Commit graph

6224 commits

Author SHA1 Message Date
E3E
1a4d870aad add back in: # type: ignore
Signed-off-by: E3E <ntanzill@purdue.edu>
2024-02-20 00:44:58 -05:00
E3E
206c9424f1 Add to linting Configuration:
- adopt changes in dependabot.yml and remove --diff from ruff check.
- select pydocstyle, isort, pyflakes, pep8-naming, pycodestyle for ruff and ignore some small issues / add inline comments.
- adjust docstring length to 80 in various files

Signed-off-by: E3E <ntanzill@purdue.edu>
2024-02-20 00:34:47 -05:00
dependabot[bot]
63eaf0386f
build(deps): bump the dependencies group with 2 updates
Bumps the dependencies group with 2 updates: [cryptography](https://github.com/pyca/cryptography) and [urllib3](https://github.com/urllib3/urllib3).


Updates `cryptography` from 42.0.2 to 42.0.3
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/42.0.2...42.0.3)

Updates `urllib3` from 2.2.0 to 2.2.1
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/2.2.0...2.2.1)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: urllib3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-19 21:42:31 +00:00
E3E
cd543c9947 add ruff format and format 2 files
Signed-off-by: E3E <ntanzill@purdue.edu>
2024-02-18 00:38:05 -05:00
E3E
4a53013548 use correct ruff command and add ignore unused imports
Signed-off-by: E3E <ntanzill@purdue.edu>
2024-02-18 00:17:33 -05:00
E3E
e379507e63 replace black and isort for ruff. I still haven't replaced ruff with pylint
Signed-off-by: E3E <ntanzill@purdue.edu>
2024-02-16 23:56:08 -05:00
Jussi Kukkonen
8f95162b27
Merge pull request from GHSA-77hh-43cm-v8j6
Metadata API: Fix role lookup for succinct delegation
2024-02-16 10:43:15 +02:00
Jussi Kukkonen
6902c9d61c
Merge pull request #2555 from theupdateframework/dependabot/pip/test-and-lint-dependencies-1f78fe719d
build(deps): bump the test-and-lint-dependencies group with 1 update
2024-02-13 09:08:01 +02:00
Jussi Kukkonen
c2351ea290
Merge pull request #2556 from theupdateframework/dependabot/github_actions/action-dependencies-5ec46a7f91
build(deps): bump the action-dependencies group with 2 updates
2024-02-13 09:03:58 +02:00
dependabot[bot]
21061fc239
build(deps): bump the action-dependencies group with 2 updates
Bumps the action-dependencies group with 2 updates: [actions/upload-artifact](https://github.com/actions/upload-artifact) and [actions/download-artifact](https://github.com/actions/download-artifact).


Updates `actions/upload-artifact` from 4.3.0 to 4.3.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](26f96dfa69...5d5d22a312)

Updates `actions/download-artifact` from 4.1.1 to 4.1.2
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](6b208ae046...eaceaf801f)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: action-dependencies
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: action-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 21:39:13 +00:00
dependabot[bot]
6ec61e58b9
build(deps): bump the test-and-lint-dependencies group with 1 update
Bumps the test-and-lint-dependencies group with 1 update: [black](https://github.com/psf/black).


Updates `black` from 24.1.1 to 24.2.0
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](https://github.com/psf/black/compare/24.1.1...24.2.0)

---
updated-dependencies:
- dependency-name: black
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-and-lint-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 21:23:12 +00:00
Jussi Kukkonen
eb4834d920 Metadata API: Fix role lookup for succinct delegation
get_delegated_role() should not return a Role if the rolename is not
a delegated role. This is already true for "normal" DelegatedRole but
was not actually verified for SuccinctRoles.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-11 14:30:24 +02:00
Jussi Kukkonen
2aec25e729 tests: Add test for Delegations.get_delegated_role()
This test currently fails for SuccinctRoles.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-11 14:30:24 +02:00
Jussi Kukkonen
14a93d1875
Merge pull request #2553 from theupdateframework/dependabot/pip/dependencies-6a84798097
build(deps): bump the dependencies group with 3 updates
2024-02-08 11:07:32 +02:00
dependabot[bot]
74ec860c3b
build(deps): bump the dependencies group with 3 updates
Bumps the dependencies group with 3 updates: [certifi](https://github.com/certifi/python-certifi), [cryptography](https://github.com/pyca/cryptography) and [urllib3](https://github.com/urllib3/urllib3).


