diff --git a/debian/Dockerfile b/debian/Dockerfile
new file mode 100644
index 00000000..8015e398
--- /dev/null
+++ b/debian/Dockerfile
@@ -0,0 +1,66 @@
+
+FROM debian:sid
+
+# Install developer tools
+RUN apt-get update \
+ && apt-get install --no-install-recommends -yV \
+ build-essential \
+ devscripts \
+ debhelper \
+ equivs \
+ wget \
+ sudo
+
+
+RUN useradd builder
+RUN usermod -aG sudo builder
+USER builder
+
+COPY . /tmp/debian
+WORKDIR /tmp
+
+RUN mk-build-deps \
+ --install \
+ --root-cmd sudo \
+ --remove \
+ --tool \
+ 'apt-get --no-install-recommends -yV' /tmp/debian/control
+
+
+
+# ARG VERSION
+
+
+# RUN wget https://github.com/secure-systems-lab/securesystemslib/releases/download/v${VERSION}/securesystemslib-${VERSION}.tar.gz \
+# -O python-securesystemslib_${VERSION}.orig.tar.gz
+# RUN wget https://github.com/secure-systems-lab/securesystemslib/releases/download/v${VERSION}/securesystemslib-${VERSION}.tar.gz.asc \
+# -O python-securesystemslib_${VERSION}.orig.tar.gz.asc
+
+# RUN tar xf python-securesystemslib_${VERSION}.orig.tar.gz
+# RUN mv debian securesystemslib-${VERSION}
+
+# WORKDIR securesystemslib-${VERSION}
+
+
+# RUN debuild --unsigned-source --unsigned-changes
+
+# docker build -t deb-sid .
+# docker run --rm -it --entrypoint bash deb-sid
+
+
+
+# dget https://mentors.debian.net/debian/pool/main/p/python-securesystemslib/python-securesystemslib_0.28.0-1.dsc
+# tar xf python-securesystemslib_0.28.0-1.debian.tar.xz
+# tar xf python-securesystemslib_0.28.0.orig.tar.gz
+# mv debian securesystemslib-0.28.0/
+# cd securesystemslib-0.28.0
+# mk-build-deps -irt 'apt-get --no-install-recommends -yV' debian/control
+# DEB_BUILD_OPTIONS=nocheck debuild --unsigned-source --unsigned-changes
+# apt install ./python3-securesystemslib_0.28.0-1_all.deb
+
+
+
+
+
+
+# debuild --unsigned-source --unsigned-changes
\ No newline at end of file
diff --git a/debian/changelog b/debian/changelog
index 6fecdb9c..f34b774d 100644
--- a/debian/changelog
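Review bot: The `RUN mk-build-deps ... --root-cmd sudo` step runs after `USER builder`, but `builder` comes from a plain `useradd` plus `usermod -aG sudo`, so as far as this hunk shows there is no password and no NOPASSWD rule for sudo to authenticate with in a non-interactive build. The step will most likely fail, and fixing it with passwordless sudo would leave the unprivileged user a direct path to root in the image. Install the build dependencies while still root and drop privileges afterwards: move `COPY . /tmp/debian`, `WORKDIR /tmp` and `RUN mk-build-deps --install --remove --tool 'apt-get --no-install-recommends -yV' /tmp/debian/control` above `USER builder`, then remove `sudo` from the package list and delete `RUN usermod -aG sudo builder`. `FROM debian:sid` is a moving tag, so a comment such as `# sid on purpose: package targets unstable; pin by digest for reproducible builds` would record the intent. If the commented-out `wget` of the tarball and its `.asc` is enabled later, the signature should be verified before `tar xf` runs.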
+++ b/debian/changelog @@ -1,3 +1,13 @@ +python-securesystemslib (0.28.0-1) unstable; urgency=medium + + * New upstream release includes among other things: + - ... + + * d/control + - Change gnupg2 to gnupg + + -- Lukas Puehringer Tue, 07 Nov 2023 12:12:00 +0100 + python-securesystemslib (0.26.0-1) unstable; urgency=medium * New upstream release includes among other things: diff --git a/debian/control b/debian/control index e24268d4..787e0ad1 100644 --- a/debian/control +++ b/debian/control @@ -18,7 +18,7 @@ Build-Depends: python3-pykcs11, python3-asn1crypto, softhsm2, - gnupg2, + gnupg, Standards-Version: 4.6.2 Rules-Requires-Root: no Homepage: https://ssl.engineering.nyu.edu @@ -31,7 +31,7 @@ Depends: ${python3:Depends}, ${misc:Depends}, Recommends: - gnupg2, + gnupg, python3-cryptography, python3-nacl, python3-pykcs11, diff --git a/debian/patches/01_rm_sphincs_tests.diff b/debian/patches/01_rm_sphincs_tests.diff index 015f9ce9..dc034ac8 100644 --- a/debian/patches/01_rm_sphincs_tests.diff +++ b/debian/patches/01_rm_sphincs_tests.diff 
@@ -9,109 +9,44 @@ Author: Lukas Puehringer Forwarded: not-needed --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ -Index: securesystemslib-0.26.0/tests/test_keys.py -=================================================================== ---- securesystemslib-0.26.0.orig/tests/test_keys.py -+++ securesystemslib-0.26.0/tests/test_keys.py -@@ -40,7 +40,6 @@ class TestKeys(unittest.TestCase): # py - cls.rsakey_dict = KEYS.generate_rsa_key() - cls.ed25519key_dict = KEYS.generate_ed25519_key() - cls.ecdsakey_dict = KEYS.generate_ecdsa_key() -- cls.sphincskey_dict = KEYS.generate_sphincs_key() +--- a/tests/test_keys.py ++++ b/tests/test_keys.py +@@ -33,27 +33,6 @@ + DATA = securesystemslib.formats.encode_canonical(DATA_STR).encode("utf-8") - def test_generate_rsa_key(self): - _rsakey_dict = KEYS.generate_rsa_key() # pylint: disable=invalid-name -@@ -267,7 +266,6 @@ class TestKeys(unittest.TestCase): # py - # Creating a signature for 'DATA'. - rsa_signature = KEYS.create_signature(self.rsakey_dict, DATA) - ed25519_signature = KEYS.create_signature(self.ed25519key_dict, DATA) -- sphincs_signature = KEYS.create_signature(self.sphincskey_dict, DATA) - # Check format of output. - self.assertEqual( -@@ -284,13 +282,6 @@ class TestKeys(unittest.TestCase): # py - ), - FORMAT_ERROR_MSG, - ) -- self.assertEqual( -- None, -- securesystemslib.formats.SIGNATURE_SCHEMA.check_match( -- sphincs_signature -- ), -- FORMAT_ERROR_MSG, -- ) - - # Test for invalid signature scheme. - args = (self.rsakey_dict, DATA) -@@ -344,7 +335,6 @@ class TestKeys(unittest.TestCase): # py - rsa_signature = KEYS.create_signature(self.rsakey_dict, DATA) - ed25519_signature = KEYS.create_signature(self.ed25519key_dict, DATA) - ecdsa_signature = KEYS.create_signature(self.ecdsakey_dict, DATA) -- sphincs_signature = KEYS.create_signature(self.sphincskey_dict, DATA) - - # Verifying the 'signature' of 'DATA'. 
- verified = KEYS.verify_signature(self.rsakey_dict, rsa_signature, DATA) -@@ -368,24 +358,6 @@ class TestKeys(unittest.TestCase): # py - ) - self.ed25519key_dict["scheme"] = valid_scheme - -- # Verifying the 'sphincs_signature' of 'DATA'. -- verified = KEYS.verify_signature( -- self.sphincskey_dict, sphincs_signature, DATA -- ) -- self.assertTrue(verified, "Incorrect signature.") +-@unittest.skipIf(os.name == "nt", "PySPX n/a on Windows") +-class TestSphincsKeys(unittest.TestCase): +- """Test create keys, sign and verify for sphincs keys.""" - -- # Verify that an invalid sphincs signature scheme is rejected. -- valid_scheme = self.sphincskey_dict["scheme"] -- self.sphincskey_dict["scheme"] = "invalid_scheme" -- self.assertRaises( -- securesystemslib.exceptions.UnsupportedAlgorithmError, -- KEYS.verify_signature, -- self.sphincskey_dict, -- sphincs_signature, -- DATA, -- ) -- self.sphincskey_dict["scheme"] = valid_scheme +- def test_sphincs_keys(self): +- key = KEYS.generate_sphincs_key() +- sig = KEYS.create_signature(key, b"data") +- self.assertTrue(securesystemslib.formats.SIGNATURE_SCHEMA.matches(sig)) - - # Verifying the 'ecdsa_signature' of 'DATA'. 
- verified = KEYS.verify_signature( - self.ecdsakey_dict, ecdsa_signature, DATA -@@ -432,11 +404,6 @@ class TestKeys(unittest.TestCase): # py - self.assertFalse(verified, "Returned 'True' on an incorrect signature.") - - verified = KEYS.verify_signature( -- self.sphincskey_dict, sphincs_signature, _DATA -- ) -- self.assertFalse(verified, "Returned 'True' on an incorrect signature.") +- # Assert valid/invalid signature +- self.assertTrue(KEYS.verify_signature(key, sig, b"data")) +- self.assertFalse(KEYS.verify_signature(key, sig, b"not data")) - -- verified = KEYS.verify_signature( - self.ecdsakey_dict, ecdsa_signature, _DATA - ) - self.assertFalse(verified, "Returned 'True' on an incorrect signature.") -@@ -484,14 +451,6 @@ class TestKeys(unittest.TestCase): # py - ) - self.assertTrue(verified, "Incorrect signature.") - -- # Verify that sphincs fails if PySPX is not installed -- KEYS.sphincs_keys.SPX_AVAIL = False # Monkey patch availability +- # Assert verificaiton failure for unsupported signing scheme +- key["scheme"] = "invalid_scheme" - with self.assertRaises( -- securesystemslib.exceptions.UnsupportedLibraryError +- securesystemslib.exceptions.UnsupportedAlgorithmError - ): -- KEYS.verify_signature(self.sphincskey_dict, sphincs_signature, DATA) -- KEYS.sphincs_keys.SPX_AVAIL = True +- KEYS.verify_signature(key, sig, b"data") +- - - # Verify ecdsa key with HEX encoded keyval instead of PEM encoded keyval - ecdsa_key = KEYS.generate_ecdsa_key() - ecdsa_key["keyval"]["public"] = "abcd" -Index: securesystemslib-0.26.0/tests/test_signer.py -=================================================================== ---- securesystemslib-0.26.0.orig/tests/test_signer.py -+++ securesystemslib-0.26.0/tests/test_signer.py -@@ -168,7 +168,6 @@ class TestSigner(unittest.TestCase): - KEYS.generate_rsa_key(), + class TestKeys(unittest.TestCase): # pylint: disable=missing-class-docstring + @classmethod + def setUpClass(cls): +--- a/tests/test_signer.py ++++ b/tests/test_signer.py 
+@@ -280,8 +280,6 @@ KEYS.generate_ed25519_key(), KEYS.generate_ecdsa_key(), -- KEYS.generate_sphincs_key(), ] +- if os.name != "nt": +- cls.keys.append(KEYS.generate_sphincs_key()) + cls.DATA = b"DATA" diff --git a/debian/patches/02_fix_py2_shebang.diff b/debian/patches/02_fix_py2_shebang.diff deleted file mode 100644 index e59e7ea1..00000000 --- a/debian/patches/02_fix_py2_shebang.diff +++ /dev/null @@ -1,17 +0,0 @@ -Description: Fix Python2 shebang - Python2 is no longer supported, fix obsolete - shebang. -Author: Lukas Puehringer -Forwarded: https://github.com/secure-systems-lab/securesystemslib/issues/498 ---- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ -Index: securesystemslib-0.26.0/securesystemslib/hash.py -=================================================================== ---- securesystemslib-0.26.0.orig/securesystemslib/hash.py -+++ securesystemslib-0.26.0/securesystemslib/hash.py -@@ -1,4 +1,4 @@ --#!/usr/bin/env python2 -+#!/usr/bin/env python - """ - - hash.py diff --git a/debian/patches/03_rm_vendored_gitignore.diff b/debian/patches/02_rm_vendored_gitignore.diff similarity index 100% rename from debian/patches/03_rm_vendored_gitignore.diff rename to debian/patches/02_rm_vendored_gitignore.diff diff --git a/debian/patches/series b/debian/patches/series index 9476bc59..92663ad7 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,2 @@ 01_rm_sphincs_tests.diff -02_fix_py2_shebang.diff -03_rm_vendored_gitignore.diff +02_rm_vendored_gitignore.diff