Trust instance

.github/workflows/bench.yml

@@ -51,7 +51,7 @@ jobs:
 
             core.setOutput('head', response.data.head.sha)
 
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ steps.config.outputs.head }}
 
@@ -67,7 +67,7 @@ jobs:
           oci: false
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         id: registry_login
         with:
           registry: ghcr.io
@@ -89,7 +89,7 @@ jobs:
     env:
       TAG: ${{needs.publish-benchmark-container.outputs.head}}
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{needs.publish-benchmark-container.outputs.head}}
       - uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0

.github/workflows/cli.yml

@@ -31,12 +31,13 @@ defaults:
 jobs:
   model-signing-cli-test:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
-    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
+    - name: Set up Hatch
+      uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc # install
     - name: Run CLI tests
-      run: |
-        # TODO: this should use hatch
-        python -m venv venv
-        . venv/bin/activate
-        pip install -e .[pkcs11]
-        ./scripts/tests/testrunner
+      run: hatch run cli:test

.github/workflows/codeql.yml

@@ -48,13 +48,13 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
+      uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -68,7 +68,7 @@ jobs:
     # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
+      uses: github/codeql-action/autobuild@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -81,6 +81,6 @@ jobs:
     #     ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
+      uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/cross_os.yml

@@ -65,7 +65,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
@@ -75,7 +75,7 @@ jobs:
       - name: Set up Hatch
         uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc # install
       - name: store beacon token into oidc-token.txt
-        uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@1e3cabecd3790f48b79a795424e12fa3cb880dcb # main
+        uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@72d9d63b71e66f36b3e008b8be44ffce84cd2b63 # main
       - name: Sign the model
         run: hatch run python -m model_signing sign sigstore model_root/ --use_staging --signature model.sig --identity_token $(cat oidc-token.txt)
       - name: upload model signature
@@ -98,7 +98,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0

.github/workflows/docs.yml

@@ -30,7 +30,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Set up Hatch

.github/workflows/integration.yml

@@ -40,7 +40,7 @@ jobs:
     permissions:
       contents: read
     steps:
-    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         persist-credentials: false
     - name: Set up Hatch

.github/workflows/lint.yml

@@ -29,7 +29,7 @@ jobs:
       contents: read
     steps:
       - name: Check out source repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Detect empty lines at end of file and trailing whitespace
@@ -74,7 +74,7 @@ jobs:
       contents: read
     steps:
       - name: Check out source repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Set up Hatch
@@ -91,7 +91,7 @@ jobs:
       contents: read
     steps:
       - name: Check out source repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Set up Hatch
@@ -108,7 +108,7 @@ jobs:
       contents: read
     steps:
       - name: Check out source repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Check for CLI flags with underscores

.github/workflows/release.yml

@@ -29,7 +29,7 @@ jobs:
     permissions:
       contents: read
     steps:
-    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         persist-credentials: false
     - name: Set up Hatch
@@ -71,12 +71,12 @@ jobs:
       packages: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         id: registry_login
         with:
           registry: ghcr.io
@@ -118,7 +118,7 @@ jobs:
           registry: ghcr.io
 
       - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
         with:
           subject-name: ghcr.io/sigstore/model-transparency-cli
           subject-digest: ${{ steps.push_minimal.outputs.digest }}
@@ -153,7 +153,7 @@ jobs:
           registry: ghcr.io
 
       - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
         with:
           subject-name: ghcr.io/sigstore/model-transparency-cli
           subject-digest: ${{ steps.push_full.outputs.digest }}

.github/workflows/scorecard.yml

@@ -47,7 +47,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -82,6 +82,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
+        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
         with:
           sarif_file: results.sarif

.github/workflows/unit_tests.yml

@@ -36,7 +36,7 @@ jobs:
     permissions:
       contents: read
     steps:
-    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         persist-credentials: false
     - name: Set up Hatch

README.md

@@ -84,7 +84,9 @@ repository can do the same using [Hatch](https://hatch.pypa.io/latest/) via
 
 For the remainder of the section, we would use `model_signing <args>` method.
 
-The CLI has two subcommands: `sign` for signing and `verify` for verification.
+The CLI has three subcommands: `sign` for signing, `verify` for verification,
+and `trust-instance` for bootstrapping trust to a Sigstore instance (see
+[Using Private Sigstore Instances](#using-private-sigstore-instances)).
 Each subcommand has another level of subcommands to select the signing method
 (`sigstore` -- the default, can be skipped --, `key`, `certificate`). Then, each
 of these subcommands has several flags to configure parameters for
@@ -127,29 +129,57 @@ The digest subcommand follows the same ignore rules used when signing.
 