Updates `certifi` from 2023.11.17 to 2024.2.2
- [Commits](https://github.com/certifi/python-certifi/compare/2023.11.17...2024.02.02)

Updates `cryptography` from 42.0.1 to 42.0.2
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/42.0.1...42.0.2)

Updates `urllib3` from 2.1.0 to 2.2.0
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/2.1.0...2.2.0)

---
updated-dependencies:
- dependency-name: certifi
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies
- dependency-name: cryptography
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: urllib3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-05 21:12:53 +00:00
Jussi Kukkonen
be55b871da
Merge pull request #2551 from jku/improve-verification-result
Improve verification results
2024-02-05 20:08:39 +02:00
Jussi Kukkonen
14edf3d044 tests: Add VerificationResult tests
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-05 15:26:31 +02:00
Jussi Kukkonen
bfea673893 tests: Update the root verification tests
Change tests so the previous root version is what the code expects.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-05 15:12:44 +02:00
Jussi Kukkonen
161c3e35ad Metadata API: Add VerificationResult.missing
This is helper to tell how many signatures are still required.
Also change the order of Roots given to RootVerificationResult
(this way first is version N, second is version N+1).

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-05 15:01:46 +02:00
Jussi Kukkonen
b158c0852d Metadata API: Make sanity checks in root verification
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-05 14:36:05 +02:00
Jussi Kukkonen
42d3a75787 Metadata API: Improve docs for RootVerificationResult
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-05 13:56:57 +02:00
Jussi Kukkonen
f60fb4abc8 Metadata API: Tweak get_root_verification_result args
Change the "other" argument to optional "previous" and
handle the None case in code.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-05 13:51:28 +02:00
Jussi Kukkonen
b8dbe307db examples: Use verification results in repo example
This is an example of using the verification results in a repository.

The only remaining tricky part is in _get_verification_result():
* has to figure out the delegating metadata (something we currently
  cannot provide in repository.Repository for the general case)
* Needs a special case for first root

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-03 17:10:12 +02:00
Jussi Kukkonen
26bdbbe20c Metadata API: Simplify verify_delegate()
Now that VerificationResult has threshold, this can be simpler.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-02 11:04:01 +02:00
Jussi Kukkonen
dc11afc62e Metadata API: Workaround for Python <3.9
dict unions are only supported in 3.9.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-02 11:02:27 +02:00
Jussi Kukkonen
3ab89c56da
Merge pull request #2547 from theupdateframework/dependabot/pip/test-and-lint-dependencies-de1c361fbc
2024-02-01 22:16:12 +02:00
Jussi Kukkonen
f72edc54bc Linter fixes from new black
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-01 22:10:31 +02:00
Nicholas Tanzillo
af4beb1cb3
increase default network timeout (#2542)
* Increase default network timeout
* trying to defend against slow retrieval attacks in a generic library is impossible
but too low timeouts mean failures in high latency systems (like tests running
on CI).

Signed-off-by: E3E <ntanzill@purdue.edu>
2024-02-01 22:06:26 +02:00
Jussi Kukkonen
3f896c0cfb
Merge pull request #2549 from theupdateframework/dependabot/github_actions/action-dependencies-0f5d477bc4
build(deps): bump the action-dependencies group with 1 update
2024-02-01 22:00:09 +02:00
Jussi Kukkonen
cd0fd5c2ff tests: Add tests for root verification
This does much the same tests as test_signed_get_verification_result()
above it does, just using two root roles.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-01 21:13:29 +02:00
Jussi Kukkonen
506b40d93d tests: Update to new VerificationResult
Changes are
* expected result changes (like the handling of keyids without keys)
* test refactoring to have access to the Key
* Removal of union test
* use the fact that VerificationResult is Truthy in asserts
  (to get 1 more line of coverage)

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-01 21:13:29 +02:00
Jussi Kukkonen
368bee8228 Metadata API: Implement RootVerificationResult
This is a thin wrapper over two VerificationResults:
useful when verifying root signatures.

