• [gentoo-dev] [PATCH 0/5] verify-sig.eclass: sigstore support

    From Michał Górny@21:1/5 to All on Sat Oct 12 21:00:01 2024
    Hi,

    dev-python/sigstore is yet another NIH signature verification tool.
    Python is planning to use it exclusively starting with Python 3.14.
    It uses some fancy PKI-like infrastructure backed by OAuth against
    some popular providers (read: now Google and Microsoft will hold keys
    used to sign Python releases).

    This patch set adds:

    1. A package to install up-to-date root certificates for sigstore.
    It also has a test phase that can be used to verify if we need
    to wrap up a new version.

    2. verify-sig support for verifying detached signatures against it.
    No other kinds of signatures are implemented, and I have no clue
    if they are supported at all.

    3. An example Python 3.13.0 patch to use it. That said, I don't think
    we will actually use it for existing versions, just when there are
    no PGP signatures anymore.



    Michał Górny (5):
    sec-keys/sigstore-trusted-root: New package, v0_p20241010
    verify-sig.eclass: Refactor code to use extra_args for all types
    verify-sig.eclass: Error out on invalid method+function combos
    verify-sig.eclass: Add support for verifying sigstore signatures
    dev-lang/python: Use sigstore in 3.13.0 (example)

    dev-lang/python/Manifest | 2 +-
    dev-lang/python/python-3.13.0.ebuild | 8 +-
    eclass/verify-sig.eclass | 74 +++++++++++++++++--
    sec-keys/sigstore-trusted-root/Manifest | 2 +
    sec-keys/sigstore-trusted-root/metadata.xml | 8 ++
    .../sigstore-trusted-root-0_p20241010.ebuild | 54 ++++++++++++++
    6 files changed, 136 insertions(+), 12 deletions(-)
    create mode 100644 sec-keys/sigstore-trusted-root/Manifest
    create mode 100644 sec-keys/sigstore-trusted-root/metadata.xml
    create mode 100644 sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild

    --
    2.47.0
