Hi,

dev-python/sigstore is yet another NIH signature verification tool. Python is planning to use it exclusively starting with Python 3.14. It uses some fancy PKI-like infrastructure backed by OAuth against some popular providers (read: now Google and Microsoft will hold keys used to sign Python releases).

This patch set adds:

1. A package to install up-to-date root certificates for sigstore. It also has a test phase that can be used to verify if we need to wrap up a new version.

2. verify-sig support for verifying detached signatures against it. No other kinds of signatures are implemented, and I have no clue if they are supported at all.

3. An example Python 3.13.0 patch to use it. That said, I don't think we will actually use it for existing versions, just when there are no PGP signatures anymore.

Michał Górny (5):
  sec-keys/sigstore-trusted-root: New package, v0_p20241010
  verify-sig.eclass: Refactor code to use extra_args for all types
  verify-sig.eclass: Error out on invalid method+function combos
  verify-sig.eclass: Add support for verifying sigstore signatures
  dev-lang/python: Use sigstore in 3.13.0 (example)

 dev-lang/python/Manifest                                          |  2 +-
 dev-lang/python/python-3.13.0.ebuild                              |  8 +-
 eclass/verify-sig.eclass                                          | 74 +++++++++++++++++--
 sec-keys/sigstore-trusted-root/Manifest                           |  2 +
 sec-keys/sigstore-trusted-root/metadata.xml                       |  8 ++
 .../sigstore-trusted-root-0_p20241010.ebuild                      | 54 ++++++++++++++
 6 files changed, 136 insertions(+), 12 deletions(-)
 create mode 100644 sec-keys/sigstore-trusted-root/Manifest
 create mode 100644 sec-keys/sigstore-trusted-root/metadata.xml
 create mode 100644 sec-keys/sigstore-trusted-root/sigstore-trusted-root-0_p20241010.ebuild

-- 
2.47.0