Jussi Kukkonen
b8dbe307db
examples: Use verification results in repo example
This is an example of using the verification results in a repository.
The only remaining tricky part is in _get_verification_result():
* has to figure out the delegating metadata (something we currently
cannot provide in repository.Repository for the general case)
* Needs a special case for first root
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-03 17:10:12 +02:00
Jussi Kukkonen
26bdbbe20c
Metadata API: Simplify verify_delegate()
Now that VerificationResult has threshold, this can be simpler.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-02 11:04:01 +02:00
Jussi Kukkonen
dc11afc62e
Metadata API: Workaround for Python <3.9
dict unions are only supported in 3.9.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-02 11:02:27 +02:00
Jussi Kukkonen
cd0fd5c2ff
tests: Add tests for root verification
This does much the same tests as test_signed_get_verification_result()
above, just using two root roles.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-01 21:13:29 +02:00
Jussi Kukkonen
506b40d93d
tests: Update to new VerificationResult
Changes are
* expected result changes (like the handling of keyids without keys)
* test refactoring to have access to the Key
* Removal of union test
* use the fact that VerificationResult is Truthy in asserts
(to get 1 more line of coverage)
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-01 21:13:29 +02:00
Jussi Kukkonen
368bee8228
Metadata API: Implement RootVerificationResult
This is a thin wrapper over two VerificationResults:
useful when verifying root signatures.
Now the API for getting verification results for root and
the API for getting the results for other metadata is different.
Client use cases can continue using verify_delegate() so should not
be affected.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-01 21:13:29 +02:00
Jussi Kukkonen
03a1caa1a8
Metadata API: Refactor VerificationResult
This is an API break as VerificationResult changes:
* Now contains threshold
* Now contains Keys and not just keyids
Note that there is a small edge case functionality change:
* if the role does not have a key for the keyid, then we no longer
include that key in "unsigned"
I think that is an acceptable change.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-01 18:26:03 +02:00
Jussi Kukkonen
dfd2906302
Merge pull request #2546 from theupdateframework/dependabot/pip/build-and-release-dependencies-cdf6c30bf5
build(deps): bump the build-and-release-dependencies group with 1 update
2024-01-30 10:15:28 +02:00
Jussi Kukkonen
0de814bf2b
Merge pull request #2548 from theupdateframework/dependabot/pip/dependencies-5a0ba54c73
build(deps): bump the dependencies group with 1 update
2024-01-30 10:15:03 +02:00
dependabot[bot]
2016f24643
build(deps): bump the dependencies group with 1 update
Bumps the dependencies group with 1 update: [cryptography](https://github.com/pyca/cryptography).
Updates `cryptography` from 41.0.7 to 42.0.1
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/41.0.7...42.0.1)
---
updated-dependencies:
- dependency-name: cryptography
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-01-29 21:16:26 +00:00
dependabot[bot]
959e5f7ce3
build(deps): bump the build-and-release-dependencies group with 1 update
Bumps the build-and-release-dependencies group with 1 update: [hatchling](https://github.com/pypa/hatch).
Updates `hatchling` from 1.21.0 to 1.21.1
- [Release notes](https://github.com/pypa/hatch/releases)
- [Commits](https://github.com/pypa/hatch/compare/hatchling-v1.21.0...hatchling-v1.21.1)
---
updated-dependencies:
- dependency-name: hatchling
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: build-and-release-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-01-29 21:12:47 +00:00
Jussi Kukkonen
aec57af4f8
Merge pull request #2545 from theupdateframework/dependabot/github_actions/action-dependencies-61aaf34304
build(deps): bump the action-dependencies group with 2 updates
2024-01-23 10:48:52 +02:00
dependabot[bot]
ef913dc364
build(deps): bump the action-dependencies group with 2 updates
Bumps the action-dependencies group with 2 updates: [actions/upload-artifact](https://github.com/actions/upload-artifact) and [actions/dependency-review-action](https://github.com/actions/dependency-review-action).
Updates `actions/upload-artifact` from 4.1.0 to 4.2.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](1eb3cb2b3e...694cdabd8b)
Updates `actions/dependency-review-action` from 3 to 4
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/v3...v4)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: action-dependencies
- dependency-name: actions/dependency-review-action
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: action-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-01-22 21:43:32 +00:00
Jussi Kukkonen
bbe2ca84a9
Merge pull request #2543 from theupdateframework/dependabot/github_actions/action-dependencies-515e419fdb
build(deps): bump the action-dependencies group with 2 updates
2024-01-16 10:11:14 +02:00
dependabot[bot]
8c70971dea
build(deps): bump the action-dependencies group with 2 updates
Bumps the action-dependencies group with 2 updates: [actions/upload-artifact](https://github.com/actions/upload-artifact) and [actions/download-artifact](https://github.com/actions/download-artifact).
