Add binary digests as signing payloads. (#262)

* Add binary digests as signing payloads.

This converts `DigestManifest`s to signing payloads in the style used by
the existing `serialize_v0`/`serialize_v1` implementations: just the
digest as a binary `BytesIO` object.

For Sigstore signing, this payload can be signed via `sign_artifact` to
produce just a Sigstore bundle with the signature.

Signed-off-by: Mihai Maruseac <[email protected]>

* Fix copy-paste typo

Signed-off-by: Mihai Maruseac <[email protected]>

---------

Signed-off-by: Mihai Maruseac <[email protected]>

Author: mihaimaruseac

model_signing/signing/as_bytes.py

@@ -0,0 +1,62 @@
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Signing payload that is just a bytes view on the digest.
+
+In general, this should only be used if we want to sign a model where we have
+the hash computed from somewhere else and want to avoid the in-toto types.
+"""
+
+from typing import Self
+from typing_extensions import override
+
+from model_signing.manifest import manifest as manifest_module
+from model_signing.signing import signing
+
+
+class BytesPayload(signing.SigningPayload):
+    """A payload that is a view into the bytes of a digest."""
+
+    def __init__(self, digest: bytes):
+        """Builds an instance of this payload.
+
+        Don't call this directly in production. Use `from_manifest()` instead.
+
+        Args:
+            digest: The digest bytes as extracted from the manifest.
+        """
+        self.digest = digest
+
+    @classmethod
+    @override
+    def from_manifest(cls, manifest: manifest_module.Manifest) -> Self:
+        """Converts a manifest to the signing payload used for signing.
+
+        The manifest must be a `DigestManifest` instance.
+
+        Args:
+            manifest: the manifest to convert to signing payload.
+
+        Returns:
+            An instance of `BytesPayload`.
+
+        Raises:
+            TypeError: If the manifest is not `DigestManifest`.
+        """
+        if not isinstance(manifest, manifest_module.DigestManifest):
+            raise TypeError("Only DigestManifest is supported")
+
+        # guaranteed to have exactly one item
+        subject = list(manifest.resource_descriptors())[0]
+        return cls(subject.digest.digest_value)

model_signing/signing/as_bytes_test.py

@@ -0,0 +1,72 @@
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Tests for binary signing payloads.
+
+NOTE: This test uses a goldens setup to compare expected results with data from
+files. If the golden tests are failing, regenerate the golden files with
+
+  pytest model_signing/ --update_goldens
+"""
+
+import pytest
+
+from model_signing import test_support
+from model_signing.hashing import file
+from model_signing.hashing import memory
+from model_signing.serialization import serialize_by_file
+from model_signing.signing import as_bytes
+
+
+class TestBytesPayload:
+
+    @pytest.mark.parametrize("model_fixture_name", test_support.all_test_models)
+    def test_known_models(self, request, model_fixture_name):
+        # Set up variables (arrange)
+        testdata_path = request.path.parent / "testdata"
+        test_path = testdata_path / "as_bytes"
+        test_class_path = test_path / "TestBytesPayload"
+        golden_path = test_class_path / model_fixture_name
+        should_update = request.config.getoption("update_goldens")
+        model = request.getfixturevalue(model_fixture_name)
+
+        # Compute payload (act)
+        file_hasher = file.SimpleFileHasher(
+            test_support.UNUSED_PATH, memory.SHA256()
+        )
+        serializer = serialize_by_file.DigestSerializer(
+            file_hasher, memory.SHA256, allow_symlinks=True
+        )
+        manifest = serializer.serialize(model)
+        payload = as_bytes.BytesPayload.from_manifest(manifest)
+
+        # Compare with golden, or write to golden (approximately "assert")
+        if should_update:
+            with open(golden_path, "w", encoding="utf-8") as f:
+                f.write(f"{payload.digest.hex()}\n")
+        else:
+            with open(golden_path, "r", encoding="utf-8") as f:
+                expected_bytes = bytes.fromhex(f.read().strip())
+
+            assert payload.digest == expected_bytes
+
+    def test_only_runs_on_expected_manifest_types(self, sample_model_folder):
+        serializer = serialize_by_file.ManifestSerializer(
+            lambda f: file.SimpleFileHasher(f, memory.SHA256()),
+            allow_symlinks=True,
+        )
+        manifest = serializer.serialize(sample_model_folder)
+
+        with pytest.raises(TypeError, match="Only DigestManifest is supported"):
+            as_bytes.BytesPayload.from_manifest(manifest)

model_signing/signing/testdata/as_bytes/TestBytesPayload/deep_model_folder

@@ -0,0 +1 @@
+36eed9389ebbbe15ac15d33c81dabb60ccb7c945ff641d78f59db9aa9dc47ac9

model_signing/signing/testdata/as_bytes/TestBytesPayload/empty_model_file

@@ -0,0 +1 @@
+e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

model_signing/signing/testdata/as_bytes/TestBytesPayload/empty_model_folder

@@ -0,0 +1 @@
+e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

model_signing/signing/testdata/as_bytes/TestBytesPayload/model_folder_with_empty_file

@@ -0,0 +1 @@
+68efd863f20e083173846a5e98ad11387a1979efe20ded426a7930bab8358a9c

model_signing/signing/testdata/as_bytes/TestBytesPayload/sample_model_file

@@ -0,0 +1 @@
+3aab065c7181a173b5dd9e9d32a9f79923440b413be1e1ffcdba26a7365f719b

model_signing/signing/testdata/as_bytes/TestBytesPayload/sample_model_folder

@@ -0,0 +1 @@
+310af4fc4c52bf63cd1687c67076ed3e56bc5480a1b151539e6c550506ae0301

model_signing/signing/testdata/as_bytes/TestBytesPayload/symlink_model_folder

@@ -0,0 +1 @@
+8372365be7578241d18db47ec83b735bb450a10a1b4298d9b7b0d8bf543b7271