GitHub Action
sigstore-conformance
sigstore-conformance is a conformance testing suite for Sigstore clients.
To use it, create a new workflow file at .github/workflows/conformance.yml and add the trailofbits/sigstore-conformance action to it.
```yaml
jobs:
  conformance:
    permissions:
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: install
        run: python -m pip install .
      - uses: trailofbits/sigstore-conformance@<version>  # version tag was scrubbed on the source page; pin a released tag here
        with:
          entrypoint: sigstore
```
The only required configuration is the entrypoint parameter, which provides the command used to invoke the client. sigstore-conformance expects the client to expose a CLI that conforms to the protocol outlined here. In the example above, the workflow installs sigstore-python and provides sigstore as the entrypoint, since that is the command used to invoke the client.
The workflow that uses this action must be at .github/workflows/conformance.yml. This is a current limitation of the test suite and is required to reliably verify signing certificates.
The relevant job must have permission to request the OIDC token it authenticates with. This is done by adding a permissions setting within the job that invokes the trailofbits/sigstore-conformance action:
```yaml
conformance:
  permissions:
    id-token: write
```
More information about permission settings can be found here.
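Why both requirements above exist, shown as an added example that is not part of the sigstore-conformance action or of sigstore-python: a job with id-token: write receives the ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN variables, and the OIDC token it can request carries a job_workflow_ref claim naming the workflow file, which Fulcio embeds in the signing certificate. The function names and the unsigned sample token are constructed for this example.

```python
import base64, json, os, urllib.parse, urllib.request

# Workflow path the conformance suite expects to find in the signing certificate.
EXPECTED_WORKFLOW = ".github/workflows/conformance.yml"

def request_actions_oidc_token(audience="sigstore"):
    """Fetch the job's OIDC token. GitHub only sets these two variables when the
    job has `id-token: write`; without them there is no token to sign with."""
    url = os.environ.get("ACTIONS_ID_TOKEN_REQUEST_URL")
    bearer = os.environ.get("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
    if not (url and bearer):
        return None
    req = urllib.request.Request(
        url + "&" + urllib.parse.urlencode({"audience": audience}),
        headers={"Authorization": f"Bearer {bearer}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]

def jwt_claims(token):
    """Decode the JWT payload for inspection only (no signature check here)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def workflow_path(job_workflow_ref):
    """'owner/repo/.github/workflows/x.yml@refs/heads/main' -> '.github/workflows/x.yml'"""
    path = job_workflow_ref.split("@", 1)[0]
    return path.split("/", 2)[2] if path.count("/") >= 2 else ""

def check_claims(claims, audience="sigstore"):
    """Return the problems a conformance run would hit with this token."""
    problems = []
    if claims.get("aud") != audience:
        problems.append(f"aud={claims.get('aud')!r}, expected {audience!r}")
    if workflow_path(claims.get("job_workflow_ref", "")) != EXPECTED_WORKFLOW:
        problems.append("workflow is not " + EXPECTED_WORKFLOW)
    return problems

def _unsigned_jwt(claims):
    """Constructed, unsigned sample token so the example runs outside Actions."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

SAMPLE_TOKEN = _unsigned_jwt({"iss": "https://token.actions.githubusercontent.com",
    "aud": "sigstore", "job_workflow_ref":
    "example-org/example-client/.github/workflows/conformance.yml@refs/heads/main"})
```

Inside a real job, pass the value returned by request_actions_oidc_token() to jwt_claims() and check_claims() to see exactly what the suite will find in the certificate.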
sigstore-conformance is licensed under the Apache 2.0 License.
Everyone interacting with this project is expected to follow the sigstore Code of Conduct.
Should you discover any security issues, please refer to sigstore's security process.