From: "Michał Górny" <mgorny@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Cc: "Michał Górny" <mgorny@gentoo.org>
Subject: [gentoo-dev] [PATCH 4/5] verify-sig.eclass: Add support for verifying sigstore signatures
Date: Sat, 12 Oct 2024 20:52:05 +0200	[thread overview]
Message-ID: <20241012185704.771370-5-mgorny@gentoo.org> (raw)
In-Reply-To: <20241012185704.771370-1-mgorny@gentoo.org>

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 eclass/verify-sig.eclass | 54 ++++++++++++++++++++++++++++++++++++----
 1 file changed, 49 insertions(+), 5 deletions(-)

diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 9886e3352db7..f97c4a276865 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -57,6 +57,7 @@ IUSE="verify-sig"
 #
 #  - minisig -- verify signatures with (base64) Ed25519 public key using app-crypt/minisign
 #  - openpgp -- verify PGP signatures using app-crypt/gnupg (the default)
+#  - sigstore -- verifsy signatures using dev-python/sigstore
 #  - signify -- verify signatures with Ed25519 public key using app-crypt/signify
 : "${VERIFY_SIG_METHOD:=openpgp}"
 
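Review bot: The new method list entry has a typo, `verifsy`; it should read `#  - sigstore -- verify signatures using dev-python/sigstore`, matching the neighbouring entries. Since this list is where readers learn the accepted VERIFY_SIG_METHOD values, it is also worth stating here that sigstore takes no key and instead requires VERIFY_SIG_CERT_IDENTITY and VERIFY_SIG_CERT_OIDC_ISSUER, as the validation added to verify-sig_verify_detached later in this patch enforces.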
@@ -75,6 +76,14 @@ case ${VERIFY_SIG_METHOD} in
 	signify)
 		BDEPEND="verify-sig? ( app-crypt/signify )"
 		;;
+	sigstore)
+		BDEPEND="
+			verify-sig? (
+				dev-python/sigstore
+				sec-keys/sigstore-trusted-root
+			)
+		"
+		;;
 	*)
 		die "${ECLASS}: unknown method '${VERIFY_SIG_METHOD}'"
 		;;
@@ -89,8 +98,19 @@ esac
 #
 # The value of BROOT will be prepended to this path automatically.
 #
-# NB: this variable is also used for non-OpenPGP signatures.  The name
-# contains "OPENPGP" for historical reasons.
+# This variable is also used for non-OpenPGP signatures.  The name
+# contains "OPENPGP" for historical reasons.  It is not used
+# for sigstore, since it uses a single trusted root.
+
+# @ECLASS_VARIABLE: VERIFY_SIG_CERT_IDENTITY
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# --cert-identity passed to sigstore invocation.
+
+# @ECLASS_VARIABLE: VERIFY_SIG_CERT_OIDC_ISSUER
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# --cert-oidc-issuer passed to sigstore invocation.
 
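Review bot: The reworded paragraph says VERIFY_SIG_OPENPGP_KEY_PATH "is not used" for sigstore, but the check added to verify-sig_verify_detached later in this patch dies when it is set together with the sigstore method, so the description understates the contract; `# It must be left unset for sigstore, which uses a single trusted root.` would match the code. The two new variables are documented only as flags passed through; both are required when VERIFY_SIG_METHOD=sigstore (the function dies otherwise), so each @DESCRIPTION should say so, e.g. `# --cert-identity passed to sigstore invocation.  Required for sigstore.` and the same for `--cert-oidc-issuer`.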
 # @ECLASS_VARIABLE: VERIFY_SIG_OPENPGP_KEYSERVER
 # @DEFAULT_UNSET
@@ -108,7 +128,7 @@ esac
 # in make.conf to enable.  Note that this requires working Internet
 # connection.
 #
-# Supported for OpenPGP only.
+# Supported for OpenPGP and sigstore.
 : "${VERIFY_SIG_OPENPGP_KEY_REFRESH:=no}"
 
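Review bot: `# Supported for OpenPGP and sigstore.` leaves the sigstore meaning of VERIFY_SIG_OPENPGP_KEY_REFRESH implicit; the sigstore branch added below only passes `--offline` when this variable is not `yes`. Suggest spelling that out in the description: `# For sigstore, enabling this omits --offline from the sigstore invocation.` Someone auditing what a build may fetch over the network should be able to see that from the variable's documentation rather than from the case branch.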
 # @FUNCTION: verify-sig_verify_detached
@@ -123,7 +143,17 @@ verify-sig_verify_detached() {
 	local sig=${2}
 	local key=${3}
 
-	if [[ -z ${key} ]]; then
+	if [[ ${VERIFY_SIG_METHOD} == sigstore ]]; then
+		if [[ -n ${key:-${VERIFY_SIG_OPENPGP_KEY_PATH}} ]]; then
+			die "${FUNCNAME}: key unexpectedly specified for sigstore"
+		fi
+		if [[ -z ${VERIFY_SIG_CERT_IDENTITY} ]]; then
+			die "${FUNCNAME}: VERIFY_SIG_CERT_IDENTITY must be specified for sigstore"
+		fi
+		if [[ -z ${VERIFY_SIG_CERT_OIDC_ISSUER} ]]; then
+			die "${FUNCNAME}: VERIFY_SIG_CERT_OIDC_ISSUER must be specified for sigstore"
+		fi
+	elif [[ -z ${key} ]]; then
 		if [[ -z ${VERIFY_SIG_OPENPGP_KEY_PATH} ]]; then
 			die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
 		else
@@ -173,6 +203,20 @@ verify-sig_verify_detached() {
 				-V -p "${key}" -m "${file}" -x "${sig}" ||
 				die "Signify signature verification failed"
 			;;
+		sigstore)
+			if [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} != yes ]]; then
+				extra_args+=( --offline )
+			fi
+
+			cp -r "${BROOT}"/usr/share/sigstore-gentoo/{.cache,.local} \
+				"${HOME}"/ || die
+			sigstore verify identity "${extra_args[@]}" \
+				--bundle "${sig}" \
+				--cert-identity "${VERIFY_SIG_CERT_IDENTITY}" \
+				--cert-oidc-issuer "${VERIFY_SIG_CERT_OIDC_ISSUER}" \
+				"${file}" ||
+				die "Sigstore signature verification failed"
+			;;
 		*)
 			die "${FUNCNAME} not supported with ${VERIFY_SIG_METHOD}"
 			;;
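Review bot: The `cp -r` of `.cache` and `.local` from `${BROOT}/usr/share/sigstore-gentoo` into `${HOME}` carries no comment, yet it is the step that establishes the trust root for the whole verification, and `cp -r` merges into an existing `${HOME}/.cache` or `${HOME}/.local` rather than replacing it, so anything already present there is retained alongside the packaged data. A comment such as `# seed sigstore's per-user trust root from sec-keys/sigstore-trusted-root; with --offline this is the only root consulted` belongs above the copy (the --offline part holds whenever VERIFY_SIG_OPENPGP_KEY_REFRESH != yes; that sigstore reads these directories from HOME is inferred from the copy, not visible here). If dev-python/sigstore offers an option to point at a trust root or trust configuration file directly, that would be preferable to populating HOME implicitly. The enclosing verify-sig_verify_detached function begins outside this hunk.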
@@ -394,7 +438,7 @@ verify-sig_src_unpack() {
 		# find all distfiles and signatures, and combine them
 		for f in ${A}; do
 			found=
-			for suffix in .asc .sig .minisig; do
+			for suffix in .asc .sig .minisig .sigstore; do
 				if [[ ${f} == *${suffix} ]]; then
 					signatures+=( "${f}" )
 					found=sig
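Review bot: Adding `.sigstore` to the suffix list only pairs bundles named exactly `<distfile>.sigstore`; as I recall, recent sigstore-python releases write bundles as `<file>.sigstore.json` by default, so upstreams using that naming would be silently ignored here. If that is intended, a comment on the loop should say so; otherwise the list needs the second spelling too, `for suffix in .asc .sig .minisig .sigstore .sigstore.json; do`. How the suffix is stripped to find the matching distfile is outside this hunk, so I cannot confirm the pairing code handles a two-component suffix. verify-sig_src_unpack begins outside the hunk.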
-- 
2.47.0


