authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-16 17:37:07 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-16 17:37:07 +0000
commit779b77a7e44c4e3409ca0edfcf7ac85ce316ffb7 (patch)
treefacb47a0f9d1d5ddc16f6af169f63f0546233809
parentAdding upstream version 1.8.0. (diff)
Adding debian version 1.8.0-2.debian/1.8.0-2debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
-rw-r--r--debian/changelog40
-rw-r--r--debian/control75
-rw-r--r--debian/copyright29
-rw-r--r--debian/fix.scanned.copyright1
-rw-r--r--debian/gbp.conf3
-rw-r--r--debian/gitlab-ci.yml6
-rw-r--r--debian/patches/avoid-boulder.patch63
-rw-r--r--debian/patches/disable-TestGetCode.patch12
-rw-r--r--debian/patches/disable-tests-that-download.ptach49
-rw-r--r--debian/patches/jose-v2.patch47
-rw-r--r--debian/patches/series4
-rwxr-xr-xdebian/rules19
-rw-r--r--debian/source/format1
-rw-r--r--debian/upstream/metadata5
-rw-r--r--debian/watch4
15 files changed, 358 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..3281409
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,40 @@
+golang-github-sigstore-sigstore (1.8.0-2) unstable; urgency=medium
+
+ * Team upload.
+ * Upload to unstable.
+ * Add securesystemslib >= 0.8 for binary package too.
+
+ -- Simon Josefsson <simon@josefsson.org> Wed, 24 Jan 2024 16:25:37 +0100
+
+golang-github-sigstore-sigstore (1.8.0-1) experimental; urgency=medium
+
+ * Team upload.
+ * New upstream release
+ * Need securesystemslib 0.8
+
+ -- Simon Josefsson <simon@josefsson.org> Tue, 16 Jan 2024 23:48:07 +0100
+
+golang-github-sigstore-sigstore (1.7.5-1) unstable; urgency=medium
+
+ * New upstream release
+ * Enable most of the test suite
+
+ -- Reinhard Tartler <siretart@tauware.de> Tue, 21 Nov 2023 15:03:25 +0000
+
+golang-github-sigstore-sigstore (1.4.0-3) unstable; urgency=medium
+
+ * Build against securesystemslib 0.7
+
+ -- Reinhard Tartler <siretart@tauware.de> Fri, 27 Oct 2023 11:51:14 -0400
+
+golang-github-sigstore-sigstore (1.4.0-2) unstable; urgency=medium
+
+ * Upload to unstable
+
+ -- Reinhard Tartler <siretart@tauware.de> Sun, 20 Aug 2023 19:54:04 -0400
+
+golang-github-sigstore-sigstore (1.4.0-1) experimental; urgency=medium
+
+ * Initial release, Closes: #1029170
+
+ -- Reinhard Tartler <siretart@tauware.de> Tue, 18 Jul 2023 21:15:28 -0400
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..2dc3ad0
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,75 @@
+Source: golang-github-sigstore-sigstore
+Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
+Uploaders: Reinhard Tartler <siretart@tauware.de>
+Section: golang
+Testsuite: autopkgtest-pkg-go
+Priority: optional
+Build-Depends: debhelper-compat (= 13),
+ dh-golang,
+ golang-any,
+ golang-github-azure-azure-sdk-for-go-dev,
+ golang-github-azure-go-autorest-dev,
+ golang-github-aws-aws-sdk-go-v2-dev,
+ golang-github-coreos-go-oidc-dev,
+ golang-github-go-test-deep-dev,
+ golang-github-google-go-cmp-dev,
+ golang-github-google-go-containerregistry-dev,
+ golang-github-coreos-go-oidc-v3-dev,
+# golang-github-hashicorp-vault-dev,
+ golang-github-jellydator-ttlcache-dev,
+ golang-github-mitchellh-go-homedir-dev,
+ golang-github-pkg-browser-dev,
+ golang-github-secure-systems-lab-go-securesystemslib-dev (>> 0.8.0~),
+ golang-github-segmentio-ksuid-dev,
+ golang-github-skratchdot-open-golang-dev,
+ golang-github-stretchr-testify-dev,
+ golang-github-theupdateframework-go-tuf-dev,
+ golang-golang-x-crypto-dev,
+ golang-golang-x-oauth2-dev,
+ golang-golang-x-term-dev,
+ golang-google-api-dev,
+ golang-google-genproto-dev,
+ golang-google-protobuf-dev,
+# golang-googlecloud-go-dev,
+ golang-gopkg-square-go-jose.v2-dev
+Standards-Version: 4.6.2
+Vcs-Browser: https://salsa.debian.org/go-team/packages/golang-github-sigstore-sigstore
+Vcs-Git: https://salsa.debian.org/go-team/packages/golang-github-sigstore-sigstore.git
+Homepage: https://github.com/sigstore/sigstore
+Rules-Requires-Root: no
+XS-Go-Import-Path: github.com/sigstore/sigstore
+
+Package: golang-github-sigstore-sigstore-dev
+Architecture: all
+Multi-Arch: foreign
+Depends: golang-github-azure-azure-sdk-for-go-dev,
+ golang-github-azure-go-autorest-dev,
+ golang-github-aws-aws-sdk-go-v2-dev,
+ golang-github-coreos-go-oidc-dev,
+ golang-github-go-test-deep-dev,
+ golang-github-google-go-cmp-dev,
+ golang-github-google-go-containerregistry-dev,
+ golang-github-coreos-go-oidc-v3-dev,
+# golang-github-hashicorp-vault-dev,
+ golang-github-jellydator-ttlcache-dev,
+ golang-github-mitchellh-go-homedir-dev,
+ golang-github-pkg-browser-dev,
+ golang-github-secure-systems-lab-go-securesystemslib-dev (>> 0.8.0~),
+ golang-github-segmentio-ksuid-dev,
+ golang-github-skratchdot-open-golang-dev,
+ golang-github-stretchr-testify-dev,
+ golang-github-theupdateframework-go-tuf-dev,
+ golang-golang-x-crypto-dev,
+ golang-golang-x-oauth2-dev,
+ golang-golang-x-term-dev,
+ golang-google-api-dev,
+ golang-google-genproto-dev,
+ golang-google-protobuf-dev,
+# golang-googlecloud-go-dev,
+ golang-gopkg-square-go-jose.v2-dev,
+ ${misc:Depends}
+Description: Common go library shared across sigstore services and clients (library)
+ sigstore/sigstore is a generic library / framework that is utilized by
+ various other clients and projects including fulcio (webPKI), cosign
+ (container and OCI signing tool) and tektoncd/chains (Supply Chain
+ Security in Tekton Pipelines).
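Review bot: `DH_GOLANG_EXCLUDES` in debian/rules drops `kms/azure`, yet Build-Depends and the Depends of golang-github-sigstore-sigstore-dev both still list `golang-github-azure-azure-sdk-for-go-dev` and `golang-github-azure-go-autorest-dev`; if nothing else in the tree imports them, they widen the dependency set of every consumer for no benefit. The commented-out `# golang-github-hashicorp-vault-dev` and `# golang-googlecloud-go-dev` entries carry no explanation, and a comment such as `# hashivault and gcp KMS providers are excluded in debian/rules (DH_GOLANG_EXCLUDES)` would tie the two files together. The -dev Depends also pulls in test-only libraries (go-test-deep, testify), presumably because the test files are installed; that is worth confirming.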
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..052b350
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,29 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: sigstore
+Source: https://github.com/sigstore/sigstore
+
+Files: *
+Copyright: 2021-2023 The Sigstore Authors.
+License: Apache-2.0
+
+Files: debian/*
+Copyright: 2023 Reinhard Tartler <siretart@tauware.de>
+ 2024 Simon Josefsson <simon@josefsson.org>
+License: Apache-2.0
+Comment: Debian packaging is licensed under the same terms as upstream
+
+License: Apache-2.0
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+Comment:
+ On Debian systems, the complete text of the Apache version 2.0 license
+ can be found in "/usr/share/common-licenses/Apache-2.0".
diff --git a/debian/fix.scanned.copyright b/debian/fix.scanned.copyright
new file mode 100644
index 0000000..0d477d3
--- /dev/null
+++ b/debian/fix.scanned.copyright
@@ -0,0 +1 @@
+! copyright Files:~/.*/ Copyright="2021-2023 The Sigstore Authors."
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..3d450c2
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = debian/sid
+dist = DEP14
diff --git a/debian/gitlab-ci.yml b/debian/gitlab-ci.yml
new file mode 100644
index 0000000..594e14e
--- /dev/null
+++ b/debian/gitlab-ci.yml
@@ -0,0 +1,6 @@
+# auto-generated, DO NOT MODIFY.
+# The authoritative copy of this file lives at:
+# https://salsa.debian.org/go-team/infra/pkg-go-tools/blob/master/config/gitlabciyml.go
+---
+include:
+ - https://salsa.debian.org/go-team/infra/pkg-go-tools/-/raw/master/pipeline/test-archive.yml
diff --git a/debian/patches/avoid-boulder.patch b/debian/patches/avoid-boulder.patch
new file mode 100644
index 0000000..9cbee94
--- /dev/null
+++ b/debian/patches/avoid-boulder.patch
@@ -0,0 +1,63 @@
+commit 548f37171bb96d28553f37dc2e03c4975db697f3 (HEAD -> release-1.6)
+Author: Reinhard Tartler <siretart@tauware.de>
+Date: Thu Apr 6 20:24:46 2023 -0400
+
+ Drop dependency on boulder, disable RSA checks
+
+Index: golang-github-sigstore-sigstore/pkg/cryptoutils/publickey.go
+===================================================================
+--- golang-github-sigstore-sigstore.orig/pkg/cryptoutils/publickey.go
++++ golang-github-sigstore-sigstore/pkg/cryptoutils/publickey.go
+@@ -16,7 +16,6 @@
+ package cryptoutils
+
+ import (
+- "context"
+ "crypto"
+ "crypto/ecdsa"
+ "crypto/ed25519"
+@@ -30,8 +29,6 @@ import (
+ "encoding/pem"
+ "errors"
+ "fmt"
+-
+- "github.com/letsencrypt/boulder/goodkey"
+ )
+
+ const (
+@@ -139,20 +136,8 @@ func genErrMsg(first, second crypto.Publ
+ func ValidatePubKey(pub crypto.PublicKey) error {
+ switch pk := pub.(type) {
+ case *rsa.PublicKey:
+- // goodkey policy enforces:
+- // * Size of key: 2048 <= size <= 4096, size % 8 = 0
+- // * Exponent E = 65537 (Default exponent for OpenSSL and Golang)
+- // * Small primes check for modulus
+- // * Weak keys generated by Infineon hardware (see https://crocs.fi.muni.cz/public/papers/rsa_ccs17)
+- // * Key is easily factored with Fermat's factorization method
+- p, err := goodkey.NewKeyPolicy(&goodkey.Config{FermatRounds: 100}, nil)
+- if err != nil {
+- // Should not occur, only chances to return errors are if fermat rounds
+- // are <0 or when loading blocked/weak keys from disk (not used here)
+- return errors.New("unable to initialize key policy")
+- }
+- // ctx is unused
+- return p.GoodKey(context.Background(), pub)
++ // Avoid dependency on Goodkey for debian
++ return nil;
+ case *ecdsa.PublicKey:
+ // Unable to use goodkey policy because P-521 curve is not supported
+ return validateEcdsaKey(pk)
+Index: golang-github-sigstore-sigstore/pkg/cryptoutils/publickey_test.go
+===================================================================
+--- golang-github-sigstore-sigstore.orig/pkg/cryptoutils/publickey_test.go
++++ golang-github-sigstore-sigstore/pkg/cryptoutils/publickey_test.go
+@@ -183,6 +183,8 @@ func TestValidatePubKeyUnsupported(t *te
+ }
+
+ func TestValidatePubKeyRsa(t *testing.T) {
++ t.Skip("Validations disabled for Debian")
++
+ // Validate common RSA key sizes
+ for _, bits := range []int{2048, 3072, 4096} {
+ priv, err := rsa.GenerateKey(rand.Reader, bits)
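Review bot: The replacement `return nil;` in the `*rsa.PublicKey` case of ValidatePubKey makes every RSA key pass validation, so all the checks listed in the removed comment are lost in the Debian build, not only the ones that need boulder's goodkey package. The key-size and exponent rules from that comment (2048 to 4096 bits, a multiple of 8, E = 65537) need only the standard library and could stay, as sketched below. The small-primes, Infineon weak-key and Fermat checks would still be missing, and the patch description should say so. With the reduced checks in place, TestValidatePubKeyRsa could probably keep its key-size cases instead of being skipped wholesale by `t.Skip`. The rest of ValidatePubKey lies outside the hunk.

```go
	case *rsa.PublicKey:
		// Debian: goodkey (boulder) is not available; keep the checks
		// that need only the standard library.
		if pk.N == nil {
			return errors.New("rsa public key has no modulus")
		}
		if bits := pk.N.BitLen(); bits < 2048 || bits > 4096 || bits%8 != 0 {
			return fmt.Errorf("unsupported rsa key size: %d", bits)
		}
		if pk.E != 65537 {
			return errors.New("unsupported rsa public exponent")
		}
		return nil
	// … unchanged: ecdsa and later cases …
```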
diff --git a/debian/patches/disable-TestGetCode.patch b/debian/patches/disable-TestGetCode.patch
new file mode 100644
index 0000000..64909ea
--- /dev/null
+++ b/debian/patches/disable-TestGetCode.patch
@@ -0,0 +1,12 @@
+Index: golang-github-sigstore-sigstore/pkg/oauthflow/flow_test.go
+===================================================================
+--- golang-github-sigstore-sigstore.orig/pkg/oauthflow/flow_test.go
++++ golang-github-sigstore-sigstore/pkg/oauthflow/flow_test.go
+@@ -1,3 +1,7 @@
++// +build debian_disabled
++
++// causes a weird segfault in debian
++
+ //
+ // Copyright 2021 The Sigstore Authors.
+ //
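Review bot: The `// +build debian_disabled` constraint added at the top of pkg/oauthflow/flow_test.go removes every test in that file from the Debian build, although the patch name and the comment `// causes a weird segfault in debian` point at a single crash in TestGetCode. A `t.Skip("segfaults on Debian, see <bug reference>")` at the start of the crashing test would keep the remaining OAuth flow tests running and record where the crash is tracked. The same file-wide tag is applied to four more test files in disable-tests-that-download.ptach. Where a file does stay excluded, the current form `//go:build debian_disabled` should accompany the old `// +build` line.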
diff --git a/debian/patches/disable-tests-that-download.ptach b/debian/patches/disable-tests-that-download.ptach
new file mode 100644
index 0000000..f0abd0d
--- /dev/null
+++ b/debian/patches/disable-tests-that-download.ptach
@@ -0,0 +1,49 @@
+Index: golang-github-sigstore-sigstore/pkg/tuf/client_test.go
+===================================================================
+--- golang-github-sigstore-sigstore.orig/pkg/tuf/client_test.go
++++ golang-github-sigstore-sigstore/pkg/tuf/client_test.go
+@@ -1,3 +1,7 @@
++// +build debian_disabled
++
++// disabled in debian as these tests require internet connectivity
++
+ //
+ // Copyright 2022 The Sigstore Authors.
+ //
+Index: golang-github-sigstore-sigstore/pkg/signature/kms/azure/client_test.go
+===================================================================
+--- golang-github-sigstore-sigstore.orig/pkg/signature/kms/azure/client_test.go
++++ golang-github-sigstore-sigstore/pkg/signature/kms/azure/client_test.go
+@@ -1,3 +1,7 @@
++// +build debian_disabled
++
++// disabled in debian as these tests require internet connectivity
++
+ //
+ // Copyright 2022 The Sigstore Authors.
+ //
+Index: golang-github-sigstore-sigstore/pkg/oauth/oidc/pkce_test.go
+===================================================================
+--- golang-github-sigstore-sigstore.orig/pkg/oauth/oidc/pkce_test.go
++++ golang-github-sigstore-sigstore/pkg/oauth/oidc/pkce_test.go
+@@ -1,3 +1,7 @@
++// +build debian_disabled
++
++// disabled in debian as these tests require internet connectivity
++
+ // Copyright 2022 The Sigstore Authors.
+ //
+ // Licensed under the Apache License, Version 2.0 (the "License");
+Index: golang-github-sigstore-sigstore/pkg/oauthflow/pkce_test.go
+===================================================================
+--- golang-github-sigstore-sigstore.orig/pkg/oauthflow/pkce_test.go
++++ golang-github-sigstore-sigstore/pkg/oauthflow/pkce_test.go
+@@ -1,3 +1,8 @@
++// +build debian_disabled
++
++// disabled in debian as these tests require internet connectivity
++
++
+ //
+ // Copyright 2021 The Sigstore Authors.
+ //
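Review bot: The file name ends in `.ptach` rather than `.patch`; it is applied only because debian/patches/series repeats the same spelling, and anything that selects patches by the `.patch` suffix would pass over it. Renaming it to `disable-tests-that-download.patch` and updating the series entry fixes that. The kms/azure hunk looks redundant, since debian/rules already lists `kms/azure` in `DH_GOLANG_EXCLUDES`. The tuf hunk takes the whole of pkg/tuf/client_test.go out of the build, so skipping only the tests that need network access would, if feasible, keep the offline coverage of the TUF client.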
diff --git a/debian/patches/jose-v2.patch b/debian/patches/jose-v2.patch
new file mode 100644
index 0000000..580e20a
--- /dev/null
+++ b/debian/patches/jose-v2.patch
@@ -0,0 +1,47 @@
+From: Reinhard Tartler
+Subject: Revert back to go-jose v2
+
+This reverts:
+
+commit 7bf125c5120e99d5ff7fd579650ffcc84df8edc6
+Author: Miloslav Trmač <mitr@redhat.com>
+Date: Tue Feb 14 09:23:14 2023 +0100
+
+ Migrate from gopkg.in/square/go-jose.v2 to github.com/go-jose/go-jose/v3 (#969)
+
+ https://github.com/square/go-jose/tree/master says the former is deprecated.
+ Moving everything to /v3 will, eventually, allow callers to only contain one
+ vendored implementation instead of up to 3.
+
+ Signed-off-by: Miloslav Trmač <mitr@redhat.com>
+
+
+diff --git a/pkg/oauthflow/flow.go b/pkg/oauthflow/flow.go
+index c5251c3..38df970 100644
+--- b/pkg/oauthflow/flow.go
++++ a/pkg/oauthflow/flow.go
+@@ -21,9 +21,9 @@
+ "errors"
+
+ "github.com/coreos/go-oidc/v3/oidc"
+- "github.com/go-jose/go-jose/v3"
+ soauth "github.com/sigstore/sigstore/pkg/oauth"
+ "golang.org/x/oauth2"
++ "gopkg.in/square/go-jose.v2"
+ )
+
+ const (
+diff --git a/pkg/oauthflow/flow_test.go b/pkg/oauthflow/flow_test.go
+index 703ec98..8eba8e6 100644
+--- b/pkg/oauthflow/flow_test.go
++++ a/pkg/oauthflow/flow_test.go
+@@ -26,8 +26,8 @@
+ "reflect"
+ "testing"
+
+- "github.com/go-jose/go-jose/v3"
+ "golang.org/x/oauth2"
++ "gopkg.in/square/go-jose.v2"
+ )
+
+ func TestGetCodeWorking(t *testing.T) {
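Review bot: This revert puts pkg/oauthflow/flow.go back on `gopkg.in/square/go-jose.v2`, which the quoted upstream commit message itself describes as deprecated, and the patch header does not say why Debian needs the revert or when it can be dropped. The library presumably handles the JOSE objects used in the OAuth flow, so staying on a deprecated release line deserves a stated reason. DEP-3 headers such as `Forwarded: not-needed`, plus a Description line naming the blocker (for example that go-jose v3 is not yet packaged, to be confirmed by the maintainer), would document it. The file headers are also reversed (`--- b/`, `+++ a/`), which reads like reverse-diff output and is worth normalising when the patch is refreshed.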
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..068faf1
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,4 @@
+jose-v2.patch
+avoid-boulder.patch
+disable-tests-that-download.ptach
+disable-TestGetCode.patch
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..60e6216
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,19 @@
+#!/usr/bin/make -f
+
+export DH_GOLANG_INSTALL_ALL := 1
+export DH_GOLANG_EXCLUDES := kms/hashivault kms/gcp kms/azure test/fuzz
+
+%:
+ dh $@ --builddirectory=_build --buildsystem=golang --with=golang
+
+override_dh_auto_test:
+# disable tests for now
+ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
+ # make test binaries available where the tests expect them
+ mkdir -p -m700 $(CURDIR)/debian/tmp-home/
+ env \
+ HOME=$(CURDIR)/debian/tmp-home/.cache \
+ DH_GOLANG_EXCLUDES="$${DH_GOLANG_EXCLUDES}" \
+ dh_auto_test -v --max-parallel=2 -- -tags "$(BUILDTAGS)"
+ rm -rf $(CURDIR)/debian/tmp-home
+endif
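Review bot: The comment `# disable tests for now` above the `ifeq` in override_dh_auto_test contradicts the recipe, which runs dh_auto_test unless `nocheck` is set; it should read something like `# run the test suite unless DEB_BUILD_OPTIONS contains nocheck`. In the same recipe `HOME` is set to `$(CURDIR)/debian/tmp-home/.cache` while only `debian/tmp-home/` is created with mode 700, so HOME names a directory that does not exist; `HOME=$(CURDIR)/debian/tmp-home` looks like the intent. `$(BUILDTAGS)` is not defined anywhere in this file, so `-tags ""` is passed unless the environment supplies a value. The `DH_GOLANG_EXCLUDES="$${DH_GOLANG_EXCLUDES}"` line repeats a variable that is already exported at the top.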
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..c89c457
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,5 @@
+---
+Bug-Database: https://github.com/sigstore/sigstore/issues
+Bug-Submit: https://github.com/sigstore/sigstore/issues/new
+Repository: https://github.com/sigstore/sigstore.git
+Repository-Browse: https://github.com/sigstore/sigstore
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..6308f8a
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,4 @@
+version=4
+opts="filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%@PACKAGE@-$1.tar.gz%,\
+ uversionmangle=s/(\d)[_\.\-\+]?(RC|rc|pre|dev|beta|alpha)[.]?(\d*)$/$1~$2$3/" \
+ https://github.com/sigstore/sigstore/tags .*/v?(\d\S*)\.tar\.gz debian