Updates `actions/upload-artifact` from 4.0.0 to 4.1.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](c7d193f32e...1eb3cb2b3e)
Updates `actions/download-artifact` from 4.1.0 to 4.1.1
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](f44cd7b40b...6b208ae046)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: action-dependencies
- dependency-name: actions/download-artifact
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: action-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-01-15 21:46:10 +00:00
Lukas Pühringer
69a07373ab
Merge pull request #2541 from lukpueh/fix-verify_release-build
build: constrain version in verify_release script
2024-01-12 10:59:32 +01:00
Lukas Puehringer
73cf25efe8
build: constrain version in verify_release script
In #2528 we added a workaround in cd.yml, which allows pinning the
build backend version AND having Dependabot auto-updates for it.
This workaround also needs to be applied to verify_release for reproducible
builds verification.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2024-01-11 16:26:29 +01:00
Jussi Kukkonen
e3dc0953ee
Merge pull request #2540 from theupdateframework/dependabot/pip/test-and-lint-dependencies-263ca8bcb0
build(deps): bump the test-and-lint-dependencies group with 1 update
2024-01-02 10:38:47 +02:00
dependabot[bot]
a924f2b886
build(deps): bump the test-and-lint-dependencies group with 1 update
Bumps the test-and-lint-dependencies group with 1 update: [coverage](https://github.com/nedbat/coveragepy).
Updates `coverage` from 7.3.4 to 7.4.0
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](https://github.com/nedbat/coveragepy/compare/7.3.4...7.4.0)
---
updated-dependencies:
- dependency-name: coverage
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: test-and-lint-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-01-01 21:05:46 +00:00
Jussi Kukkonen
3f822a80e5
Merge pull request #2538 from theupdateframework/dependabot/pip/test-and-lint-dependencies-ea336aa95c
build(deps): bump the test-and-lint-dependencies group with 3 updates
2023-12-26 11:39:55 +02:00
dependabot[bot]
07f94f2154
build(deps): bump the test-and-lint-dependencies group with 3 updates
Bumps the test-and-lint-dependencies group with 3 updates: [coverage](https://github.com/nedbat/coveragepy), [black](https://github.com/psf/black) and [mypy](https://github.com/python/mypy).
Updates `coverage` from 7.3.3 to 7.3.4
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](https://github.com/nedbat/coveragepy/compare/7.3.3...7.3.4)
Updates `black` from 23.12.0 to 23.12.1
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](https://github.com/psf/black/compare/23.12.0...23.12.1)
Updates `mypy` from 1.7.1 to 1.8.0
- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)
- [Commits](https://github.com/python/mypy/compare/v1.7.1...v1.8.0)
---
updated-dependencies:
- dependency-name: coverage
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: test-and-lint-dependencies
- dependency-name: black
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: test-and-lint-dependencies
- dependency-name: mypy
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: test-and-lint-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-12-25 21:03:19 +00:00
Jussi Kukkonen
a2a5d71818
Merge pull request #2537 from theupdateframework/dependabot/github_actions/action-dependencies-03d6f0ee26
build(deps): bump the action-dependencies group with 1 update
2023-12-20 16:35:53 +02:00
dependabot[bot]
a17f6f7c8d
build(deps): bump the action-dependencies group with 1 update
Bumps the action-dependencies group with 1 update: [actions/download-artifact](https://github.com/actions/download-artifact).
