cli: Adjust paths when signing and verifying in model_path '.'

stefanberger · stefanberger · commit b0637de5a2e1 · 2025-05-02T14:07:32.000-05:00
All paths have to be adjusted when signing or verifying when the model_path is '.'. This is the case when signing while the current working directory is the model's directory. Resolves: #451 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
diff --git a/src/model_signing/_cli.py b/src/model_signing/_cli.py
@@ -16,6 +16,7 @@
 
 from collections.abc import Iterable, Sequence
 import logging
+import os
 import pathlib
 import sys
 from typing import Optional
@@ -119,6 +120,27 @@
 )
 
 
+def adjust_paths(
+    model_path: pathlib.Path,
+    signature: pathlib.Path,
+    ignore_paths: Iterable[pathlib.Path],
+) -> tuple[pathlib.Path, pathlib.Path, Iterable[pathlib.Path]]:
+    """Adjust paths to use 'cwd' in case dirname is empty."""
+    if os.path.basename(model_path) == ".":
+        model_path = pathlib.Path(os.getcwd())
+    if os.path.dirname(signature) == "":
+        signature = pathlib.Path(
+            os.path.join(os.getcwd(), os.path.basename(signature))
+        )
+    ignore_paths = [
+        p
+        if os.path.dirname(p) != ""
+        else pathlib.Path(os.path.join(os.getcwd(), os.path.basename(p)))
+        for p in ignore_paths
+    ]
+    return model_path, signature, ignore_paths
+
+
 class _PKICmdGroup(click.Group):
     """A custom group to configure the supported PKI methods."""
 
@@ -239,6 +261,9 @@ def _sign_sigstore(
     Passing the `--use_staging` flag would use that instance instead of the
     production one.
     """
+    model_path, signature, ignore_paths = adjust_paths(
+        model_path, signature, ignore_paths
+    )
     try:
         model_signing.signing.Config().use_sigstore_signer(
             use_ambient_credentials=use_ambient_credentials,
@@ -290,6 +315,9 @@ def _sign_private_key(
     signer, outside of pairing the keys. Also note that we don't offer key
     management protocols.
     """
+    model_path, signature, ignore_paths = adjust_paths(
+        model_path, signature, ignore_paths
+    )
     try:
         model_signing.signing.Config().use_elliptic_key_signer(
             private_key=private_key, password=password
@@ -332,6 +360,9 @@ def _sign_pkcs11_key(
     signer, outside of pairing the keys. Also note that we don't offer key
     management protocols.
     """
+    model_path, signature, ignore_paths = adjust_paths(
+        model_path, signature, ignore_paths
+    )
     try:
         model_signing.signing.Config().use_pkcs11_signer(
             pkcs11_uri=pkcs11_uri
@@ -380,6 +411,9 @@ def _sign_certificate(
 
     Note that we don't offer certificate and key management protocols.
     """
+    model_path, signature, ignore_paths = adjust_paths(
+        model_path, signature, ignore_paths
+    )
     try:
         model_signing.signing.Config().use_certificate_signer(
             private_key=private_key,
@@ -432,6 +466,9 @@ def _sign_pkcs11_certificate(
 
     Note that we don't offer certificate and key management protocols.
     """
+    model_path, signature, ignore_paths = adjust_paths(
+        model_path, signature, ignore_paths
+    )
     try:
         model_signing.signing.Config().use_pkcs11_certificate_signer(
             pkcs11_uri=pkcs11_uri,
@@ -505,6 +542,9 @@ def _verify_sigstore(
     provider for the signature. If these don't match what is provided in the
     signature, verification would fail.
     """
+    model_path, signature, ignore_paths = adjust_paths(
+        model_path, signature, ignore_paths
+    )
     try:
         model_signing.verifying.Config().use_sigstore_verifier(
             identity=identity,
@@ -555,6 +595,9 @@ def _verify_private_key(
     signer, outside of pairing the keys. Also note that we don't offer key
     management protocols.
     """
+    model_path, signature, ignore_paths = adjust_paths(
+        model_path, signature, ignore_paths
+    )
     try:
         model_signing.verifying.Config().use_elliptic_key_verifier(
             public_key=public_key
@@ -606,6 +649,9 @@ def _verify_certificate(
 
     Note that we don't offer certificate and key management protocols.
     """
+    model_path, signature, ignore_paths = adjust_paths(
+        model_path, signature, ignore_paths
+    )
     try:
         model_signing.verifying.Config().use_certificate_verifier(
             certificate_chain=certificate_chain,
