Implement append functionality for claims.jsonl attestations #592
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This aligns with the OMS format conventions where claims.jsonl is the standard filename for bundled attestations. The default can still be overridden using the --signature CLI option. Assisted-by: Claude Sonnet 4.5 <[email protected]> Signed-off-by: Ralph Bean <[email protected]>
Updated all examples in README.md, docs/demo.ipynb, and docs/model_signing_format.md to reflect the new default signature filename. Assisted-by: Claude Sonnet 4.5 <[email protected]> Signed-off-by: Ralph Bean <[email protected]>
This implements the unified bundle layout from issue sigstore#587, where attestations accumulate in a single claims.jsonl file as the model moves through its lifecycle. Changes: - Signature write() now appends to existing claims.jsonl files - Each signature is written as compact JSON on a single line (JSONL format) - Signature read() reads the last line (most recent attestation) - Updated both sign_sigstore.py and sign_sigstore_pb.py implementations - Updated test helpers to handle JSONL format Test-Driven Development: - RED: Added test_append_to_existing_claims_jsonl that failed - GREEN: Implemented append functionality to make test pass - Updated existing tests to handle JSONL format Related to sigstore#587 Assisted-by: Claude Sonnet 4.5 <[email protected]> Signed-off-by: Ralph Bean <[email protected]>
Instead of parsing and re-encoding JSON, simply strip newlines from the bundle.to_json() output. This achieves the same result (compact JSON on a single line) with much simpler code. Assisted-by: Claude Sonnet 4.5 <[email protected]> Signed-off-by: Ralph Bean <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implements the unified bundle layout from issue #587, where attestations accumulate in a single
claims.jsonlfile as the model moves through its lifecycle.Changes
write()now appends to existingclaims.jsonlfiles instead of overwritingread()reads the last line (most recent attestation) for backward compatibilitysign_sigstore.pyandsign_sigstore_pb.pyimplementationsTest-Driven Development
This was implemented using RED-GREEN-REFACTOR:
test_append_to_existing_claims_jsonlthat initially failedExample Usage
This allows attestations to accumulate as models move through their lifecycle (training → registry → security review → production) without invalidating earlier signatures.
Builds on PR #591
Related to #587