[gentoo-dev] [PATCH 1/5] sec-keys/sigstore-trusted-root: New package, v0_p20241010

[Michał Górny]

New package installing trusted_root.json for dev-python/sigstore,
to verify signatures.  Includes a test phase to verify if our root
is up-to-date.

Signed-off-by: Michał Górny <mgo...@gentoo.org>
---
 sec-keys/sigstore-trusted-root/Manifest       |  2 +
 sec-keys/sigstore-trusted-root/metadata.xml   |  8 +++
 .../sigstore-trusted-root-0_p20241010.ebuild  | 54 +++++++++++++++++++
 3 files changed, 64 insertions(+)
 create mode 100644 sec-keys/sigstore-trusted-root/Manifest
 create mode 100644 sec-keys/sigstore-trusted-root/metadata.xml
 create mode 100644 
sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild

diff --git a/sec-keys/sigstore-trusted-root/Manifest 
b/sec-keys/sigstore-trusted-root/Manifest
new file mode 100644
index 000000000000..cb7c8da2676e
--- /dev/null
+++ b/sec-keys/sigstore-trusted-root/Manifest
@@ -0,0 +1,2 @@
+DIST Python-3.13.0.tar.xz.sigstore 5067 BLAKE2B 
a774f8d3947bd114ea9cd8d028ba06d30a11385a5295d2f0535f507789e08697e290a920df23064add58496f3a8765aeb1ce3bad4e5548613e78e2b283852ff8
 SHA512 
6c9d99299ed3f1d221deca6e0a7abc9a89a7c87d2c74225c1175691b1c21ccc5d55da17d69dc9893f94d91deaf1870c1a2a4be0905fc2dbed16d34a4110e3ec2
+DIST sigstore-trusted-root-0_p20241010.tar.xz 7984 BLAKE2B 
4d6c6e043e116e9830dc2f9a0a3c0f1333f5044b0ba40e52d3790c6d220415c4b525ebc5592cee31266dace637fb8417ec5768b7370928e0f705f0f03f5bc080
 SHA512 
784c3bb95b9112bb64d5e8132dee8ee32bcc2e2953d8fd77b1bfca6f1172771f1ee0609b9f80e6e592cccf5205ed73c7584ef6b6e31c8531978c7f1b48a816fa
diff --git a/sec-keys/sigstore-trusted-root/metadata.xml 
b/sec-keys/sigstore-trusted-root/metadata.xml
new file mode 100644
index 000000000000..076793e3f54b
--- /dev/null
+++ b/sec-keys/sigstore-trusted-root/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd";>
+<pkgmetadata>
+       <maintainer type="person">
+               <email>mgo...@gentoo.org</email>
+               <name>Michał Górny</name>
+       </maintainer>
+</pkgmetadata>
diff --git 
a/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild 
b/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild
new file mode 100644
index 000000000000..99355d7005a1
--- /dev/null
+++ b/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild
@@ -0,0 +1,54 @@
+# Copyright 2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="trusted-root.json for dev-python/sigstore"
+HOMEPAGE="https://www.sigstore.dev/";
+SRC_URI="
+       https://dev.gentoo.org/~mgorny/dist/${P}.tar.xz
+       test? (
+               
https://www.python.org/ftp/python/3.13.0/Python-3.13.0.tar.xz.sigstore
+       )
+"
+S=${WORKDIR}
+
+LICENSE="public-domain"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE="test"
+PROPERTIES="test_network"
+RESTRICT="test"
+
+BDEPEND="
+       test? (
+               dev-python/sigstore
+               sys-apps/diffutils
+       )
+"
+
+src_test() {
+       local common_args=(
+               --bundle "${DISTDIR}"/Python-3.13.0.tar.xz.sigstore
+               --cert-identity tho...@python.org
+               --cert-oidc-issuer https://accounts.google.com
+               
sha256:086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d
+       )
+
+       cp -r "${WORKDIR}"/{.cache,.local} "${HOME}"/ || die
+       einfo "Attempting offline verification ..."
+       sigstore verify identity --offline "${common_args[@]}" ||
+               die "Verification failed with extracted trust root"
+       einfo "Attempting online verification ..."
+       sigstore verify identity "${common_args[@]}" ||
+               die "Verification failed in online mode"
+
+       # check if anything needs updating
+       diff -ur "${WORKDIR}" "${HOME}" ||
+               die "Changes found, need to wrap up a new package"
+}
+
+src_install() {
+       insinto /usr/share/sigstore-gentoo
+       doins -r .cache .local
+}
-- 
2.47.0