Now the API for getting verification results for root and
the API for getting the results for other metadata is different.

Client use cases can continue using verify_delegate() so should not
be affected.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-01 21:13:29 +02:00
Jussi Kukkonen
03a1caa1a8 Metadata API: Refactor VerificationResult
This is an API break as VerificationResult changes:
 * Now contains threshold
 * Now contains Keys and not just keyids

Note that there is a small edge case functionality change:
 * if the role does not have a key for the keyid, then we no longer
   include that key in "unsigned"

I think that is an acceptable change.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-01 18:26:03 +02:00
Jussi Kukkonen
dfd2906302
Merge pull request #2546 from theupdateframework/dependabot/pip/build-and-release-dependencies-cdf6c30bf5
build(deps): bump the build-and-release-dependencies group with 1 update
2024-01-30 10:15:28 +02:00
Jussi Kukkonen
0de814bf2b
Merge pull request #2548 from theupdateframework/dependabot/pip/dependencies-5a0ba54c73
build(deps): bump the dependencies group with 1 update
2024-01-30 10:15:03 +02:00
dependabot[bot]
60bb1d6f69
build(deps): bump the action-dependencies group with 1 update
Bumps the action-dependencies group with 1 update: [actions/upload-artifact](https://github.com/actions/upload-artifact).


Updates `actions/upload-artifact` from 4.2.0 to 4.3.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](694cdabd8b...26f96dfa69)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: action-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-29 21:47:11 +00:00
dependabot[bot]
2016f24643
build(deps): bump the dependencies group with 1 update
Bumps the dependencies group with 1 update: [cryptography](https://github.com/pyca/cryptography).


Updates `cryptography` from 41.0.7 to 42.0.1
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/41.0.7...42.0.1)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-29 21:16:26 +00:00
dependabot[bot]
bf01350836
build(deps): bump the test-and-lint-dependencies group with 3 updates
Bumps the test-and-lint-dependencies group with 3 updates: [coverage](https://github.com/nedbat/coveragepy), [black](https://github.com/psf/black) and [bandit](https://github.com/PyCQA/bandit).


Updates `coverage` from 7.4.0 to 7.4.1
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](https://github.com/nedbat/coveragepy/compare/7.4.0...7.4.1)

Updates `black` from 23.12.1 to 24.1.1
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](https://github.com/psf/black/compare/23.12.1...24.1.1)

Updates `bandit` from 1.7.6 to 1.7.7
- [Release notes](https://github.com/PyCQA/bandit/releases)
- [Commits](https://github.com/PyCQA/bandit/compare/1.7.6...1.7.7)

---
updated-dependencies:
- dependency-name: coverage
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: test-and-lint-dependencies
- dependency-name: black
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: test-and-lint-dependencies
- dependency-name: bandit
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: test-and-lint-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-29 21:14:19 +00:00
dependabot[bot]
959e5f7ce3
build(deps): bump the build-and-release-dependencies group with 1 update
Bumps the build-and-release-dependencies group with 1 update: [hatchling](https://github.com/pypa/hatch).


Updates `hatchling` from 1.21.0 to 1.21.1
- [Release notes](https://github.com/pypa/hatch/releases)
- [Commits](https://github.com/pypa/hatch/compare/hatchling-v1.21.0...hatchling-v1.21.1)

---
updated-dependencies:
- dependency-name: hatchling
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: build-and-release-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-29 21:12:47 +00:00
Jussi Kukkonen
aec57af4f8
Merge pull request #2545 from theupdateframework/dependabot/github_actions/action-dependencies-61aaf34304
build(deps): bump the action-dependencies group with 2 updates
2024-01-23 10:48:52 +02:00
dependabot[bot]
ef913dc364
build(deps): bump the action-dependencies group with 2 updates
Bumps the action-dependencies group with 2 updates: [actions/upload-artifact](https://github.com/actions/upload-artifact) and [actions/dependency-review-action](https://github.com/actions/dependency-review-action).


