cosign: 1.9.0 -> 1.10.0

`cosigned` is no more part of the cosign repository and it has been moved into a `sigstore/policy-controller` repository. A new package should probably be created to replace it. https://github.com/sigstore/cosign/releases/tag/v1.10.0
2024-11-17 07:13:23 +01:00 · 2022-07-23 14:31:51 +02:00 · 2022-07-23 14:31:51 +02:00 · 595932cd2b
commit 595932cd2b
parent aafea0ae70
4 changed files with 12 additions and 14 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@ -258,6 +258,12 @@
          this version for the entire lifecycle of the 22.11 release.
        </para>
      </listitem>
+      <listitem>
+        <para>
+          <literal>pkgs.cosign</literal> does not provide the
+          <literal>cosigned</literal> binary anymore.
+        </para>
+      </listitem>
      <listitem>
        <para>
          riak package removed along with
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@ -101,6 +101,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 - PHP 7.4 is no longer supported due to upstream not supporting this
  version for the entire lifecycle of the 22.11 release.

+- `pkgs.cosign` does not provide the `cosigned` binary anymore.
+
 - riak package removed along with `services.riak` module, due to lack of maintainer to update the package.

 - The `services.graphite.api` and `services.graphite.beacon` NixOS options, and
--- a/pkgs/tools/security/cosign/default.nix
+++ b/pkgs/tools/security/cosign/default.nix
@ -2,13 +2,13 @@

 buildGoModule rec {
  pname = "cosign";
-  version = "1.9.0";
+  version = "1.10.0";

  src = fetchFromGitHub {
    owner = "sigstore";
    repo = pname;
    rev = "v${version}";
-    sha256 = "sha256-l+jM0GCjaqbaoIcjUgnIZJqSGIsirWMwJWPrilBdps8=";
+    sha256 = "sha256-EJ1NOaGLLBkEkWLWn8wfyFA6Kgsb9mctkw4G2um9cWE=";
  };

  buildInputs = lib.optional (stdenv.isLinux && pivKeySupport) (lib.getDev pcsclite)
@ -16,11 +16,10 @@ buildGoModule rec {

  nativeBuildInputs = [ pkg-config installShellFiles ];

-  vendorSha256 = "sha256-mZeCQOnAVZrJmi9F+y7QPPXXl48f7HAjJCmri01hYew=";
+  vendorSha256 = "sha256-JL7bqdLrNwOQPVUhlIktRM1cAPycq0PVpB1xXXiJiKM=";

  subPackages = [
    "cmd/cosign"
-    "cmd/cosign/webhook"
    "cmd/sget"
  ];

@ -33,19 +32,12 @@ buildGoModule rec {
    "-X sigs.k8s.io/release-utils/version.gitTreeState=clean"
  ];

-  postBuild = ''
-    # cmd/cosign/webhook should be called cosigned
-    mv $GOPATH/bin/{webhook,cosigned}
-  '';
-
  preCheck = ''
    # test all paths
    unset subPackages

-    rm cmd/cosign/cli/fulcio/fulcioroots/fulcioroots_test.go # Require network access
-    rm pkg/cosign/kubernetes/webhook/validator_test.go # Require network access
    rm pkg/cosign/tlog_test.go # Require network access
-    rm pkg/cosign/tuf/client_test.go # Require network access
+    rm pkg/cosign/verify_test.go # Require network access
  '';

  postInstall = ''
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -2275,8 +2275,6 @@ with pkgs;

  cosign = callPackage ../tools/security/cosign {
    inherit (darwin.apple_sdk.frameworks) PCSC;
-    # pinned due to build failure or vendoring problems. When unpinning double check with: nix-build -A $name.go-modules --rebuild
-    buildGoModule = buildGo117Module;
  };

  cozy = callPackage ../applications/audio/cozy { };