Updates `actions/download-artifact` from 4.0.0 to 4.1.0
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](7a1cd3216c...f44cd7b40b)
---
updated-dependencies:
- dependency-name: actions/download-artifact
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: action-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-12-19 09:36:42 +00:00
Jussi Kukkonen
f1141f069b
Merge pull request #2536 from jku/add-coverage-to-test-group
dependabot: Add coverage to test-and-lint group
2023-12-19 11:35:55 +02:00
Jussi Kukkonen
e878e083ce
Merge pull request #2533 from theupdateframework/dependabot/pip/build-and-release-dependencies-fc7e6ec015
build(deps): bump the build-and-release-dependencies group with 1 update
2023-12-19 10:24:20 +02:00
Jussi Kukkonen
65d58b1375
Merge pull request #2535 from theupdateframework/dependabot/pip/dependencies-82d57d2cf0
build(deps): bump the dependencies group with 1 update
2023-12-19 10:23:59 +02:00
Jussi Kukkonen
d593a82d6a
dependabot: Add coverage to test-and-lint group
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-12-19 10:20:30 +02:00
Jussi Kukkonen
5b4e0944d0
Merge pull request #2534 from theupdateframework/dependabot/pip/test-and-lint-dependencies-137aa31706
build(deps): bump the test-and-lint-dependencies group with 1 update
2023-12-19 10:15:56 +02:00
Jussi Kukkonen
9ffb7bd038
Merge pull request #2532 from theupdateframework/dependabot/github_actions/action-dependencies-7a33d65384
build(deps): bump the action-dependencies group with 3 updates
2023-12-19 10:15:45 +02:00
dependabot[bot]
0e34993d16
build(deps): bump the dependencies group with 1 update
Bumps the dependencies group with 1 update: [coverage](https://github.com/nedbat/coveragepy).
Updates `coverage` from 7.3.2 to 7.3.3
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](https://github.com/nedbat/coveragepy/compare/7.3.2...7.3.3)
---
updated-dependencies:
- dependency-name: coverage
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-12-18 21:59:12 +00:00
dependabot[bot]
745eff6676
build(deps): bump the test-and-lint-dependencies group with 1 update
Bumps the test-and-lint-dependencies group with 1 update: [isort](https://github.com/pycqa/isort).
Updates `isort` from 5.13.1 to 5.13.2
- [Release notes](https://github.com/pycqa/isort/releases)
- [Changelog](https://github.com/PyCQA/isort/blob/main/CHANGELOG.md)
- [Commits](https://github.com/pycqa/isort/compare/5.13.1...5.13.2)
---
updated-dependencies:
- dependency-name: isort
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: test-and-lint-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-12-18 21:57:54 +00:00
dependabot[bot]
c60dd9bc3a
build(deps): bump the build-and-release-dependencies group with 1 update
Bumps the build-and-release-dependencies group with 1 update: [hatchling](https://github.com/pypa/hatch).
Updates `hatchling` from 1.20.0 to 1.21.0
- [Release notes](https://github.com/pypa/hatch/releases)
- [Commits](https://github.com/pypa/hatch/compare/hatchling-v1.20.0...hatchling-v1.21.0)
---
updated-dependencies:
- dependency-name: hatchling
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: build-and-release-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-12-18 21:57:17 +00:00
dependabot[bot]
0ee4bb14d8
build(deps): bump the action-dependencies group with 3 updates
Bumps the action-dependencies group with 3 updates: [actions/upload-artifact](https://github.com/actions/upload-artifact), [actions/download-artifact](https://github.com/actions/download-artifact) and [github/codeql-action](https://github.com/github/codeql-action).
Updates `actions/upload-artifact` from 3.1.3 to 4.0.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](a8a3f3ad30...c7d193f32e)
Updates `actions/download-artifact` from 3.0.2 to 4.0.0
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](9bc31d5ccc...7a1cd3216c)
Updates `github/codeql-action` from 2 to 3
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v2...v3)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: action-dependencies
- dependency-name: actions/download-artifact
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: action-dependencies
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: action-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-12-18 21:37:32 +00:00
Jussi Kukkonen
9b877d2971
Merge pull request #2531 from theupdateframework/dependabot/pip/test-and-lint-dependencies-ba4aa0f83e
build(deps): bump the test-and-lint-dependencies group with 3 updates
2023-12-13 15:50:26 +02:00
dependabot[bot]
bae72af900
build(deps): bump the test-and-lint-dependencies group with 3 updates
Bumps the test-and-lint-dependencies group with 3 updates: [black](https://github.com/psf/black), [isort](https://github.com/pycqa/isort) and [pylint](https://github.com/pylint-dev/pylint).
