Add sigstore attest CLI subcommand to sign using DSSE envelopes (#1115

)

Co-authored-by: William Woodruff <[email protected]>

CHANGELOG.md

@@ -16,6 +16,12 @@ All versions prior to 0.9.0 are untracked.
   statement's predicate, which `sigstore-python` does not verify and should be
   verified by the user.
 
+* CLI: The `sigstore attest` subcommand has been added. This command is
+  similar to `cosign attest` in that it signs over an artifact and a
+  predicate using a DSSE envelope. This commands requires the user to pass
+  a path to the file containing the predicate, and the predicate type.
+  Currently only the SLSA Provenance v0.2 and v1.0 types are supported.
+
 ## [3.2.0]
 
 ### Added

Makefile

@@ -135,6 +135,16 @@ check-readme:
 	    $(MAKE) -s run ARGS="sign --help" \
 	  )
 
+	# sigstore attest --help
+	@diff \
+	  <( \
+	    awk '/@begin-sigstore-attest-help@/{f=1;next} /@end-sigstore-attest-help@/{f=0} f' \
+	      < README.md | sed '1d;$$d' \
+	  ) \
+	  <( \
+	    $(MAKE) -s run ARGS="attest --help" \
+	  )
+
 	# sigstore verify identity --help
 	@diff \
 	  <( \

README.md

@@ -103,6 +103,7 @@ a tool for signing and verifying Python package distributions
 
 positional arguments:
   COMMAND              the operation to perform
+    attest             sign one or more inputs using DSSE
     sign               sign one or more inputs
     verify             verify one or more inputs
     get-identity-token
@@ -179,6 +180,58 @@ Output options:
 ```
 <!-- @end-sigstore-sign-help@ -->
 
+
+### Signing with DSSE envelopes
+
+<!-- @begin-sigstore-attest-help@ -->
+```
+usage: sigstore attest [-h] [-v] --predicate FILE --predicate-type TYPE
+                       [--identity-token TOKEN] [--oidc-client-id ID]
+                       [--oidc-client-secret SECRET]
+                       [--oidc-disable-ambient-providers] [--oidc-issuer URL]
+                       [--oauth-force-oob] [--bundle FILE] [--overwrite]
+                       FILE [FILE ...]
+
+positional arguments:
+  FILE                  The file to sign
+
+optional arguments:
+  -h, --help            show this help message and exit
+  -v, --verbose         run with additional debug logging; supply multiple
+                        times to increase verbosity (default: 0)
+
+DSSE options:
+  --predicate FILE      Path to the predicate file (default: None)
+  --predicate-type TYPE
+                        Specify a predicate type
+                        (https://slsa.dev/provenance/v0.2,
+                        https://slsa.dev/provenance/v1) (default: None)
+
+OpenID Connect options:
+  --identity-token TOKEN
+                        the OIDC identity token to use (default: None)
+  --oidc-client-id ID   The custom OpenID Connect client ID to use during
+                        OAuth2 (default: sigstore)
+  --oidc-client-secret SECRET
+                        The custom OpenID Connect client secret to use during
+                        OAuth2 (default: None)
+  --oidc-disable-ambient-providers
+                        Disable ambient OpenID Connect credential detection
+                        (e.g. on GitHub Actions) (default: False)
+  --oidc-issuer URL     The OpenID Connect issuer to use (conflicts with
+                        --staging) (default: https://oauth2.sigstore.dev/auth)
+  --oauth-force-oob     Force an out-of-band OAuth flow and do not
+                        automatically start the default web browser (default:
+                        False)
+
+Output options:
+  --bundle FILE         Write a single Sigstore bundle to the given file; does
+                        not work with multiple input files (default: None)
+  --overwrite           Overwrite preexisting bundle outputs, if present
+                        (default: False)
+```
+<!-- @end-sigstore-attest-help@ -->
+
 ### Verifying
 
 #### Generic identities