Signed-off-by: Michał Górny <[email protected]>
---
 eclass/verify-sig.eclass | 54 ++++++++++++++++++++++++++++++++++++----
 1 file changed, 49 insertions(+), 5 deletions(-)

diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 9886e3352db7..f97c4a276865 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -57,6 +57,7 @@ IUSE="verify-sig"
 #
 #  - minisig -- verify signatures with (base64) Ed25519 public key using 
app-crypt/minisign
 #  - openpgp -- verify PGP signatures using app-crypt/gnupg (the default)
+#  - sigstore -- verifsy signatures using dev-python/sigstore
 #  - signify -- verify signatures with Ed25519 public key using 
app-crypt/signify
 : "${VERIFY_SIG_METHOD:=openpgp}"
 
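Review bot: The new method entry `+#  - sigstore -- verifsy signatures using dev-python/sigstore` has a typo in "verifsy"; it should read `#  - sigstore -- verify signatures using dev-python/sigstore`. Since the BDEPEND hunk below also pulls in sec-keys/sigstore-trusted-root for this method, the entry could name both packages so the list stays parallel with the minisig and signify lines.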
@@ -75,6 +76,14 @@ case ${VERIFY_SIG_METHOD} in
        signify)
                BDEPEND="verify-sig? ( app-crypt/signify )"
                ;;
+       sigstore)
+               BDEPEND="
+                       verify-sig? (
+                               dev-python/sigstore
+                               sec-keys/sigstore-trusted-root
+                       )
+               "
+               ;;
        *)
                die "${ECLASS}: unknown method '${VERIFY_SIG_METHOD}'"
                ;;
@@ -89,8 +98,19 @@ esac
 #
 # The value of BROOT will be prepended to this path automatically.
 #
-# NB: this variable is also used for non-OpenPGP signatures.  The name
-# contains "OPENPGP" for historical reasons.
+# This variable is also used for non-OpenPGP signatures.  The name
+# contains "OPENPGP" for historical reasons.  It is not used
+# for sigstore, since it uses a single trusted root.
+
+# @ECLASS_VARIABLE: VERIFY_SIG_CERT_IDENTITY
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# --cert-identity passed to sigstore invocation.
+
+# @ECLASS_VARIABLE: VERIFY_SIG_CERT_OIDC_ISSUER
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# --cert-oidc-issuer passed to sigstore invocation.
 
 # @ECLASS_VARIABLE: VERIFY_SIG_OPENPGP_KEYSERVER
 # @DEFAULT_UNSET
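Review bot: The rewritten VERIFY_SIG_OPENPGP_KEY_PATH paragraph says the variable "is not used for sigstore", but the verify-sig_verify_detached hunk further down dies when it is set while VERIFY_SIG_METHOD=sigstore, so the wording understates the contract; suggest `# It must not be set for sigstore, which relies on a single trusted root.` instead. The two new @ECLASS_VARIABLE entries likewise do not say that they are mandatory for that method even though the same hunk dies when either is empty; adding `# Required when VERIFY_SIG_METHOD=sigstore.` to both descriptions makes the requirement discoverable from the docs rather than from the die message.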
@@ -108,7 +128,7 @@ esac
 # in make.conf to enable.  Note that this requires working Internet
 # connection.
 #
-# Supported for OpenPGP only.
+# Supported for OpenPGP and sigstore.
 : "${VERIFY_SIG_OPENPGP_KEY_REFRESH:=no}"
 
 # @FUNCTION: verify-sig_verify_detached
@@ -123,7 +143,17 @@ verify-sig_verify_detached() {
        local sig=${2}
        local key=${3}
 
-       if [[ -z ${key} ]]; then
+       if [[ ${VERIFY_SIG_METHOD} == sigstore ]]; then
+               if [[ -n ${key:-${VERIFY_SIG_OPENPGP_KEY_PATH}} ]]; then
+                       die "${FUNCNAME}: key unexpectedly specified for 
sigstore"
+               fi
+               if [[ -z ${VERIFY_SIG_CERT_IDENTITY} ]]; then
+                       die "${FUNCNAME}: VERIFY_SIG_CERT_IDENTITY must be 
specified for sigstore"
+               fi
+               if [[ -z ${VERIFY_SIG_CERT_OIDC_ISSUER} ]]; then
+                       die "${FUNCNAME}: VERIFY_SIG_CERT_OIDC_ISSUER must be 
specified for sigstore"
+               fi
+       elif [[ -z ${key} ]]; then
                if [[ -z ${VERIFY_SIG_OPENPGP_KEY_PATH} ]]; then
                        die "${FUNCNAME}: no key passed and 
VERIFY_SIG_OPENPGP_KEY_PATH unset"
                else
@@ -173,6 +203,20 @@ verify-sig_verify_detached() {
                                -V -p "${key}" -m "${file}" -x "${sig}" ||
                                die "Signify signature verification failed"
                        ;;
+               sigstore)
+                       if [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} != yes ]]; then
+                               extra_args+=( --offline )
+                       fi
+
+                       cp -r 
"${BROOT}"/usr/share/sigstore-gentoo/{.cache,.local} \
+                               "${HOME}"/ || die
+                       sigstore verify identity "${extra_args[@]}" \
+                               --bundle "${sig}" \
+                               --cert-identity "${VERIFY_SIG_CERT_IDENTITY}" \
+                               --cert-oidc-issuer 
"${VERIFY_SIG_CERT_OIDC_ISSUER}" \
+                               "${file}" ||
+                               die "Sigstore signature verification failed"
+                       ;;
                *)
                        die "${FUNCNAME} not supported with 
${VERIFY_SIG_METHOD}"
                        ;;
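Review bot: The `cp -r "${BROOT}"/usr/share/sigstore-gentoo/{.cache,.local} "${HOME}"/` line copies the packaged trusted-root data into HOME on every call of verify-sig_verify_detached with no comment on why, and nothing on the page states what sigstore reads from there; a why-comment such as `# seed the sigstore trust-root cache from sec-keys/sigstore-trusted-root so --offline verification has a root to check against (assumed: the CLI looks in ~/.cache and ~/.local) — confirm` would spare the next maintainer the guesswork. `extra_args+=( --offline )` relies on extra_args having been declared earlier in the function, which starts outside this hunk; if it is only declared `local` inside another case arm, this append creates a global. Note also that omitting `--offline` when VERIFY_SIG_OPENPGP_KEY_REFRESH=yes lets the CLI fetch trust-root updates over the network, which matches the updated variable documentation but should be stated next to the condition.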
@@ -394,7 +438,7 @@ verify-sig_src_unpack() {
                # find all distfiles and signatures, and combine them
                for f in ${A}; do
                        found=
-                       for suffix in .asc .sig .minisig; do
+                       for suffix in .asc .sig .minisig .sigstore; do
                                if [[ ${f} == *${suffix} ]]; then
                                        signatures+=( "${f}" )
                                        found=sig
-- 
2.47.0

