sget: init at unstable-2022-10-04

This binary was provided by the `cosign` package until now but it is in the process of being removed, see https://github.com/sigstore/cosign/pull/2019 Since it might be removed during the 22.11 cycle we drop it preventively. This will make possible security backports easier if we need them.
2022-10-08 10:22:42 +02:00 · 2022-10-08 10:22:42 +02:00 · 679cd3462f
commit 679cd3462f
parent b078ae7937
5 changed files with 39 additions and 7 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@ -501,7 +501,9 @@
      <listitem>
        <para>
          <literal>pkgs.cosign</literal> does not provide the
-          <literal>cosigned</literal> binary anymore.
+          <literal>cosigned</literal> binary anymore. The
+          <literal>sget</literal> binary has been moved into its own
+          package.
        </para>
      </listitem>
      <listitem>
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@ -169,7 +169,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
 - PHP 7.4 is no longer supported due to upstream not supporting this
  version for the entire lifecycle of the 22.11 release.

- `pkgs.cosign` does not provide the `cosigned` binary anymore.
+- `pkgs.cosign` does not provide the `cosigned` binary anymore. The `sget` binary has been moved into its own package.

 - Emacs now uses the Lucid toolkit by default instead of GTK because of stability and compatibility issues.
  Users who still wish to remain using GTK can do so by using `emacs-gtk`.
--- a/pkgs/tools/security/cosign/default.nix
+++ b/pkgs/tools/security/cosign/default.nix
@ -20,7 +20,6 @@ buildGoModule rec {

  subPackages = [
    "cmd/cosign"
-    "cmd/sget"
  ];

  tags = [] ++ lib.optionals pivKeySupport [ "pivkey" ] ++ lib.optionals pkcs11Support [ "pkcs11key" ];
@ -45,10 +44,6 @@ buildGoModule rec {
      --bash <($out/bin/cosign completion bash) \
      --fish <($out/bin/cosign completion fish) \
      --zsh <($out/bin/cosign completion zsh)
-    installShellCompletion --cmd sget \
-      --bash <($out/bin/sget completion bash) \
-      --fish <($out/bin/sget completion fish) \
-      --zsh <($out/bin/sget completion zsh)
  '';

  meta = with lib; {
--- a/pkgs/tools/security/sget/default.nix
+++ b/pkgs/tools/security/sget/default.nix
@ -0,0 +1,33 @@
+{ stdenv, lib, buildGoModule, fetchFromGitHub, installShellFiles }:
+
+buildGoModule rec {
+  pname = "sget";
+  version = "unstable-2022-10-04";
+
+  src = fetchFromGitHub {
+    owner = "sigstore";
+    repo = pname;
+    rev = "d7d1e53b21ca906000e74474729854cb5ac48dbc";
+    sha256 = "sha256-BgxTlLmtKqtDq3HgLoH+j0vBrpRujmL9Wr8F4d+jPi0=";
+  };
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  vendorSha256 = "sha256-KPQHS7Hfco1ljOJgStIXMaol7j4dglcr0w+6Boj7GK8=";
+
+  ldflags = [ "-s" "-w" ];
+
+  postInstall = ''
+    installShellCompletion --cmd sget \
+      --bash <($out/bin/sget completion bash) \
+      --fish <($out/bin/sget completion fish) \
+      --zsh <($out/bin/sget completion zsh)
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/sigstore/sget";
+    description = "Command for safer, automatic verification of signatures and integration with Sigstore's binary transparency log, Rekor";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ lesuisse ];
+  };
+}
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -11059,6 +11059,8 @@ with pkgs;

  sg3_utils = callPackage ../tools/system/sg3_utils { };

+  sget = callPackage ../tools/security/sget { };
+
  sha1collisiondetection = callPackage ../tools/security/sha1collisiondetection { };

  shadowsocks-libev = callPackage ../tools/networking/shadowsocks-libev { };