[gentoo-dev] [PATCH 0/5] verify-sig.eclass: sigstore support

[gentoo-dev] [PATCH 0/5] verify-sig.eclass: sigstore support

[Michał Górny]

Hi,

dev-python/sigstore is yet another NIH signature verification tool.
Python is planning to use it exclusively starting with Python 3.14.
It uses some fancy PKI-like infrastructure backend by OAuth against
some popular providers (read: now Google and Microsoft will hold keys
used to sign Python releases).

This patch set adds:

1. A package to install an up-to-date root certificates for sigstore.
   It also has a test phase that can be used to verify if we need
   to wrap up a new version.

2. verify-sig support for verifying detached signatures against it.
   No other kinds of signatures are implemented, and I have no clue
   if they are supported at all.

3. An example Python 3.13.0 patch to use it.  That said, I don't think
   we will actually use it for existing versions, just when there are
   no PGP signatures anymore.



Michał Górny (5):
  sec-keys/sigstore-trusted-root: New package, v0_p20241010
  verify-sig.eclass: Refactor code to use extra_args for all types
  verify-sig.eclass: Error out on invalid method+function combos
  verify-sig.eclass: Add support for verifying sigstore signatures
  dev-lang/python: Use sigstore in 3.13.0 (example)

 dev-lang/python/Manifest                      |  2 +-
 dev-lang/python/python-3.13.0.ebuild          |  8 +-
 eclass/verify-sig.eclass                      | 74 +++++++++++++++++--
 sec-keys/sigstore-trusted-root/Manifest       |  2 +
 sec-keys/sigstore-trusted-root/metadata.xml   |  8 ++
 .../sigstore-trusted-root-0_p20241010.ebuild  | 54 ++++++++++++++
 6 files changed, 136 insertions(+), 12 deletions(-)
 create mode 100644 sec-keys/sigstore-trusted-root/Manifest
 create mode 100644 sec-keys/sigstore-trusted-root/metadata.xml
 create mode 100644 sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild

-- 
2.47.0

[gentoo-dev] [PATCH 1/5] sec-keys/sigstore-trusted-root: New package, v0_p20241010

[Michał Górny]

New package installing trusted_root.json for dev-python/sigstore,
to verify signatures.  Includes a test phase to verify if our root
is up-to-date.

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 sec-keys/sigstore-trusted-root/Manifest       |  2 +
 sec-keys/sigstore-trusted-root/metadata.xml   |  8 +++
 .../sigstore-trusted-root-0_p20241010.ebuild  | 54 +++++++++++++++++++
 3 files changed, 64 insertions(+)
 create mode 100644 sec-keys/sigstore-trusted-root/Manifest
 create mode 100644 sec-keys/sigstore-trusted-root/metadata.xml
 create mode 100644 sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild

