4 files changed, 71 insertions, 0 deletions

diff --git a/sec-keys/Manifest.gz b/sec-keys/Manifest.gz
index 7938baccbe83..c5cc47a024a8 100644
--- a/sec-keys/Manifest.gz
+++ b/sec-keys/Manifest.gz
diff --git a/sec-keys/sigstore-trusted-root/Manifest b/sec-keys/sigstore-trusted-root/Manifest
new file mode 100644
index 000000000000..13ea97c52d89
--- /dev/null
+++ b/sec-keys/sigstore-trusted-root/Manifest
@@ -0,0 +1,4 @@
+DIST Python-3.13.0.tar.xz.sigstore 5067 BLAKE2B a774f8d3947bd114ea9cd8d028ba06d30a11385a5295d2f0535f507789e08697e290a920df23064add58496f3a8765aeb1ce3bad4e5548613e78e2b283852ff8 SHA512 6c9d99299ed3f1d221deca6e0a7abc9a89a7c87d2c74225c1175691b1c21ccc5d55da17d69dc9893f94d91deaf1870c1a2a4be0905fc2dbed16d34a4110e3ec2
+DIST sigstore-trusted-root-0_p20241016.tar.xz 7984 BLAKE2B e140e6262f803b5f08939c5234bdf4bd604e53fed1490c8cf33ddffda330de42db358c11cefe9e89d28943fbb61bb91e0e7f2ebe9153e90aa6662038154e22fb SHA512 09acc16c1b0b87d2fcfb0d1f2adadd2c2f62a6b0794e04cc75df88e4119ae628cd9438ce43ac6cd8163f2fcd59735aa7c76cc340702caed2decd78ea84d924d1
+EBUILD sigstore-trusted-root-0_p20241016.ebuild 1524 BLAKE2B 7ae84a9c882d483339db846631cf4f925c0730985807f0db9b2cef50f03756a3e61a05d883e3cafe53faae41084cd4ce9fe0a5b2f7a45d8d5ebf7c3ec14a3a58 SHA512 f5b1d66dbd1ef191c1ee6977e825ef79a44cc5136eb9448e2ab2d83917dc25ca8a0cd59d3b220621186db4d6ea05c9cc9d4e6acde15456a82ca5e2d5220761dd
+MISC metadata.xml 248 BLAKE2B f308d2aa052d11e427850af58bbebf95e7773f5562ed221f39043474b4c3827d724d49667edf1874272a5586a13201159f40e8f5eafb7e400e79c6566e1a6ac2 SHA512 b875c838394523483ae7d93585207eb3c642a345bbb08e1dcef3ceb737c813fa779e2f5479d48cdcc30732b8a0a9e6ecc648df940def6731e4dff43b23786e6d
diff --git a/sec-keys/sigstore-trusted-root/metadata.xml b/sec-keys/sigstore-trusted-root/metadata.xml
new file mode 100644
index 000000000000..076793e3f54b
--- /dev/null
+++ b/sec-keys/sigstore-trusted-root/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>mgorny@gentoo.org</email>
+		<name>Michał Górny</name>
+	</maintainer>
+</pkgmetadata>
diff --git a/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241016.ebuild b/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241016.ebuild
new file mode 100644
index 000000000000..d40f93428e94
--- /dev/null
+++ b/sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241016.ebuild
@@ -0,0 +1,59 @@
+# Copyright 2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="trusted-root.json for dev-python/sigstore"
+HOMEPAGE="https://www.sigstore.dev/"
+SRC_URI="
+	https://dev.gentoo.org/~mgorny/dist/${P}.tar.xz
+	test? (
+		https://www.python.org/ftp/python/3.13.0/Python-3.13.0.tar.xz.sigstore
+	)
+"
+S=${WORKDIR}
+
+LICENSE="public-domain"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE="test"
+PROPERTIES="test_network"
+RESTRICT="test"
+
+BDEPEND="
+	test? (
+		dev-python/sigstore
+		sys-apps/diffutils
+	)
+"
+
+src_test() {
+	local common_args=(
+		--bundle "${DISTDIR}"/Python-3.13.0.tar.xz.sigstore
+		--cert-identity thomas@python.org
+		--cert-oidc-issuer https://accounts.google.com
+		sha256:086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d
+	)
+
+	cp -r "${WORKDIR}"/{.cache,.local} "${HOME}"/ || die
+	einfo "Attempting offline verification ..."
+	sigstore verify identity --offline "${common_args[@]}" ||
+		die "Verification failed with extracted trust root"
+	einfo "Attempting online verification ..."
+	sigstore verify identity "${common_args[@]}" ||
+		die "Verification failed in online mode"
+
+	# check if anything needs updating
+	if ! diff -ur "${WORKDIR}" "${HOME}"; then
+		local tar="${WORKDIR}/${PN}-0_p$(date +%Y%m%d).tar"
+		cd "${HOME}" || die
+		tar -c -v -f "${tar}" $(find .cache .local -type f | sort) || die
+		xz -v9e "${tar}" || die
+		die "Changes found, please update to use ${tar}.xz"
+	fi
+}
+
+src_install() {
+	insinto /usr/share/sigstore-gentoo
+	doins -r .cache .local
+}