From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 318C7158046 for ; Sat, 12 Oct 2024 18:58:18 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 1E3DE2BC04B; Sat, 12 Oct 2024 18:57:13 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id D221A2BC048 for ; Sat, 12 Oct 2024 18:57:12 +0000 (UTC) From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= To: gentoo-dev@lists.gentoo.org Cc: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= Subject: [gentoo-dev] [PATCH 4/5] verify-sig.eclass: Add support for verifying sigstore signatures Date: Sat, 12 Oct 2024 20:52:05 +0200 Message-ID: <20241012185704.771370-5-mgorny@gentoo.org> X-Mailer: git-send-email 2.47.0 In-Reply-To: <20241012185704.771370-1-mgorny@gentoo.org> References: <20241012185704.771370-1-mgorny@gentoo.org> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Archives-Salt: faccec5b-b3a7-4adc-9b51-be365c19f5b5 X-Archives-Hash: 5ac049c56b7a01aa120819f0b391bc8a Signed-off-by: Michał Górny --- eclass/verify-sig.eclass | 54 ++++++++++++++++++++++++++++++++++++---- 1 file changed, 49 insertions(+), 5 deletions(-) 
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 9886e3352db7..f97c4a276865 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -57,6 +57,7 @@ IUSE="verify-sig"
 #
 # - minisig -- verify signatures with (base64) Ed25519 public key using app-crypt/minisign
 # - openpgp -- verify PGP signatures using app-crypt/gnupg (the default)
+# - sigstore -- verifsy signatures using dev-python/sigstore
 # - signify -- verify signatures with Ed25519 public key using app-crypt/signify
 : "${VERIFY_SIG_METHOD:=openpgp}"
 
@@ -75,6 +76,14 @@ case ${VERIFY_SIG_METHOD} in
 signify)
 BDEPEND="verify-sig? ( app-crypt/signify )"
 ;;
+ sigstore)
+ BDEPEND="
+ verify-sig? (
+ dev-python/sigstore
+ sec-keys/sigstore-trusted-root
+ )
+ "
+ ;;
 *)
 die "${ECLASS}: unknown method '${VERIFY_SIG_METHOD}'"
 ;;
@@ -89,8 +98,19 @@ esac
 #
 # The value of BROOT will be prepended to this path automatically.
 #
-# NB: this variable is also used for non-OpenPGP signatures. The name
-# contains "OPENPGP" for historical reasons.
+# This variable is also used for non-OpenPGP signatures. The name
+# contains "OPENPGP" for historical reasons. It is not used
+# for sigstore, since it uses a single trusted root.
+
+# @ECLASS_VARIABLE: VERIFY_SIG_CERT_IDENTITY
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# --cert-identity passed to sigstore invocation.
+
+# @ECLASS_VARIABLE: VERIFY_SIG_CERT_OIDC_ISSUER
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# --cert-oidc-issuer passed to sigstore invocation.
 
 # @ECLASS_VARIABLE: VERIFY_SIG_OPENPGP_KEYSERVER
 # @DEFAULT_UNSET
@@ -108,7 +128,7 @@ esac
 # in make.conf to enable. Note that this requires working Internet
 # connection.
 #
-# Supported for OpenPGP only.
+# Supported for OpenPGP and sigstore.
 : "${VERIFY_SIG_OPENPGP_KEY_REFRESH:=no}"
 
 # @FUNCTION: verify-sig_verify_detached
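Review bot: The new entry in the VERIFY_SIG_METHOD list has a typo, `verifsy`; it should read `# - sigstore -- verify signatures using dev-python/sigstore`. The entry is also inserted out of the list's alphabetical order (signify sorts before sigstore), so moving it one line down keeps the list consistent with the surrounding entries.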
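Review bot: The @DESCRIPTION blocks for VERIFY_SIG_CERT_IDENTITY and VERIFY_SIG_CERT_OIDC_ISSUER only name the sigstore flag each value is passed as; they do not say what an ebuild must put there, nor that both are mandatory when VERIFY_SIG_METHOD=sigstore (verify-sig_verify_detached dies if either is empty). For the identity, suggest `# Expected identity of the signing certificate, passed as --cert-identity` / `# to sigstore.  Required when VERIFY_SIG_METHOD=sigstore.`; for the issuer, `# Expected OIDC issuer of the signing certificate, passed as` / `# --cert-oidc-issuer to sigstore.  Required when VERIFY_SIG_METHOD=sigstore.`. Since these two values are what pins the trusted signer for the whole verification, the description should make clear that an ebuild author is choosing who is allowed to sign, not merely a certificate format.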
@@ -123,7 +143,17 @@ verify-sig_verify_detached() {
 local sig=${2}
 local key=${3}
 
- if [[ -z ${key} ]]; then
+ if [[ ${VERIFY_SIG_METHOD} == sigstore ]]; then
+ if [[ -n ${key:-${VERIFY_SIG_OPENPGP_KEY_PATH}} ]]; then
+ die "${FUNCNAME}: key unexpectedly specified for sigstore"
+ fi
+ if [[ -z ${VERIFY_SIG_CERT_IDENTITY} ]]; then
+ die "${FUNCNAME}: VERIFY_SIG_CERT_IDENTITY must be specified for sigstore"
+ fi
+ if [[ -z ${VERIFY_SIG_CERT_OIDC_ISSUER} ]]; then
+ die "${FUNCNAME}: VERIFY_SIG_CERT_OIDC_ISSUER must be specified for sigstore"
+ fi
+ elif [[ -z ${key} ]]; then
 if [[ -z ${VERIFY_SIG_OPENPGP_KEY_PATH} ]]; then
 die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
 else
@@ -173,6 +203,20 @@ verify-sig_verify_detached() {
 -V -p "${key}" -m "${file}" -x "${sig}" ||
 die "Signify signature verification failed"
 ;;
+ sigstore)
+ if [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} != yes ]]; then
+ extra_args+=( --offline )
+ fi
+
+ cp -r "${BROOT}"/usr/share/sigstore-gentoo/{.cache,.local} \
+ "${HOME}"/ || die
+ sigstore verify identity "${extra_args[@]}" \
+ --bundle "${sig}" \
+ --cert-identity "${VERIFY_SIG_CERT_IDENTITY}" \
+ --cert-oidc-issuer "${VERIFY_SIG_CERT_OIDC_ISSUER}" \
+ "${file}" ||
+ die "Sigstore signature verification failed"
+ ;;
 *)
 die "${FUNCNAME} not supported with ${VERIFY_SIG_METHOD}"
 ;;
@@ -394,7 +438,7 @@ verify-sig_src_unpack() {
 # find all distfiles and signatures, and combine them
 for f in ${A}; do
 found=
- for suffix in .asc .sig .minisig; do
+ for suffix in .asc .sig .minisig .sigstore; do
 if [[ ${f} == *${suffix} ]]; then
 signatures+=( "${f}" )
 found=sig
-- 
2.47.0
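Review bot: In the sigstore case branch (second hunk, -173/+203) the `cp -r "${BROOT}"/usr/share/sigstore-gentoo/{.cache,.local} "${HOME}"/ || die` dies with no message, unlike every other failure path in this case statement, and nothing says why `.cache` and `.local` are copied into HOME at all; suggest `|| die "Failed to copy the sigstore trusted root into HOME"`. A comment above the cp should state that this presumably supplies the trust root shipped by sec-keys/sigstore-trusted-root so that the default `--offline` verification has a trust anchor without network access, and that setting VERIFY_SIG_OPENPGP_KEY_REFRESH=yes drops `--offline` and lets sigstore refresh that root over the network, which is the trade-off the updated KEY_REFRESH documentation in the previous hunk is alluding to. `extra_args` is appended to here but declared outside the hunk, and verify-sig_verify_detached both starts and ends outside it, so whether `extra_args` is reset per call cannot be confirmed from this diff.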