* [gentoo-dev] [PATCH 0/5] verify-sig.eclass: sigstore support
From: Michał Górny @ 2024-10-12 18:52 UTC
To: gentoo-dev; +Cc: Michał Górny
Hi,
dev-python/sigstore is yet another NIH signature verification tool.
Python is planning to use it exclusively starting with Python 3.14.
It uses some fancy PKI-like infrastructure backed by OAuth against
some popular providers (read: now Google and Microsoft will hold keys
used to sign Python releases).
This patch set adds:
1. A package to install up-to-date root certificates for sigstore.
It also has a test phase that can be used to verify if we need
to wrap up a new version.
2. verify-sig support for verifying detached signatures against it.
No other kinds of signatures are implemented, and I have no clue
if they are supported at all.
3. An example Python 3.13.0 patch to use it. That said, I don't think
we will actually use it for existing versions, just when there are
no PGP signatures anymore.
Michał Górny (5):
sec-keys/sigstore-trusted-root: New package, v0_p20241010
verify-sig.eclass: Refactor code to use extra_args for all types
verify-sig.eclass: Error out on invalid method+function combos
verify-sig.eclass: Add support for verifying sigstore signatures
dev-lang/python: Use sigstore in 3.13.0 (example)
dev-lang/python/Manifest | 2 +-
dev-lang/python/python-3.13.0.ebuild | 8 +-
eclass/verify-sig.eclass | 74 +++++++++++++++++--
sec-keys/sigstore-trusted-root/Manifest | 2 +
sec-keys/sigstore-trusted-root/metadata.xml | 8 ++
.../sigstore-trusted-root-0_p20241010.ebuild | 54 ++++++++++++++
6 files changed, 136 insertions(+), 12 deletions(-)
create mode 100644 sec-keys/sigstore-trusted-root/Manifest
create mode 100644 sec-keys/sigstore-trusted-root/metadata.xml
create mode 100644 sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild
--
2.47.0
* [gentoo-dev] [PATCH 1/5] sec-keys/sigstore-trusted-root: New package, v0_p20241010
From: Michał Górny @ 2024-10-12 18:52 UTC
To: gentoo-dev; +Cc: Michał Górny
New package installing trusted_root.json for dev-python/sigstore,
to verify signatures. Includes a test phase to verify if our root
is up-to-date.
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
sec-keys/sigstore-trusted-root/Manifest | 2 +
sec-keys/sigstore-trusted-root/metadata.xml | 8 +++
.../sigstore-trusted-root-0_p20241010.ebuild | 54 +++++++++++++++++++
3 files changed, 64 insertions(+)
create mode 100644 sec-keys/sigstore-trusted-root/Manifest
create mode 100644 sec-keys/sigstore-trusted-root/metadata.xml
create mode 100644 sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild
diff --git a/sec-keys/sigstore-trusted-root/Manifest b/sec-keys/sigstore-trusted-root/Manifest
new file mode 100644
index 000000000000..cb7c8da2676e
--- /dev/null
+++ b/sec-keys/sigstore-trusted-root/Manifest
@@ -0,0 +1,2 @@
+DIST Python-3.13.0.tar.xz.sigstore 5067 BLAKE2B a774f8d3947bd114ea9cd8d028ba06d30a11385a5295d2f0535f507789e08697e290a920df23064add58496f3a8765aeb1ce3bad4e5548613e78e2b283852ff8 SHA512 6c9d99299ed3f1d221deca6e0a7abc9a89a7c87d2c74225c1175691b1c21ccc5d55da17d69dc9893f94d91deaf1870c1a2a4be0905fc2dbed16d34a4110e3ec2
+DIST sigstore-trusted-root-0_p20241010.tar.xz 7984 BLAKE2B 4d6c6e043e116e9830dc2f9a0a3c0f1333f5044b0ba40e52d3790c6d220415c4b525ebc5592cee31266dace637fb8417ec5768b7370928e0f705f0f03f5bc080 SHA512 784c3bb95b9112bb64d5e8132dee8ee32bcc2e2953d8fd77b1bfca6f1172771f1ee0609b9f80e6e592cccf5205ed73c7584ef6b6e31c8531978c7f1b48a816fa
diff --git a/sec-keys/sigstore-trusted-root/metadata.xml b/sec-keys/sigstore-trusted-root/metadata.xml
new file mode 100644
index 000000000000..076793e3f54b
--- /dev/null
+++ b/sec-keys/sigstore-trusted-root/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="person">
+ <email>mgorny@gentoo.org</email>
+ <name>Michał Górny</name>
+ </maintainer>
+</pkgmetadata>
diff --git a/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild b/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild
new file mode 100644
index 000000000000..99355d7005a1
--- /dev/null
+++ b/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild
@@ -0,0 +1,54 @@
+# Copyright 2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="trusted-root.json for dev-python/sigstore"
+HOMEPAGE="https://www.sigstore.dev/"
+SRC_URI="
+ https://dev.gentoo.org/~mgorny/dist/${P}.tar.xz
+ test? (
+ https://www.python.org/ftp/python/3.13.0/Python-3.13.0.tar.xz.sigstore
+ )
+"
+S=${WORKDIR}
+
+LICENSE="public-domain"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE="test"
+PROPERTIES="test_network"
+RESTRICT="test"
+
+BDEPEND="
+ test? (
+ dev-python/sigstore
+ sys-apps/diffutils
+ )
+"
+
+src_test() {
+ local common_args=(
+ --bundle "${DISTDIR}"/Python-3.13.0.tar.xz.sigstore
+ --cert-identity thomas@python.org
+ --cert-oidc-issuer https://accounts.google.com
+ sha256:086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d
+ )
+
+ cp -r "${WORKDIR}"/{.cache,.local} "${HOME}"/ || die
+ einfo "Attempting offline verification ..."
+ sigstore verify identity --offline "${common_args[@]}" ||
+ die "Verification failed with extracted trust root"
+ einfo "Attempting online verification ..."
+ sigstore verify identity "${common_args[@]}" ||
+ die "Verification failed in online mode"
+
+ # check if anything needs updating
+ diff -ur "${WORKDIR}" "${HOME}" ||
+ die "Changes found, need to wrap up a new package"
+}
+
+src_install() {
+ insinto /usr/share/sigstore-gentoo
+ doins -r .cache .local
+}
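Review bot: `diff -ur "${WORKDIR}" "${HOME}"` at the end of src_test compares the whole build home against the whole work directory, so any unrelated file that the sigstore CLI (or anything else) drops into ${HOME}, or anything in ${WORKDIR} other than .cache and .local, fails the test with the misleading "Changes found" message; diff only the two directories that were copied, e.g. `diff -ur "${WORKDIR}"/.cache "${HOME}"/.cache && diff -ur "${WORKDIR}"/.local "${HOME}"/.local`. The bare `sha256:...` entry in common_args is also unexplained; a comment saying which artifact's digest it is and why the digest stands in for the file would help whoever does the next bump. Minor: DESCRIPTION says trusted-root.json while the commit message says trusted_root.json.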
--
2.47.0
* [gentoo-dev] [PATCH 2/5] verify-sig.eclass: Refactor code to use extra_args for all types
From: Michał Górny @ 2024-10-12 18:52 UTC
To: gentoo-dev; +Cc: Michał Górny
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
eclass/verify-sig.eclass | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index b74ed78290aa..d601c7838a00 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -132,7 +132,6 @@ verify-sig_verify_detached() {
fi
local extra_args=()
- [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
if [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]]; then
[[ ${VERIFY_SIG_METHOD} == openpgp ]] ||
die "${FUNCNAME}: VERIFY_SIG_OPENPGP_KEYSERVER is not supported"
@@ -152,10 +151,15 @@ verify-sig_verify_detached() {
einfo "Verifying $(unknown) ..."
case ${VERIFY_SIG_METHOD} in
minisig)
- minisign -V -P "$(<"${key}")" -x "${sig}" -m "${file}" ||
+ minisign "${extra_args[@]}" \
+ -V -P "$(<"${key}")" -x "${sig}" -m "${file}" ||
die "minisig signature verification failed"
;;
openpgp)
+ if [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} != yes ]]; then
+ extra_args+=( -R )
+ fi
+
# gpg can't handle very long TMPDIR
# https://bugs.gentoo.org/854492
local -x TMPDIR=/tmp
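Review bot: the minisign (and, below, signify) invocations now receive "${extra_args[@]}", but after moving -R into the openpgp branch the only other code in this function that touches extra_args is the VERIFY_SIG_OPENPGP_KEYSERVER block, which dies unless the method is openpgp, so the array is always empty for the non-openpgp tools and the change is behaviour-preserving. A one-line comment above `local extra_args=()` saying that it is filled per method inside the case would make that intent clear to the next reader, and the commit message should say why the refactor is wanted (presumably a method that needs its own flags).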
@@ -165,7 +169,8 @@ verify-sig_verify_detached() {
die "PGP signature verification failed"
;;
signify)
- signify -V -p "${key}" -m "${file}" -x "${sig}" ||
+ signify "${extra_args[@]}" \
+ -V -p "${key}" -m "${file}" -x "${sig}" ||
die "Signify signature verification failed"
;;
esac
--
2.47.0
* [gentoo-dev] [PATCH 3/5] verify-sig.eclass: Error out on invalid method+function combos
From: Michał Górny @ 2024-10-12 18:52 UTC
To: gentoo-dev; +Cc: Michał Górny
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
eclass/verify-sig.eclass | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index d601c7838a00..9886e3352db7 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -173,6 +173,9 @@ verify-sig_verify_detached() {
-V -p "${key}" -m "${file}" -x "${sig}" ||
die "Signify signature verification failed"
;;
+ *)
+ die "${FUNCNAME} not supported with ${VERIFY_SIG_METHOD}"
+ ;;
esac
}
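Review bot: the new fallback `die "${FUNCNAME} not supported with ${VERIFY_SIG_METHOD}"` is the right thing to add (a method that only implements some of the verify functions would otherwise fall through silently), but its wording differs from the other diagnostics in this eclass, which use a colon after the function name and quote the offending value (`"${FUNCNAME}: VERIFY_SIG_OPENPGP_KEYSERVER is not supported"`, `"${ECLASS}: unknown method '${VERIFY_SIG_METHOD}'"`); `die "${FUNCNAME}: not supported with method '${VERIFY_SIG_METHOD}'"` would match, here and in the two hunks below.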
@@ -234,6 +237,9 @@ verify-sig_verify_message() {
signify -V -e -p "${key}" -m "${output_file}" -x "${file}" ||
die "Signify signature verification failed"
;;
+ *)
+ die "${FUNCNAME} not supported with ${VERIFY_SIG_METHOD}"
+ ;;
esac
}
@@ -367,6 +373,9 @@ verify-sig_verify_signed_checksums() {
-x "${checksum_file}" "${files[@]}" ||
die "Signify signature verification failed"
;;
+ *)
+ die "${FUNCNAME} not supported with ${VERIFY_SIG_METHOD}"
+ ;;
esac
}
--
2.47.0
* [gentoo-dev] [PATCH 4/5] verify-sig.eclass: Add support for verifying sigstore signatures
From: Michał Górny @ 2024-10-12 18:52 UTC
To: gentoo-dev; +Cc: Michał Górny
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
eclass/verify-sig.eclass | 54 ++++++++++++++++++++++++++++++++++++----
1 file changed, 49 insertions(+), 5 deletions(-)
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 9886e3352db7..f97c4a276865 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -57,6 +57,7 @@ IUSE="verify-sig"
#
# - minisig -- verify signatures with (base64) Ed25519 public key using app-crypt/minisign
# - openpgp -- verify PGP signatures using app-crypt/gnupg (the default)
+# - sigstore -- verifsy signatures using dev-python/sigstore
# - signify -- verify signatures with Ed25519 public key using app-crypt/signify
: "${VERIFY_SIG_METHOD:=openpgp}"
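Review bot: typo in the new method list, `verifsy` should be `verify`.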
@@ -75,6 +76,14 @@ case ${VERIFY_SIG_METHOD} in
signify)
BDEPEND="verify-sig? ( app-crypt/signify )"
;;
+ sigstore)
+ BDEPEND="
+ verify-sig? (
+ dev-python/sigstore
+ sec-keys/sigstore-trusted-root
+ )
+ "
+ ;;
*)
die "${ECLASS}: unknown method '${VERIFY_SIG_METHOD}'"
;;
@@ -89,8 +98,19 @@ esac
#
# The value of BROOT will be prepended to this path automatically.
#
-# NB: this variable is also used for non-OpenPGP signatures. The name
-# contains "OPENPGP" for historical reasons.
+# This variable is also used for non-OpenPGP signatures. The name
+# contains "OPENPGP" for historical reasons. It is not used
+# for sigstore, since it uses a single trusted root.
+
+# @ECLASS_VARIABLE: VERIFY_SIG_CERT_IDENTITY
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# --cert-identity passed to sigstore invocation.
+
+# @ECLASS_VARIABLE: VERIFY_SIG_CERT_OIDC_ISSUER
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# --cert-oidc-issuer passed to sigstore invocation.
# @ECLASS_VARIABLE: VERIFY_SIG_OPENPGP_KEYSERVER
# @DEFAULT_UNSET
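Review bot: the @DESCRIPTION for VERIFY_SIG_CERT_IDENTITY and VERIFY_SIG_CERT_OIDC_ISSUER should say that both are mandatory when VERIFY_SIG_METHOD=sigstore (verify-sig_verify_detached dies without them) and what they mean, i.e. the identity the signing certificate must carry and the OIDC issuer that authenticated it; "passed to sigstore invocation" alone does not tell an ebuild author what to put there. The note added to VERIFY_SIG_OPENPGP_KEY_PATH should likewise say that setting it (or passing a key) with sigstore is an error rather than merely unused, since the verify function now dies on it.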
@@ -108,7 +128,7 @@ esac
# in make.conf to enable. Note that this requires working Internet
# connection.
#
-# Supported for OpenPGP only.
+# Supported for OpenPGP and sigstore.
: "${VERIFY_SIG_OPENPGP_KEY_REFRESH:=no}"
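Review bot: with this change VERIFY_SIG_OPENPGP_KEY_REFRESH=yes also selects sigstore's online mode (the sigstore branch drops --offline when it is set), which is a different thing from refreshing OpenPGP keys and is not something a user will look for under an OPENPGP-named variable; spell it out here, e.g. "For sigstore, yes runs the tool without --offline so it can refresh its trust root over the network", so the existing "requires working Internet connection" sentence visibly applies to both.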
# @FUNCTION: verify-sig_verify_detached
@@ -123,7 +143,17 @@ verify-sig_verify_detached() {
local sig=${2}
local key=${3}
- if [[ -z ${key} ]]; then
+ if [[ ${VERIFY_SIG_METHOD} == sigstore ]]; then
+ if [[ -n ${key:-${VERIFY_SIG_OPENPGP_KEY_PATH}} ]]; then
+ die "${FUNCNAME}: key unexpectedly specified for sigstore"
+ fi
+ if [[ -z ${VERIFY_SIG_CERT_IDENTITY} ]]; then
+ die "${FUNCNAME}: VERIFY_SIG_CERT_IDENTITY must be specified for sigstore"
+ fi
+ if [[ -z ${VERIFY_SIG_CERT_OIDC_ISSUER} ]]; then
+ die "${FUNCNAME}: VERIFY_SIG_CERT_OIDC_ISSUER must be specified for sigstore"
+ fi
+ elif [[ -z ${key} ]]; then
if [[ -z ${VERIFY_SIG_OPENPGP_KEY_PATH} ]]; then
die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
else
@@ -173,6 +203,20 @@ verify-sig_verify_detached() {
-V -p "${key}" -m "${file}" -x "${sig}" ||
die "Signify signature verification failed"
;;
+ sigstore)
+ if [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} != yes ]]; then
+ extra_args+=( --offline )
+ fi
+
+ cp -r "${BROOT}"/usr/share/sigstore-gentoo/{.cache,.local} \
+ "${HOME}"/ || die
+ sigstore verify identity "${extra_args[@]}" \
+ --bundle "${sig}" \
+ --cert-identity "${VERIFY_SIG_CERT_IDENTITY}" \
+ --cert-oidc-issuer "${VERIFY_SIG_CERT_OIDC_ISSUER}" \
+ "${file}" ||
+ die "Sigstore signature verification failed"
+ ;;
*)
die "${FUNCNAME} not supported with ${VERIFY_SIG_METHOD}"
;;
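Review bot: the `cp -r` of the packaged trust root into ${HOME} runs on every call of verify-sig_verify_detached, and verify-sig_src_unpack calls it once per signed distfile, so multi-distfile ebuilds copy the same tree repeatedly and, in online mode, overwrite a cache the previous call may just have refreshed; guard it with `[[ -d ${HOME}/.cache ]] ||` (or do the copy once in verify-sig_src_unpack) so the copy happens a single time per build. A comment next to `--offline` saying that it keeps verification independent of the network in the default configuration would also help, since that is the reason the default differs from the tool's own.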
@@ -394,7 +438,7 @@ verify-sig_src_unpack() {
# find all distfiles and signatures, and combine them
for f in ${A}; do
found=
- for suffix in .asc .sig .minisig; do
+ for suffix in .asc .sig .minisig .sigstore; do
if [[ ${f} == *${suffix} ]]; then
signatures+=( "${f}" )
found=sig
--
2.47.0
* [gentoo-dev] [PATCH 5/5] dev-lang/python: Use sigstore in 3.13.0 (example)
From: Michał Górny @ 2024-10-12 18:52 UTC
To: gentoo-dev; +Cc: Michał Górny
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
dev-lang/python/Manifest | 2 +-
dev-lang/python/python-3.13.0.ebuild | 8 +++++---
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/dev-lang/python/Manifest b/dev-lang/python/Manifest
index daddb0dad1f4..7663f0072d2a 100644
--- a/dev-lang/python/Manifest
+++ b/dev-lang/python/Manifest
@@ -9,7 +9,7 @@ DIST Python-3.12.6.tar.xz.asc 963 BLAKE2B d5f9e4c5053610a1a53769278e69d8a25e2fb0
DIST Python-3.12.7.tar.xz 20444032 BLAKE2B eed8744261cab3b401963ec5187a8b814adb9a18f8d0a6a3d59c027a83cf8408524af9b20204b0a0861d173cc33c45ae37bb1542a1ace3344dc59c649087ff1f SHA512 4a363d3f852ad8f4fd1484aa4cec35494a3811be48ef67fadb2bdf2e2489ed07dc78fad6ab475257db503ddd64d39f9800f23a1c94b6bbd15b7f632cff0c90ae
DIST Python-3.12.7.tar.xz.asc 963 BLAKE2B 8c7db3d1971d93a10c611a2e6dd3679d0b331b48df87b5fe410b089061e48753d98af67084d4f051a31ae803fce3aa3c7af7cba9c692640f50068bd1e46f40e6 SHA512 4d0a7a0da2c81888e93d8ff89ca2ed4bb85a7b0bd00f0d54a14e2c201affac2677ef3984d2b5aea253e624f6465548d9032eefdd9033c1eb3864d82cfd8d3df0
DIST Python-3.13.0.tar.xz 22532980 BLAKE2B 4a4e397199402de8c9fe8e4d63443ed972cbe8a4f541743908d699c7987127d159d600fd14145b6a946e8671426279d230c9155fdc5863c1e49a945eedcbf21b SHA512 44a143c9b96b55b01885ec020c3364265bda55289615cd7d5071915b0d0178a6f35e7551a89090001fcb7f3172d38177a56bf8b8532b15c9dbc50295c9210152
-DIST Python-3.13.0.tar.xz.asc 963 BLAKE2B d05f02692a9fea42b73dbfe5dc42bd6533555e5ecb848510d2b94bb7f0e55d4a0f89bcd20b073ed2c7f7a68be35b12cb6dbff6bc16fc9a4592ded2c339ada7fd SHA512 1b8bb0fe4eb93e31ec1770e90b94d44b5864c0391aad5dcba3a30d8e505d9b17107385414353c0060007f8a536254f49b8e919f36ddf6421a6e4330f817f1a3e
+DIST Python-3.13.0.tar.xz.sigstore 5067 BLAKE2B a774f8d3947bd114ea9cd8d028ba06d30a11385a5295d2f0535f507789e08697e290a920df23064add58496f3a8765aeb1ce3bad4e5548613e78e2b283852ff8 SHA512 6c9d99299ed3f1d221deca6e0a7abc9a89a7c87d2c74225c1175691b1c21ccc5d55da17d69dc9893f94d91deaf1870c1a2a4be0905fc2dbed16d34a4110e3ec2
DIST Python-3.8.20.tar.xz 18962788 BLAKE2B 715c75e0c0a3d3b77af7f07478311bb0554b80aac72915be703aa2d0dd6459a972e5669808e64da14a0b91bb183e00655055c1726f302dc3ccd8721e3b4ae3e6 SHA512 3c9341ee1fd33cb687958dcf2b7c0c7700489726c4d530c3e9d9537d46a6ab534541a4b312232d8505bea395a07e4518c42d75fb7571103e6b266f8f44115c61
DIST Python-3.8.20.tar.xz.asc 833 BLAKE2B 5c86c15a1090b42e42bb7512565b1a7ad9d2137d59e9fd1ab0f83fdfc37dfcf184389418d6703db809e9c8c04a169af292665a2b58bf5dc61b7724ecbb4132d9 SHA512 a751ae0407a593d97acac4d5f8a0456580c753efa12a7d960125c219b4897fdb26fc1ffd43d8ea33ad1449162dd3b2904c16b6c51c57561ba73de3ffa62e0eed
DIST Python-3.9.20.tar.xz 19648968 BLAKE2B 80a337ff406130599b8320068d11bc275d23473cedd7c85fcb9e40134f0f2d533be6e712139e788a6423cdc74cea938f306aa37c2a5099e3051f3e390159279c SHA512 c828f33edf1704e3149499d6d34e89264cb5cdb2b09ff05561641b359716d7996f0fe928629e09f006b1fd7850fdaf937275919c7fdd83f5efc32707c64d814b
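Review bot: the new Python-3.13.0.tar.xz.sigstore entry must carry the same size and digests as the entry for the same distfile in sec-keys/sigstore-trusted-root/Manifest (patch 1/5), otherwise whichever package is fetched second fails its Manifest check; the two entries in this series do match, but a comment in the commit message that the file is shared with the test fixture of sigstore-trusted-root would save the next bump from diverging them.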
diff --git a/dev-lang/python/python-3.13.0.ebuild b/dev-lang/python/python-3.13.0.ebuild
index 9216c5683e4c..c2b8106373ab 100644
--- a/dev-lang/python/python-3.13.0.ebuild
+++ b/dev-lang/python/python-3.13.0.ebuild
@@ -25,7 +25,7 @@ SRC_URI="
https://www.python.org/ftp/python/${PV%%_*}/${MY_P}.tar.xz
https://dev.gentoo.org/~mgorny/dist/python/${PATCHSET}.tar.xz
verify-sig? (
- https://www.python.org/ftp/python/${PV%%_*}/${MY_P}.tar.xz.asc
+ https://www.python.org/ftp/python/${PV%%_*}/${MY_P}.tar.xz.sigstore
)
"
S="${WORKDIR}/${MY_P}"
@@ -105,7 +105,9 @@ if [[ ${PV} != *_alpha* ]]; then
"
fi
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/python.org.asc
+VERIFY_SIG_METHOD=sigstore
+VERIFY_SIG_CERT_IDENTITY=thomas@python.org
+VERIFY_SIG_CERT_OIDC_ISSUER=https://accounts.google.com
# large file tests involve a 2.5G file being copied (duplicated)
CHECKREQS_DISK_BUILD=5500M
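Review bot: VERIFY_SIG_METHOD=sigstore is assigned here, around line 108 of the ebuild, but the eclass reads the variable at inherit time: `: "${VERIFY_SIG_METHOD:=openpgp}"` and the `case ${VERIFY_SIG_METHOD} in` that sets BDEPEND are top-level eclass code (patch 4/5, eclass lines 62 and 75). With inherit at the top of the ebuild, as in the usual layout, this hunk leaves BDEPEND at the openpgp default rather than dev-python/sigstore and sec-keys/sigstore-trusted-root, while src_unpack then runs the sigstore branch and expects the tool and trust root to be installed. Move `VERIFY_SIG_METHOD=sigstore` above the inherit line; VERIFY_SIG_CERT_IDENTITY and VERIFY_SIG_CERT_OIDC_ISSUER can stay here since they are only read inside verify-sig_verify_detached.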
@@ -150,7 +152,7 @@ pkg_setup() {
src_unpack() {
if use verify-sig; then
- verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.xz{,.asc}
+ verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.xz{,.sigstore}
fi
default
}
--
2.47.0