 ## Using Private Sigstore Instances
 
-To use a private Sigstore setup (e.g. custom Rekor/Fulcio), use the `--trust-config` flag:
+> **Note:** If you are signing and verifying with the default public
+> [Sigstore](https://www.sigstore.dev/) instance, you do not need any of the
+> options below — the CLI uses the public goods instance out of the box. This
+> section is only relevant when operating your own private Sigstore deployment.
+
+The recommended way to use a private Sigstore instance is via `--instance`,
+which resolves trust configuration automatically through
+[TUF](https://theupdateframework.io/).
+
+**1. Bootstrap trust** (one-time setup):
+
+Fetch the instance's initial `root.json` and register it locally:
 
 ```bash
-[...]$ model_signing sign bert-base-uncased --trust-config client_trust_config.json
+[...]$ curl -o root.json https://tuf-repo-cdn.sigstore.dev/1.root.json
+[...]$ model_signing trust-instance --instance https://tuf-repo-cdn.sigstore.dev root.json
 ```
 
-For verification:
+**2. Sign and verify** using the instance URL:
 
 ```bash
-[...]$ model_signing verify bert-base-uncased \
+[...]$ model_signing sign --instance https://tuf-repo-cdn.sigstore.dev bert-base-uncased
+[...]$ model_signing verify --instance https://tuf-repo-cdn.sigstore.dev \
       --signature model.sig \
-      --trust-config client_trust_config.json
-      --identity "$identity"
-      --identity-provider "$oidc_provider"
+      --identity "$identity" \
+      --identity-provider "$oidc_provider" \
+      bert-base-uncased
 ```
 
-The `client_trust_config.json` file should include:
+After bootstrapping, only the URL is needed — TUF handles metadata updates and
+key rotation transparently.
 
-- A signed target trust root
-- A `signingConfig` section with your private Rekor, Fulcio, and CT log endpoints
-- Public keys for verification (if applicable)
+#### Using a manual ClientTrustConfig
 
-You can find an example `client_trust_config.json` that references the public Sigstore production services in the Sigstore Python repository [here](https://github.com/sigstore/sigstore-python/blob/main/test/assets/trust_config/config.v1.json).
+If you need full control over the trust root (e.g. pinning specific keys or
+endpoints), you can provide a `ClientTrustConfig` JSON file directly via
+`--trust-config`. This takes precedence over `--instance` when both are given.
+
+```bash
+[...]$ model_signing sign --trust-config client_trust_config.json bert-base-uncased
+[...]$ model_signing verify \
+      --trust-config client_trust_config.json \
+      --signature model.sig \
+      --identity "$identity" \
+      --identity-provider "$oidc_provider" \
+      bert-base-uncased
+```
+
+An example `client_trust_config.json` referencing the public Sigstore production
+services can be found in the sigstore-python repository
+[here](https://github.com/sigstore/sigstore-python/blob/main/test/assets/trust_config/config.v1.json).
 
 As another example, here is how we can sign with private keys. First, we
 generate the key pair:
@@ -446,6 +476,21 @@ model_signing.verifying.Config().use_sigstore_verifier(
 ).verify("finbert", "finbert.sig")
 ```
 
+To sign or verify against a specific Sigstore instance, pass its TUF URL:
+
+```python
+import model_signing
+
+model_signing.signing.Config().use_sigstore_signer(
+    instance="https://tuf-repo-cdn.sigstore.dev"
+).sign("finbert", "finbert.sig")
+
+model_signing.verifying.Config().use_sigstore_verifier(
+    identity=identity, oidc_issuer=oidc_provider,
+    instance="https://tuf-repo-cdn.sigstore.dev"
+).verify("finbert", "finbert.sig")
+```
+
 The same verification configuration can be used to verify multiple models:
 
 ```python

pyproject.toml

@@ -39,7 +39,7 @@ dependencies = [
   "click",
   "cryptography",
   "in-toto-attestation",
-  "sigstore>=4.0",
+  "sigstore>=4.2",
   "sigstore-models>=0.0.5",
   "typing_extensions",
 ]
@@ -152,6 +152,26 @@ python = "3.12"
 [tool.hatch.envs.type.scripts]
 check = "pytype -k -j auto src tests benchmarks"
 
+[tool.hatch.envs.hatch-static-analysis]
+config-path = "none"
+
+[tool.hatch.envs.hatch-static-analysis.scripts]
+format-check = "ruff format --check src/"
+format-fix = "ruff format src/"
+lint-check = "ruff check src/"
+lint-fix = "ruff check --fix src/"
+
+[tool.hatch.envs.cli]
+description = """Custom environment for CLI tests.
+Use `hatch run cli:test` to run CLI tests.
+"""
+features = [
+    "pkcs11",
+]
+
+[tool.hatch.envs.cli.scripts]
+test = "bash ./scripts/tests/testrunner"
+
 [tool.coverage.report]
 exclude_also = [
   "pass",
@@ -183,11 +203,7 @@ skip-magic-trailing-comma = true
 [tool.ruff.lint]
 select = ["B", "D", "E", "F", "I", "N", "PLC", "PLE", "PT", "SIM", "UP", "W"]
 ignore = [
-  # TODO: selectively enable back most of these in subsequent PRs
-  "B024", "D100", "D101", "D102", "D103", "D104", "D105", "D107", "D417",
-  # Unnecessary arguments can help with clarity
-  "UP012", "UP015",
-  "PLC0415", # Lazy imports
+  "PLC0415",  # Intentional lazy imports for optional dependencies
 ]
 
 [tool.ruff.lint.flake8-tidy-imports]