
Commit a3c5347

committed
cli: Adjust paths when signing and verifying in model_path '.'
All paths have to be adjusted when signing or verifying when the model_path is '.'. This is the case when signing while the current working directory is the model's directory. Do the adjustments inside the library. Extend test case with signing while in model directory. Resolves: #451 Signed-off-by: Stefan Berger <[email protected]>
1 parent 29bb50e commit a3c5347


3 files changed

+101
-2
lines changed


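--- a/scripts/tests/test-sign-verify
+++ b/scripts/tests/test-sign-verify
@@ -84,3 +84,76 @@ if [ "${res}" != "${exp}" ]; then
 echo "Actual : ${res}"
 exit 1
 fi
+
+# Enter the model directory and sign and verify there
+pushd "${TMPDIR}" &>/dev/null || exit 1
+
+echo
+echo "Testing 'sign key' when in model directory"
+
+if ! python -m model_signing \
+sign key \
+--signature "$(basename "${sigfile}")" \
+--private_key "${DIR}/keys/certificate/signing-key.pem" \
+--ignore-paths "$(basename "${ignorefile}")" \
+. ; then
+echo "Error: 'sign key' failed"
+exit 1
+fi
+
+if ! python -m model_signing \
+verify key \
+--signature "$(basename "${sigfile}")" \
+--public_key "${DIR}/keys/certificate/signing-key-pub.pem" \
+--ignore-paths "$(basename "${ignorefile}")" \
+. ; then
+echo "Error: 'verify key' failed"
+exit 1
+fi
+
+# Check which files are part of signature
+res=$(get_signed_files "${sigfile}")
+exp='["signme-1","signme-2"]'
+if [ "${res}" != "${exp}" ]; then
+echo "Error: Unexpected files were signed"
+echo "Expected: ${exp}"
+echo "Actual : ${res}"
+exit 1
+fi
+
+echo
+echo "Testing 'sign/verify' certificate when in model directory"
+
+if ! python -m model_signing \
+sign certificate \
+--signature "$(basename "${sigfile}")" \
+--private_key "${DIR}/keys/certificate/signing-key.pem" \
+--signing_certificate "${DIR}/keys/certificate/signing-key-cert.pem" \
+--certificate_chain "${DIR}/keys/certificate/int-ca-cert.pem" \
+--ignore-paths "$(basename "${ignorefile}")" \
+. ; then
+echo "Error: 'sign key' failed"
+exit 1
+fi
+
+if ! python -m model_signing \
+verify certificate \
+--signature "$(basename "${sigfile}")" \
+--certificate_chain "${DIR}/keys/certificate/ca-cert.pem" \
+--ignore-paths "$(basename "${ignorefile}")" \
+. ; then
+echo "Error: 'sign key' failed"
+exit 1
+fi
+
+# Check which files are part of signature
+res=$(get_signed_files "${sigfile}")
+exp='["signme-1","signme-2"]'
+if [ "${res}" != "${exp}" ]; then
+echo "Error: Unexpected files were signed"
+echo "Expected: ${exp}"
+echo "Actual : ${res}"
+exit 1
+fi
+
+popd || exit 1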
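Review bot: The two failure messages in the certificate block are copied from the key block: both the `sign certificate` branch and the `verify certificate` branch print `Error: 'sign key' failed`, so a failing run names the wrong command. They should read `echo "Error: 'sign certificate' failed"` and `echo "Error: 'verify certificate' failed"`. The new block also exercises only the success path from inside the model directory; a check that `verify key` with `.` rejects the model after `signme-1` has been modified would show that the path adjustment does not weaken verification.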

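--- a/scripts/tests/test-verify-v1.0.0-sigstore
+++ b/scripts/tests/test-verify-v1.0.0-sigstore
@@ -11,4 +11,20 @@ if ! python -m model_signing \
 exit 1
 fi
 
-exit 0
+pushd v1.0.0-sigstore 1>/dev/null || exit 1
+
+echo
+echo "Testing 'verify sigstore' while in model directory"
+if ! python -m model_signing \
+verify sigstore \
+--identity [email protected] \
+--identity_provider https://sigstore.verify.ibm.com/oauth2 \
+--signature model.sig \
+. ; then
+echo "Error: 'verify sigstore' failed on v1.0.0"
+exit 1
+fi
+
+popd 1>/dev/null || exit 1
+
+exit 0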

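--- a/src/model_signing/hashing.py
+++ b/src/model_signing/hashing.py
@@ -142,6 +142,9 @@ def __init__(self):
 
 def hash(self, model_path: PathLike) -> manifest.Manifest:
 """Hashes a model using the current configuration."""
+if os.path.basename(model_path) == ".":
+model_path = pathlib.Path(os.getcwd())
+
 ignored_paths = [path for path in self._ignored_paths]
 if self._ignore_git_paths:
 ignored_paths.extend(
@@ -327,6 +330,13 @@ def set_ignored_paths(
 Returns:
 The new hashing configuration with a new set of ignored paths.
 """
-self._ignored_paths = frozenset({pathlib.Path(p) for p in paths})
+paths = [
+p
+if os.path.dirname(p) != ""
+else pathlib.Path(os.path.join(os.getcwd(), os.path.basename(p)))
+for p in paths
+]
+self._ignored_paths = frozenset(paths)
+
 self._ignore_git_paths = ignore_git_paths
 return self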
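Review bot: In the second hunk, `set_ignored_paths` no longer converts every entry to `pathlib.Path`: an entry with a directory part is stored exactly as passed, so a caller handing in strings now gets a frozenset mixing `str` and `Path`, where the removed line always produced `Path` objects. Because the ignore set decides which files the signature covers, a silent type or match difference here changes what gets signed; keeping the conversion, e.g. `pathlib.Path(p) if os.path.dirname(p) != "" else pathlib.Path.cwd() / os.path.basename(p)`, preserves the old contract. The rewrite also keys on an empty `dirname`, so `./name` stays relative while a bare `name` becomes absolute, and the working directory is read when the configuration is built rather than when `hash()` runs; that is presumably fine for the CLI, but worth a sentence in the docstring. The function's signature and the start of its docstring lie outside the hunk.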
