
@@ -212,7 +224,9 @@ def _from_json(cls, contents: bytes | str) -> Envelope:
         return cls(inner)
 
     @classmethod
-    def from_payload(cls, payload_type: str, payload: bytes) -> Envelope:
+    def _from_payload(
+        cls, payload: RawPayload, sigs: list[Signature]
+    ) -> Envelope:
         """Return an unsigned DSSE envelope.
 
         Args:
@@ -223,8 +237,9 @@ def from_payload(cls, payload_type: str, payload: bytes) -> Envelope:
             Envelope: An unsigned DSSE envelope
         """
         inner = _Envelope(
-            payload=payload,
-            payload_type=payload_type,
+            payload=payload.data,
+            payload_type=payload.type,
+            signatures=sigs,
         )
         return cls(inner)
 
@@ -274,16 +289,17 @@ def _sign(key: ec.EllipticCurvePrivateKey, stmt: Statement) -> Envelope:
     )
 
 
-def _sign_envelope(
-        key: ec.EllipticCurvePrivateKey, envelope: Envelope) -> Envelope:
+def _sign_payload(
+        key: ec.EllipticCurvePrivateKey, payload: RawPayload) -> Envelope:
     """
     Sign the given envelope's payload and set the signature field
     with the generated signature.
     """
-    pae = _pae(envelope._inner.payload_type, envelope._inner.payload)
-    signature = key.sign(pae, ec.ECDS(hashes.SHA256()))
-    envelope._inner.signaures = [Signature(sig=signature)]
-    return envelope
+    pae = _pae(payload.payload_type, payload.payload)
+    signature = key.sign(pae, ec.ECDSA(hashes.SHA256()))
+    return Envelope._from_payload(
+        payload_=payload,
+        sigs=[Signature(sig=signature)])
 
 
 def _verify(key: ec.EllipticCurvePublicKey, evp: Envelope) -> bytes:

Diff for: sigstore/sign.py

@@ -195,10 +195,10 @@ def _finalize_sign(
 
     def sign_dsse(
         self,
-        input_: dsse.Statement,
+        input_: dsse.Statement | dsse.RawPayload,
     ) -> Bundle:
         """
-        Sign the given in-toto statement as a DSSE envelope, and return a
+        Sign the given in-toto statement or DSSE envelope, and return a
         `Bundle` containing the signed result.
 
         This API is **only** for in-toto statements; to sign arbitrary artifacts,
@@ -212,22 +212,26 @@ def sign_dsse(
         )
 
         # Sign the statement, producing a DSSE envelope
-        content = dsse._sign(self._private_key, input_)
-
-        # Create the proposed DSSE log entry
-        proposed_entry = rekor_types.Dsse(
-            spec=rekor_types.dsse.DsseSchema(
-                # NOTE: mypy can't see that this kwarg is correct due to two interacting
-                # behaviors/bugs (one pydantic, one datamodel-codegen):
-                # See: <https://github.com/pydantic/pydantic/discussions/7418#discussioncomment-9024927>
-                # See: <https://github.com/koxudaxi/datamodel-code-generator/issues/1903>
-                proposed_content=rekor_types.dsse.ProposedContent(  # type: ignore[call-arg]
-                    envelope=content.to_json(),
-                    verifiers=[b64_cert.decode()],
+        content: dsse.Envelope = None
+        proposed_entry: rekor_types.ProposedEntry = None
+        if type(input_) is dsse.Statement:
+            content = dsse._sign(self._private_key, input_)
+            # Create the proposed DSSE log entry
+            proposed_entry = rekor_types.Dsse(
+                spec=rekor_types.dsse.DsseSchema(
+                    # NOTE: mypy can't see that this kwarg is correct due to two interacting
+                    # behaviors/bugs (one pydantic, one datamodel-codegen):
+                    # See: <https://github.com/pydantic/pydantic/discussions/7418#discussioncomment-9024927>
+                    # See: <https://github.com/koxudaxi/datamodel-code-generator/issues/1903>
+                    proposed_content=rekor_types.dsse.ProposedContent(  # type: ignore[call-arg]
+                        envelope=content.to_json(),
+                        verifiers=[b64_cert.decode()],
+                    ),
                 ),
-            ),
-        )
-
+            )
+        elif type(input_) is dsse.RawPayload:
+            content = dsse._sign_payload(self._private_key, input_)
+            # TODO: figure out an entry that works.
         return self._finalize_sign(cert, content, proposed_entry)
 
     def sign_dsse_envelope(

Diff for: test/unit/test_sign.py

@@ -21,7 +21,7 @@
 from sigstore_protobuf_specs.dev.sigstore.common.v1 import HashAlgorithm
 
 import sigstore.oidc
-from sigstore.dsse import _StatementBuilder, _Subject, Envelope
+from sigstore.dsse import _StatementBuilder, _Subject, RawPayload
 from sigstore.errors import VerificationError
 from sigstore.hashes import Hashed
 from sigstore.sign import SigningContext
@@ -178,12 +178,11 @@ def test_sign_dsse_envelope(staging):
     sign_ctx, _, identity = staging
 
     ctx = sign_ctx()
-    payload = b"Hello World!"
-    payload_type = "type/custom/my_payload"
-
-    env = Envelope.from_payload(payload_type, payload)
+    payload = RawPayload(
+        payload_type="type/custom/my_payload",
+        payload=b"Hello World!")
 
     with ctx.signer(identity) as signer:
-        bundle = signer.sign_dsse_envelope(env)
+        bundle = signer.sign_dsse(payload)
 
         bundle.to_json()