27 commits
45d82d9
feat(sigstore): extract verify_sigstore_bundle_with_policy + add tinf…
lsd-cat May 19, 2026
157022f
chore(conformance): declare 3 new capability flags
lsd-cat May 20, 2026
a27d2c1
feat(conformance): add verify-measurement subcommand (SPEC §7)
lsd-cat May 22, 2026
6ba3a91
feat(conformance): add verify-hardware-measurements subcommand (SPEC §6)
lsd-cat May 22, 2026
d341fcf
chore(conformance): repoint to tinfoilsh/tinfoil-conformance
lsd-cat May 29, 2026
005a7b8
chore(conformance): declare attestation_tdx capability (Phase 1, false)
lsd-cat May 29, 2026
f81eab7
feat(conformance): wire verify-attestation-tdx — structural path (Pha…
lsd-cat May 29, 2026
ab050bd
feat(conformance): tdx error classifier for Phase 2A fixtures
lsd-cat May 29, 2026
9589df6
chore(conformance): declare attestation_tdx.tcb_evaluation_supported …
lsd-cat May 30, 2026
c450b87
feat(conformance): tdx Phase 4 — SPEC §4.8 extended-TD policy enforce…
lsd-cat May 31, 2026
d53d294
feat(conformance): wire full §4.7 TCB evaluation path for tinfoil-python
lsd-cat May 31, 2026
92b03c1
feat(conformance): SPEC §4.8.1/§4.8.2 normative enforcement (Phase 4B)
lsd-cat Jun 3, 2026
3950678
feat(conformance): verify-attestation-sev subcommand (SPEC §3)
lsd-cat Jun 5, 2026
3dc9b2f
feat(conformance): verify-full subcommand (SPEC §11)
lsd-cat Jun 5, 2026
c8b33bd
Improve TDX conformance classifications
lsd-cat Jun 7, 2026
37f01cf
Add TDX public API conformance path
lsd-cat Jun 7, 2026
aec6545
chore(conformance): isolate Python sigstore hooks
lsd-cat Jun 8, 2026
5ba0f04
chore(conformance): declare ehbp transport + bundle flow capability
lsd-cat Jun 15, 2026
0c4d6d8
feat(conformance): verify-ehbp-key-binding handler (SPEC §14.2)
lsd-cat Jun 15, 2026
1b3cf89
feat(conformance): SEV public-api execution mode (SPEC §3)
lsd-cat Jun 15, 2026
42fc7ca
fix(conformance): apply SEV §3.7 policy pins in the public-api path
lsd-cat Jun 15, 2026
73ec86c
feat(conformance): TDX public-api full-flow path (50/65 fixtures)
lsd-cat Jun 15, 2026
706c7a4
conformance: V2-preferred OIDC issuer + homogenize 069
lsd-cat Jun 28, 2026
7a299e8
conformance: reject duplicate-log SCTs (SPEC §5.2)
lsd-cat Jun 28, 2026
dd84667
conformance: fix stale scts_count_distinguish_missing_vs_duplicate (py)
lsd-cat Jun 28, 2026
d183552
conformance: reject legacy x509CertificateChain bundle format (SPEC §…
lsd-cat Jun 28, 2026
982122c
conformance: reject in-toto statements with unknown top-level fields …
lsd-cat Jul 1, 2026
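--- /dev/null
+++ b/.github/workflows/tinfoil-conformance.yml
@@ -0,0 +1,78 @@
+name: Tinfoil Conformance
+
+# Runs the cross-SDK Tinfoil conformance suite
+# (https://github.com/tinfoilsh/tinfoil-conformance) against this SDK's
+# `tinfoil-conformance` binary. Speaks the Tinfoil policy-layer CLI
+# contract (JSON-in / JSON-out); distinct from the test/audit workflows
+# which exercise the consumer-facing verifier API.
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions: {}
+
+jobs:
+  conformance:
+    name: Tinfoil Conformance
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout SDK
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        with:
+          python-version: "3.11"
+
+      - name: Install tinfoil (provides the tinfoil-conformance binary)
+        run: uv sync --locked
+
+      - name: Checkout tinfoil-conformance suite
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: tinfoilsh/tinfoil-conformance
+          ref: main
+          path: tinfoil-conformance
+          persist-credentials: false
+
+      - name: Set up Python for the harness
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: "3.12"
+          cache: "pip"
+          cache-dependency-path: tinfoil-conformance/harness/pyproject.toml
+
+      - name: Install harness
+        run: pip install ./tinfoil-conformance/harness
+
+      - name: Show SDK capabilities
+        run: |
+          tinfoil-conformance capabilities \
+            --sdk "tinfoil-py=uv run --no-sync tinfoil-conformance"
+
+      - name: Run conformance vectors
+        run: |
+          tinfoil-conformance run \
+            --sdk "tinfoil-py=uv run --no-sync tinfoil-conformance" \
+            --vectors tinfoil-conformance/vectors/sigstore
+
+      - name: Upload results
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: tinfoil-conformance-results
+          path: results/
+
+      - name: Append summary
+        if: always()
+        run: |
+          if [ -f results/latest/results.md ]; then
+            cat results/latest/results.md >> "$GITHUB_STEP_SUMMARY"
+          fi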
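Review bot: The "Checkout tinfoil-conformance suite" step pulls a mutable branch (`ref: main`) of a second repository and the job then `pip install`s that checkout's harness and executes it, so anyone with push access to that branch can run code in this job and can also alter the vectors that decide pass/fail — the actions themselves are SHA-pinned, but this input is not. Pin the suite to a full commit SHA with a version comment, e.g. `ref: "<full commit sha>"  # tinfoil-conformance <tag> — bump deliberately`, and advance it through a reviewed PR; the read-only token and `persist-credentials: false` limit what a compromised harness can do to this repo but do not stop tampered vectors from hiding a verifier regression. Relatedly, `pip install ./tinfoil-conformance/harness` resolves the harness's own dependencies unpinned at run time; if the harness publishes a lock or constraints file, install against it. Finally, the run step passes only `--vectors tinfoil-conformance/vectors/sigstore` while the PR's commit list adds TDX, SEV and EHBP subcommands — if the suite has vector directories for those, this workflow does not exercise them, so either list them here or say in the header comment why only the sigstore vectors run.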
6 changes: 6 additions & 0 deletions pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,12 @@ dependencies = [
"urllib3>=2.7.0",
]

[project.scripts]
# Cross-SDK conformance binary (separate from the consumer-facing SDK API).
# Speaks the JSON-in / JSON-out CLI contract defined in
# https://github.com/tinfoilsh/tinfoil-conformance .
tinfoil-conformance = "tinfoil.conformance.cli:main"

[dependency-groups]
dev = [
"pytest",
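Review bot: The new `[project.scripts]` entry installs `tinfoil-conformance` as a console script in every consumer install of the package, which sits oddly next to the comment calling it "separate from the consumer-facing SDK API"; the target `tinfoil.conformance.cli:main` is not in this diff, so I cannot tell whether importing it drags harness-only code or dependencies into the wheel. If the binary is meant only for the cross-SDK harness, consider an optional extra or a separate distribution; otherwise make the intent explicit in the comment, e.g. `# Intentionally shipped in the wheel so the harness can run it against the published package.`.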
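--- /dev/null
+++ b/src/tinfoil/conformance/__init__.py
@@ -0,0 +1,7 @@
+"""tinfoil-conformance binary for tinfoil-python.
+
+Implements the cross-SDK conformance CLI contract defined in
+https://github.com/tinfoilsh/tinfoil-conformance. Separate from the
+consumer-facing SDK; this is a thin wrapper that exposes the verifier
+through the JSON-in / JSON-out protocol the harness speaks.
+"""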