Merge pull request #27 from fepitre/debian

Debian

.gitignore

@@ -115,4 +115,7 @@ dmypy.json
 .pyre/
 
 # macOS
-.DS_Store
+.DS_Store
+
+# pycharm
+.idea

.travis.yml

@@ -1,4 +1,4 @@
-dist: xenial
+dist: bionic
 language: python
 
 matrix:
@@ -7,15 +7,8 @@ matrix:
         # tox environment, instead of using one Python version in Travis and
         # hoping that tox and pyenv run the tests in the desired versions.
         # https://github.com/travis-ci/travis-ci/issues/8363#issuecomment-355090242
-        - python: "3.5"
-          env: TOXENV=py35
-        - python: "3.6"
-          env: TOXENV=py36
-        - python: "3.7"
-          env: TOXENV=py37
-        - python: "3.8"
-          env: TOXENV=py38
-
+        - python: "3.9"
+          env: TOXENV=py39
 install:
     - pip install -U tox
     - pip install -U coveralls

README.md

@@ -23,7 +23,7 @@ git clone https://github.com/in-toto/apt-transport-in-toto.git
 # Install requirements
 pip install -r apt-transport-in-toto/requirements.txt
 # Install transport
-ln -s /usr/lib/apt/methods/intoto apt-transport-in-toto/intoto.py
+ln -s apt-transport-in-toto/intoto.py /usr/lib/apt/methods/intoto
 chmod 755 /usr/lib/apt/methods/intoto
 ```
 

debian/control

@@ -9,7 +9,7 @@ Uploaders:
  Vagrant Cascadian <vagrant@debian.org>,
  Justin Cappos <jcappos@nyu.edu>,
 Build-Depends:
- debhelper-compat (= 12),
+ debhelper-compat (= 13),
  dh-python,
  dh-exec,
  python3-all,
@@ -18,7 +18,7 @@ Build-Depends:
  python3-coverage,
  in-toto (>= 0.3.0),
  gnupg2,
-Standards-Version: 4.4.1
+Standards-Version: 4.5.1
 Rules-Requires-Root: no
 Homepage: https://in-toto.io
 Vcs-Git: https://github.com/in-toto/apt-transport-in-toto.git
@@ -30,6 +30,7 @@ Depends:
   ${misc:Depends},
   python3,
   python3-requests,
+  python3-securesystemslib,
   in-toto (>= 0.3.0),
   gnupg2,
 Description: apt transport method for in-toto supply chain verification

intoto.py

@@ -110,15 +110,11 @@
 import requests
 import tempfile
 import shutil
+import queue as Queue # pylint: disable=import-error
+import subprocess
+import securesystemslib.gpg.functions
 
-if sys.version_info[0] == 2: # pragma: no cover
-  import Queue # pylint: disable=import-error
-  import subprocess32 as subprocess # pylint: disable=import-error
-else: # pragma: no cover
-  import queue as Queue # pylint: disable=import-error
-  import subprocess
-
-import in_toto.util
+import in_toto.exceptions
 import in_toto.verifylib
 import in_toto.models.link
 import in_toto.models.metadata
@@ -659,12 +655,11 @@ def _intoto_verify(message_data):
         global_info["config"]["Keyids"]))
     if gpg_home:
       logger.info("Use gpg keyring '{}' (apt config)".format(gpg_home))
-      layout_keys = in_toto.util.import_gpg_public_keys_from_keyring_as_dict(
-          keyids, gpg_home=gpg_home)
-    else: # pragma: no cover
+      layout_keys = securesystemslib.gpg.functions.export_pubkeys(
+        keyids, homedir=gpg_home)
+    else:  # pragma: no cover
       logger.info("Use default gpg keyring")
-      layout_keys = in_toto.util.import_gpg_public_keys_from_keyring_as_dict(
-          keyids)
+      layout_keys = securesystemslib.gpg.functions.export_pubkeys(keyids)
 
     logger.info("Run in-toto verification")
 
@@ -737,7 +732,7 @@ def loop():
   # Messages from the parent process received on sys.stdin are relayed to the
   # subprocess' stdin and vice versa, messages written to the subprocess'
   # stdout are relayed to the parent via sys.stdout.
-  http_proc = subprocess.Popen([APT_METHOD_HTTP], stdin=subprocess.PIPE,
+  http_proc = subprocess.Popen([APT_METHOD_HTTP], stdin=subprocess.PIPE, # nosec
       stdout=subprocess.PIPE, universal_newlines=True)
 
   # HTTP transport message reader thread to add messages from the http

requirements.txt

@@ -1,3 +1,3 @@
 in-toto
