prepare debian 0.28.0 (wip)

Can't release 0.30.0, because crypto dependency is missing

TODO:
- figure out user (needed for permission test) and install/build
  permissions
- figure out debsign (how to safely use host gpg key)
- clean up docker file

debian/Dockerfile

@@ -0,0 +1,66 @@
+
+FROM debian:sid
+
+# Install developer tools
+RUN apt-get update \
+  && apt-get install --no-install-recommends -yV \
+    build-essential \
+    devscripts \
+    debhelper \
+    equivs \
+    wget \
+    sudo
+
+
+RUN useradd builder
+RUN usermod -aG sudo builder
+USER builder
+
+COPY . /tmp/debian
+WORKDIR /tmp
+
+RUN mk-build-deps \
+    --install \
+    --root-cmd sudo \
+    --remove \
+    --tool \
+    'apt-get --no-install-recommends -yV' /tmp/debian/control
+
+
+
+# ARG VERSION
+
+
+# RUN wget https://github.com/secure-systems-lab/securesystemslib/releases/download/v${VERSION}/securesystemslib-${VERSION}.tar.gz \
+#           -O python-securesystemslib_${VERSION}.orig.tar.gz
+# RUN wget https://github.com/secure-systems-lab/securesystemslib/releases/download/v${VERSION}/securesystemslib-${VERSION}.tar.gz.asc \
+#           -O python-securesystemslib_${VERSION}.orig.tar.gz.asc
+
+# RUN tar xf python-securesystemslib_${VERSION}.orig.tar.gz
+# RUN mv debian securesystemslib-${VERSION}
+
+# WORKDIR securesystemslib-${VERSION}
+
+
+# RUN debuild --unsigned-source --unsigned-changes
+
+# docker build -t deb-sid .
+# docker run --rm -it --entrypoint bash deb-sid
+
+
+
+# dget https://mentors.debian.net/debian/pool/main/p/python-securesystemslib/python-securesystemslib_0.28.0-1.dsc
+# tar xf python-securesystemslib_0.28.0-1.debian.tar.xz
+# tar xf python-securesystemslib_0.28.0.orig.tar.gz
+# mv debian securesystemslib-0.28.0/
+# cd securesystemslib-0.28.0
+# mk-build-deps -irt 'apt-get --no-install-recommends -yV' debian/control
+# DEB_BUILD_OPTIONS=nocheck debuild --unsigned-source --unsigned-changes
+# apt install ./python3-securesystemslib_0.28.0-1_all.deb
+
+
+
+
+
+
+# debuild --unsigned-source --unsigned-changes

debian/changelog

@@ -1,3 +1,13 @@
+python-securesystemslib (0.28.0-1) unstable; urgency=medium
+
+  * New upstream release includes among other things:
+    - ...
+
+  * d/control
+    - Change gnupg2 to gnupg
+
+ -- Lukas Puehringer <[email protected]>  Tue, 07 Nov 2023 12:12:00 +0100
+
 python-securesystemslib (0.26.0-1) unstable; urgency=medium
 
   * New upstream release includes among other things:

debian/control

@@ -18,7 +18,7 @@ Build-Depends:
  python3-pykcs11,
  python3-asn1crypto,
  softhsm2,
- gnupg2,
+ gnupg,
 Standards-Version: 4.6.2
 Rules-Requires-Root: no
 Homepage: https://ssl.engineering.nyu.edu
@@ -31,7 +31,7 @@ Depends:
   ${python3:Depends},
   ${misc:Depends},
 Recommends:
- gnupg2,
+ gnupg,
  python3-cryptography,
  python3-nacl,
  python3-pykcs11,

debian/patches/01_rm_sphincs_tests.diff

@@ -9,109 +9,44 @@ Author: Lukas Puehringer <[email protected]>
 Forwarded: not-needed
 ---
 This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
-Index: securesystemslib-0.26.0/tests/test_keys.py
-===================================================================
---- securesystemslib-0.26.0.orig/tests/test_keys.py
-+++ securesystemslib-0.26.0/tests/test_keys.py
-@@ -40,7 +40,6 @@ class TestKeys(unittest.TestCase):  # py
-         cls.rsakey_dict = KEYS.generate_rsa_key()
-         cls.ed25519key_dict = KEYS.generate_ed25519_key()
-         cls.ecdsakey_dict = KEYS.generate_ecdsa_key()
--        cls.sphincskey_dict = KEYS.generate_sphincs_key()
+--- a/tests/test_keys.py
++++ b/tests/test_keys.py
+@@ -33,27 +33,6 @@
+ DATA = securesystemslib.formats.encode_canonical(DATA_STR).encode("utf-8")
 
-     def test_generate_rsa_key(self):
-         _rsakey_dict = KEYS.generate_rsa_key()  # pylint: disable=invalid-name
-@@ -267,7 +266,6 @@ class TestKeys(unittest.TestCase):  # py
-         # Creating a signature for 'DATA'.
-         rsa_signature = KEYS.create_signature(self.rsakey_dict, DATA)
-         ed25519_signature = KEYS.create_signature(self.ed25519key_dict, DATA)
--        sphincs_signature = KEYS.create_signature(self.sphincskey_dict, DATA)
 
