dependabot[bot]
811767a5bd
build(deps): bump the dependencies group with 1 update
...
Bumps the dependencies group with 1 update: [cryptography](https://github.com/pyca/cryptography ).
Updates `cryptography` from 42.0.3 to 42.0.4
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst )
- [Commits](https://github.com/pyca/cryptography/compare/42.0.3...42.0.4 )
---
updated-dependencies:
- dependency-name: cryptography
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-02-21 15:03:52 +00:00
Lukas Pühringer
76f39f52ef
Merge pull request #2558 from NicholasTanz/replaceLintingTools
...
Replace most linting tools with ruff
2024-02-21 15:59:03 +01:00
E3E
f156e21537
remove pylint and suppressed inline errors from pylint
...
Signed-off-by: E3E <ntanzill@purdue.edu>
2024-02-20 22:57:53 -05:00
E3E
da38b473bd
add pylint ruleset to ruff
...
Signed-off-by: E3E <ntanzill@purdue.edu>
2024-02-20 16:04:06 -05:00
E3E
73842c97b8
reformat docstrings and supress small errors inline
...
Signed-off-by: E3E <ntanzill@purdue.edu>
2024-02-20 15:19:33 -05:00
Jussi Kukkonen
b5bb27fa94
Merge pull request #2560 from jku/tweak-sign-failure
...
metadata API: Tweak exception message on sign failure
2024-02-20 15:13:12 +02:00
Jussi Kukkonen
3b65c2217b
metadata API: Tweak exception message on sign failure
...
I still don't know how we should handle failures in signing
(maybe just let all of the weird exceptions raise instead of wrapping
them) but this makes the wrapping error at least a bit more useful.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-20 14:39:50 +02:00
Jussi Kukkonen
c4c4de3ff1
Merge pull request #2559 from theupdateframework/dependabot/pip/dependencies-22b2fa18e9
...
build(deps): bump the dependencies group with 2 updates
2024-02-20 10:07:47 +02:00
E3E
1a4d870aad
add back in: # type: ignore
...
Signed-off-by: E3E <ntanzill@purdue.edu>
2024-02-20 00:44:58 -05:00
E3E
206c9424f1
Add to linting Configuration:
...
- adpot changes in dependabot.yml and remove --diff from ruff check.
- select pydocstyle, isort, pyflakes, pep8-naming, pycodestyle for ruff and ignore some small issues / add inline comments.
- adjust docstring length to 80 in various files
Signed-off-by: E3E <ntanzill@purdue.edu>
2024-02-20 00:34:47 -05:00
dependabot[bot]
63eaf0386f
build(deps): bump the dependencies group with 2 updates
...
Bumps the dependencies group with 2 updates: [cryptography](https://github.com/pyca/cryptography ) and [urllib3](https://github.com/urllib3/urllib3 ).
Updates `cryptography` from 42.0.2 to 42.0.3
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst )
- [Commits](https://github.com/pyca/cryptography/compare/42.0.2...42.0.3 )
Updates `urllib3` from 2.2.0 to 2.2.1
- [Release notes](https://github.com/urllib3/urllib3/releases )
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst )
- [Commits](https://github.com/urllib3/urllib3/compare/2.2.0...2.2.1 )
---
updated-dependencies:
- dependency-name: cryptography
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: dependencies
- dependency-name: urllib3
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-02-19 21:42:31 +00:00
E3E
cd543c9947
add ruff format and format 2 files
...
Signed-off-by: E3E <ntanzill@purdue.edu>
2024-02-18 00:38:05 -05:00
E3E
4a53013548
use correct ruff command and add ignore unused imports
...
Signed-off-by: E3E <ntanzill@purdue.edu>
2024-02-18 00:17:33 -05:00
E3E
e379507e63
replace black and isort for ruff. I still haven't replaced ruff with pylint
...
Signed-off-by: E3E <ntanzill@purdue.edu>
2024-02-16 23:56:08 -05:00
Jussi Kukkonen
8f95162b27
Merge pull request from GHSA-77hh-43cm-v8j6
...
