From ab492ea95909bb0beb4eb618c3fac12208b82427 Mon Sep 17 00:00:00 2001 From: Michał Górny Date: Thu, 10 Oct 2024 20:55:15 +0200 Subject: sec-keys/sigstore-trusted-root: New package, v0_p20241016 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit New package installing trusted_root.json for dev-python/sigstore, to verify signatures. Includes a test phase to verify if our root is up-to-date. Signed-off-by: Michał Górny --- sec-keys/sigstore-trusted-root/Manifest | 2 + sec-keys/sigstore-trusted-root/metadata.xml | 8 +++ .../sigstore-trusted-root-0_p20241016.ebuild | 59 ++++++++++++++++++++++ 3 files changed, 69 insertions(+) create mode 100644 sec-keys/sigstore-trusted-root/Manifest create mode 100644 sec-keys/sigstore-trusted-root/metadata.xml create mode 100644 sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241016.ebuild (limited to 'sec-keys') diff --git a/sec-keys/sigstore-trusted-root/Manifest b/sec-keys/sigstore-trusted-root/Manifest new file mode 100644 index 000000000000..23c5cf224248 --- /dev/null +++ b/sec-keys/sigstore-trusted-root/Manifest @@ -0,0 +1,2 @@ +DIST Python-3.13.0.tar.xz.sigstore 5067 BLAKE2B a774f8d3947bd114ea9cd8d028ba06d30a11385a5295d2f0535f507789e08697e290a920df23064add58496f3a8765aeb1ce3bad4e5548613e78e2b283852ff8 SHA512 6c9d99299ed3f1d221deca6e0a7abc9a89a7c87d2c74225c1175691b1c21ccc5d55da17d69dc9893f94d91deaf1870c1a2a4be0905fc2dbed16d34a4110e3ec2 +DIST sigstore-trusted-root-0_p20241016.tar.xz 7984 BLAKE2B e140e6262f803b5f08939c5234bdf4bd604e53fed1490c8cf33ddffda330de42db358c11cefe9e89d28943fbb61bb91e0e7f2ebe9153e90aa6662038154e22fb SHA512 09acc16c1b0b87d2fcfb0d1f2adadd2c2f62a6b0794e04cc75df88e4119ae628cd9438ce43ac6cd8163f2fcd59735aa7c76cc340702caed2decd78ea84d924d1 diff --git a/sec-keys/sigstore-trusted-root/metadata.xml b/sec-keys/sigstore-trusted-root/metadata.xml new file mode 100644 index 000000000000..076793e3f54b --- /dev/null +++ b/sec-keys/sigstore-trusted-root/metadata.xml @@ -0,0 +1,8 @@ + + + + + mgorny@gentoo.org + Michał Górny + + diff --git a/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241016.ebuild b/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241016.ebuild new file mode 100644 index 000000000000..d40f93428e94 --- /dev/null +++ b/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241016.ebuild @@ -0,0 +1,59 @@ +# Copyright 2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +DESCRIPTION="trusted-root.json for dev-python/sigstore" +HOMEPAGE="https://www.sigstore.dev/" +SRC_URI=" + https://dev.gentoo.org/~mgorny/dist/${P}.tar.xz + test? ( + https://www.python.org/ftp/python/3.13.0/Python-3.13.0.tar.xz.sigstore + ) +" +S=${WORKDIR} + +LICENSE="public-domain" +SLOT="0" +KEYWORDS="~amd64" +IUSE="test" +PROPERTIES="test_network" +RESTRICT="test" + +BDEPEND=" + test? ( + dev-python/sigstore + sys-apps/diffutils + ) +" + +src_test() { + local common_args=( + --bundle "${DISTDIR}"/Python-3.13.0.tar.xz.sigstore + --cert-identity thomas@python.org + --cert-oidc-issuer https://accounts.google.com + sha256:086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d + ) + + cp -r "${WORKDIR}"/{.cache,.local} "${HOME}"/ || die + einfo "Attempting offline verification ..." + sigstore verify identity --offline "${common_args[@]}" || + die "Verification failed with extracted trust root" + einfo "Attempting online verification ..." + sigstore verify identity "${common_args[@]}" || + die "Verification failed in online mode" + + # check if anything needs updating + if ! diff -ur "${WORKDIR}" "${HOME}"; then + local tar="${WORKDIR}/${PN}-0_p$(date +%Y%m%d).tar" + cd "${HOME}" || die + tar -c -v -f "${tar}" $(find .cache .local -type f | sort) || die + xz -v9e "${tar}" || die + die "Changes found, please update to use ${tar}.xz" + fi +} + +src_install() { + insinto /usr/share/sigstore-gentoo + doins -r .cache .local +} -- cgit v1.2.3-65-gdbad