-         # Check format of output.
-         self.assertEqual(
-@@ -284,13 +282,6 @@ class TestKeys(unittest.TestCase):  # py
-             ),
-             FORMAT_ERROR_MSG,
-         )
--        self.assertEqual(
--            None,
--            securesystemslib.formats.SIGNATURE_SCHEMA.check_match(
--                sphincs_signature
--            ),
--            FORMAT_ERROR_MSG,
--        )
-
-         # Test for invalid signature scheme.
-         args = (self.rsakey_dict, DATA)
-@@ -344,7 +335,6 @@ class TestKeys(unittest.TestCase):  # py
-         rsa_signature = KEYS.create_signature(self.rsakey_dict, DATA)
-         ed25519_signature = KEYS.create_signature(self.ed25519key_dict, DATA)
-         ecdsa_signature = KEYS.create_signature(self.ecdsakey_dict, DATA)
--        sphincs_signature = KEYS.create_signature(self.sphincskey_dict, DATA)
-
-         # Verifying the 'signature' of 'DATA'.
-         verified = KEYS.verify_signature(self.rsakey_dict, rsa_signature, DATA)
-@@ -368,24 +358,6 @@ class TestKeys(unittest.TestCase):  # py
-         )
-         self.ed25519key_dict["scheme"] = valid_scheme
-
--        # Verifying the 'sphincs_signature' of 'DATA'.
--        verified = KEYS.verify_signature(
--            self.sphincskey_dict, sphincs_signature, DATA
--        )
--        self.assertTrue(verified, "Incorrect signature.")
+-@unittest.skipIf(os.name == "nt", "PySPX n/a on Windows")
+-class TestSphincsKeys(unittest.TestCase):
+-    """Test create keys, sign and verify for sphincs keys."""
 -
--        # Verify that an invalid sphincs signature scheme is rejected.
--        valid_scheme = self.sphincskey_dict["scheme"]
--        self.sphincskey_dict["scheme"] = "invalid_scheme"
--        self.assertRaises(
--            securesystemslib.exceptions.UnsupportedAlgorithmError,
--            KEYS.verify_signature,
--            self.sphincskey_dict,
--            sphincs_signature,
--            DATA,
--        )
--        self.sphincskey_dict["scheme"] = valid_scheme
+-    def test_sphincs_keys(self):
+-        key = KEYS.generate_sphincs_key()
+-        sig = KEYS.create_signature(key, b"data")
+-        self.assertTrue(securesystemslib.formats.SIGNATURE_SCHEMA.matches(sig))
 -
-         # Verifying the 'ecdsa_signature' of 'DATA'.
-         verified = KEYS.verify_signature(
-             self.ecdsakey_dict, ecdsa_signature, DATA
-@@ -432,11 +404,6 @@ class TestKeys(unittest.TestCase):  # py
-         self.assertFalse(verified, "Returned 'True' on an incorrect signature.")
-
-         verified = KEYS.verify_signature(
--            self.sphincskey_dict, sphincs_signature, _DATA
--        )
--        self.assertFalse(verified, "Returned 'True' on an incorrect signature.")
+-        # Assert valid/invalid signature
+-        self.assertTrue(KEYS.verify_signature(key, sig, b"data"))
+-        self.assertFalse(KEYS.verify_signature(key, sig, b"not data"))
 -
--        verified = KEYS.verify_signature(
-             self.ecdsakey_dict, ecdsa_signature, _DATA
-         )
-         self.assertFalse(verified, "Returned 'True' on an incorrect signature.")
-@@ -484,14 +451,6 @@ class TestKeys(unittest.TestCase):  # py
-         )
-         self.assertTrue(verified, "Incorrect signature.")
-
--        # Verify that sphincs fails if PySPX is not installed
--        KEYS.sphincs_keys.SPX_AVAIL = False  # Monkey patch availability
+-        # Assert verificaiton failure for unsupported signing scheme
+-        key["scheme"] = "invalid_scheme"
 -        with self.assertRaises(
--            securesystemslib.exceptions.UnsupportedLibraryError
+-            securesystemslib.exceptions.UnsupportedAlgorithmError
 -        ):
--            KEYS.verify_signature(self.sphincskey_dict, sphincs_signature, DATA)
--        KEYS.sphincs_keys.SPX_AVAIL = True
+-            KEYS.verify_signature(key, sig, b"data")
+-
 -
-         # Verify ecdsa key with HEX encoded keyval instead of PEM encoded keyval
-         ecdsa_key = KEYS.generate_ecdsa_key()
-         ecdsa_key["keyval"]["public"] = "abcd"
-Index: securesystemslib-0.26.0/tests/test_signer.py
-===================================================================
---- securesystemslib-0.26.0.orig/tests/test_signer.py
-+++ securesystemslib-0.26.0/tests/test_signer.py
-@@ -168,7 +168,6 @@ class TestSigner(unittest.TestCase):
-             KEYS.generate_rsa_key(),
+ class TestKeys(unittest.TestCase):  # pylint: disable=missing-class-docstring
+     @classmethod
+     def setUpClass(cls):
+--- a/tests/test_signer.py
++++ b/tests/test_signer.py
+@@ -280,8 +280,6 @@
              KEYS.generate_ed25519_key(),
              KEYS.generate_ecdsa_key(),
--            KEYS.generate_sphincs_key(),
          ]
+-        if os.name != "nt":
+-            cls.keys.append(KEYS.generate_sphincs_key())
+
          cls.DATA = b"DATA"
 

debian/patches/series

@@ -1,3 +1,2 @@
 01_rm_sphincs_tests.diff
-02_fix_py2_shebang.diff
-03_rm_vendored_gitignore.diff
+02_rm_vendored_gitignore.diff