Diffstat (limited to 'eclass')
-rw-r--r-- | eclass/Manifest.gz | bin | 39031 -> 39023 bytes | |||
-rw-r--r-- | eclass/ecm-common.eclass | 10 | ||||
-rw-r--r-- | eclass/verify-sig.eclass | 74 |
3 files changed, 75 insertions, 9 deletions
diff --git a/eclass/Manifest.gz b/eclass/Manifest.gz
Binary files differ
index 980253f12cef..e80e689b4e8b 100644
--- a/eclass/Manifest.gz
+++ b/eclass/Manifest.gz
diff --git a/eclass/ecm-common.eclass b/eclass/ecm-common.eclass
index ba6840d75a6d..7f5d3d1e9915 100644
--- a/eclass/ecm-common.eclass
+++ b/eclass/ecm-common.eclass
@@ -165,8 +165,16 @@ if [[ ${ECM_KCM_TARGETS} ]]; then
 KF6_BDEPEND+=( "kde-frameworks/kcmutils:6" )
 fi
+KF6_BDEPEND+=( "dev-qt/qtbase:6" )
+
 if $(ver_test ${KFMIN} -lt 5.240) && [[ ${KF6_BDEPEND} && ${KF5_BDEPEND} ]]; then
- BDEPEND+=" || ( ( ${KF6_BDEPEND[*]} ) ( ${KF5_BDEPEND[*]} ) )"
+ BDEPEND+=" || (
+ ( ${KF6_BDEPEND[*]} )
+ (
+ ${KF5_BDEPEND[*]}
+ dev-qt/qtcore:5
+ )
+ )"
 else
 BDEPEND+=" ${KF6_BDEPEND[*]}"
 fi
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index b74ed78290aa..0e6b9b43e557 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -57,6 +57,7 @@ IUSE="verify-sig"
 #
 # - minisig -- verify signatures with (base64) Ed25519 public key using app-crypt/minisign
 # - openpgp -- verify PGP signatures using app-crypt/gnupg (the default)
+# - sigstore -- verify signatures using dev-python/sigstore
 # - signify -- verify signatures with Ed25519 public key using app-crypt/signify
 : "${VERIFY_SIG_METHOD:=openpgp}"
@@ -75,6 +76,14 @@ case ${VERIFY_SIG_METHOD} in
 signify)
 BDEPEND="verify-sig? ( app-crypt/signify )"
 ;;
+ sigstore)
+ BDEPEND="
+ verify-sig? (
+ dev-python/sigstore
+ sec-keys/sigstore-trusted-root
+ )
+ "
+ ;;
 *)
 die "${ECLASS}: unknown method '${VERIFY_SIG_METHOD}'"
 ;;
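Review bot: The new `# - sigstore` entry in the method list does not tell ebuild authors what this method needs, whereas the neighbouring entries at least name their key source; later in this commit verify-sig_verify_detached dies unless VERIFY_SIG_CERT_IDENTITY and VERIFY_SIG_CERT_OIDC_ISSUER are set and also dies if a key or VERIFY_SIG_OPENPGP_KEY_PATH is given. Say so where the method is chosen: `# - sigstore -- verify sigstore bundles using dev-python/sigstore (requires VERIFY_SIG_CERT_IDENTITY and VERIFY_SIG_CERT_OIDC_ISSUER; VERIFY_SIG_OPENPGP_KEY_PATH must be unset)`. It is also worth stating in this comment that only detached-bundle verification is implemented for sigstore, since the other two verifier functions gain a `*)` branch that dies for it.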
@@ -89,8 +98,19 @@ esac
 #
 # The value of BROOT will be prepended to this path automatically.
 #
-# NB: this variable is also used for non-OpenPGP signatures. The name
-# contains "OPENPGP" for historical reasons.
+# This variable is also used for non-OpenPGP signatures. The name
+# contains "OPENPGP" for historical reasons. It is not used
+# for sigstore, since it uses a single trusted root.
+
+# @ECLASS_VARIABLE: VERIFY_SIG_CERT_IDENTITY
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# --cert-identity passed to sigstore invocation.
+
+# @ECLASS_VARIABLE: VERIFY_SIG_CERT_OIDC_ISSUER
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# --cert-oidc-issuer passed to sigstore invocation.
 # @ECLASS_VARIABLE: VERIFY_SIG_OPENPGP_KEYSERVER
 # @DEFAULT_UNSET
@@ -108,7 +128,7 @@ esac
 # in make.conf to enable. Note that this requires working Internet
 # connection.
 #
-# Supported for OpenPGP only.
+# Supported for OpenPGP and sigstore.
 : "${VERIFY_SIG_OPENPGP_KEY_REFRESH:=no}"
 # @FUNCTION: verify-sig_verify_detached
@@ -123,7 +143,17 @@ verify-sig_verify_detached() {
 local sig=${2}
 local key=${3}
- if [[ -z ${key} ]]; then
+ if [[ ${VERIFY_SIG_METHOD} == sigstore ]]; then
+ if [[ -n ${key:-${VERIFY_SIG_OPENPGP_KEY_PATH}} ]]; then
+ die "${FUNCNAME}: key unexpectedly specified for sigstore"
+ fi
+ if [[ -z ${VERIFY_SIG_CERT_IDENTITY} ]]; then
+ die "${FUNCNAME}: VERIFY_SIG_CERT_IDENTITY must be specified for sigstore"
+ fi
+ if [[ -z ${VERIFY_SIG_CERT_OIDC_ISSUER} ]]; then
+ die "${FUNCNAME}: VERIFY_SIG_CERT_OIDC_ISSUER must be specified for sigstore"
+ fi
+ elif [[ -z ${key} ]]; then
 if [[ -z ${VERIFY_SIG_OPENPGP_KEY_PATH} ]]; then
 die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
 else
@@ -132,7 +162,6 @@ verify-sig_verify_detached() {
 fi
 local extra_args=()
- [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
 if [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]]; then
 [[ ${VERIFY_SIG_METHOD} == openpgp ]] ||
 die "${FUNCNAME}: VERIFY_SIG_OPENPGP_KEYSERVER is not supported"
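Review bot: The @DESCRIPTION blocks for VERIFY_SIG_CERT_IDENTITY and VERIFY_SIG_CERT_OIDC_ISSUER only name the command-line flag they are passed as, which leaves ebuild authors without the information that these two values are the whole trust anchor for the sigstore method — the equivalent of the key file for the other methods — and that a loose choice weakens verification accordingly. I would replace `# --cert-identity passed to sigstore invocation.` with a description along the lines of "Identity the signing certificate must have been issued to (as far as I know matched exactly by the tool, e.g. the upstream maintainer's e-mail address or a CI workflow URI). Required when VERIFY_SIG_METHOD=sigstore; verify-sig_verify_detached dies if it is unset." and similarly for the issuer: "URL of the OIDC issuer that must have attested that identity. Required when VERIFY_SIG_METHOD=sigstore; together with VERIFY_SIG_CERT_IDENTITY it replaces VERIFY_SIG_OPENPGP_KEY_PATH as the trust anchor." The paragraph added to VERIFY_SIG_OPENPGP_KEY_PATH could then point at these two variables instead of just saying the path is not used.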
@@ -152,10 +181,15 @@ verify-sig_verify_detached() {
 einfo "Verifying $(unknown) ..."
 case ${VERIFY_SIG_METHOD} in
 minisig)
- minisign -V -P "$(<"${key}")" -x "${sig}" -m "${file}" ||
+ minisign "${extra_args[@]}" \
+ -V -P "$(<"${key}")" -x "${sig}" -m "${file}" ||
 die "minisig signature verification failed"
 ;;
 openpgp)
+ if [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} != yes ]]; then
+ extra_args+=( -R )
+ fi
+
 # gpg can't handle very long TMPDIR
 # https://bugs.gentoo.org/854492
 local -x TMPDIR=/tmp
@@ -165,9 +199,27 @@ verify-sig_verify_detached() {
 die "PGP signature verification failed"
 ;;
 signify)
- signify -V -p "${key}" -m "${file}" -x "${sig}" ||
+ signify "${extra_args[@]}" \
+ -V -p "${key}" -m "${file}" -x "${sig}" ||
 die "Signify signature verification failed"
 ;;
+ sigstore)
+ if [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} != yes ]]; then
+ extra_args+=( --offline )
+ fi
+
+ cp -r "${BROOT}"/usr/share/sigstore-gentoo/{.cache,.local} \
+ "${HOME}"/ || die
+ sigstore verify identity "${extra_args[@]}" \
+ --bundle "${sig}" \
+ --cert-identity "${VERIFY_SIG_CERT_IDENTITY}" \
+ --cert-oidc-issuer "${VERIFY_SIG_CERT_OIDC_ISSUER}" \
+ "${file}" ||
+ die "Sigstore signature verification failed"
+ ;;
+ *)
+ die "${FUNCNAME} not supported with ${VERIFY_SIG_METHOD}"
+ ;;
 esac
 }
@@ -229,6 +281,9 @@ verify-sig_verify_message() {
 signify -V -e -p "${key}" -m "${output_file}" -x "${file}" ||
 die "Signify signature verification failed"
 ;;
+ *)
+ die "${FUNCNAME} not supported with ${VERIFY_SIG_METHOD}"
+ ;;
 esac
 }
@@ -362,6 +417,9 @@ verify-sig_verify_signed_checksums() {
 -x "${checksum_file}" "${files[@]}" ||
 die "Signify signature verification failed"
 ;;
+ *)
+ die "${FUNCNAME} not supported with ${VERIFY_SIG_METHOD}"
+ ;;
 esac
 }
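Review bot: In the new `sigstore)` branch, `cp -r … {.cache,.local} "${HOME}"/` merges the packaged trusted root into whatever `${HOME}/.cache` and `${HOME}/.local` already contain rather than replacing them, so on the second distfile in the same build (or when VERIFY_SIG_OPENPGP_KEY_REFRESH=yes has just updated TUF metadata in place) the verifier reads a mix of packaged files and leftovers, and the trust state consulted by `sigstore verify identity` is no longer just sec-keys/sigstore-trusted-root. I would give the invocation a private, freshly populated HOME under `${T}` so the packaged root is the only state visible, which also stops the eclass from writing into the caller's HOME (in Portage that is a per-build directory, so the exposure is mostly stale state across calls — inferred, not visible here). The enclosing function starts outside this hunk.
```shell
	sigstore)
		if [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} != yes ]]; then
			extra_args+=( --offline )
		fi

		# Private, freshly populated HOME: the packaged trusted root is
		# the only TUF state the verifier can see, regardless of what an
		# earlier call or a key refresh left behind.
		local -x HOME=${T}/sigstore-home
		rm -rf "${HOME}" || die
		mkdir -p "${HOME}" || die
		cp -r "${BROOT}"/usr/share/sigstore-gentoo/{.cache,.local} \
			"${HOME}"/ || die
		# … unchanged: sigstore verify identity invocation and die …
```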
@@ -380,7 +438,7 @@ verify-sig_src_unpack() {
 # find all distfiles and signatures, and combine them
 for f in ${A}; do
 found=
- for suffix in .asc .sig .minisig; do
+ for suffix in .asc .sig .minisig .sigstore; do
 if [[ ${f} == *${suffix} ]]; then
 signatures+=( "${f}" )
 found=sig |
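Review bot: The suffix loop now recognises only `.sigstore`, but if I recall correctly current sigstore-python writes bundles as `<file>.sigstore.json` by default, so an upstream shipping that name would have its bundle classified as an unsigned distfile and the pairing logic (which continues outside this hunk) would fail with a missing-signature error instead of verifying it. Consider `for suffix in .asc .sig .minisig .sigstore .sigstore.json; do` together with the corresponding change wherever the suffix is stripped to find the signed file, or document in the VERIFY_SIG_METHOD comment that bundles must be renamed to `.sigstore` in SRC_URI. Either way the accepted bundle name should be stated somewhere an ebuild author will read it.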