From 779b77a7e44c4e3409ca0edfcf7ac85ce316ffb7 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Tue, 16 Apr 2024 19:37:07 +0200
Subject: Adding debian version 1.8.0-2.
Signed-off-by: Daniel Baumann
---
debian/changelog | 40 +++++++++++++
debian/control | 75 ++++++++++++++++++++++++
debian/copyright | 29 +++++++++
debian/fix.scanned.copyright | 1 +
debian/gbp.conf | 3 +
debian/gitlab-ci.yml | 6 ++
debian/patches/avoid-boulder.patch | 63 ++++++++++++++++++++
debian/patches/disable-TestGetCode.patch | 12 ++++
debian/patches/disable-tests-that-download.ptach | 49 ++++++++++++++++
debian/patches/jose-v2.patch | 47 +++++++++++++++
debian/patches/series | 4 ++
debian/rules | 19 ++++++
debian/source/format | 1 +
debian/upstream/metadata | 5 ++
debian/watch | 4 ++
15 files changed, 358 insertions(+)
create mode 100644 debian/changelog
create mode 100644 debian/control
create mode 100644 debian/copyright
create mode 100644 debian/fix.scanned.copyright
create mode 100644 debian/gbp.conf
create mode 100644 debian/gitlab-ci.yml
create mode 100644 debian/patches/avoid-boulder.patch
create mode 100644 debian/patches/disable-TestGetCode.patch
create mode 100644 debian/patches/disable-tests-that-download.ptach
create mode 100644 debian/patches/jose-v2.patch
create mode 100644 debian/patches/series
create mode 100755 debian/rules
create mode 100644 debian/source/format
create mode 100644 debian/upstream/metadata
create mode 100644 debian/watch
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..3281409
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,40 @@
+golang-github-sigstore-sigstore (1.8.0-2) unstable; urgency=medium
+
+ * Team upload.
+ * Upload to unstable.
+ * Add securesystemslib >= 0.8 for binary package too.
+
+ -- Simon Josefsson Wed, 24 Jan 2024 16:25:37 +0100
+
+golang-github-sigstore-sigstore (1.8.0-1) experimental; urgency=medium
+
+ * Team upload.
+ * New upstream release
+ * Need securesystemslib 0.8
+
+ -- Simon Josefsson Tue, 16 Jan 2024 23:48:07 +0100
+
+golang-github-sigstore-sigstore (1.7.5-1) unstable; urgency=medium
+
+ * New upstream release
+ * Enable most of the test suite
+
+ -- Reinhard Tartler Tue, 21 Nov 2023 15:03:25 +0000
+
+golang-github-sigstore-sigstore (1.4.0-3) unstable; urgency=medium
+
+ * Build against securesystemslib 0.7
+
+ -- Reinhard Tartler Fri, 27 Oct 2023 11:51:14 -0400
+
+golang-github-sigstore-sigstore (1.4.0-2) unstable; urgency=medium
+
+ * Upload to unstable
+
+ -- Reinhard Tartler Sun, 20 Aug 2023 19:54:04 -0400
+
+golang-github-sigstore-sigstore (1.4.0-1) experimental; urgency=medium
+
+ * Initial release, Closes: #1029170
+
+ -- Reinhard Tartler Tue, 18 Jul 2023 21:15:28 -0400
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..2dc3ad0
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,75 @@
+Source: golang-github-sigstore-sigstore
+Maintainer: Debian Go Packaging Team
+Uploaders: Reinhard Tartler
+Section: golang
+Testsuite: autopkgtest-pkg-go
+Priority: optional
+Build-Depends: debhelper-compat (= 13),
+ dh-golang,
+ golang-any,
+ golang-github-azure-azure-sdk-for-go-dev,
+ golang-github-azure-go-autorest-dev,
+ golang-github-aws-aws-sdk-go-v2-dev,
+ golang-github-coreos-go-oidc-dev,
+ golang-github-go-test-deep-dev,
+ golang-github-google-go-cmp-dev,
+ golang-github-google-go-containerregistry-dev,
+ golang-github-coreos-go-oidc-v3-dev,
+# golang-github-hashicorp-vault-dev,
+ golang-github-jellydator-ttlcache-dev,
+ golang-github-mitchellh-go-homedir-dev,
+ golang-github-pkg-browser-dev,
+ golang-github-secure-systems-lab-go-securesystemslib-dev (>> 0.8.0~),
+ golang-github-segmentio-ksuid-dev,
+ golang-github-skratchdot-open-golang-dev,
+ golang-github-stretchr-testify-dev,
+ golang-github-theupdateframework-go-tuf-dev,
+ golang-golang-x-crypto-dev,
+ golang-golang-x-oauth2-dev,
+ golang-golang-x-term-dev,
+ golang-google-api-dev,
+ golang-google-genproto-dev,
+ golang-google-protobuf-dev,
+# golang-googlecloud-go-dev,
+ golang-gopkg-square-go-jose.v2-dev
+Standards-Version: 4.6.2
+Vcs-Browser: https://salsa.debian.org/go-team/packages/golang-github-sigstore-sigstore
+Vcs-Git: https://salsa.debian.org/go-team/packages/golang-github-sigstore-sigstore.git
+Homepage: https://github.com/sigstore/sigstore
+Rules-Requires-Root: no
+XS-Go-Import-Path: github.com/sigstore/sigstore
+
+Package: golang-github-sigstore-sigstore-dev
+Architecture: all
+Multi-Arch: foreign
+Depends: golang-github-azure-azure-sdk-for-go-dev,
+ golang-github-azure-go-autorest-dev,
+ golang-github-aws-aws-sdk-go-v2-dev,
+ golang-github-coreos-go-oidc-dev,
+ golang-github-go-test-deep-dev,
+ golang-github-google-go-cmp-dev,
+ golang-github-google-go-containerregistry-dev,
+ golang-github-coreos-go-oidc-v3-dev,
+# golang-github-hashicorp-vault-dev,
+ golang-github-jellydator-ttlcache-dev,
+ golang-github-mitchellh-go-homedir-dev,
+ golang-github-pkg-browser-dev,
+ golang-github-secure-systems-lab-go-securesystemslib-dev (>> 0.8.0~),
+ golang-github-segmentio-ksuid-dev,
+ golang-github-skratchdot-open-golang-dev,
+ golang-github-stretchr-testify-dev,
+ golang-github-theupdateframework-go-tuf-dev,
+ golang-golang-x-crypto-dev,
+ golang-golang-x-oauth2-dev,
+ golang-golang-x-term-dev,
+ golang-google-api-dev,
+ golang-google-genproto-dev,
+ golang-google-protobuf-dev,
+# golang-googlecloud-go-dev,
+ golang-gopkg-square-go-jose.v2-dev,
+ ${misc:Depends}
+Description: Common go library shared across sigstore services and clients (library)
+ sigstore/sigstore is a generic library / framework that is utilized by
+ various other clients and projects including fulcio (webPKI), cosign
+ (container and OCI signing tool) and tektoncd/chains (Supply Chain
+ Security in Tekton Pipelines).
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..052b350
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,29 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: sigstore
+Source: https://github.com/sigstore/sigstore
+
+Files: *
+Copyright: 2021-2023 The Sigstore Authors.
+License: Apache-2.0
+
+Files: debian/*
+Copyright: 2023 Reinhard Tartler
+ 2024 Simon Josefsson
+License: Apache-2.0
+Comment: Debian packaging is licensed under the same terms as upstream
+
+License: Apache-2.0
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+ http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+Comment:
+ On Debian systems, the complete text of the Apache version 2.0 license
+ can be found in "/usr/share/common-licenses/Apache-2.0".
diff --git a/debian/fix.scanned.copyright b/debian/fix.scanned.copyright
new file mode 100644
index 0000000..0d477d3
--- /dev/null
+++ b/debian/fix.scanned.copyright
@@ -0,0 +1 @@
+! copyright Files:~/.*/ Copyright="2021-2023 The Sigstore Authors."
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..3d450c2
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = debian/sid
+dist = DEP14
diff --git a/debian/gitlab-ci.yml b/debian/gitlab-ci.yml
new file mode 100644
index 0000000..594e14e
--- /dev/null
+++ b/debian/gitlab-ci.yml
@@ -0,0 +1,6 @@
+# auto-generated, DO NOT MODIFY.
+# The authoritative copy of this file lives at:
+# https://salsa.debian.org/go-team/infra/pkg-go-tools/blob/master/config/gitlabciyml.go
+---
+include:
+ - https://salsa.debian.org/go-team/infra/pkg-go-tools/-/raw/master/pipeline/test-archive.yml
diff --git a/debian/patches/avoid-boulder.patch b/debian/patches/avoid-boulder.patch
new file mode 100644
index 0000000..9cbee94
--- /dev/null
+++ b/debian/patches/avoid-boulder.patch
@@ -0,0 +1,63 @@
+commit 548f37171bb96d28553f37dc2e03c4975db697f3 (HEAD -> release-1.6)
+Author: Reinhard Tartler
+Date: Thu Apr 6 20:24:46 2023 -0400
+
+ Drop dependency on boulder, disable RSA checks
+
+Index: golang-github-sigstore-sigstore/pkg/cryptoutils/publickey.go
+===================================================================
+--- golang-github-sigstore-sigstore.orig/pkg/cryptoutils/publickey.go
++++ golang-github-sigstore-sigstore/pkg/cryptoutils/publickey.go
+@@ -16,7 +16,6 @@
+ package cryptoutils
+
+ import (
+- "context"
+ "crypto"
+ "crypto/ecdsa"
+ "crypto/ed25519"
+@@ -30,8 +29,6 @@ import (
+ "encoding/pem"
+ "errors"
+ "fmt"
+-
+- "github.com/letsencrypt/boulder/goodkey"
+ )
+
+ const (
+@@ -139,20 +136,8 @@ func genErrMsg(first, second crypto.Publ
+ func ValidatePubKey(pub crypto.PublicKey) error {
+ switch pk := pub.(type) {
+ case *rsa.PublicKey:
+- // goodkey policy enforces:
+- // * Size of key: 2048 <= size <= 4096, size % 8 = 0
+- // * Exponent E = 65537 (Default exponent for OpenSSL and Golang)
+- // * Small primes check for modulus
+- // * Weak keys generated by Infineon hardware (see https://crocs.fi.muni.cz/public/papers/rsa_ccs17)
+- // * Key is easily factored with Fermat's factorization method
+- p, err := goodkey.NewKeyPolicy(&goodkey.Config{FermatRounds: 100}, nil)
+- if err != nil {
+- // Should not occur, only chances to return errors are if fermat rounds
+- // are <0 or when loading blocked/weak keys from disk (not used here)
+- return errors.New("unable to initialize key policy")
+- }
+- // ctx is unused
+- return p.GoodKey(context.Background(), pub)
++ // Avoid dependency on Goodkey for debian
++ return nil;
+ case *ecdsa.PublicKey:
+ // Unable to use goodkey policy because P-521 curve is not supported
+ return validateEcdsaKey(pk)
+Index: golang-github-sigstore-sigstore/pkg/cryptoutils/publickey_test.go
+===================================================================
+--- golang-github-sigstore-sigstore.orig/pkg/cryptoutils/publickey_test.go
++++ golang-github-sigstore-sigstore/pkg/cryptoutils/publickey_test.go
+@@ -183,6 +183,8 @@ func TestValidatePubKeyUnsupported(t *te
+ }
+
+ func TestValidatePubKeyRsa(t *testing.T) {
++ t.Skip("Validations disabled for Debian")
++
+ // Validate common RSA key sizes
+ for _, bits := range []int{2048, 3072, 4096} {
+ priv, err := rsa.GenerateKey(rand.Reader, bits)
diff --git a/debian/patches/disable-TestGetCode.patch b/debian/patches/disable-TestGetCode.patch
new file mode 100644
index 0000000..64909ea
--- /dev/null
+++ b/debian/patches/disable-TestGetCode.patch
@@ -0,0 +1,12 @@
+Index: golang-github-sigstore-sigstore/pkg/oauthflow/flow_test.go
+===================================================================
+--- golang-github-sigstore-sigstore.orig/pkg/oauthflow/flow_test.go
++++ golang-github-sigstore-sigstore/pkg/oauthflow/flow_test.go
+@@ -1,3 +1,7 @@
++// +build debian_disabled
++
++// causes a weird segfault in debian
++
+ //
+ // Copyright 2021 The Sigstore Authors.
+ //
diff --git a/debian/patches/disable-tests-that-download.ptach b/debian/patches/disable-tests-that-download.ptach
new file mode 100644
index 0000000..f0abd0d
--- /dev/null
+++ b/debian/patches/disable-tests-that-download.ptach
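Review bot: After avoid-boulder.patch the RSA case of `ValidatePubKey` in pkg/cryptoutils/publickey.go ends in `return nil;`, so every RSA public key is reported as valid, including the ones the removed comment says goodkey rejected (modulus outside 2048–4096 bits, exponent other than 65537, small-prime factors, Infineon-generated weak keys, Fermat-factorable moduli). Callers that treat this function as their key-strength gate get no indication that the gate is open in the Debian build. The size and exponent rules need only `pk.N`, `pk.E` and the `errors`/`fmt` imports the patch keeps, so they can stay without boulder as sketched below; the remaining goodkey checks would still be absent, and the function's doc comment and the patch description should say so. The trailing semicolon is not gofmt-clean, and the blanket `t.Skip` in `TestValidatePubKeyRsa` (whose body, like the rest of the switch, continues outside the hunk) could then be narrowed to the cases that need goodkey.

```go
	case *rsa.PublicKey:
		// Debian: boulder/goodkey is not packaged. Keep the size and exponent
		// rules that need only the standard library; the small-prime, Infineon
		// and Fermat checks from goodkey are NOT performed here.
		if pk.N == nil {
			return errors.New("rsa public key has no modulus")
		}
		if bits := pk.N.BitLen(); bits < 2048 || bits > 4096 || bits%8 != 0 {
			return fmt.Errorf("unsupported rsa key size: %d bits", bits)
		}
		if pk.E != 65537 {
			return errors.New("unsupported rsa public exponent")
		}
		return nil
	// … unchanged: ecdsa case and the rest of the switch …
```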
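Review bot: The header added to pkg/oauthflow/flow_test.go by disable-TestGetCode.patch uses only the legacy `// +build debian_disabled` form; gofmt has written `//go:build debian_disabled` since Go 1.17, and adding that line above the old one avoids depending on how a newer toolchain treats the legacy syntax alone. The same applies to the four files touched by disable-tests-that-download.ptach. The stated reason, `// causes a weird segfault in debian`, carries no bug reference, and a file-level constraint removes every test in the file rather than only the one named in the patch filename. A comment such as `// Debian: crashes during the package test run, see #<bug number>` together with a `t.Skip` in the affected test would keep the rest of the file's coverage.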
@@ -0,0 +1,49 @@
+Index: golang-github-sigstore-sigstore/pkg/tuf/client_test.go
+===================================================================
+--- golang-github-sigstore-sigstore.orig/pkg/tuf/client_test.go
++++ golang-github-sigstore-sigstore/pkg/tuf/client_test.go
+@@ -1,3 +1,7 @@
++// +build debian_disabled
++
++// disabled in debian as these tests require internet connectivity
++
+ //
+ // Copyright 2022 The Sigstore Authors.
+ //
+Index: golang-github-sigstore-sigstore/pkg/signature/kms/azure/client_test.go
+===================================================================
+--- golang-github-sigstore-sigstore.orig/pkg/signature/kms/azure/client_test.go
++++ golang-github-sigstore-sigstore/pkg/signature/kms/azure/client_test.go
+@@ -1,3 +1,7 @@
++// +build debian_disabled
++
++// disabled in debian as these tests require internet connectivity
++
+ //
+ // Copyright 2022 The Sigstore Authors.
+ //
+Index: golang-github-sigstore-sigstore/pkg/oauth/oidc/pkce_test.go
+===================================================================
+--- golang-github-sigstore-sigstore.orig/pkg/oauth/oidc/pkce_test.go
++++ golang-github-sigstore-sigstore/pkg/oauth/oidc/pkce_test.go
+@@ -1,3 +1,7 @@
++// +build debian_disabled
++
++// disabled in debian as these tests require internet connectivity
++
+ // Copyright 2022 The Sigstore Authors.
+ //
+ // Licensed under the Apache License, Version 2.0 (the "License");
+Index: golang-github-sigstore-sigstore/pkg/oauthflow/pkce_test.go
+===================================================================
+--- golang-github-sigstore-sigstore.orig/pkg/oauthflow/pkce_test.go
++++ golang-github-sigstore-sigstore/pkg/oauthflow/pkce_test.go
+@@ -1,3 +1,8 @@
++// +build debian_disabled
++
++// disabled in debian as these tests require internet connectivity
++
++
+ //
+ // Copyright 2021 The Sigstore Authors.
+ //
diff --git a/debian/patches/jose-v2.patch b/debian/patches/jose-v2.patch
new file mode 100644
index 0000000..580e20a
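Review bot: The patch file is named `disable-tests-that-download.ptach`; debian/patches/series uses the same spelling so quilt applies it, but any tooling that selects `debian/patches/*.patch` will not see it, and renaming both to `.patch` removes that trap. The build constraint excludes the whole of pkg/tuf/client_test.go and both pkce_test.go files, so the TUF client and PKCE code lose all of their tests in the Debian build, not only the ones that need the network; a per-test `t.Skip("needs network access")` would be narrower, if the network-dependent tests can be told apart (not visible from here). pkg/signature/kms/azure appears to be outside the test run already, since debian/rules lists kms/azure in `DH_GOLANG_EXCLUDES`. The patch also has no DEP-3 header; a `Description:` and `Forwarded: not-needed` line would record that this is a Debian-only change.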
--- /dev/null
+++ b/debian/patches/jose-v2.patch
@@ -0,0 +1,47 @@
+From: Reinhard Tartler
+Subject: Revert back to go-jose v2
+
+This reverts:
+
+commit 7bf125c5120e99d5ff7fd579650ffcc84df8edc6
+Author: Miloslav Trmač
+Date: Tue Feb 14 09:23:14 2023 +0100
+
+ Migrate from gopkg.in/square/go-jose.v2 to github.com/go-jose/go-jose/v3 (#969)
+
+ https://github.com/square/go-jose/tree/master says the former is deprecated.
+ Moving everything to /v3 will, eventually, allow callers to only contain one
+ vendored implementation instead of up to 3.
+
+ Signed-off-by: Miloslav Trmač
+
+
+diff --git a/pkg/oauthflow/flow.go b/pkg/oauthflow/flow.go
+index c5251c3..38df970 100644
+--- b/pkg/oauthflow/flow.go
++++ a/pkg/oauthflow/flow.go
+@@ -21,9 +21,9 @@
+ "errors"
+
+ "github.com/coreos/go-oidc/v3/oidc"
+- "github.com/go-jose/go-jose/v3"
+ soauth "github.com/sigstore/sigstore/pkg/oauth"
+ "golang.org/x/oauth2"
++ "gopkg.in/square/go-jose.v2"
+ )
+
+ const (
+diff --git a/pkg/oauthflow/flow_test.go b/pkg/oauthflow/flow_test.go
+index 703ec98..8eba8e6 100644
+--- b/pkg/oauthflow/flow_test.go
++++ a/pkg/oauthflow/flow_test.go
+@@ -26,8 +26,8 @@
+ "reflect"
+ "testing"
+
+- "github.com/go-jose/go-jose/v3"
+ "golang.org/x/oauth2"
++ "gopkg.in/square/go-jose.v2"
+ )
+
+ func TestGetCodeWorking(t *testing.T) {
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..068faf1
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,4 @@
+jose-v2.patch
+avoid-boulder.patch
+disable-tests-that-download.ptach
+disable-TestGetCode.patch
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..60e6216
--- /dev/null
+++ b/debian/rules
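Review bot: jose-v2.patch puts `gopkg.in/square/go-jose.v2` back into pkg/oauthflow/flow.go and flow_test.go, the module that the quoted upstream commit message itself describes as deprecated, and the patch header does not say why Debian needs the revert or when it can be dropped. Because the import sits in the OAuth/OIDC flow code, fixes that land only in `github.com/go-jose/go-jose/v3` would have to be tracked separately for the v2 package. I would add DEP-3 fields to the header, for example `Forwarded: not-needed` and a `Description:` line giving the reason (presumably that v3 was not packaged at the time, which is not visible here), so the patch is removed once the reason no longer holds. The nested `---`/`+++` lines carry `b/` then `a/`, which is harmless at -p1 but shows the diff was generated in reverse.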
@@ -0,0 +1,19 @@
+#!/usr/bin/make -f
+
+export DH_GOLANG_INSTALL_ALL := 1
+export DH_GOLANG_EXCLUDES := kms/hashivault kms/gcp kms/azure test/fuzz
+
+%:
+ dh $@ --builddirectory=_build --buildsystem=golang --with=golang
+
+override_dh_auto_test:
+# disable tests for now
+ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
+ # make test binaries available where the tests expect them
+ mkdir -p -m700 $(CURDIR)/debian/tmp-home/
+ env \
+ HOME=$(CURDIR)/debian/tmp-home/.cache \
+ DH_GOLANG_EXCLUDES="$${DH_GOLANG_EXCLUDES}" \
+ dh_auto_test -v --max-parallel=2 -- -tags "$(BUILDTAGS)"
+ rm -rf $(CURDIR)/debian/tmp-home
+endif
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..c89c457
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,5 @@
+---
+Bug-Database: https://github.com/sigstore/sigstore/issues
+Bug-Submit: https://github.com/sigstore/sigstore/issues/new
+Repository: https://github.com/sigstore/sigstore.git
+Repository-Browse: https://github.com/sigstore/sigstore
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..6308f8a
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,4 @@
+version=4
+opts="filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%@PACKAGE@-$1.tar.gz%,\
+ uversionmangle=s/(\d)[_\.\-\+]?(RC|rc|pre|dev|beta|alpha)[.]?(\d*)$/$1~$2$3/" \
+ https://github.com/sigstore/sigstore/tags .*/v?(\d\S*)\.tar\.gz debian
-- cgit v1.2.3
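Review bot: In `override_dh_auto_test` of debian/rules the recipe creates `$(CURDIR)/debian/tmp-home/` with mode 700 but exports `HOME=$(CURDIR)/debian/tmp-home/.cache`, a directory that is never created, so the tests start with HOME pointing at a missing path; either export `HOME=$(CURDIR)/debian/tmp-home` or create the `.cache` directory in the `mkdir` line. The comment `# disable tests for now` contradicts the body, which runs `dh_auto_test` unless nocheck is set, and should read something like `# run the test suite with an isolated HOME`. `$(BUILDTAGS)` is not defined in this file, so `-tags` receives an empty string unless the variable comes from the environment. `DH_GOLANG_EXCLUDES` drops kms/hashivault, kms/gcp and kms/azure; a one-line comment giving the reason would tell users of the -dev package why those KMS providers are absent.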