diff --git a/sec-keys/sigstore-trusted-root/Manifest b/sec-keys/sigstore-trusted-root/Manifest
new file mode 100644
index 000000000000..cb7c8da2676e
--- /dev/null
+++ b/sec-keys/sigstore-trusted-root/Manifest
@@ -0,0 +1,2 @@
+DIST Python-3.13.0.tar.xz.sigstore 5067 BLAKE2B a774f8d3947bd114ea9cd8d028ba06d30a11385a5295d2f0535f507789e08697e290a920df23064add58496f3a8765aeb1ce3bad4e5548613e78e2b283852ff8 SHA512 6c9d99299ed3f1d221deca6e0a7abc9a89a7c87d2c74225c1175691b1c21ccc5d55da17d69dc9893f94d91deaf1870c1a2a4be0905fc2dbed16d34a4110e3ec2
+DIST sigstore-trusted-root-0_p20241010.tar.xz 7984 BLAKE2B 4d6c6e043e116e9830dc2f9a0a3c0f1333f5044b0ba40e52d3790c6d220415c4b525ebc5592cee31266dace637fb8417ec5768b7370928e0f705f0f03f5bc080 SHA512 784c3bb95b9112bb64d5e8132dee8ee32bcc2e2953d8fd77b1bfca6f1172771f1ee0609b9f80e6e592cccf5205ed73c7584ef6b6e31c8531978c7f1b48a816fa
diff --git a/sec-keys/sigstore-trusted-root/metadata.xml b/sec-keys/sigstore-trusted-root/metadata.xml
new file mode 100644
index 000000000000..076793e3f54b
--- /dev/null
+++ b/sec-keys/sigstore-trusted-root/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>mgorny@gentoo.org</email>
+		<name>Michał Górny</name>
+	</maintainer>
+</pkgmetadata>
diff --git a/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild b/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild
new file mode 100644
index 000000000000..99355d7005a1
--- /dev/null
+++ b/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild
@@ -0,0 +1,54 @@
+# Copyright 2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="trusted-root.json for dev-python/sigstore"
+HOMEPAGE="https://www.sigstore.dev/"
+SRC_URI="
+	https://dev.gentoo.org/~mgorny/dist/${P}.tar.xz
+	test? (
+		https://www.python.org/ftp/python/3.13.0/Python-3.13.0.tar.xz.sigstore
+	)
+"
+S=${WORKDIR}
+
+LICENSE="public-domain"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE="test"
+PROPERTIES="test_network"
+RESTRICT="test"
+
+BDEPEND="
+	test? (
+		dev-python/sigstore
+		sys-apps/diffutils
+	)
+"
+
+src_test() {
+	local common_args=(
+		--bundle "${DISTDIR}"/Python-3.13.0.tar.xz.sigstore
+		--cert-identity thomas@python.org
+		--cert-oidc-issuer https://accounts.google.com
+		sha256:086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d
+	)
+
+	cp -r "${WORKDIR}"/{.cache,.local} "${HOME}"/ || die
+	einfo "Attempting offline verification ..."
+	sigstore verify identity --offline "${common_args[@]}" ||
+		die "Verification failed with extracted trust root"
+	einfo "Attempting online verification ..."
+	sigstore verify identity "${common_args[@]}" ||
+		die "Verification failed in online mode"
+
+	# check if anything needs updating
+	diff -ur "${WORKDIR}" "${HOME}" ||
+		die "Changes found, need to wrap up a new package"
+}
+
+src_install() {
+	insinto /usr/share/sigstore-gentoo
+	doins -r .cache .local
+}
-- 
2.47.0

[gentoo-dev] [PATCH 2/5] verify-sig.eclass: Refactor code to use extra_args for all types

[Michał Górny]

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 eclass/verify-sig.eclass | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index b74ed78290aa..d601c7838a00 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -132,7 +132,6 @@ verify-sig_verify_detached() {
 	fi
 
 	local extra_args=()
-	[[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
 	if [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]]; then
 		[[ ${VERIFY_SIG_METHOD} == openpgp ]] ||
 			die "${FUNCNAME}: VERIFY_SIG_OPENPGP_KEYSERVER is not supported"
@@ -152,10 +151,15 @@ verify-sig_verify_detached() {
 	einfo "Verifying ${filename} ..."
 	case ${VERIFY_SIG_METHOD} in
 		minisig)
-			minisign -V -P "$(<"${key}")" -x "${sig}" -m "${file}" ||
+			minisign "${extra_args[@]}" \
+				-V -P "$(<"${key}")" -x "${sig}" -m "${file}" ||
 				die "minisig signature verification failed"
 			;;
 		openpgp)
+			if [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} != yes ]]; then
+				extra_args+=( -R )
+			fi
+
 			# gpg can't handle very long TMPDIR
 			# https://bugs.gentoo.org/854492
 			local -x TMPDIR=/tmp
@@ -165,7 +169,8 @@ verify-sig_verify_detached() {
 				die "PGP signature verification failed"
 			;;
 		signify)
-			signify -V -p "${key}" -m "${file}" -x "${sig}" ||
+			signify "${extra_args[@]}" \
+				-V -p "${key}" -m "${file}" -x "${sig}" ||
 				die "Signify signature verification failed"
 			;;
 	esac
-- 
2.47.0

[gentoo-dev] [PATCH 3/5] verify-sig.eclass: Error out on invalid method+function combos

[Michał Górny]

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 eclass/verify-sig.eclass | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index d601c7838a00..9886e3352db7 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -173,6 +173,9 @@ verify-sig_verify_detached() {
 				-V -p "${key}" -m "${file}" -x "${sig}" ||
 				die "Signify signature verification failed"
 			;;
+		*)
+			die "${FUNCNAME} not supported with ${VERIFY_SIG_METHOD}"
+			;;
 	esac
 }
 
@@ -234,6 +237,9 @@ verify-sig_verify_message() {
 			signify -V -e -p "${key}" -m "${output_file}" -x "${file}" ||
 				die "Signify signature verification failed"
 			;;
+		*)
+			die "${FUNCNAME} not supported with ${VERIFY_SIG_METHOD}"
+			;;
 	esac
 }
 
@@ -367,6 +373,9 @@ verify-sig_verify_signed_checksums() {
 				-x "${checksum_file}" "${files[@]}" ||
 				die "Signify signature verification failed"
 			;;
+		*)
+			die "${FUNCNAME} not supported with ${VERIFY_SIG_METHOD}"
+			;;
 	esac
 }
 
-- 
2.47.0

[gentoo-dev] [PATCH 4/5] verify-sig.eclass: Add support for verifying sigstore signatures

[Michał Górny]

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 eclass/verify-sig.eclass | 54 ++++++++++++++++++++++++++++++++++++----
 1 file changed, 49 insertions(+), 5 deletions(-)

diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 9886e3352db7..f97c4a276865 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -57,6 +57,7 @@ IUSE="verify-sig"
 #
 #  - minisig -- verify signatures with (base64) Ed25519 public key using app-crypt/minisign
 #  - openpgp -- verify PGP signatures using app-crypt/gnupg (the default)
+#  - sigstore -- verifsy signatures using dev-python/sigstore
 #  - signify -- verify signatures with Ed25519 public key using app-crypt/signify
 : "${VERIFY_SIG_METHOD:=openpgp}"
 
@@ -75,6 +76,14 @@ case ${VERIFY_SIG_METHOD} in
 	signify)
 		BDEPEND="verify-sig? ( app-crypt/signify )"
 		;;
+	sigstore)
+		BDEPEND="
+			verify-sig? (
+				dev-python/sigstore
+				sec-keys/sigstore-trusted-root
+			)
+		"
+		;;
 	*)
 		die "${ECLASS}: unknown method '${VERIFY_SIG_METHOD}'"
 		;;
@@ -89,8 +98,19 @@ esac
 #
 # The value of BROOT will be prepended to this path automatically.
 #
-# NB: this variable is also used for non-OpenPGP signatures.  The name
-# contains "OPENPGP" for historical reasons.
+# This variable is also used for non-OpenPGP signatures.  The name
+# contains "OPENPGP" for historical reasons.  It is not used
+# for sigstore, since it uses a single trusted root.
+
+# @ECLASS_VARIABLE: VERIFY_SIG_CERT_IDENTITY
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# --cert-identity passed to sigstore invocation.
+
+# @ECLASS_VARIABLE: VERIFY_SIG_CERT_OIDC_ISSUER
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# --cert-oidc-issuer passed to sigstore invocation.
 
 # @ECLASS_VARIABLE: VERIFY_SIG_OPENPGP_KEYSERVER
 # @DEFAULT_UNSET
@@ -108,7 +128,7 @@ esac
 # in make.conf to enable.  Note that this requires working Internet
 # connection.
 #
-# Supported for OpenPGP only.
+# Supported for OpenPGP and sigstore.
 : "${VERIFY_SIG_OPENPGP_KEY_REFRESH:=no}"
 
 # @FUNCTION: verify-sig_verify_detached
@@ -123,7 +143,17 @@ verify-sig_verify_detached() {
 	local sig=${2}
 	local key=${3}
 
-	if [[ -z ${key} ]]; then
+	if [[ ${VERIFY_SIG_METHOD} == sigstore ]]; then
+		if [[ -n ${key:-${VERIFY_SIG_OPENPGP_KEY_PATH}} ]]; then
+			die "${FUNCNAME}: key unexpectedly specified for sigstore"
+		fi
+		if [[ -z ${VERIFY_SIG_CERT_IDENTITY} ]]; then
+			die "${FUNCNAME}: VERIFY_SIG_CERT_IDENTITY must be specified for sigstore"
+		fi
+		if [[ -z ${VERIFY_SIG_CERT_OIDC_ISSUER} ]]; then
+			die "${FUNCNAME}: VERIFY_SIG_CERT_OIDC_ISSUER must be specified for sigstore"
+		fi
+	elif [[ -z ${key} ]]; then
 		if [[ -z ${VERIFY_SIG_OPENPGP_KEY_PATH} ]]; then
 			die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
 		else
@@ -173,6 +203,20 @@ verify-sig_verify_detached() {
 				-V -p "${key}" -m "${file}" -x "${sig}" ||
 				die "Signify signature verification failed"
 			;;
+		sigstore)
+			if [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} != yes ]]; then
+				extra_args+=( --offline )
+			fi
+
+			cp -r "${BROOT}"/usr/share/sigstore-gentoo/{.cache,.local} \
+				"${HOME}"/ || die
+			sigstore verify identity "${extra_args[@]}" \
+				--bundle "${sig}" \
+				--cert-identity "${VERIFY_SIG_CERT_IDENTITY}" \
+				--cert-oidc-issuer "${VERIFY_SIG_CERT_OIDC_ISSUER}" \
+				"${file}" ||
+				die "Sigstore signature verification failed"
+			;;
 		*)
 			die "${FUNCNAME} not supported with ${VERIFY_SIG_METHOD}"
 			;;
@@ -394,7 +438,7 @@ verify-sig_src_unpack() {
 		# find all distfiles and signatures, and combine them
 		for f in ${A}; do
 			found=
-			for suffix in .asc .sig .minisig; do
+			for suffix in .asc .sig .minisig .sigstore; do
 				if [[ ${f} == *${suffix} ]]; then
 					signatures+=( "${f}" )
 					found=sig
-- 
2.47.0

[gentoo-dev] [PATCH 5/5] dev-lang/python: Use sigstore in 3.13.0 (example)

[Michał Górny]

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 dev-lang/python/Manifest             | 2 +-
 dev-lang/python/python-3.13.0.ebuild | 8 +++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/dev-lang/python/Manifest b/dev-lang/python/Manifest
index daddb0dad1f4..7663f0072d2a 100644
--- a/dev-lang/python/Manifest
+++ b/dev-lang/python/Manifest
@@ -9,7 +9,7 @@ DIST Python-3.12.6.tar.xz.asc 963 BLAKE2B d5f9e4c5053610a1a53769278e69d8a25e2fb0
 DIST Python-3.12.7.tar.xz 20444032 BLAKE2B eed8744261cab3b401963ec5187a8b814adb9a18f8d0a6a3d59c027a83cf8408524af9b20204b0a0861d173cc33c45ae37bb1542a1ace3344dc59c649087ff1f SHA512 4a363d3f852ad8f4fd1484aa4cec35494a3811be48ef67fadb2bdf2e2489ed07dc78fad6ab475257db503ddd64d39f9800f23a1c94b6bbd15b7f632cff0c90ae
 DIST Python-3.12.7.tar.xz.asc 963 BLAKE2B 8c7db3d1971d93a10c611a2e6dd3679d0b331b48df87b5fe410b089061e48753d98af67084d4f051a31ae803fce3aa3c7af7cba9c692640f50068bd1e46f40e6 SHA512 4d0a7a0da2c81888e93d8ff89ca2ed4bb85a7b0bd00f0d54a14e2c201affac2677ef3984d2b5aea253e624f6465548d9032eefdd9033c1eb3864d82cfd8d3df0
 DIST Python-3.13.0.tar.xz 22532980 BLAKE2B 4a4e397199402de8c9fe8e4d63443ed972cbe8a4f541743908d699c7987127d159d600fd14145b6a946e8671426279d230c9155fdc5863c1e49a945eedcbf21b SHA512 44a143c9b96b55b01885ec020c3364265bda55289615cd7d5071915b0d0178a6f35e7551a89090001fcb7f3172d38177a56bf8b8532b15c9dbc50295c9210152
-DIST Python-3.13.0.tar.xz.asc 963 BLAKE2B d05f02692a9fea42b73dbfe5dc42bd6533555e5ecb848510d2b94bb7f0e55d4a0f89bcd20b073ed2c7f7a68be35b12cb6dbff6bc16fc9a4592ded2c339ada7fd SHA512 1b8bb0fe4eb93e31ec1770e90b94d44b5864c0391aad5dcba3a30d8e505d9b17107385414353c0060007f8a536254f49b8e919f36ddf6421a6e4330f817f1a3e
+DIST Python-3.13.0.tar.xz.sigstore 5067 BLAKE2B a774f8d3947bd114ea9cd8d028ba06d30a11385a5295d2f0535f507789e08697e290a920df23064add58496f3a8765aeb1ce3bad4e5548613e78e2b283852ff8 SHA512 6c9d99299ed3f1d221deca6e0a7abc9a89a7c87d2c74225c1175691b1c21ccc5d55da17d69dc9893f94d91deaf1870c1a2a4be0905fc2dbed16d34a4110e3ec2
 DIST Python-3.8.20.tar.xz 18962788 BLAKE2B 715c75e0c0a3d3b77af7f07478311bb0554b80aac72915be703aa2d0dd6459a972e5669808e64da14a0b91bb183e00655055c1726f302dc3ccd8721e3b4ae3e6 SHA512 3c9341ee1fd33cb687958dcf2b7c0c7700489726c4d530c3e9d9537d46a6ab534541a4b312232d8505bea395a07e4518c42d75fb7571103e6b266f8f44115c61
 DIST Python-3.8.20.tar.xz.asc 833 BLAKE2B 5c86c15a1090b42e42bb7512565b1a7ad9d2137d59e9fd1ab0f83fdfc37dfcf184389418d6703db809e9c8c04a169af292665a2b58bf5dc61b7724ecbb4132d9 SHA512 a751ae0407a593d97acac4d5f8a0456580c753efa12a7d960125c219b4897fdb26fc1ffd43d8ea33ad1449162dd3b2904c16b6c51c57561ba73de3ffa62e0eed
 DIST Python-3.9.20.tar.xz 19648968 BLAKE2B 80a337ff406130599b8320068d11bc275d23473cedd7c85fcb9e40134f0f2d533be6e712139e788a6423cdc74cea938f306aa37c2a5099e3051f3e390159279c SHA512 c828f33edf1704e3149499d6d34e89264cb5cdb2b09ff05561641b359716d7996f0fe928629e09f006b1fd7850fdaf937275919c7fdd83f5efc32707c64d814b
diff --git a/dev-lang/python/python-3.13.0.ebuild b/dev-lang/python/python-3.13.0.ebuild
index 9216c5683e4c..c2b8106373ab 100644
--- a/dev-lang/python/python-3.13.0.ebuild
+++ b/dev-lang/python/python-3.13.0.ebuild
@@ -25,7 +25,7 @@ SRC_URI="
 	https://www.python.org/ftp/python/${PV%%_*}/${MY_P}.tar.xz
 	https://dev.gentoo.org/~mgorny/dist/python/${PATCHSET}.tar.xz
 	verify-sig? (
-		https://www.python.org/ftp/python/${PV%%_*}/${MY_P}.tar.xz.asc
+		https://www.python.org/ftp/python/${PV%%_*}/${MY_P}.tar.xz.sigstore
 	)
 "
 S="${WORKDIR}/${MY_P}"
@@ -105,7 +105,9 @@ if [[ ${PV} != *_alpha* ]]; then
 	"
 fi
 
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/python.org.asc
+VERIFY_SIG_METHOD=sigstore
+VERIFY_SIG_CERT_IDENTITY=thomas@python.org
+VERIFY_SIG_CERT_OIDC_ISSUER=https://accounts.google.com
 
 # large file tests involve a 2.5G file being copied (duplicated)
 CHECKREQS_DISK_BUILD=5500M
@@ -150,7 +152,7 @@ pkg_setup() {
 
 src_unpack() {
 	if use verify-sig; then
-		verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.xz{,.asc}
+		verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.xz{,.sigstore}
 	fi
 	default
 }
-- 
2.47.0