docs: add changelog entry for plugin signature verification

Author: clement-tourriere

changelog.d/20260219_155531_clement.tourriere_plugin_signing.md

@@ -0,0 +1,7 @@
+### Added
+
+- Add sigstore signature verification for plugin wheels, enforcing identity-based trust via OIDC. Plugins can be verified in STRICT, WARN, or DISABLED mode, configurable through enterprise settings or the `--allow-unsigned` flag. Note: `--allow-unsigned` is intentionally separate from the existing `--insecure` option, as they address different security concerns (content authenticity vs. transport security).
+
+### Fixed
+
+- Forward `signature_mode` through GitHub release and GitHub artifact download paths, ensuring signature verification is applied consistently across all install sources.

ggshield/__main__.py

@@ -70,25 +70,13 @@ def _load_plugins() -> PluginRegistry:
     """Load plugins at module level so commands are available."""
     global _plugin_registry
     if _plugin_registry is None:
-        # Suppress signature/loader loggers during startup to avoid noisy output
-        # before logging is configured
-        sig_logger = logging.getLogger("ggshield.core.plugin.signature")
-        loader_logger = logging.getLogger("ggshield.core.plugin.loader")
-        orig_sig_level = sig_logger.level
-        orig_loader_level = loader_logger.level
-        sig_logger.setLevel(logging.CRITICAL)
-        loader_logger.setLevel(logging.CRITICAL)
-
         try:
             enterprise_config = EnterpriseConfig.load()
             plugin_loader = PluginLoader(enterprise_config)
             _plugin_registry = plugin_loader.load_enabled_plugins()
         except Exception as e:
             _deferred_warnings.append(f"Failed to load plugins: {e}")
             _plugin_registry = PluginRegistry()
-        finally:
-            sig_logger.setLevel(orig_sig_level)
-            loader_logger.setLevel(orig_loader_level)
 
         # Make registry available to hooks module
         from ggshield.core.plugin.hooks import set_plugin_registry
@@ -286,14 +274,14 @@ def main(args: Optional[List[str]] = None) -> Any:
 
     `args` is only used by unit-tests.
     """
+    log_utils.disable_logs()
+
     _register_plugin_commands()
 
     # Required by pyinstaller when forking.
     # See https://pyinstaller.org/en/latest/common-issues-and-pitfalls.html#multi-processing
     multiprocessing.freeze_support()
 
-    log_utils.disable_logs()
-
     if not os.getenv("GG_PLAINTEXT_OUTPUT", False) and sys.stderr.isatty():
         ui.set_ui(RichGGShieldUI())
 

ggshield/core/config/enterprise_config.py

@@ -2,16 +2,22 @@
 Enterprise configuration - plugin settings.
 """
 
+from __future__ import annotations
+
 from dataclasses import dataclass, field
 from pathlib import Path
 from typing import TYPE_CHECKING, Any, Dict, Optional
 
+from ggshield.core.config.utils import load_yaml_dict, save_yaml_dict
+from ggshield.core.dirs import get_config_dir
+
 
 if TYPE_CHECKING:
     from ggshield.core.plugin.signature import SignatureVerificationMode
 
-from ggshield.core.config.utils import load_yaml_dict, save_yaml_dict
-from ggshield.core.dirs import get_config_dir
+
+_PLUGIN_SIGNATURE_MODE_KEY = "plugin_signature_mode"
+_DEFAULT_SIGNATURE_MODE = "strict"
 
 
 def get_enterprise_config_filepath() -> Path:
@@ -33,10 +39,10 @@ class EnterpriseConfig:
     """Enterprise configuration stored in ~/.config/ggshield/enterprise_config.yaml"""
 
     plugins: Dict[str, PluginConfig] = field(default_factory=dict)
-    plugin_signature_mode: str = "strict"
+    plugin_signature_mode: str = _DEFAULT_SIGNATURE_MODE
 
     @classmethod
-    def load(cls) -> "EnterpriseConfig":
+    def load(cls) -> EnterpriseConfig:
         """Load enterprise config from file."""
         config_path = get_enterprise_config_filepath()
         data = load_yaml_dict(config_path)
@@ -59,7 +65,9 @@ def load(cls) -> "EnterpriseConfig":
             else:
                 plugins[name] = PluginConfig(enabled=True)
 
-        plugin_signature_mode = data.get("plugin_signature_mode", "strict")
+        plugin_signature_mode = data.get(
+            _PLUGIN_SIGNATURE_MODE_KEY, _DEFAULT_SIGNATURE_MODE
+        )
 
         return cls(plugins=plugins, plugin_signature_mode=plugin_signature_mode)
 
@@ -79,7 +87,7 @@ def save(self) -> None:
             }
         }
 
-        data["plugin_signature_mode"] = self.plugin_signature_mode
+        data[_PLUGIN_SIGNATURE_MODE_KEY] = self.plugin_signature_mode
 
