From: "Michał Górny" <mgorny@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Cc: "Michał Górny" <mgorny@gentoo.org>
Subject: [gentoo-dev] [PATCH 0/5] verify-sig.eclass: sigstore support
Date: Sat, 12 Oct 2024 20:52:01 +0200
Message-ID: <20241012185704.771370-1-mgorny@gentoo.org>
Hi,

dev-python/sigstore is yet another NIH signature verification tool.
Python is planning to use it exclusively starting with Python 3.14.
It uses some fancy PKI-like infrastructure backed by OAuth against
some popular providers (read: now Google and Microsoft will hold keys
used to sign Python releases).

This patch set adds:

1. A package to install up-to-date root certificates for sigstore.
   It also has a test phase that can be used to verify if we need
   to wrap up a new version.

2. verify-sig support for verifying detached signatures against it.
   No other kinds of signatures are implemented, and I have no clue
   if they are supported at all.

3. An example Python 3.13.0 patch to use it. That said, I don't think
   we will actually use it for existing versions, just when there are
   no PGP signatures anymore.

Michał Górny (5):
  sec-keys/sigstore-trusted-root: New package, v0_p20241010
  verify-sig.eclass: Refactor code to use extra_args for all types
  verify-sig.eclass: Error out on invalid method+function combos
  verify-sig.eclass: Add support for verifying sigstore signatures
  dev-lang/python: Use sigstore in 3.13.0 (example)
dev-lang/python/Manifest | 2 +-
dev-lang/python/python-3.13.0.ebuild | 8 +-
eclass/verify-sig.eclass | 74 +++++++++++++++++--
sec-keys/sigstore-trusted-root/Manifest | 2 +
sec-keys/sigstore-trusted-root/metadata.xml | 8 ++
.../sigstore-trusted-root-0_p20241010.ebuild | 54 ++++++++++++++
6 files changed, 136 insertions(+), 12 deletions(-)
create mode 100644 sec-keys/sigstore-trusted-root/Manifest
create mode 100644 sec-keys/sigstore-trusted-root/metadata.xml
create mode 100644 sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild
--
2.47.0