Metadata API: Fix role lookup for succinct delegation
2024-02-16 10:43:15 +02:00
Jussi Kukkonen
6902c9d61c
Merge pull request #2555 from theupdateframework/dependabot/pip/test-and-lint-dependencies-1f78fe719d
...
build(deps): bump the test-and-lint-dependencies group with 1 update
2024-02-13 09:08:01 +02:00
Jussi Kukkonen
c2351ea290
Merge pull request #2556 from theupdateframework/dependabot/github_actions/action-dependencies-5ec46a7f91
...
build(deps): bump the action-dependencies group with 2 updates
2024-02-13 09:03:58 +02:00
dependabot[bot]
21061fc239
build(deps): bump the action-dependencies group with 2 updates
...
Bumps the action-dependencies group with 2 updates: [actions/upload-artifact](https://github.com/actions/upload-artifact ) and [actions/download-artifact](https://github.com/actions/download-artifact ).
Updates `actions/upload-artifact` from 4.3.0 to 4.3.1
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](26f96dfa69...5d5d22a312 )
Updates `actions/download-artifact` from 4.1.1 to 4.1.2
- [Release notes](https://github.com/actions/download-artifact/releases )
- [Commits](6b208ae046...eaceaf801f )
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: action-dependencies
- dependency-name: actions/download-artifact
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: action-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 21:39:13 +00:00
dependabot[bot]
6ec61e58b9
build(deps): bump the test-and-lint-dependencies group with 1 update
...
Bumps the test-and-lint-dependencies group with 1 update: [black](https://github.com/psf/black ).
Updates `black` from 24.1.1 to 24.2.0
- [Release notes](https://github.com/psf/black/releases )
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md )
- [Commits](https://github.com/psf/black/compare/24.1.1...24.2.0 )
---
updated-dependencies:
- dependency-name: black
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: test-and-lint-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 21:23:12 +00:00
Jussi Kukkonen
eb4834d920
Metadata API: Fix role lookup for succinct delegation
...
get_delegated_role() should not return a Role if the rolename is not
a delegated role. This is already true for "normal" DelegatedRole but
was not actually verified for SuccinctRoles.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-11 14:30:24 +02:00
Jussi Kukkonen
2aec25e729
tests: Add test for Delegations.get_delegated_role()
...
This test currently fails for SuccinctRoles.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-11 14:30:24 +02:00
Jussi Kukkonen
14a93d1875
Merge pull request #2553 from theupdateframework/dependabot/pip/dependencies-6a84798097
...
build(deps): bump the dependencies group with 3 updates
2024-02-08 11:07:32 +02:00
dependabot[bot]
74ec860c3b
build(deps): bump the dependencies group with 3 updates
...
Bumps the dependencies group with 3 updates: [certifi](https://github.com/certifi/python-certifi ), [cryptography](https://github.com/pyca/cryptography ) and [urllib3](https://github.com/urllib3/urllib3 ).
Updates `certifi` from 2023.11.17 to 2024.2.2
- [Commits](https://github.com/certifi/python-certifi/compare/2023.11.17...2024.02.02 )
Updates `cryptography` from 42.0.1 to 42.0.2
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst )
- [Commits](https://github.com/pyca/cryptography/compare/42.0.1...42.0.2 )
Updates `urllib3` from 2.1.0 to 2.2.0
- [Release notes](https://github.com/urllib3/urllib3/releases )
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst )
- [Commits](https://github.com/urllib3/urllib3/compare/2.1.0...2.2.0 )
---
updated-dependencies:
- dependency-name: certifi
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: dependencies
- dependency-name: cryptography
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: dependencies
- dependency-name: urllib3
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-02-05 21:12:53 +00:00
Jussi Kukkonen
be55b871da
Merge pull request #2551 from jku/improve-verification-result
...
Improve verification results
2024-02-05 20:08:39 +02:00
Jussi Kukkonen
14edf3d044
tests: Add VerificationResult tests
...
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-05 15:26:31 +02:00
Jussi Kukkonen
bfea673893
tests: Update the root verification tests
...