Updates `black` from 23.11.0 to 23.12.0
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](https://github.com/psf/black/compare/23.11.0...23.12.0)
Updates `isort` from 5.13.0 to 5.13.1
- [Release notes](https://github.com/pycqa/isort/releases)
- [Changelog](https://github.com/PyCQA/isort/blob/main/CHANGELOG.md)
- [Commits](https://github.com/pycqa/isort/compare/5.13.0...5.13.1)
Updates `pylint` from 3.0.2 to 3.0.3
- [Release notes](https://github.com/pylint-dev/pylint/releases)
- [Commits](https://github.com/pylint-dev/pylint/compare/v3.0.2...v3.0.3)
---
updated-dependencies:
- dependency-name: black
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: test-and-lint-dependencies
- dependency-name: isort
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: test-and-lint-dependencies
- dependency-name: pylint
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: test-and-lint-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-12-13 13:38:25 +00:00
Jussi Kukkonen
e07b7e443d
Merge pull request #2530 from jku/dependabot-groups
Dependabot: Use groups, update weekly
2023-12-13 15:34:46 +02:00
Jussi Kukkonen
fdcfb6a423
dependabot: Add hatchling to build dependencies group
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-12-13 13:56:07 +02:00
Jussi Kukkonen
2b1d4eb182
Dependabot: Use groups, update weekly
All dependencies are now checked weekly and those weekly updates
are grouped into 4 groups:
* critical python build/release deps
* python test and lint deps (only pinned for test repro)
* all other python dependencies
* All github action dependencies
This is not quite the division that was hashed out in #2014, mostly for
practical reasons:
* GitHub actions are already practically split by pinning strategy so they
don't really need further groups:
* Non-security-relevant actions are pinned by tags
* Other actions are pinned by hash
* The dependency grouping is quite limited
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-12-13 13:56:07 +02:00
Jussi Kukkonen
6c25c353f0
Merge pull request #2528 from lukpueh/upgrade-hatchling
build: Upgrade hatchling to 1.20.0
2023-12-13 13:55:54 +02:00
Lukas Puehringer
dd9b5e0da2
build: add workaround to auto-update build system
Dependabot does not support `build-system.requires`. To get
reproducibility and auto-updates, we pin the version in a regular
requirements file and use it as constraint during build.
fixes: #2529
upstream issue: dependabot/dependabot-core#8465
h/t @jku
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2023-12-13 12:32:00 +01:00
Lukas Puehringer
7c5f5d2517
build: Upgrade hatchling to 1.20.0
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2023-12-13 09:49:15 +01:00
Jussi Kukkonen
8fbf0c7d2f
Merge pull request #2514 from theupdateframework/dependabot/pip/idna-3.6
build(deps): bump idna from 3.4 to 3.6
2023-12-12 14:57:13 +02:00
Jussi Kukkonen
3419e7d0a0
Merge pull request #2524 from lukpueh/upgrade-hatchling
build: Upgrade hatchling to 1.19.1
2023-12-12 14:10:57 +02:00
Lukas Puehringer
00be49b6b5
build: Upgrade hatchling to 1.19.1
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2023-12-12 11:20:09 +01:00
dependabot[bot]
7a2f4e2734
build(deps): bump idna from 3.4 to 3.6
Bumps [idna](https://github.com/kjd/idna) from 3.4 to 3.6.
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst)
- [Commits](https://github.com/kjd/idna/compare/v3.4...v3.6)
---
updated-dependencies:
- dependency-name: idna
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-12-12 09:11:44 +00:00
Jussi Kukkonen
a1a2f2bcbe
Merge pull request #2515 from theupdateframework/dependabot/pip/cryptography-41.0.7
build(deps): bump cryptography from 41.0.5 to 41.0.7
2023-12-12 11:11:03 +02:00
Jussi Kukkonen
892b778d47
Merge pull request #2521 from theupdateframework/dependabot/github_actions/actions/setup-python-5.0.0
build(deps): bump actions/setup-python from 4.7.1 to 5.0.0
2023-12-12 11:10:44 +02:00
Jussi Kukkonen
7183e55b87
Merge pull request #2513 from theupdateframework/dependabot/pip/mypy-1.7.1
build(deps): bump mypy from 1.7.0 to 1.7.1
2023-12-12 11:10:08 +02:00
dependabot[bot]
cbbae8ae79
build(deps): bump mypy from 1.7.0 to 1.7.1
Bumps [mypy](https://github.com/python/mypy) from 1.7.0 to 1.7.1.
- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)
- [Commits](https://github.com/python/mypy/compare/v1.7.0...v1.7.1)
---
updated-dependencies:
- dependency-name: mypy
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-12-12 09:06:50 +00:00
Jussi Kukkonen
06c68f1f00
Merge pull request #2523 from theupdateframework/dependabot/pip/bandit-1.7.6
build(deps): bump bandit from 1.7.5 to 1.7.6
2023-12-12 11:05:52 +02:00