author | Michał Górny <mgorny@gentoo.org> | 2024-10-10 20:55:15 +0200 |
---|---|---|
committer | Michał Górny <mgorny@gentoo.org> | 2024-10-16 06:54:28 +0200 |
commit | ab492ea95909bb0beb4eb618c3fac12208b82427 (patch) | |
tree | 29d81d863d97dc1ce1267b5179d87af8140a8101 /sec-keys | |
parent | dev-python/Faker: Bump to 30.4.0 (diff) | |
download | gentoo-ab492ea95909bb0beb4eb618c3fac12208b82427.tar.gz gentoo-ab492ea95909bb0beb4eb618c3fac12208b82427.tar.bz2 gentoo-ab492ea95909bb0beb4eb618c3fac12208b82427.zip |
sec-keys/sigstore-trusted-root: New package, v0_p20241016
New package installing trusted_root.json for dev-python/sigstore,
to verify signatures. Includes a test phase to verify if our root
is up-to-date.
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Diffstat (limited to 'sec-keys')
-rw-r--r-- | sec-keys/sigstore-trusted-root/Manifest | 2 | ||||
-rw-r--r-- | sec-keys/sigstore-trusted-root/metadata.xml | 8 | ||||
-rw-r--r-- | sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241016.ebuild | 59 |
3 files changed, 69 insertions, 0 deletions
diff --git a/sec-keys/sigstore-trusted-root/Manifest b/sec-keys/sigstore-trusted-root/Manifest
new file mode 100644
index 000000000000..23c5cf224248
--- /dev/null
+++ b/sec-keys/sigstore-trusted-root/Manifest
@@ -0,0 +1,2 @@
+DIST Python-3.13.0.tar.xz.sigstore 5067 BLAKE2B a774f8d3947bd114ea9cd8d028ba06d30a11385a5295d2f0535f507789e08697e290a920df23064add58496f3a8765aeb1ce3bad4e5548613e78e2b283852ff8 SHA512 6c9d99299ed3f1d221deca6e0a7abc9a89a7c87d2c74225c1175691b1c21ccc5d55da17d69dc9893f94d91deaf1870c1a2a4be0905fc2dbed16d34a4110e3ec2
+DIST sigstore-trusted-root-0_p20241016.tar.xz 7984 BLAKE2B e140e6262f803b5f08939c5234bdf4bd604e53fed1490c8cf33ddffda330de42db358c11cefe9e89d28943fbb61bb91e0e7f2ebe9153e90aa6662038154e22fb SHA512 09acc16c1b0b87d2fcfb0d1f2adadd2c2f62a6b0794e04cc75df88e4119ae628cd9438ce43ac6cd8163f2fcd59735aa7c76cc340702caed2decd78ea84d924d1
diff --git a/sec-keys/sigstore-trusted-root/metadata.xml b/sec-keys/sigstore-trusted-root/metadata.xml
new file mode 100644
index 000000000000..076793e3f54b
--- /dev/null
+++ b/sec-keys/sigstore-trusted-root/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="person">
+ <email>mgorny@gentoo.org</email>
+ <name>Michał Górny</name>
+ </maintainer>
+</pkgmetadata>
diff --git a/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241016.ebuild b/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241016.ebuild
new file mode 100644
index 000000000000..d40f93428e94
--- /dev/null
+++ b/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241016.ebuild
@@ -0,0 +1,59 @@
+# Copyright 2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="trusted-root.json for dev-python/sigstore"
+HOMEPAGE="https://www.sigstore.dev/"
+SRC_URI="
+ https://dev.gentoo.org/~mgorny/dist/${P}.tar.xz
+ test? (
+ https://www.python.org/ftp/python/3.13.0/Python-3.13.0.tar.xz.sigstore
+ )
+"
+S=${WORKDIR}
+
+LICENSE="public-domain"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE="test"
+PROPERTIES="test_network"
+RESTRICT="test"
+
+BDEPEND="
+ test? (
+ dev-python/sigstore
+ sys-apps/diffutils
+ )
+"
+
+src_test() {
+ local common_args=(
+ --bundle "${DISTDIR}"/Python-3.13.0.tar.xz.sigstore
+ --cert-identity thomas@python.org
+ --cert-oidc-issuer https://accounts.google.com
+ sha256:086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d
+ )
+
+ cp -r "${WORKDIR}"/{.cache,.local} "${HOME}"/ || die
+ einfo "Attempting offline verification ..."
+ sigstore verify identity --offline "${common_args[@]}" ||
+ die "Verification failed with extracted trust root"
+ einfo "Attempting online verification ..."
+ sigstore verify identity "${common_args[@]}" ||
+ die "Verification failed in online mode"
+
+ # check if anything needs updating
+ if ! diff -ur "${WORKDIR}" "${HOME}"; then
+ local tar="${WORKDIR}/${PN}-0_p$(date +%Y%m%d).tar"
+ cd "${HOME}" || die
+ tar -c -v -f "${tar}" $(find .cache .local -type f | sort) || die
+ xz -v9e "${tar}" || die
+ die "Changes found, please update to use ${tar}.xz"
+ fi
+}
+
+src_install() {
+ insinto /usr/share/sigstore-gentoo
+ doins -r .cache .local
+}
 |
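Review bot: In src_test, the failure path after `diff -ur "${WORKDIR}" "${HOME}"` builds a replacement snapshot from whatever the online run left in `${HOME}` and only reports `please update to use ${tar}.xz`, without saying that the printed diff is what the maintainer must review before republishing. Since this tarball becomes the offline trust anchor for signature verification, I would add a comment above the check such as `# any difference means the online run refreshed sigstore's local state; inspect the diff output before publishing the regenerated snapshot`. The comparison also covers all of `${HOME}`, so unrelated files written there would trigger the same failure; restricting it to `.cache` and `.local` would keep the signal tied to the trust root. Separately, `$(find .cache .local -type f | sort)` is unquoted and would split on whitespace in a path, which seems unlikely for these files but is worth a short comment stating that assumption.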