diff --git a/.gitignore b/.gitignore index 61f1734..69420b9 100644 --- a/.gitignore +++ b/.gitignore @@ -115,4 +115,7 @@ dmypy.json .pyre/ # macOS -.DS_Store \ No newline at end of file +.DS_Store + +# pycharm +.idea diff --git a/.travis.yml b/.travis.yml index 429fb17..a11fca0 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,4 +1,4 @@ -dist: xenial +dist: bionic language: python matrix: @@ -7,15 +7,8 @@ matrix: # tox environment, instead of using one Python version in Travis and # hoping that tox and pyenv run the tests in the desired versions. # https://github.com/travis-ci/travis-ci/issues/8363#issuecomment-355090242 - - python: "3.5" - env: TOXENV=py35 - - python: "3.6" - env: TOXENV=py36 - - python: "3.7" - env: TOXENV=py37 - - python: "3.8" - env: TOXENV=py38 - + - python: "3.9" + env: TOXENV=py39 install: - pip install -U tox - pip install -U coveralls diff --git a/README.md b/README.md index 623b22f..48979af 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,7 @@ git clone https://github.com/in-toto/apt-transport-in-toto.git # Install requirements pip install -r apt-transport-in-toto/requirements.txt # Install transport -ln -s /usr/lib/apt/methods/intoto apt-transport-in-toto/intoto.py +ln -s apt-transport-in-toto/intoto.py /usr/lib/apt/methods/intoto chmod 755 /usr/lib/apt/methods/intoto ``` diff --git a/debian/control b/debian/control index 33811b3..dae1cbb 100644 --- a/debian/control +++ b/debian/control @@ -9,7 +9,7 @@ Uploaders: Vagrant Cascadian , Justin Cappos , Build-Depends: - debhelper-compat (= 12), + debhelper-compat (= 13), dh-python, dh-exec, python3-all, @@ -18,7 +18,7 @@ Build-Depends: python3-coverage, in-toto (>= 0.3.0), gnupg2, -Standards-Version: 4.4.1 +Standards-Version: 4.5.1 Rules-Requires-Root: no Homepage: https://in-toto.io Vcs-Git: https://github.com/in-toto/apt-transport-in-toto.git 
@@ -30,6 +30,7 @@ Depends: ${misc:Depends}, python3, python3-requests, + python3-securesystemslib, in-toto (>= 0.3.0), gnupg2, Description: apt transport method for in-toto supply chain verification diff --git a/intoto.py b/intoto.py index b1d1e8e..3a3473a 100755 --- a/intoto.py +++ b/intoto.py @@ -110,15 +110,11 @@ import requests import tempfile import shutil +import queue as Queue # pylint: disable=import-error +import subprocess +import securesystemslib.gpg.functions -if sys.version_info[0] == 2: # pragma: no cover - import Queue # pylint: disable=import-error - import subprocess32 as subprocess # pylint: disable=import-error -else: # pragma: no cover - import queue as Queue # pylint: disable=import-error - import subprocess - -import in_toto.util +import in_toto.exceptions import in_toto.verifylib import in_toto.models.link import in_toto.models.metadata @@ -659,12 +655,11 @@ def _intoto_verify(message_data): global_info["config"]["Keyids"])) if gpg_home: logger.info("Use gpg keyring '{}' (apt config)".format(gpg_home)) - layout_keys = in_toto.util.import_gpg_public_keys_from_keyring_as_dict( - keyids, gpg_home=gpg_home) - else: # pragma: no cover + layout_keys = securesystemslib.gpg.functions.export_pubkeys( + keyids, homedir=gpg_home) + else: # pragma: no cover logger.info("Use default gpg keyring") - layout_keys = in_toto.util.import_gpg_public_keys_from_keyring_as_dict( - keyids) + layout_keys = securesystemslib.gpg.functions.export_pubkeys(keyids) logger.info("Run in-toto verification") 
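Review bot: The new `python3-securesystemslib` dependency carries no version floor, while the sibling `in-toto (>= 0.3.0)` entry on the same list does, and the code in this commit calls `securesystemslib.gpg.functions.export_pubkeys(keyids, homedir=...)`, an API that exists only from a certain securesystemslib release onward. An older distro package that satisfies the unversioned dependency would make the transport fail at import or call time, i.e. every apt fetch through this method breaks rather than degrading. Pin the floor to the first release that exposes `export_pubkeys` with the `homedir` keyword, e.g. `python3-securesystemslib (>= <that version>),`, and keep it in step with `requirements.txt`. I cannot see from the diff which release that is, so confirm against securesystemslib's changelog.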
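Review bot: The import hunk replaces `import in_toto.util` with `import in_toto.exceptions` and adds `import securesystemslib.gpg.functions`, so the GPG key export now goes through securesystemslib directly; if any other site in `intoto.py` still references `in_toto.util`, it will now fail with `AttributeError`/`NameError` only at runtime, not at import. The hunk cannot show the rest of the module, so grep for `in_toto.util.` before merging. A one-line why-comment would also help the next reader, since the old helper name made the intent obvious and the new one does not: `# layout-key export moved from in_toto.util to securesystemslib (in-toto >= 1.0 dropped the wrapper)`, adjusting the version if that is not the actual reason.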
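Review bot: Switching the layout-key import to `securesystemslib.gpg.functions.export_pubkeys` changes which exception types a missing, unexportable or wrong-keyring key raises, and this hunk shows no handler around either call; `_intoto_verify` continues outside the hunk, so whatever `except` clause there decides between "fail closed" and "transport crashes" must now cover securesystemslib's gpg exceptions (in current releases `securesystemslib.gpg.exceptions.KeyNotFoundError` and `CommandError`), not only the in-toto ones the new `in_toto.exceptions` import suggests. Because `keyids` comes straight from apt config (`global_info["config"]["Keyids"]`), a typo'd key id is a realistic input and must produce a clean rejection of the download rather than an unhandled traceback on stdout, which apt treats as a broken method. I would also add a why-comment above the `if gpg_home:` branch: `# These keys are the trust root for layout verification; any failure exporting them must abort, never continue with a partial key dict.` The `else` branch is still `# pragma: no cover`, so the default-keyring path remains untested after this change.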
@@ -737,7 +732,7 @@ def loop(): # Messages from the parent process received on sys.stdin are relayed to the # subprocess' stdin and vice versa, messages written to the subprocess' # stdout are relayed to the parent via sys.stdout. - http_proc = subprocess.Popen([APT_METHOD_HTTP], stdin=subprocess.PIPE, + http_proc = subprocess.Popen([APT_METHOD_HTTP], stdin=subprocess.PIPE, # nosec stdout=subprocess.PIPE, universal_newlines=True) # HTTP transport message reader thread to add messages from the http diff --git a/requirements.txt b/requirements.txt index 76f7c27..290c6df 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,3 @@ in-toto -subprocess32; python_version < '3' requests +securesystemslib diff --git a/tests/data/test.layout b/tests/data/test.layout index b56cab5..c03cfab 100644 --- a/tests/data/test.layout +++ b/tests/data/test.layout 
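Review bot: The bare `# nosec` appended to the `subprocess.Popen` line silences every bandit check on that line rather than the one it means to suppress, and it records no reason why spawning `APT_METHOD_HTTP` is acceptable. Scope it to the finding and justify it inline, e.g. `http_proc = subprocess.Popen([APT_METHOD_HTTP], stdin=subprocess.PIPE,  # nosec B603 - argv list, no shell, fixed method path`. Since this child is the real downloader that the in-toto verification wraps, an auditor of the transport wants to see that the executable path is a module constant and not derived from apt config or the requested URI; `APT_METHOD_HTTP` is defined outside this hunk, so confirm that there. Note the tox config already passes `--skip B404` to bandit for the `import subprocess`, so the project is deliberately accepting subprocess use and the comment should say so.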
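Review bot: `securesystemslib` is added to `requirements.txt` without any version specifier, yet `intoto.py` in this same commit depends on `securesystemslib.gpg.functions.export_pubkeys` accepting a `homedir` keyword; a resolver that picks an older release will install cleanly and then fail at the first verified fetch. Add a floor matching the first release that ships that signature (`securesystemslib>=<version>`), the same floor used for `python3-securesystemslib` in `debian/control`, so pip installs and the Debian package agree. Dropping `subprocess32; python_version < '3'` is consistent with the Python 2 removal in `intoto.py` and needs nothing further.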
@@ -2,13 +2,13 @@ "signatures": [ { "keyid": "88876a89e3d4698f83d3db0e72e33ca3e0e04e46", - "other_headers": "04000108001d16210488876a89e3d4698f83d3db0e72e33ca3e0e04e4605025c348c50", - "signature": "2a5e5f62641c19e998ef0d3d41edbce64bc6c70ec8a10c271ca282340ce5ea5f56644911e55e1234837e6a468fe54a5fac224d1bae902bb46da9552a464b95304062fa18b873fee3f536d490dc762dc46b27cfb0058378b597136350da46d1dac8488137a1a048a0c1300c72980a627267ef49570e546c7b967786f663c4ebc6ed47545e34a7d2f89013e7c4af02ef79e7a2a345cf4aa8d761b1762a45f4fda266449cad36eeee22d24c426fba3d38d5377b2d2a7d62b188ae52ebd8eb71e2ec69eab3062c71f513c2f7999f8360a3e9784fc6b8fbd9cbc367020ef6f4394b8ba8e2b49fdbb8dfc4a241d8ae53c2ba3ff1f2e638b254a0110e0bc5e52c8b6785" + "other_headers": "04000108001d16210488876a89e3d4698f83d3db0e72e33ca3e0e04e460502600eaa72", + "signature": "4e03ee1b0ad69bc581b6e91bd7760db932020b1a3233bb09b7cf4bb118187f1c2ab19c43169399ef609835f829164f86da440dce4299d5dac027f5fddf1ef6ae6b6828de1d2fac34415a318c3b235fdc352543837a70d5bc2693af25a48c76c0d37c31ce9fdd2aa6f6c0f3cdb03db6ab710ed4e3f10ca51ca8a39fd1d6237f0909e0cea257b579b66db13b3451a597011670bf153b406c5b7218762e31ea6ec9294cc4058da5639970c069281cb8bfa3adaff505c3967dc55128be85150dc1d041f0e0bacd2dc38e535534228cab86f0954205ca24453a99a0f1758ec386100c9a4d370849728e42fc2720a6fa8bda3984eecb5eba28ee8008e9e7ae33a9a4aa" } ], "signed": { "_type": "layout", - "expires": "2021-01-06T18:30:57Z", + "expires": "2030-01-01T00:00:00Z", "inspect": [ { "_type": "inspection", diff --git a/tests/data/test.layout.docker b/tests/data/test.layout.docker index b55fa74..e475a34 100644 --- a/tests/data/test.layout.docker +++ b/tests/data/test.layout.docker 
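Review bot: The regenerated fixture still carries a hard expiry (`"expires": "2030-01-01T00:00:00Z"`), so the suite will start failing again at that date exactly as it did with the 2021 value this commit replaces. A layout signed at test setup time with the checked-in test key, or generated by a small helper with a short expiry relative to now, removes the time bomb; if that is too invasive for this change, at least add a test that feeds an already-expired layout and asserts the transport rejects the download, so that expiry enforcement — not only the happy path — is covered. The new `signature` and the changed tail of `other_headers` presumably reflect re-signing with the same key id, which is fine; the file is strict JSON, so there is nowhere to annotate this in the fixture itself, and a sentence in the test module's docstring saying how the fixture is regenerated would help the next person who has to do it.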
@@ -2,13 +2,13 @@ "signatures": [ { "keyid": "88876a89e3d4698f83d3db0e72e33ca3e0e04e46", - "other_headers": "04000108001d16210488876a89e3d4698f83d3db0e72e33ca3e0e04e4605025c348c1c", - "signature": "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" + "other_headers": "04000108001d16210488876a89e3d4698f83d3db0e72e33ca3e0e04e460502600eaa7a", + "signature": "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" } ], "signed": { "_type": "layout", - "expires": "2021-01-06T18:30:57Z", + "expires": "2030-01-01T00:00:00Z", "inspect": [ { "_type": "inspection", diff --git a/tox.ini b/tox.ini index 4808c9a..a8139be 100644 --- a/tox.ini +++ b/tox.ini @@ -5,8 +5,8 @@ # To run an individual test environment run e.g. tox -e py38 [tox] -skipsdist=True -envlist = py{35,36,37,38} +skipsdist = True +envlist = py39 [testenv] deps = @@ -16,6 +16,7 @@ deps = coverage mock +setenv = PYTHONPATH={envsitepackagesdir} commands = # Run pylint, using secure system lab's pylintrc configuration file @@ -28,6 +29,6 @@ commands = bandit intoto.py --skip B404 # Run tests generating coverage - coverage run -m unittest discover - coverage combine - coverage report -m + {envpython} -m coverage run -m unittest discover + {envpython} -m coverage combine + {envpython} -m coverage report -m
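Review bot: The new `setenv = PYTHONPATH={envsitepackagesdir}` line has no comment, and pointing `PYTHONPATH` at the tox env's own site-packages is redundant for `{envpython}` itself, so its purpose is presumably to let a *different* interpreter — e.g. `intoto.py` started as a subprocess with the system Python, or an apt-style invocation in the tests — find the tox-installed `in_toto`/`securesystemslib`. Say so where it is set: `# make the tox-installed deps visible to subprocesses that are not started with {envpython}`, and if that guess is wrong, the line is dead weight and should go. The context comment `# To run an individual test environment run e.g. tox -e py38` is now stale, since `envlist = py39` is the only environment; change it to `tox -e py39`. The `{envpython} -m coverage ...` rewrite is consistent with that intent and needs nothing further.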