cli: add a flag for disabling ambient OIDC detection (sigstore#68)

woodruffw · web-flow · commit 4e2b59a44754 · 2022-05-03T00:40:18.000-04:00
* cli: add a flag for disabling ambient OIDC detection

Signed-off-by: William Woodruff &lt;william@trailofbits.com&gt;

* README: update `sigstore sign --help`

Signed-off-by: William Woodruff &lt;william@trailofbits.com&gt;
diff --git a/README.md b/README.md
@@ -55,9 +55,12 @@ Signing:
 Usage: sigstore sign [OPTIONS] FILE [FILE ...]
 
 Options:
-  --identity-token TEXT
+  --identity-token TEXT           the OIDC identity token to use
   --ctfe FILENAME
-  --help                 Show this message and exit.
+  --oidc-disable-ambient-providers
+                                  Disable ambient OIDC detection (e.g. on
+                                  GitHub Actions)
+  --help                          Show this message and exit.
 ```
 <!-- @end-sigstore-sign-help@ -->
 
diff --git a/sigstore/_cli.py b/sigstore/_cli.py
@@ -31,26 +31,45 @@ def main():
 
 
 @main.command("sign")
-@click.option("identity_token", "--identity-token", type=click.STRING)
+@click.option(
+    "identity_token",
+    "--identity-token",
+    type=click.STRING,
+    help="the OIDC identity token to use",
+)
 @click.option(
     "ctfe_pem",
     "--ctfe",
     type=click.File("rb"),
     default=resources.open_binary("sigstore._store", "ctfe.pub"),
 )
+@click.option(
+    "oidc_disable_ambient_providers",
+    "--oidc-disable-ambient-providers",
+    is_flag=True,
+    default=False,
+    help="Disable ambient OIDC detection (e.g. on GitHub Actions)",
+)
 @click.argument(
-    "files", metavar="FILE [FILE ...]", type=click.File("rb"), nargs=-1, required=True
+    "files",
+    metavar="FILE [FILE ...]",
+    type=click.File("rb"),
+    nargs=-1,
+    required=True,
 )
-def _sign(files, identity_token, ctfe_pem):
+def _sign(files, identity_token, ctfe_pem, oidc_disable_ambient_providers):
     # The order of precedence is as follows:
     #
     # 1) Explicitly supplied identity token
-    # 2) Ambient credential detected in the environment
+    # 2) Ambient credential detected in the environment, unless disabled
     # 3) Interactive OAuth flow
-    if not identity_token:
+    if not identity_token and not oidc_disable_ambient_providers:
         identity_token = detect_credential()
     if not identity_token:
         identity_token = get_identity_token()
+    if not identity_token:
+        click.echo("No identity token supplied or detected!", err=True)
+        raise click.Abort
 
     ctfe_pem = ctfe_pem.read()
     for file in files:
