public inbox for gentoo-dev@lists.gentoo.org
From: "Michał Górny" <mgorny@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Cc: "Michał Górny" <mgorny@gentoo.org>
Subject: [gentoo-dev] [PATCH 1/5] sec-keys/sigstore-trusted-root: New package, v0_p20241010
Date: Sat, 12 Oct 2024 20:52:02 +0200
Message-ID: <20241012185704.771370-2-mgorny@gentoo.org>
In-Reply-To: <20241012185704.771370-1-mgorny@gentoo.org>

New package installing trusted_root.json for dev-python/sigstore,
to verify signatures.  Includes a test phase to verify if our root
is up-to-date.

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 sec-keys/sigstore-trusted-root/Manifest       |  2 +
 sec-keys/sigstore-trusted-root/metadata.xml   |  8 +++
 .../sigstore-trusted-root-0_p20241010.ebuild  | 54 +++++++++++++++++++
 3 files changed, 64 insertions(+)
 create mode 100644 sec-keys/sigstore-trusted-root/Manifest
 create mode 100644 sec-keys/sigstore-trusted-root/metadata.xml
 create mode 100644 sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild

diff --git a/sec-keys/sigstore-trusted-root/Manifest b/sec-keys/sigstore-trusted-root/Manifest
new file mode 100644
index 000000000000..cb7c8da2676e
--- /dev/null
+++ b/sec-keys/sigstore-trusted-root/Manifest
@@ -0,0 +1,2 @@
+DIST Python-3.13.0.tar.xz.sigstore 5067 BLAKE2B a774f8d3947bd114ea9cd8d028ba06d30a11385a5295d2f0535f507789e08697e290a920df23064add58496f3a8765aeb1ce3bad4e5548613e78e2b283852ff8 SHA512 6c9d99299ed3f1d221deca6e0a7abc9a89a7c87d2c74225c1175691b1c21ccc5d55da17d69dc9893f94d91deaf1870c1a2a4be0905fc2dbed16d34a4110e3ec2
+DIST sigstore-trusted-root-0_p20241010.tar.xz 7984 BLAKE2B 4d6c6e043e116e9830dc2f9a0a3c0f1333f5044b0ba40e52d3790c6d220415c4b525ebc5592cee31266dace637fb8417ec5768b7370928e0f705f0f03f5bc080 SHA512 784c3bb95b9112bb64d5e8132dee8ee32bcc2e2953d8fd77b1bfca6f1172771f1ee0609b9f80e6e592cccf5205ed73c7584ef6b6e31c8531978c7f1b48a816fa
diff --git a/sec-keys/sigstore-trusted-root/metadata.xml b/sec-keys/sigstore-trusted-root/metadata.xml
new file mode 100644
index 000000000000..076793e3f54b
--- /dev/null
+++ b/sec-keys/sigstore-trusted-root/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>mgorny@gentoo.org</email>
+		<name>Michał Górny</name>
+	</maintainer>
+</pkgmetadata>
diff --git a/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild b/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild
new file mode 100644
index 000000000000..99355d7005a1
--- /dev/null
+++ b/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild
@@ -0,0 +1,54 @@
+# Copyright 2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="trusted-root.json for dev-python/sigstore"
+HOMEPAGE="https://www.sigstore.dev/"
+SRC_URI="
+	https://dev.gentoo.org/~mgorny/dist/${P}.tar.xz
+	test? (
+		https://www.python.org/ftp/python/3.13.0/Python-3.13.0.tar.xz.sigstore
+	)
+"
+S=${WORKDIR}
+
+LICENSE="public-domain"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE="test"
+PROPERTIES="test_network"
+RESTRICT="test"
+
+BDEPEND="
+	test? (
+		dev-python/sigstore
+		sys-apps/diffutils
+	)
+"
+
+src_test() {
+	local common_args=(
+		--bundle "${DISTDIR}"/Python-3.13.0.tar.xz.sigstore
+		--cert-identity thomas@python.org
+		--cert-oidc-issuer https://accounts.google.com
+		sha256:086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d
+	)
+
+	cp -r "${WORKDIR}"/{.cache,.local} "${HOME}"/ || die
+	einfo "Attempting offline verification ..."
+	sigstore verify identity --offline "${common_args[@]}" ||
+		die "Verification failed with extracted trust root"
+	einfo "Attempting online verification ..."
+	sigstore verify identity "${common_args[@]}" ||
+		die "Verification failed in online mode"
+
+	# check if anything needs updating
+	diff -ur "${WORKDIR}" "${HOME}" ||
+		die "Changes found, need to wrap up a new package"
+}
+
+src_install() {
+	insinto /usr/share/sigstore-gentoo
+	doins -r .cache .local
+}
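Review bot: the final `diff -ur "${WORKDIR}" "${HOME}"` in src_test compares the two directories in full, so anything sigstore writes under `${HOME}` outside `.cache` and `.local`, or any extra file left in `${WORKDIR}`, will fail the test with "Changes found" even when the packaged trust root is still current; limiting the comparison to the two trees that src_install actually ships, e.g. `diff -ur "${WORKDIR}"/.cache "${HOME}"/.cache || die` followed by the same for `.local`, would make the up-to-date check reflect only the installed data. Minor naming point: `DESCRIPTION` calls the file `trusted-root.json` while the commit message says `trusted_root.json`; one spelling should be used in both.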
-- 
2.47.0


