Skip to content

Commit 6c55dcf

Browse files
stefanbergerstefanberger
committed
cli: Add --allow_symlinks option to all signing and verifying methods
Add --allow_symlinks option to all signing and verifying methods. Signed-off-by: Stefan Berger <[email protected]>
1 parent cab39d5 commit 6c55dcf

File tree

2 files changed

+49
-8
lines changed

2 files changed

+49
-8
lines changed

CHANGELOG.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,7 @@ All versions prior to 1.0.0 are untracked.
1818
- Added tests for verifying signatures created with v0.3.1
1919
- cli: `model_signing sign` now supports the `--oauth_force_oob` option (default: False)
2020
- Added support for specifying `--client_id` and `--client_secret` for OIDC authentication.
21+
- cli: Added support for `--allow-symlinks` option
2122

2223
## [1.0.1] - 2024-04-18
2324

src/model_signing/_cli.py

Lines changed: 48 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -115,6 +115,14 @@
115115
help="Path to the signing certificate, as a PEM-encoded file.",
116116
)
117117

118+
# Decorator for the commonly used option to allow symlinks
119+
_allow_symlinks_option = click.option(
120+
"--allow_symlinks",
121+
type=bool,
122+
is_flag=True,
123+
help="Whether to allow following symlinks when signing or verifying files.",
124+
)
125+
118126

