cli: Adjust model name when signing and verifying in model_path '.'

stefanberger · stefanberger · commit 434bf61a1406 · 2025-05-19T17:42:21.000-05:00
When signing or verifying in model_path '.' then the model_path.name becomes an empty string and cannot be used for the name of the model in the Manifest. In this case, derive the name of the model from the model paths' absolute path and use the last directory's name. Use the same method for the model_path '..'. Extend a test case with signing while in the model directory and add a test case when signing while in a sub-directory of the model directory while using '.. for the model path. Resolves: #451 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
diff --git a/scripts/tests/test-sign-verify b/scripts/tests/test-sign-verify
@@ -84,3 +84,117 @@ if [ "${res}" != "${exp}" ]; then
 	echo "Actual  : ${res}"
 	exit 1
 fi
+
+# Enter the model directory and sign and verify there
+pushd "${TMPDIR}" &>/dev/null || exit 1
+
+echo
+echo "Testing 'sign key' when in model directory"
+
+if ! python -m model_signing \
+	sign key \
+	--signature "$(basename "${sigfile}")" \
+	--private_key "${DIR}/keys/certificate/signing-key.pem" \
+	--ignore-paths "$(basename "${ignorefile}")" \
+	. ; then
+	echo "Error: 'sign key' failed"
+	exit 1
+fi
+
+if ! python -m model_signing \
+	verify key \
+	--signature "$(basename "${sigfile}")" \
+	--public_key "${DIR}/keys/certificate/signing-key-pub.pem" \
+	--ignore-paths "$(basename "${ignorefile}")" \
+	. ; then
+	echo "Error: 'verify key' failed"
+	exit 1
+fi
+
+# Check which files are part of signature
+res=$(get_signed_files "${sigfile}")
+exp='["signme-1","signme-2"]'
+if [ "${res}" != "${exp}" ]; then
+	echo "Error: Unexpected files were signed"
+	echo "Expected: ${exp}"
+	echo "Actual  : ${res}"
+	exit 1
+fi
+
+echo
+echo "Testing 'sign/verify' certificate when in model directory"
+
+if ! python -m model_signing \
+	sign certificate \
+	--signature "$(basename "${sigfile}")" \
+	--private_key "${DIR}/keys/certificate/signing-key.pem" \
+	--signing_certificate "${DIR}/keys/certificate/signing-key-cert.pem" \
+	--certificate_chain "${DIR}/keys/certificate/int-ca-cert.pem" \
+	--ignore-paths "$(basename "${ignorefile}")" \
+	. ; then
+	echo "Error: 'sign key' failed"
+	exit 1
+fi
+
+if ! python -m model_signing \
+	verify certificate \
+	--signature "$(basename "${sigfile}")" \
+	--certificate_chain "${DIR}/keys/certificate/ca-cert.pem" \
+	--ignore-paths "$(basename "${ignorefile}")" \
+	. ; then
+	echo "Error: 'sign key' failed"
+	exit 1
+fi
+
+# Check which files are part of signature
+res=$(get_signed_files "${sigfile}")
+exp='["signme-1","signme-2"]'
+if [ "${res}" != "${exp}" ]; then
+	echo "Error: Unexpected files were signed"
+	echo "Expected: ${exp}"
+	echo "Actual  : ${res}"
+	exit 1
+fi
+
+echo
+echo "Testing 'sign/verify' certificate when in subdir of model directory and using '..'"
+
+rm -f "$(basename "${sigfile}")"
+mkdir subdir
+pushd subdir 1>/dev/null || exit 1
+
+if ! python -m model_signing \
+	sign certificate \
+	--signature "../$(basename "${sigfile}")" \
+	--private_key "${DIR}/keys/certificate/signing-key.pem" \
+	--signing_certificate "${DIR}/keys/certificate/signing-key-cert.pem" \
+	--certificate_chain "${DIR}/keys/certificate/int-ca-cert.pem" \
+	--ignore-paths "../$(basename "${ignorefile}")" \
+	.. ; then
+	echo "Error: 'sign key' failed"
+	exit 1
+fi
+
+popd 1>/dev/null || exit 1   # exit subdir
+
+if ! python -m model_signing \
+	verify certificate \
+	--signature "$(basename "${sigfile}")" \
+	--certificate_chain "${DIR}/keys/certificate/ca-cert.pem" \
+	--ignore-paths "$(basename "${ignorefile}")" \
+	. ; then
+	echo "Error: 'sign key' failed"
+	exit 1
+fi
+
+# Check which files are part of signature
+res=$(get_signed_files "${sigfile}")
+exp='["signme-1","signme-2"]'
+if [ "${res}" != "${exp}" ]; then
+	echo "Error: Unexpected files were signed"
+	echo "Expected: ${exp}"
+	echo "Actual  : ${res}"
+	exit 1
+fi
+
+popd 1>/dev/null || exit 1
diff --git a/scripts/tests/test-verify-v1.0.0-sigstore b/scripts/tests/test-verify-v1.0.0-sigstore
@@ -11,4 +11,20 @@ if ! python -m model_signing \
 	exit 1
 fi
 
-exit 0
+pushd v1.0.0-sigstore 1>/dev/null || exit 1
+
+echo
+echo "Testing 'verify sigstore' while in model directory"
+if ! python -m model_signing \
+	verify sigstore \
+	--identity stefanb@us.ibm.com \
+	--identity_provider https://sigstore.verify.ibm.com/oauth2 \
+	--signature model.sig \
+	. ; then
+	echo "Error: 'verify sigstore' failed on v1.0.0"
+	exit 1
+fi
+
+popd 1>/dev/null || exit 1
+
+exit 0
diff --git a/src/model_signing/_serialization/file.py b/src/model_signing/_serialization/file.py
@@ -129,8 +129,12 @@ def serialize(
                 frozenset(list(self._ignore_paths) + rel_ignore_paths),
             )
 
+        model_name = model_path.name
+        if not model_name or model_name == "..":
+            model_name = os.path.basename(model_path.resolve())
+
         return manifest.Manifest(
-            model_path.name, manifest_items, self._serialization_description
+            model_name, manifest_items, self._serialization_description
         )
 
     def _compute_hash(

Original file line number	Diff line number	Diff line change
`@@ -129,8 +129,12 @@ def serialize(`
`129`	`129`	`frozenset(list(self._ignore_paths) + rel_ignore_paths),`
`130`	`130`	`)`
`131`	`131`
	`132`	`+ model_name = model_path.name`
	`133`	`+ if not model_name or model_name == "..":`
	`134`	`+ model_name = os.path.basename(model_path.resolve())`
	`135`	`+`
`132`	`136`	`return manifest.Manifest(`
`133`		`- model_path.name, manifest_items, self._serialization_description`
	`137`	`+ model_name, manifest_items, self._serialization_description`
`134`	`138`	`)`
`135`	`139`
`136`	`140`	`def _compute_hash(`