From: Michał Górny
To: gentoo-dev@lists.gentoo.org
Cc: Michał Górny
Subject: [gentoo-dev] [PATCH 0/5] verify-sig.eclass: sigstore support
Date: Sat, 12 Oct 2024 20:52:01 +0200
Message-ID: <20241012185704.771370-1-mgorny@gentoo.org>
X-Mailer: git-send-email 2.47.0

Hi,

dev-python/sigstore is yet another NIH signature verification tool. Python is planning to use it exclusively starting with Python 3.14. It uses some fancy PKI-like infrastructure backed by OAuth against some popular providers (read: now Google and Microsoft will hold keys used to sign Python releases).

This patch set adds:

1. A package to install up-to-date root certificates for sigstore. It also has a test phase that can be used to verify if we need to wrap up a new version.

2. verify-sig support for verifying detached signatures against it. No other kinds of signatures are implemented, and I have no clue if they are supported at all.

3. An example Python 3.13.0 patch to use it. That said, I don't think we will actually use it for existing versions, just when there are no PGP signatures anymore.

Michał Górny (5):
  sec-keys/sigstore-trusted-root: New package, v0_p20241010
  verify-sig.eclass: Refactor code to use extra_args for all types
  verify-sig.eclass: Error out on invalid method+function combos
  verify-sig.eclass: Add support for verifying sigstore signatures
  dev-lang/python: Use sigstore in 3.13.0 (example)

 dev-lang/python/Manifest                      |  2 +-
 dev-lang/python/python-3.13.0.ebuild          |  8 +-
 eclass/verify-sig.eclass                      | 74 +++++++++++++++++--
 sec-keys/sigstore-trusted-root/Manifest       |  2 +
 sec-keys/sigstore-trusted-root/metadata.xml   |  8 ++
 .../sigstore-trusted-root-0_p20241010.ebuild  | 54 ++++++++++++++
 6 files changed, 136 insertions(+), 12 deletions(-)
 create mode 100644 sec-keys/sigstore-trusted-root/Manifest
 create mode 100644 sec-keys/sigstore-trusted-root/metadata.xml
 create mode 100644 sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild

-- 
2.47.0
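The cover letter mentions a test phase that tells the maintainer when the bundled sigstore trusted root is stale. The following is an added example of such a check, written here for illustration; it is not the code from the sec-keys/sigstore-trusted-root package or from verify-sig.eclass. It assumes the layout of sigstore's trusted_root.json (entries under certificateAuthorities, tlogs, ctlogs and timestampAuthorities, each carrying a "validFor" window with RFC 3339 "start"/"end" timestamps, logs keeping it under "publicKey"), and the sample document embedded in it is constructed, with placeholder key material and `.invalid` hostnames. Expired entries are reported but do not by themselves trigger a refresh, because a trusted root deliberately keeps retired CAs so that older signatures still verify; a refresh is flagged when no certificate authority is current or one is about to expire.

```python
"""Report the validity windows in a sigstore trusted_root.json and decide
whether a refreshed trusted-root package is due.

Added example, not part of the patch series. Assumes the trusted_root.json
layout described in the lead-in; the sample below is constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: one current CA, one CA whose window has ended, one log
# with an open-ended window. Key material is a placeholder, not real DER.
SAMPLE_TRUSTED_ROOT = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
    "certificateAuthorities": [
        {"uri": "https://fulcio.example.invalid",
         "certChain": {"certificates": [{"rawBytes": "BASE64-DER-PLACEHOLDER"}]},
         "validFor": {"start": "2022-04-13T20:06:15.000Z",
                      "end": "2031-10-05T13:56:58.000Z"}},
        {"uri": "https://fulcio-old.example.invalid",
         "certChain": {"certificates": [{"rawBytes": "BASE64-DER-PLACEHOLDER"}]},
         "validFor": {"start": "2021-03-07T03:20:29.000Z",
                      "end": "2022-12-31T17:31:28.000Z"}},
    ],
    "tlogs": [
        {"baseUrl": "https://rekor.example.invalid",
         "publicKey": {"rawBytes": "BASE64-PLACEHOLDER",
                       "keyDetails": "PKIX_ECDSA_P256_SHA_256",
                       "validFor": {"start": "2021-01-12T11:53:27.000Z"}}},
    ],
    "ctlogs": [],
    "timestampAuthorities": [],
})

SECTIONS = ("certificateAuthorities", "tlogs", "ctlogs", "timestampAuthorities")


def _parse_ts(value):
    # RFC 3339 with a trailing "Z"; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _window(entry):
    # CAs and TSAs carry validFor at the top level; logs carry it under publicKey.
    return entry.get("validFor") or entry.get("publicKey", {}).get("validFor") or {}


def audit_trusted_root(doc, now_iso, warn_days=90):
    """Classify every entry as current / expiring / expired / not-yet-valid.

    Returns (statuses, refresh_needed) where statuses maps
    (section, name) -> status. A refresh is needed when no certificate
    authority is current, or when a CA expires within warn_days.
    """
    root = json.loads(doc) if isinstance(doc, str) else doc
    now = _parse_ts(now_iso)
    horizon = now + timedelta(days=warn_days)
    statuses = {}
    for section in SECTIONS:
        for entry in root.get(section, []):
            name = entry.get("uri") or entry.get("baseUrl") or "<unnamed>"
            window = _window(entry)
            start = _parse_ts(window["start"]) if "start" in window else None
            end = _parse_ts(window["end"]) if "end" in window else None
            if start is not None and now < start:
                status = "not-yet-valid"
            elif end is not None and now >= end:
                status = "expired"
            elif end is not None and horizon >= end:
                status = "expiring"
            else:
                status = "current"
            statuses[(section, name)] = status

    ca_statuses = [st for (sec, _), st in statuses.items()
                   if sec == "certificateAuthorities"]
    refresh_needed = ("current" not in ca_statuses) or ("expiring" in ca_statuses)
    return statuses, refresh_needed


if __name__ == "__main__":
    today = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    report, due = audit_trusted_root(SAMPLE_TRUSTED_ROOT, today)
    for (section, name), status in report.items():
        print(f"{section:24} {name:40} {status}")
    print("refresh needed:", due)
```

Pointing the script at a real trusted_root.json instead of the constructed sample is a matter of reading the file and passing its text as `doc`; the warning window is the knob a maintainer would tune to how far ahead a new package revision should be cut.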