         # Remove None values for cleaner YAML
         for plugin_data in data["plugins"].values():
@@ -88,8 +96,10 @@ def save(self) -> None:
 
         save_yaml_dict(data, config_path)
 
-    def get_signature_mode(self) -> "SignatureVerificationMode":
+    def get_signature_mode(self) -> SignatureVerificationMode:
         """Get the signature verification mode."""
+        # Deferred import to avoid circular dependency:
+        # enterprise_config -> plugin.__init__ -> loader -> enterprise_config
         from ggshield.core.plugin.signature import SignatureVerificationMode
 
         try:

ggshield/core/plugin/downloader.py

@@ -33,17 +33,6 @@
 logger = logging.getLogger(__name__)
 
 
-def parse_wheel_filename(filename: str) -> Optional[Tuple[str, str]]:
-    """Parse a wheel filename into (name, version).
-
-    Returns None if the filename doesn't match the wheel naming convention.
-    """
-    match = re.match(r"^([A-Za-z0-9_.-]+?)-(\d+[^-]*)-", filename)
-    if match:
-        return match.group(1), match.group(2)
-    return None
-
-
 def get_signature_label(manifest: Dict[str, Any]) -> Optional[str]:
     """Get a human-readable signature status label from a manifest.
 

tests/unit/cmd/plugin/test_install.py

@@ -17,6 +17,7 @@
     PluginSourceType,
 )
 from ggshield.core.plugin.downloader import ChecksumMismatchError, DownloadError
+from ggshield.core.plugin.signature import SignatureStatus, SignatureVerificationError
 
 
 class TestPluginInstall:
@@ -1054,3 +1055,221 @@ def test_install_checksum_mismatch(
 