Change tests so the previous root version is what the code expects.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-05 15:12:44 +02:00
Jussi Kukkonen
161c3e35ad
Metadata API: Add VerificationResult.missing
...
This is helper to tell how many signatures are still required.
Also change the order of Roots given to RootVerificationResult
(this way first is version N, second is version N+1).
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-05 15:01:46 +02:00
Jussi Kukkonen
b158c0852d
Metadata API: Make sanity checks in root verification
...
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-05 14:36:05 +02:00
Jussi Kukkonen
42d3a75787
Metadata API: Improve docs for RootVerificationResult
...
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-05 13:56:57 +02:00
Jussi Kukkonen
f60fb4abc8
Metadata API: Tweak get_root_verification_result args
...
Change the "other" argument to optional "previous" and
handle the None case in code.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-05 13:51:28 +02:00
Jussi Kukkonen
b8dbe307db
examples: Use verification results in repo example
...
This is an example of using the verification resutls in a repository.
The only remaining tricky part is in _get_verification_result():
* has to figure out the delegating metadata (something we currently
cannot provide in repository.Repository for the general case)
* Needs a special case for first root
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-03 17:10:12 +02:00
Jussi Kukkonen
26bdbbe20c
Metadata API: Simplify verify_delegate()
...
Now that VerificationResult has threshold, this can be simpler.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-02 11:04:01 +02:00
Jussi Kukkonen
dc11afc62e
Metadata API: Workaround for Python <3.9
...
dict unions are only supported in 3.9.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-02 11:02:27 +02:00
Jussi Kukkonen
3ab89c56da
Merge pull request #2547 from theupdateframework/dependabot/pip/test-and-lint-dependencies-de1c361fbc
2024-02-01 22:16:12 +02:00
Jussi Kukkonen
f72edc54bc
Linter fixes from new black
...
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-01 22:10:31 +02:00
Nicholas Tanzillo
af4beb1cb3
increase default network timeout ( #2542 )
...
* Increase default network timeout
* trying to defend against slow retrieval attacks in a generic library is impossible
but too low timeouts mean failures in high latency systems (like tests running
on CI).
Signed-off-by: E3E <ntanzill@purdue.edu>
2024-02-01 22:06:26 +02:00
Jussi Kukkonen
3f896c0cfb
Merge pull request #2549 from theupdateframework/dependabot/github_actions/action-dependencies-0f5d477bc4
...
build(deps): bump the action-dependencies group with 1 update
2024-02-01 22:00:09 +02:00
Jussi Kukkonen
cd0fd5c2ff
tests: Add tests for root verification
...
This does much the same tests as test_signed_get_verification_result()
above it does, just using two root roles.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-01 21:13:29 +02:00
Jussi Kukkonen
506b40d93d
tests: Update to new VerificationResult
...
Changes are
* expected result changes (like the handling of keyids without keys)
* test refactoring to have access to the Key
* Removal of union test
* use the fact that VerificationResult is Truthy in asserts
(to get 1 more line of coverage)
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-01 21:13:29 +02:00
Jussi Kukkonen
368bee8228
Metadata API: Implement RootVerificationResult
...
This is a thin wrapper over two VerificationResults:
useful when verifying root signatures.
Now the API for getting verification results for root and
the API for getting the results for other metadata is different.
Client use cases can continue using verify_delegate() so should not
be affected.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-01 21:13:29 +02:00
Jussi Kukkonen
03a1caa1a8
Metadata API: Refactor VerificationResult
...
This is an API break as VerificationResult changes:
* Now contains threshold
* Now contains Keys and not just keyids
Note that there is a small edge case functionality change:
* if the role does not have a key for the keyid, then we no longer
include that key in "unsigned"
I think that is an acceptable change.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-01 18:26:03 +02:00
Jussi Kukkonen
dfd2906302
Merge pull request #2546 from theupdateframework/dependabot/pip/build-and-release-dependencies-cdf6c30bf5
...
build(deps): bump the build-and-release-dependencies group with 1 update
2024-01-30 10:15:28 +02:00
Jussi Kukkonen
0de814bf2b
Merge pull request #2548 from theupdateframework/dependabot/pip/dependencies-5a0ba54c73
...
build(deps): bump the dependencies group with 1 update
2024-01-30 10:15:03 +02:00
dependabot[bot]
60bb1d6f69
build(deps): bump the action-dependencies group with 1 update
...