119127
class _PKICmdGroup(click.Group):
120128
"""A custom group to configure the supported PKI methods."""
@@ -194,6 +202,7 @@ def _sign() -> None:
194202
@_model_path_argument
195203
@_ignore_paths_option
196204
@_ignore_git_paths_option
205+
@_allow_symlinks_option
197206
@_write_signature_option
198207
@_sigstore_staging_option
199208
@click.option(
@@ -236,6 +245,7 @@ def _sign_sigstore(
236245
model_path: pathlib.Path,
237246
ignore_paths: Iterable[pathlib.Path],
238247
ignore_git_paths: bool,
248+
allow_symlinks: bool,
239249
signature: pathlib.Path,
240250
use_ambient_credentials: bool,
241251
use_staging: bool,
@@ -269,10 +279,12 @@ def _sign_sigstore(
269279
client_id=client_id,
270280
client_secret=client_secret,
271281
).set_hashing_config(
272-
model_signing.hashing.Config().set_ignored_paths(
282+
model_signing.hashing.Config()
283+
.set_ignored_paths(
273284
paths=list(ignore_paths) + [signature],
274285
ignore_git_paths=ignore_git_paths,
275286
)
287+
.set_allow_symlinks(allow_symlinks)
276288
).sign(model_path, signature)
277289
except Exception as err:
278290
click.echo(f"Signing failed with error: {err}", err=True)
@@ -285,6 +297,7 @@ def _sign_sigstore(
285297
@_model_path_argument
286298
@_ignore_paths_option
287299
@_ignore_git_paths_option
300+
@_allow_symlinks_option
288301
@_write_signature_option
289302
@_private_key_option
290303
@click.option(
@@ -297,6 +310,7 @@ def _sign_private_key(
297310
model_path: pathlib.Path,
298311
ignore_paths: Iterable[pathlib.Path],
299312
ignore_git_paths: bool,
313+
allow_symlinks: bool,
300314
signature: pathlib.Path,
301315
private_key: pathlib.Path,
302316
password: Optional[str] = None,
@@ -318,10 +332,12 @@ def _sign_private_key(
318332
model_signing.signing.Config().use_elliptic_key_signer(
319333
private_key=private_key, password=password
320334
).set_hashing_config(
321-
model_signing.hashing.Config().set_ignored_paths(
335+
model_signing.hashing.Config()
336+
.set_ignored_paths(
322337
paths=list(ignore_paths) + [signature],
323338
ignore_git_paths=ignore_git_paths,
324339
)
340+
.set_allow_symlinks(allow_symlinks)
325341
).sign(model_path, signature)
326342
except Exception as err:
327343
click.echo(f"Signing failed with error: {err}", err=True)
@@ -334,12 +350,14 @@ def _sign_private_key(
334350
@_model_path_argument
335351
@_ignore_paths_option
336352
@_ignore_git_paths_option
353+
@_allow_symlinks_option
337354
@_write_signature_option
338355
@_pkcs11_uri_option
339356
def _sign_pkcs11_key(
340357
model_path: pathlib.Path,
341358
ignore_paths: Iterable[pathlib.Path],
342359
ignore_git_paths: bool,
360+
allow_symlinks: bool,
343361
signature: pathlib.Path,
344362
pkcs11_uri: str,
345363
) -> None:
@@ -360,10 +378,12 @@ def _sign_pkcs11_key(
360378
model_signing.signing.Config().use_pkcs11_signer(
361379
pkcs11_uri=pkcs11_uri
362380
).set_hashing_config(
363-
model_signing.hashing.Config().set_ignored_paths(
381+
model_signing.hashing.Config()
382+
.set_ignored_paths(
364383
paths=list(ignore_paths) + [signature],
365384
ignore_git_paths=ignore_git_paths,
366385
)
386+
.set_allow_symlinks(allow_symlinks)
367387
).sign(model_path, signature)
368388
except Exception as err:
369389
click.echo(f"Signing failed with error: {err}", err=True)
@@ -376,6 +396,7 @@ def _sign_pkcs11_key(
376396
@_model_path_argument
377397
@_ignore_paths_option
378398
@_ignore_git_paths_option
399+
@_allow_symlinks_option
379400
@_write_signature_option
380401
@_private_key_option
381402
@_signing_certificate_option
@@ -384,6 +405,7 @@ def _sign_certificate(
384405
model_path: pathlib.Path,
385406
ignore_paths: Iterable[pathlib.Path],
386407
ignore_git_paths: bool,
408+
allow_symlinks: bool,
387409
signature: pathlib.Path,
388410
private_key: pathlib.Path,
389411
signing_certificate: pathlib.Path,
@@ -411,10 +433,12 @@ def _sign_certificate(
411433
signing_certificate=signing_certificate,
412434
certificate_chain=certificate_chain,
413435
).set_hashing_config(
414-
model_signing.hashing.Config().set_ignored_paths(
436+
model_signing.hashing.Config()
437+
.set_ignored_paths(
415438
paths=list(ignore_paths) + [signature],
416439
ignore_git_paths=ignore_git_paths,
417440
)
441+
.set_allow_symlinks(allow_symlinks)
418442
).sign(model_path, signature)
419443
except Exception as err:
420444
click.echo(f"Signing failed with error: {err}", err=True)