Updates `actions/upload-artifact` from 4.1.0 to 4.2.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](1eb3cb2b3e...694cdabd8b)

Updates `actions/dependency-review-action` from 3 to 4
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: action-dependencies
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: action-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-22 21:43:32 +00:00
Jussi Kukkonen
bbe2ca84a9
Merge pull request #2543 from theupdateframework/dependabot/github_actions/action-dependencies-515e419fdb
build(deps): bump the action-dependencies group with 2 updates
2024-01-16 10:11:14 +02:00
dependabot[bot]
8c70971dea
build(deps): bump the action-dependencies group with 2 updates
Bumps the action-dependencies group with 2 updates: [actions/upload-artifact](https://github.com/actions/upload-artifact) and [actions/download-artifact](https://github.com/actions/download-artifact).


Updates `actions/upload-artifact` from 4.0.0 to 4.1.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](c7d193f32e...1eb3cb2b3e)

Updates `actions/download-artifact` from 4.1.0 to 4.1.1
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](f44cd7b40b...6b208ae046)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: action-dependencies
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: action-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-15 21:46:10 +00:00
Lukas Pühringer
69a07373ab
Merge pull request #2541 from lukpueh/fix-verify_release-build
build: constrain version in verify_release script
2024-01-12 10:59:32 +01:00
Lukas Puehringer
73cf25efe8 build: constrain version in verify_release script
In #2528 we added a workaround in cd.yml, which allows pinning the
build backend version AND having Dependabot autoupdates for it.

This workaround also needs to be applied verify_release for reproducible
builds verification.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2024-01-11 16:26:29 +01:00
Jussi Kukkonen
e3dc0953ee
Merge pull request #2540 from theupdateframework/dependabot/pip/test-and-lint-dependencies-263ca8bcb0
build(deps): bump the test-and-lint-dependencies group with 1 update
2024-01-02 10:38:47 +02:00
dependabot[bot]
a924f2b886
build(deps): bump the test-and-lint-dependencies group with 1 update
Bumps the test-and-lint-dependencies group with 1 update: [coverage](https://github.com/nedbat/coveragepy).


Updates `coverage` from 7.3.4 to 7.4.0
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](https://github.com/nedbat/coveragepy/compare/7.3.4...7.4.0)

---
updated-dependencies:
- dependency-name: coverage
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-and-lint-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-01 21:05:46 +00:00
Jussi Kukkonen
3f822a80e5
Merge pull request #2538 from theupdateframework/dependabot/pip/test-and-lint-dependencies-ea336aa95c
build(deps): bump the test-and-lint-dependencies group with 3 updates
2023-12-26 11:39:55 +02:00
dependabot[bot]
07f94f2154
build(deps): bump the test-and-lint-dependencies group with 3 updates
Bumps the test-and-lint-dependencies group with 3 updates: [coverage](https://github.com/nedbat/coveragepy), [black](https://github.com/psf/black) and [mypy](https://github.com/python/mypy).


Updates `coverage` from 7.3.3 to 7.3.4
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](https://github.com/nedbat/coveragepy/compare/7.3.3...7.3.4)

Updates `black` from 23.12.0 to 23.12.1
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](https://github.com/psf/black/compare/23.12.0...23.12.1)

Updates `mypy` from 1.7.1 to 1.8.0
- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)
- [Commits](https://github.com/python/mypy/compare/v1.7.1...v1.8.0)

---
updated-dependencies:
- dependency-name: coverage
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: test-and-lint-dependencies
- dependency-name: black
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: test-and-lint-dependencies
- dependency-name: mypy
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: test-and-lint-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-25 21:03:19 +00:00
Jussi Kukkonen
a2a5d71818
Merge pull request #2537 from theupdateframework/dependabot/github_actions/action-dependencies-03d6f0ee26
build(deps): bump the action-dependencies group with 1 update
2023-12-20 16:35:53 +02:00