Bumps the action-dependencies group with 1 update: [actions/upload-artifact](https://github.com/actions/upload-artifact ).
Updates `actions/upload-artifact` from 4.2.0 to 4.3.0
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](694cdabd8b...26f96dfa69 )
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: action-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-01-29 21:47:11 +00:00
dependabot[bot]
2016f24643
build(deps): bump the dependencies group with 1 update
...
Bumps the dependencies group with 1 update: [cryptography](https://github.com/pyca/cryptography ).
Updates `cryptography` from 41.0.7 to 42.0.1
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst )
- [Commits](https://github.com/pyca/cryptography/compare/41.0.7...42.0.1 )
---
updated-dependencies:
- dependency-name: cryptography
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-01-29 21:16:26 +00:00
dependabot[bot]
bf01350836
build(deps): bump the test-and-lint-dependencies group with 3 updates
...
Bumps the test-and-lint-dependencies group with 3 updates: [coverage](https://github.com/nedbat/coveragepy ), [black](https://github.com/psf/black ) and [bandit](https://github.com/PyCQA/bandit ).
Updates `coverage` from 7.4.0 to 7.4.1
- [Release notes](https://github.com/nedbat/coveragepy/releases )
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst )
- [Commits](https://github.com/nedbat/coveragepy/compare/7.4.0...7.4.1 )
Updates `black` from 23.12.1 to 24.1.1
- [Release notes](https://github.com/psf/black/releases )
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md )
- [Commits](https://github.com/psf/black/compare/23.12.1...24.1.1 )
Updates `bandit` from 1.7.6 to 1.7.7
- [Release notes](https://github.com/PyCQA/bandit/releases )
- [Commits](https://github.com/PyCQA/bandit/compare/1.7.6...1.7.7 )
---
updated-dependencies:
- dependency-name: coverage
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: test-and-lint-dependencies
- dependency-name: black
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: test-and-lint-dependencies
- dependency-name: bandit
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: test-and-lint-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-01-29 21:14:19 +00:00
dependabot[bot]
959e5f7ce3
build(deps): bump the build-and-release-dependencies group with 1 update
...
Bumps the build-and-release-dependencies group with 1 update: [hatchling](https://github.com/pypa/hatch ).
Updates `hatchling` from 1.21.0 to 1.21.1
- [Release notes](https://github.com/pypa/hatch/releases )
- [Commits](https://github.com/pypa/hatch/compare/hatchling-v1.21.0...hatchling-v1.21.1 )
---
updated-dependencies:
- dependency-name: hatchling
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: build-and-release-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-01-29 21:12:47 +00:00
Jussi Kukkonen
aec57af4f8
Merge pull request #2545 from theupdateframework/dependabot/github_actions/action-dependencies-61aaf34304
...
build(deps): bump the action-dependencies group with 2 updates
2024-01-23 10:48:52 +02:00
dependabot[bot]
ef913dc364
build(deps): bump the action-dependencies group with 2 updates
...
Bumps the action-dependencies group with 2 updates: [actions/upload-artifact](https://github.com/actions/upload-artifact ) and [actions/dependency-review-action](https://github.com/actions/dependency-review-action ).
Updates `actions/upload-artifact` from 4.1.0 to 4.2.0
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](1eb3cb2b3e...694cdabd8b )
Updates `actions/dependency-review-action` from 3 to 4
- [Release notes](https://github.com/actions/dependency-review-action/releases )
- [Commits](https://github.com/actions/dependency-review-action/compare/v3...v4 )
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: action-dependencies
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: action-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-01-22 21:43:32 +00:00
Jussi Kukkonen
bbe2ca84a9
Merge pull request #2543 from theupdateframework/dependabot/github_actions/action-dependencies-515e419fdb
...
build(deps): bump the action-dependencies group with 2 updates
2024-01-16 10:11:14 +02:00