@@ -427,6 +451,7 @@ def _sign_certificate(
427451
@_model_path_argument
428452
@_ignore_paths_option
429453
@_ignore_git_paths_option
454+
@_allow_symlinks_option
430455
@_write_signature_option
431456
@_pkcs11_uri_option
432457
@_signing_certificate_option
@@ -435,6 +460,7 @@ def _sign_pkcs11_certificate(
435460
model_path: pathlib.Path,
436461
ignore_paths: Iterable[pathlib.Path],
437462
ignore_git_paths: bool,
463+
allow_symlinks: bool,
438464
signature: pathlib.Path,
439465
pkcs11_uri: str,
440466
signing_certificate: pathlib.Path,
@@ -463,10 +489,12 @@ def _sign_pkcs11_certificate(
463489
signing_certificate=signing_certificate,
464490
certificate_chain=certificate_chain,
465491
).set_hashing_config(
466-
model_signing.hashing.Config().set_ignored_paths(
492+
model_signing.hashing.Config()
493+
.set_ignored_paths(
467494
paths=list(ignore_paths) + [signature],
468495
ignore_git_paths=ignore_git_paths,
469496
)
497+
.set_allow_symlinks(allow_symlinks)
470498
).sign(model_path, signature)
471499
except Exception as err:
472500
click.echo(f"Signing failed with error: {err}", err=True)
@@ -497,6 +525,7 @@ def _verify() -> None:
497525
@_read_signature_option
498526
@_ignore_paths_option
499527
@_ignore_git_paths_option
528+
@_allow_symlinks_option
500529
@_sigstore_staging_option
501530
@click.option(
502531
"--identity",
@@ -517,6 +546,7 @@ def _verify_sigstore(
517546
signature: pathlib.Path,
518547
ignore_paths: Iterable[pathlib.Path],
519548
ignore_git_paths: bool,
549+
allow_symlinks: bool,
520550
identity: str,
521551
identity_provider: str,
522552
use_staging: bool,
@@ -537,10 +567,12 @@ def _verify_sigstore(
537567
oidc_issuer=identity_provider,
538568
use_staging=use_staging,
539569
).set_hashing_config(
540-
model_signing.hashing.Config().set_ignored_paths(
570+
model_signing.hashing.Config()
571+
.set_ignored_paths(
541572
paths=list(ignore_paths) + [signature],
542573
ignore_git_paths=ignore_git_paths,
543574
)
575+
.set_allow_symlinks(allow_symlinks)
544576
).verify(model_path, signature)
545577
except Exception as err:
546578
click.echo(f"Verification failed with error: {err}", err=True)
@@ -554,6 +586,7 @@ def _verify_sigstore(
554586
@_read_signature_option
555587
@_ignore_paths_option
556588
@_ignore_git_paths_option
589+
@_allow_symlinks_option
557590
@click.option(
558591
"--public_key",
559592
type=pathlib.Path,
@@ -566,6 +599,7 @@ def _verify_private_key(
566599
signature: pathlib.Path,
567600
ignore_paths: Iterable[pathlib.Path],
568601
ignore_git_paths: bool,
602+
allow_symlinks: bool,
569603
public_key: pathlib.Path,
570604
) -> None:
571605
"""Verity using a public key (paired with a private one).
@@ -585,10 +619,12 @@ def _verify_private_key(
585619
model_signing.verifying.Config().use_elliptic_key_verifier(
586620
public_key=public_key
587621
).set_hashing_config(
588-
model_signing.hashing.Config().set_ignored_paths(
622+
model_signing.hashing.Config()
623+
.set_ignored_paths(
589624
paths=list(ignore_paths) + [signature],
590625
ignore_git_paths=ignore_git_paths,
591626
)
627+
.set_allow_symlinks(allow_symlinks)
592628
).verify(model_path, signature)
593629
except Exception as err:
594630
click.echo(f"Verification failed with error: {err}", err=True)
@@ -602,6 +638,7 @@ def _verify_private_key(
602638
@_read_signature_option
603639
@_ignore_paths_option
604640
@_ignore_git_paths_option
641+
@_allow_symlinks_option
605642
@_certificate_root_of_trust_option
606643
@click.option(
607644
"--log_fingerprints",
@@ -616,6 +653,7 @@ def _verify_certificate(
616653
signature: pathlib.Path,
617654
ignore_paths: Iterable[pathlib.Path],
618655
ignore_git_paths: bool,
656+
allow_symlinks: bool,
619657
certificate_chain: Iterable[pathlib.Path],
620658
log_fingerprints: bool,
621659
) -> None:
@@ -640,10 +678,12 @@ def _verify_certificate(
640678
certificate_chain=certificate_chain,
641679
log_fingerprints=log_fingerprints,
642680
).set_hashing_config(
643-
model_signing.hashing.Config().set_ignored_paths(
681+
model_signing.hashing.Config()
682+
.set_ignored_paths(
644683
paths=list(ignore_paths) + [signature],
645684
ignore_git_paths=ignore_git_paths,
646685
)
686+
.set_allow_symlinks(allow_symlinks)
647687
).verify(model_path, signature)
648688
except Exception as err:
649689
click.echo(f"Verification failed with error: {err}", err=True)

0 commit comments

Comments
 (0)