summary refs log tree commit diff
path: root/pkgs/tools/security/cosign
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/tools/security/cosign')
-rw-r--r--pkgs/tools/security/cosign/default.nix69
1 files changed, 69 insertions, 0 deletions
diff --git a/pkgs/tools/security/cosign/default.nix b/pkgs/tools/security/cosign/default.nix
new file mode 100644
index 00000000000..63d36e99032
--- /dev/null
+++ b/pkgs/tools/security/cosign/default.nix
@@ -0,0 +1,69 @@
+{ stdenv, lib, buildGoModule, fetchFromGitHub, pcsclite, pkg-config, installShellFiles, PCSC, pivKeySupport ? true, pkcs11Support ? true }:
+
+buildGoModule rec {
+  pname = "cosign";
+  version = "1.6.0";
+
+  src = fetchFromGitHub {
+    owner = "sigstore";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-jAkTIO+tmb1vjS2eRWU9Fau7qzPCBlXJCk00iwNpULE=";
+  };
+
+  buildInputs = lib.optional (stdenv.isLinux && pivKeySupport) (lib.getDev pcsclite)
+    ++ lib.optionals (stdenv.isDarwin && pivKeySupport) [ PCSC ];
+
+  nativeBuildInputs = [ pkg-config installShellFiles ];
+
+  vendorSha256 = "sha256-E9zeRlPIIoXo/EfagHC3aDnW747SdsPiqIA384D7NQI=";
+
+  subPackages = [
+    "cmd/cosign"
+    "cmd/cosign/webhook"
+    "cmd/sget"
+  ];
+
+  tags = [] ++ lib.optionals pivKeySupport [ "pivkey" ] ++ lib.optionals pkcs11Support [ "pkcs11key" ];
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-X sigs.k8s.io/release-utils/version.gitVersion=v${version}"
+    "-X sigs.k8s.io/release-utils/version.gitTreeState=clean"
+  ];
+
+  postBuild = ''
+    # cmd/cosign/webhook should be called cosigned
+    mv $GOPATH/bin/{webhook,cosigned}
+  '';
+
+  preCheck = ''
+    # test all paths
+    unset subPackages
+
+    rm cmd/cosign/cli/fulcio/fulcioroots/fulcioroots_test.go # Require network access
+    rm pkg/cosign/kubernetes/webhook/validator_test.go # Require network access
+    rm pkg/cosign/tlog_test.go # Require network access
+    rm pkg/cosign/tuf/client_test.go # Require network access
+  '';
+
+  postInstall = ''
+    installShellCompletion --cmd cosign \
+      --bash <($out/bin/cosign completion bash) \
+      --fish <($out/bin/cosign completion fish) \
+      --zsh <($out/bin/cosign completion zsh)
+    installShellCompletion --cmd sget \
+      --bash <($out/bin/sget completion bash) \
+      --fish <($out/bin/sget completion fish) \
+      --zsh <($out/bin/sget completion zsh)
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/sigstore/cosign";
+    changelog = "https://github.com/sigstore/cosign/releases/tag/v${version}";
+    description = "Container Signing CLI with support for ephemeral keys and Sigstore signing";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ lesuisse jk ];
+  };
+}
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-06-23 07:41:10 +0000