         assert result.exit_code == ExitCode.UNEXPECTED_ERROR
         assert "Checksum verification failed" in result.output
+
+
+class TestSignatureVerificationHandling:
+    """Tests for signature verification error handling in install commands."""
+
+    def test_gitguardian_install_signature_error(self, cli_fs_runner) -> None:
+        """
+        GIVEN a plugin with invalid signature
+        WHEN installing from GitGuardian API
+        THEN signature error is shown with --allow-unsigned hint
+        """
+        mock_catalog = PluginCatalog(
+            plan="Enterprise",
+            plugins=[
+                PluginInfo(
+                    name="tokenscanner",
+                    display_name="Token Scanner",
+                    description="Local secret scanning",
+                    available=True,
+                    latest_version="1.0.0",
+                    reason=None,
+                ),
+            ],
+            features={},
+        )
+
+        mock_download_info = PluginDownloadInfo(
+            download_url="https://example.com/plugin.whl",
+            filename="tokenscanner-1.0.0.whl",
+            sha256="abc123",
+            version="1.0.0",
+            expires_at="2099-12-31T23:59:59Z",
+        )
+
+        with (
+            mock.patch(
+                "ggshield.cmd.plugin.install.create_client_from_config"
+            ) as mock_create_client,
+            mock.patch(
+                "ggshield.cmd.plugin.install.PluginAPIClient"
+            ) as mock_plugin_api_client_class,
+            mock.patch(
+                "ggshield.cmd.plugin.install.PluginDownloader"
+            ) as mock_downloader_class,
+            mock.patch(
+                "ggshield.cmd.plugin.install.EnterpriseConfig"
+            ) as mock_config_class,
+        ):
+            mock_client = mock.MagicMock()
+            mock_create_client.return_value = mock_client
+
+            mock_plugin_api_client = mock.MagicMock()
+            mock_plugin_api_client.get_available_plugins.return_value = mock_catalog
+            mock_plugin_api_client.get_download_info.return_value = mock_download_info
+            mock_plugin_api_client_class.return_value = mock_plugin_api_client
+
+            mock_downloader = mock.MagicMock()
+            mock_downloader.download_and_install.side_effect = (
+                SignatureVerificationError(
+                    SignatureStatus.INVALID, "no trusted identity matched"
+                )
+            )
+            mock_downloader_class.return_value = mock_downloader
+
+            mock_config = mock.MagicMock()
+            mock_config.get_signature_mode.return_value = mock.MagicMock()
+            mock_config_class.load.return_value = mock_config
+
+            result = cli_fs_runner.invoke(cli, ["plugin", "install", "tokenscanner"])
+
+        assert result.exit_code == ExitCode.UNEXPECTED_ERROR
+        assert "Signature verification failed" in result.output
+        assert "--allow-unsigned" in result.output
+
+    def test_local_wheel_signature_error(self, cli_fs_runner, tmp_path: Path) -> None:
+        """
+        GIVEN a local wheel with invalid signature
+        WHEN installing from local wheel
+        THEN signature error is shown with --allow-unsigned hint
+        """
+        wheel_path = tmp_path / "plugin.whl"
+        wheel_path.touch()
+
+        with (
+            mock.patch(
+                "ggshield.cmd.plugin.install.PluginDownloader"
+            ) as mock_downloader_class,
+            mock.patch(
+                "ggshield.cmd.plugin.install.EnterpriseConfig"
+            ) as mock_config_class,
+            mock.patch(
+                "ggshield.cmd.plugin.install.detect_source_type",
+                return_value=PluginSourceType.LOCAL_FILE,
+            ),
+        ):
+            mock_downloader = mock.MagicMock()
+            mock_downloader.install_from_wheel.side_effect = SignatureVerificationError(
+                SignatureStatus.MISSING, "No bundle found"
+            )
+            mock_downloader_class.return_value = mock_downloader
+
+            mock_config = mock.MagicMock()
+            mock_config.get_signature_mode.return_value = mock.MagicMock()
+            mock_config_class.load.return_value = mock_config
+
+            result = cli_fs_runner.invoke(cli, ["plugin", "install", str(wheel_path)])
+
+        assert result.exit_code == ExitCode.UNEXPECTED_ERROR
+        assert "Signature verification failed" in result.output
+        assert "--allow-unsigned" in result.output
+
+    @pytest.mark.parametrize(
+        "source_type, method, cli_args",
+        [
+            pytest.param(
+                PluginSourceType.URL,
+                "download_from_url",
+                ["plugin", "install", "https://example.com/plugin.whl"],
+                id="url",
+            ),
+            pytest.param(
+                PluginSourceType.GITHUB_RELEASE,
+                "download_from_github_release",
+                [
+                    "plugin",
+                    "install",
+                    "https://github.com/o/r/releases/download/v1/p.whl",
+                ],
+                id="github_release",
+            ),
+            pytest.param(
+                PluginSourceType.GITHUB_ARTIFACT,
+                "download_from_github_artifact",
+                [
+                    "plugin",
+                    "install",
+                    "https://github.com/o/r/actions/runs/1/artifacts/2",
+                ],
+                id="github_artifact",
+            ),
+        ],
+    )
+    def test_signature_error_all_sources(
+        self, cli_fs_runner, source_type, method, cli_args
+    ) -> None:
+        """Test that SignatureVerificationError is handled for all source types."""
+        with (
+            mock.patch(
+                "ggshield.cmd.plugin.install.PluginDownloader"
+            ) as mock_downloader_class,
+            mock.patch(
+                "ggshield.cmd.plugin.install.EnterpriseConfig"
+            ) as mock_config_class,
+            mock.patch(
+                "ggshield.cmd.plugin.install.detect_source_type",
+                return_value=source_type,
+            ),
+        ):
+            mock_downloader = mock.MagicMock()
+            getattr(mock_downloader, method).side_effect = SignatureVerificationError(
+                SignatureStatus.INVALID, "bad signature"
+            )
+            mock_downloader_class.return_value = mock_downloader
+
+            mock_config = mock.MagicMock()
+            mock_config.get_signature_mode.return_value = mock.MagicMock()
+            mock_config_class.load.return_value = mock_config
+
+            result = cli_fs_runner.invoke(cli, cli_args)
+
+        assert result.exit_code == ExitCode.UNEXPECTED_ERROR
+        assert "Signature verification failed" in result.output
+        assert "--allow-unsigned" in result.output
+
+    def test_allow_unsigned_flag(self, cli_fs_runner, tmp_path: Path) -> None:
+        """
+        GIVEN --allow-unsigned flag
+        WHEN installing a plugin
+        THEN signature mode is set to WARN (not STRICT)
+        """
+        wheel_path = tmp_path / "plugin.whl"
+        wheel_path.touch()
+
+        with (
+            mock.patch(
+                "ggshield.cmd.plugin.install.PluginDownloader"
+            ) as mock_downloader_class,
+            mock.patch(
+                "ggshield.cmd.plugin.install.EnterpriseConfig"
+            ) as mock_config_class,
+            mock.patch(
+                "ggshield.cmd.plugin.install.detect_source_type",
+                return_value=PluginSourceType.LOCAL_FILE,
+            ),
+        ):
+            mock_downloader = mock.MagicMock()
+            mock_downloader.install_from_wheel.return_value = (
+                "plugin",
+                "1.0.0",
+                wheel_path,
+            )
+            mock_downloader_class.return_value = mock_downloader
+
+            mock_config = mock.MagicMock()
+            mock_config.get_signature_mode.return_value = mock.MagicMock()
+            mock_config_class.load.return_value = mock_config
+
+            result = cli_fs_runner.invoke(
+                cli,
+                ["plugin", "install", str(wheel_path), "--allow-unsigned"],
+                catch_exceptions=False,
+            )
+
+        assert result.exit_code == ExitCode.SUCCESS
+        call_kwargs = mock_downloader.install_from_wheel.call_args[1]
+        from ggshield.core.plugin.signature import SignatureVerificationMode
+
+        assert call_kwargs["signature_mode"] == SignatureVerificationMode.WARN