sigstore: allow inclusion_promise to be None

...but only if inclusion_proof is not None.

Signed-off-by: William Woodruff <[email protected]>

sigstore/_internal/set.py

@@ -35,8 +35,13 @@ class InvalidSETError(Exception):
 
 def verify_set(client: RekorClient, entry: LogEntry) -> None:
     """
-    Verify the Signed Entry Timestamp for a given Rekor `entry` using the given `client`.
+    Verify the inclusion promise (Signed Entry Timestamp) for a given transparency log
+    `entry` using the given `client`.
+
+    Fails if the given log entry does not contain an inclusion promise.
     """
+    if entry.inclusion_promise is None:
+        raise InvalidSETError("invalid log entry: no inclusion promise")
 
     signed_entry_ts = base64.b64decode(entry.inclusion_promise)
 

sigstore/sign.py

@@ -353,7 +353,9 @@ def _to_bundle(self) -> Bundle:
                 signed_entry_timestamp=base64.b64decode(
                     self.log_entry.inclusion_promise
                 )
-            ),
+            )
+            if self.log_entry.inclusion_promise
+            else None,
             inclusion_proof=inclusion_proof,
             canonicalized_body=base64.b64decode(self.log_entry.body),
         )

sigstore/transparency.py

@@ -34,6 +34,10 @@ class LogEntry:
 
     Log entries are retrieved from the transparency log after signing or verification events,
     or loaded from "Sigstore" bundles provided by the user.
+
+    This representation allows for either a missing inclusion promise or a missing
+    inclusion proof, but not both: attempting to construct a `LogEntry` without
+    at least one will fail.
     """
 
     uuid: Optional[str]
@@ -66,19 +70,23 @@ class LogEntry:
     The index of this entry within the log.
     """
 
-    inclusion_proof: Optional[LogInclusionProof]
+    inclusion_proof: LogInclusionProof | None
     """
-    An optional inclusion proof for this log entry.
+    An inclusion proof for this log entry, if present.
     """
 
-    inclusion_promise: B64Str
+    inclusion_promise: B64Str | None
     """
-    An inclusion promise for this log entry.
+    An inclusion promise for this log entry, if present.
 
     Internally, this is a base64-encoded Signed Entry Timestamp (SET) for this
     log entry.
     """
 
+    def __post_init__(self) -> None:
+        if self.inclusion_proof is None and self.inclusion_promise is None:
+            raise ValueError("Log entry must have either inclusion proof or promise")
+
     @classmethod
     def _from_response(cls, dict_: dict[str, Any]) -> LogEntry:
         """

sigstore/verify/models.py

@@ -361,7 +361,7 @@ def has_rekor_entry(self) -> bool:
 
     def rekor_entry(self, client: RekorClient) -> LogEntry:
         """
-        Returns a `RekorEntry` for the current signing materials.
+        Returns a `LogEntry` for the current signing materials.
         """
 
         # The Rekor entry we use depends on a few different states:

sigstore/verify/verifier.py

@@ -277,10 +277,13 @@ def verify(
             )
 
         # 6) Verify the Signed Entry Timestamp (SET) supplied by Rekor for this artifact
-        try:
-            verify_set(self._rekor, entry)
-        except InvalidSETError as inval_set:
-            return VerificationFailure(reason=f"invalid Rekor entry SET: {inval_set}")
+        if entry.inclusion_promise:
+            try:
+                verify_set(self._rekor, entry)
+            except InvalidSETError as inval_set:
+                return VerificationFailure(
+                    reason=f"invalid Rekor entry SET: {inval_set}"
+                )
 
         # 7) Verify that the signing certificate was valid at the time of signing
         integrated_time = datetime.datetime.utcfromtimestamp(entry.integrated_time)