fnmatch() will do case-normalization if the OS expects it:
we do not want this as
* the path is more a URL than a file path
* results need to not change based on OS
Fix the result on Windows by using fnmatchcase()
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
We could just stop testing with 3.9... but I think this will lead to
unintentionally breaking 3.9 anyway sooner or later.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Latest ruff complains about Generic[T] not being the last base class in
the bases tuple of Simple Envelope (generic-not-last-base-class
(PYI059)).
This commit applies the default fix by changing the order of the bases.
While this can change the MRO, there shouldn't be a change of behavior
given the used bases.
See https://docs.astral.sh/ruff/rules/generic-not-last-base-class/ for
details.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Fixes for ruff 0.12
* Tweak some annotations
* Add __hash__() implementations to api classes: These really should be
hashable
* My use of "super().__hash__()" is not very optimized but avoids some
repetition
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
securesystemslib.hash is a small wrapper around hashlib, which serves
two main purposes:
* provide helper function to hash a file
* translate custom hash algorithm name "blake2b-256" to "blake2b" with
(digest_size=32).
In preparation for the removal of securesystemslib.hash, this patch ports
above behavior to tuf and uses the builtin hashlib directly where
possible.
related secure-systems-lab/securesystemslib#943
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
mypy rightly complains our types do not match (this only happen if you
enable type checks for securesystemslib):
* I think the annotation is actually wrong: Envelope does not know the
contained type at this point.
* Likely SimpleEnvelope should not be generic: it does not relly know
what it contains
I decided not to break the API here and just made the type cast
explicit (even though we don't really know that the cast is correct):
this silences mypy but has no other consequences.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
mypy warns about this but we know that encode_canonical() cannot return
None if we don't set output_function argument.
ruff does not like assert so I added a "noqa" and a comment
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
The noqa comment was added manually to avoid
A005 Module `json` shadows a Python standard-library module
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This reverts commit eb6d82f324.
The change itself was fine but since the code is otherwise compatible
with python 3.8, let's revert this to be compatible for one more
release.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This allows using some more nice annotations from 3.10
while still being compatible with even Python 3.8.
These are all annotation changes, should not modify any functionality.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
* API changes covered:
* keys and interface modules removed
* SSlibSigner removed
* CryptoSigner added: this replaces the removed functionality
* DSSE "signatures" container type changed
* Currently pins a securesystemslib main branch commit:
this shoudl be reverted before merging, when securesystemslib
has made a release
* tests/generated_data/generate_md.py was simplified
* Encrypted test keys in tests/repository_data/keystore were replaced
with the unencrypted PEM versions of the same keys
* The public test keys in tests/repository_data/keystore were removed
as they were not used anymore
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This makes flake8-datetimez happier but has no effect on the result:
DTZ007 The use of `datetime.datetime.strptime()` without %z must be
followed by `.replace(tzinfo=)` or `.astimezone()
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Practically were changing API if we start requiring that
expires is non-naive because this no longer works:
metadata.signed.expires = datetime(3000,1,1)
We can make this work without API breaks though:
* it the input is naive, just use UTC
* if the input is not naive or UTC, raise
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
* Most importantly use strftime() to serialize the datetime
* Force the timezone as UTC when deserializing
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
22b2726413 claims to add all names
that were moved to the internal _payload module back to metadata.
LengthOrHashMismatchError was not added back. Now it is.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
* Rename Envelope to SimpleEnvelope:
Envelope should be the generic term in this context for something that
contains a payload and signatures. SimpleEnvelope is the specific
DSSE implementation (just like Metadata is the specific traditional
canonical JSON -based TUF envelope implementation).
* Add SimpleEnvelope class and method docstrings.
* Add convenience alias for ``self.signatures`` mapped to keyids for
compatibility with Metadata.signatures.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Allows to simultanously use those classes in different container /
signature wrapper APIs, e.g. Metadata API and Envelope API (DSSE).
All moved classes are imported into tuf.api.metadata scope for
backwards-compatibility.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
I still don't know how we should handle failures in signing
(maybe just let all of the weird exceptions raise instead of wrapping
them) but this makes the wrapping error at least a bit more useful.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
- adpot changes in dependabot.yml and remove --diff from ruff check.
- select pydocstyle, isort, pyflakes, pep8-naming, pycodestyle for ruff and ignore some small issues / add inline comments.
- adjust docstring length to 80 in various files
Signed-off-by: E3E <ntanzill@purdue.edu>
get_delegated_role() should not return a Role if the rolename is not
a delegated role. This is already true for "normal" DelegatedRole but
was not actually verified for SuccinctRoles.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This is helper to tell how many signatures are still required.
Also change the order of Roots given to RootVerificationResult
(this way first is version N, second is version N+1).
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
