Refactor manifest extraction to use verification path

edonadei · edonadei · commit caed127a25d1 · 2025-11-20T19:37:31.000-05:00
Replace Manifest.from_signature() with signing.manifest_from_signature()
that verifies signatures before extracting manifests. This addresses
reviewer feedback to reuse existing verification logic and adds security
to incremental signing by ensuring old signatures are verified before
their hashes are reused.

Changes:
- Add manifest_from_signature() to signing.py that calls Verifier.verify()
- Update sign_incremental() to require identity/oidc_issuer parameters
  for verification of old signatures
- Remove Manifest.from_signature() from manifest.py (eliminated code
  duplication)
- Update documentation examples in hashing.py
- Remove redundant tests (DSSE parsing already tested in signing_test.py)

This is a breaking change for incremental signing API, but improves
security by preventing tampering of old signatures.

Signed-off-by: Emrick Donadei &lt;emrick.donadei@gmail.com&gt;
diff --git a/src/model_signing/signing.py b/src/model_signing/signing.py
@@ -48,7 +48,6 @@
 from typing import Optional
 
 from model_signing import hashing
-from model_signing import manifest
 from model_signing._signing import sign_certificate as certificate
 from model_signing._signing import sign_ec_key as ec_key
 from model_signing._signing import sign_sigstore as sigstore
@@ -216,7 +215,7 @@ def sign_incremental(
                 fails.
         """
         # Extract and verify manifest from old signature
-        old_manifest = manifest_from_signature(
+        old_manifest = signing.manifest_from_signature(
             pathlib.Path(old_signature_path),
             identity=identity,
             oidc_issuer=oidc_issuer,
@@ -383,7 +382,9 @@ def use_pkcs11_signer(
             The new signing configuration.
         """
         try:
-            from model_signing._signing import sign_pkcs11 as pkcs11
+            from model_signing._signing import (  # noqa: PLC0415
+                sign_pkcs11 as pkcs11,
+            )
         except ImportError as e:
             raise RuntimeError(
                 "PKCS #11 functionality requires the 'pkcs11' extra. "
@@ -416,7 +417,9 @@ def use_pkcs11_certificate_signer(
             The new signing configuration.
         """
         try:
-            from model_signing._signing import sign_pkcs11 as pkcs11
+            from model_signing._signing import (  # noqa: PLC0415
+                sign_pkcs11 as pkcs11,
+            )
         except ImportError as e:
             raise RuntimeError(
                 "PKCS #11 functionality requires the 'pkcs11' extra. "
