From: Michał Górny
To: gentoo-dev@lists.gentoo.org
Cc: Michał Górny
Subject: [gentoo-dev] [PATCH 1/5] sec-keys/sigstore-trusted-root: New package, v0_p20241010
Date: Sat, 12 Oct 2024 20:52:02 +0200
Message-ID: <20241012185704.771370-2-mgorny@gentoo.org>
X-Mailer: git-send-email 2.47.0
In-Reply-To: <20241012185704.771370-1-mgorny@gentoo.org>
References: <20241012185704.771370-1-mgorny@gentoo.org>
List-Id: Gentoo Linux mail
Reply-to: gentoo-dev@lists.gentoo.org

New package installing trusted_root.json for dev-python/sigstore, to verify signatures. Includes a test phase to verify if our root is up-to-date.
Signed-off-by: Michał Górny --- sec-keys/sigstore-trusted-root/Manifest | 2 + sec-keys/sigstore-trusted-root/metadata.xml | 8 +++ .../sigstore-trusted-root-0_p20241010.ebuild | 54 +++++++++++++++++++ 3 files changed, 64 insertions(+) create mode 100644 sec-keys/sigstore-trusted-root/Manifest create mode 100644 sec-keys/sigstore-trusted-root/metadata.xml create mode 100644 sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild diff --git a/sec-keys/sigstore-trusted-root/Manifest b/sec-keys/sigstore-trusted-root/Manifest new file mode 100644 index 000000000000..cb7c8da2676e --- /dev/null +++ b/sec-keys/sigstore-trusted-root/Manifest @@ -0,0 +1,2 @@ +DIST Python-3.13.0.tar.xz.sigstore 5067 BLAKE2B a774f8d3947bd114ea9cd8d028ba06d30a11385a5295d2f0535f507789e08697e290a920df23064add58496f3a8765aeb1ce3bad4e5548613e78e2b283852ff8 SHA512 6c9d99299ed3f1d221deca6e0a7abc9a89a7c87d2c74225c1175691b1c21ccc5d55da17d69dc9893f94d91deaf1870c1a2a4be0905fc2dbed16d34a4110e3ec2 +DIST sigstore-trusted-root-0_p20241010.tar.xz 7984 BLAKE2B 4d6c6e043e116e9830dc2f9a0a3c0f1333f5044b0ba40e52d3790c6d220415c4b525ebc5592cee31266dace637fb8417ec5768b7370928e0f705f0f03f5bc080 SHA512 784c3bb95b9112bb64d5e8132dee8ee32bcc2e2953d8fd77b1bfca6f1172771f1ee0609b9f80e6e592cccf5205ed73c7584ef6b6e31c8531978c7f1b48a816fa diff --git a/sec-keys/sigstore-trusted-root/metadata.xml b/sec-keys/sigstore-trusted-root/metadata.xml new file mode 100644 index 000000000000..076793e3f54b --- /dev/null +++ b/sec-keys/sigstore-trusted-root/metadata.xml @@ -0,0 +1,8 @@ + + + + + mgorny@gentoo.org + Michał Górny + + diff --git a/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild b/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild new file mode 100644 index 000000000000..99355d7005a1 --- /dev/null +++ b/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild 
@@ -0,0 +1,54 @@ +# Copyright 2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +DESCRIPTION="trusted-root.json for dev-python/sigstore" +HOMEPAGE="https://www.sigstore.dev/" +SRC_URI=" + https://dev.gentoo.org/~mgorny/dist/${P}.tar.xz + test? ( + https://www.python.org/ftp/python/3.13.0/Python-3.13.0.tar.xz.sigstore + ) +" +S=${WORKDIR} + +LICENSE="public-domain" +SLOT="0" +KEYWORDS="~amd64" +IUSE="test" +PROPERTIES="test_network" +RESTRICT="test" + +BDEPEND=" + test? ( + dev-python/sigstore + sys-apps/diffutils + ) +" + +src_test() { + local common_args=( + --bundle "${DISTDIR}"/Python-3.13.0.tar.xz.sigstore + --cert-identity thomas@python.org + --cert-oidc-issuer https://accounts.google.com + sha256:086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d + ) + + cp -r "${WORKDIR}"/{.cache,.local} "${HOME}"/ || die + einfo "Attempting offline verification ..." + sigstore verify identity --offline "${common_args[@]}" || + die "Verification failed with extracted trust root" + einfo "Attempting online verification ..." + sigstore verify identity "${common_args[@]}" || + die "Verification failed in online mode" + + # check if anything needs updating + diff -ur "${WORKDIR}" "${HOME}" || + die "Changes found, need to wrap up a new package" +} + +src_install() { + insinto /usr/share/sigstore-gentoo + doins -r .cache .local +} -- 2.47.0
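Review bot: the Manifest's DIST sigstore-trusted-root-0_p20241010.tar.xz entry pins a tarball served from https://dev.gentoo.org/~mgorny/dist/, but nothing in the patch records how its .cache and .local trees were produced, so another developer cannot re-roll the distfile or independently confirm that it matches what a fresh sigstore-python client fetches. Suggest a short comment in the ebuild (or a README inside the tarball) giving the exact steps used to populate the two trees, so the snapshot is reproducible rather than a personal artefact that is only checked by hash.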
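Review bot: in src_test the packaged .cache and .local trees are copied into "${HOME}" before the online run, so the "online" verification refreshes TUF metadata starting from the packaged root rather than from sigstore-python's own embedded bootstrap root; it therefore shows that the packaged metadata can be refreshed from upstream, not that a client starting from the embedded root arrives at the same trust root. If the latter is the intent, run the online `sigstore verify identity "${common_args[@]}"` against an empty HOME first and only then diff against "${WORKDIR}". Two smaller points in the same function: `diff -ur "${WORKDIR}" "${HOME}"` compares the whole home directory, so any unrelated dotfile written there during the test trips the die; limiting the diff to the two copied subtrees avoids that false positive. And the bare `sha256:086de588...` positional argument is the digest of Python-3.13.0.tar.xz, which is never downloaded (only the .sigstore bundle is in SRC_URI); a one-line comment saying so would save the next reader from looking for a missing distfile.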