eclass/verify-sig: Sync with Gentoo

It's from Gentoo commit 115181ac99d8d65fba3d4cb33270e02f609b8fc4.
2025-11-28 14:01:43 +01:00 · 2024-10-21 07:07:35 +00:00 · 2024-10-21 07:07:35 +00:00 · 87c1157870
commit 87c1157870
parent a63a7d86c6
1 changed files with 66 additions and 8 deletions
--- a/sdk_container/src/third_party/portage-stable/eclass/verify-sig.eclass
+++ b/sdk_container/src/third_party/portage-stable/eclass/verify-sig.eclass
@ -57,6 +57,7 @@ IUSE="verify-sig"
 #
 #  - minisig -- verify signatures with (base64) Ed25519 public key using app-crypt/minisign
 #  - openpgp -- verify PGP signatures using app-crypt/gnupg (the default)
+#  - sigstore -- verify signatures using dev-python/sigstore
 #  - signify -- verify signatures with Ed25519 public key using app-crypt/signify
 : "${VERIFY_SIG_METHOD:=openpgp}"

@ -75,6 +76,14 @@ case ${VERIFY_SIG_METHOD} in
 	signify)
 		BDEPEND="verify-sig? ( app-crypt/signify )"
 		;;
+	sigstore)
+		BDEPEND="
+			verify-sig? (
+				dev-python/sigstore
+				sec-keys/sigstore-trusted-root
+			)
+		"
+		;;
 	*)
 		die "${ECLASS}: unknown method '${VERIFY_SIG_METHOD}'"
 		;;
@ -89,8 +98,19 @@ esac
 #
 # The value of BROOT will be prepended to this path automatically.
 #
-# NB: this variable is also used for non-OpenPGP signatures.  The name
-# contains "OPENPGP" for historical reasons.
+# This variable is also used for non-OpenPGP signatures.  The name
+# contains "OPENPGP" for historical reasons.  It is not used
+# for sigstore, since it uses a single trusted root.
+
+# @ECLASS_VARIABLE: VERIFY_SIG_CERT_IDENTITY
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# --cert-identity passed to sigstore invocation.
+
+# @ECLASS_VARIABLE: VERIFY_SIG_CERT_OIDC_ISSUER
+# @DEFAULT_UNSET
+# @DESCRIPTION:
+# --cert-oidc-issuer passed to sigstore invocation.

 # @ECLASS_VARIABLE: VERIFY_SIG_OPENPGP_KEYSERVER
 # @DEFAULT_UNSET
@ -108,7 +128,7 @@ esac
 # in make.conf to enable.  Note that this requires working Internet
 # connection.
 #
-# Supported for OpenPGP only.
+# Supported for OpenPGP and sigstore.
 : "${VERIFY_SIG_OPENPGP_KEY_REFRESH:=no}"

 # @FUNCTION: verify-sig_verify_detached
@ -123,7 +143,17 @@ verify-sig_verify_detached() {
 	local sig=${2}
 	local key=${3}

-	if [[ -z ${key} ]]; then
+	if [[ ${VERIFY_SIG_METHOD} == sigstore ]]; then
+		if [[ -n ${key:-${VERIFY_SIG_OPENPGP_KEY_PATH}} ]]; then
+			die "${FUNCNAME}: key unexpectedly specified for sigstore"
+		fi
+		if [[ -z ${VERIFY_SIG_CERT_IDENTITY} ]]; then
+			die "${FUNCNAME}: VERIFY_SIG_CERT_IDENTITY must be specified for sigstore"
+		fi
+		if [[ -z ${VERIFY_SIG_CERT_OIDC_ISSUER} ]]; then
+			die "${FUNCNAME}: VERIFY_SIG_CERT_OIDC_ISSUER must be specified for sigstore"
+		fi
+	elif [[ -z ${key} ]]; then
 		if [[ -z ${VERIFY_SIG_OPENPGP_KEY_PATH} ]]; then
 			die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
 		else
@ -132,7 +162,6 @@ verify-sig_verify_detached() {
 	fi

 	local extra_args=()
-	[[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
 	if [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]]; then
 		[[ ${VERIFY_SIG_METHOD} == openpgp ]] ||
 			die "${FUNCNAME}: VERIFY_SIG_OPENPGP_KEYSERVER is not supported"
@ -152,10 +181,15 @@ verify-sig_verify_detached() {
 	einfo "Verifying ${filename} ..."
 	case ${VERIFY_SIG_METHOD} in
 		minisig)
-			minisign -V -P "$(<"${key}")" -x "${sig}" -m "${file}" ||
+			minisign "${extra_args[@]}" \
+				-V -P "$(<"${key}")" -x "${sig}" -m "${file}" ||
 				die "minisig signature verification failed"
 			;;
 		openpgp)
+			if [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} != yes ]]; then
+				extra_args+=( -R )
+			fi
+
 			# gpg can't handle very long TMPDIR
 			# https://bugs.gentoo.org/854492
 			local -x TMPDIR=/tmp
@ -165,9 +199,27 @@ verify-sig_verify_detached() {
 				die "PGP signature verification failed"
 			;;
 		signify)
-			signify -V -p "${key}" -m "${file}" -x "${sig}" ||
+			signify "${extra_args[@]}" \
+				-V -p "${key}" -m "${file}" -x "${sig}" ||
 				die "Signify signature verification failed"
 			;;
+		sigstore)
+			if [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} != yes ]]; then
+				extra_args+=( --offline )
+			fi
+
+			cp -r "${BROOT}"/usr/share/sigstore-gentoo/{.cache,.local} \
+				"${HOME}"/ || die
+			sigstore verify identity "${extra_args[@]}" \
+				--bundle "${sig}" \
+				--cert-identity "${VERIFY_SIG_CERT_IDENTITY}" \
+				--cert-oidc-issuer "${VERIFY_SIG_CERT_OIDC_ISSUER}" \
+				"${file}" ||
+				die "Sigstore signature verification failed"
+			;;
+		*)
+			die "${FUNCNAME} not supported with ${VERIFY_SIG_METHOD}"
+			;;
 	esac
 }

@ -229,6 +281,9 @@ verify-sig_verify_message() {
 			signify -V -e -p "${key}" -m "${output_file}" -x "${file}" ||
 				die "Signify signature verification failed"
 			;;
+		*)
+			die "${FUNCNAME} not supported with ${VERIFY_SIG_METHOD}"
+			;;
 	esac
 }

@ -362,6 +417,9 @@ verify-sig_verify_signed_checksums() {
 				-x "${checksum_file}" "${files[@]}" ||
 				die "Signify signature verification failed"
 			;;
+		*)
+			die "${FUNCNAME} not supported with ${VERIFY_SIG_METHOD}"
+			;;
 	esac
 }

@ -380,7 +438,7 @@ verify-sig_src_unpack() {
 		# find all distfiles and signatures, and combine them
 		for f in ${A}; do
 			found=
-			for suffix in .asc .sig .minisig; do
+			for suffix in .asc .sig .minisig .sigstore; do
 				if [[ ${f} == *${suffix} ]]; then
 					signatures+=( "${f}" )
 					found=sig