-subprocess32; python_version < '3'
 requests
+securesystemslib

tests/data/test.layout

@@ -2,13 +2,13 @@
  "signatures": [
   {
    "keyid": "88876a89e3d4698f83d3db0e72e33ca3e0e04e46",
-   "other_headers": "04000108001d16210488876a89e3d4698f83d3db0e72e33ca3e0e04e4605025c348c50",
-   "signature": "2a5e5f62641c19e998ef0d3d41edbce64bc6c70ec8a10c271ca282340ce5ea5f56644911e55e1234837e6a468fe54a5fac224d1bae902bb46da9552a464b95304062fa18b873fee3f536d490dc762dc46b27cfb0058378b597136350da46d1dac8488137a1a048a0c1300c72980a627267ef49570e546c7b967786f663c4ebc6ed47545e34a7d2f89013e7c4af02ef79e7a2a345cf4aa8d761b1762a45f4fda266449cad36eeee22d24c426fba3d38d5377b2d2a7d62b188ae52ebd8eb71e2ec69eab3062c71f513c2f7999f8360a3e9784fc6b8fbd9cbc367020ef6f4394b8ba8e2b49fdbb8dfc4a241d8ae53c2ba3ff1f2e638b254a0110e0bc5e52c8b6785"
+   "other_headers": "04000108001d16210488876a89e3d4698f83d3db0e72e33ca3e0e04e460502600eaa72",
+   "signature": "4e03ee1b0ad69bc581b6e91bd7760db932020b1a3233bb09b7cf4bb118187f1c2ab19c43169399ef609835f829164f86da440dce4299d5dac027f5fddf1ef6ae6b6828de1d2fac34415a318c3b235fdc352543837a70d5bc2693af25a48c76c0d37c31ce9fdd2aa6f6c0f3cdb03db6ab710ed4e3f10ca51ca8a39fd1d6237f0909e0cea257b579b66db13b3451a597011670bf153b406c5b7218762e31ea6ec9294cc4058da5639970c069281cb8bfa3adaff505c3967dc55128be85150dc1d041f0e0bacd2dc38e535534228cab86f0954205ca24453a99a0f1758ec386100c9a4d370849728e42fc2720a6fa8bda3984eecb5eba28ee8008e9e7ae33a9a4aa"
   }
  ],
  "signed": {
   "_type": "layout",
-  "expires": "2021-01-06T18:30:57Z",
+  "expires": "2030-01-01T00:00:00Z",
   "inspect": [
    {
     "_type": "inspection",

tests/data/test.layout.docker

@@ -2,13 +2,13 @@
  "signatures": [
   {
    "keyid": "88876a89e3d4698f83d3db0e72e33ca3e0e04e46",
-   "other_headers": "04000108001d16210488876a89e3d4698f83d3db0e72e33ca3e0e04e4605025c348c1c",
-   "signature": "3b7ed41185c6e7c7ee8845a2b0604201347e383243ff21687580231c9b2e537b92897f4a579a7e63fe654b0cb21fd971b5dd21dfea60c75cacb2e6acbcb4642bf1515e032953215a3d0371d16ea4e10753ab1a74f57ebe2bb7f60185fc8ff9aadb1a5f3de63b3823ef158a199a58cd5adbbf7d240796a9966e365c3bcbadac9d967b3e072e77ed065a6d601ceeed06a398b665f692f5151575367331cb67b89081a4862cf2d8b0d76722935f4c45566214bf876e58c938e39b704c6d00bd228587eed8d22cc18665d4923219192e312e2259a607e09a265775ba83edc9dbff85e04864629f1bd12999ad2a2916c2e2c0c485a5350461105f29a085ee41f2da53"
+   "other_headers": "04000108001d16210488876a89e3d4698f83d3db0e72e33ca3e0e04e460502600eaa7a",
+   "signature": "0d09b045bb7baabf8a099830e24a0e36454253f811fda0d0b12fc99c1bcace9bd79aee921e1ebecbc7134fc3c0de584b38aca2e793ce2a77c1c66d91db33817ba8ca1021a77a9d0cce535761ce1c247e20e46637737cd2a954de4d572b2a3100756f150cb7544772e4a456b392219a694b1a41ce56d7016056a1b00da585db7303db706b7942d08e33b13b55569c541d98f8b6d19dfb8847d71cf853196f69ff30571ba875c8a673943262209c2ea725379590ff95ab179529874860da0aba6eba5c4299af7e5efaa13969472a08c6c3d0cff26b67b791ac1aca186d5df979588268e2593cc100c24cc0d6ca286eb321b64fea105733bb45cbfa6046b89640f0"
   }
  ],
  "signed": {
   "_type": "layout",
-  "expires": "2021-01-06T18:30:57Z",
+  "expires": "2030-01-01T00:00:00Z",
   "inspect": [
    {
     "_type": "inspection",

tox.ini

@@ -5,8 +5,8 @@
 
 # To run an individual test environment run e.g. tox -e py38
 [tox]
-skipsdist=True
-envlist = py{35,36,37,38}
+skipsdist = True
+envlist = py39
 
 [testenv]
 deps =
@@ -16,6 +16,7 @@ deps =
     coverage
     mock
 
+setenv = PYTHONPATH={envsitepackagesdir}
 
 commands =
     # Run pylint, using secure system lab's pylintrc configuration file
@@ -28,6 +29,6 @@ commands =
     bandit intoto.py --skip B404
 
     # Run tests generating coverage
-    coverage run -m unittest discover
-    coverage combine
-    coverage report -m
+    {envpython} -m coverage run -m unittest discover
+    {envpython} -m coverage combine
+    {envpython} -m coverage report -m