All,

After some insight from upstream about TUFv0 vs TUFv2 use by cosign, there is finally a Salsa-built cosign package to test!

  echo "deb [trusted=yes] https://salsa.debian.org/jas/cosign/-/jobs/6682245/artifacts/raw/aptly experimental main" | tee --append /etc/apt/sources.list.d/add.list
  sudo apt-get update
  sudo apt-get install cosign
  cosign version

If you know how to use cosign, please try the various sub-commands and tell us what works and what doesn't. The packaging is still rough (no man page and no self-tests), but I've uploaded it into NEW for copyright review to get started.

For those wondering how the TUFv0-vs-v2 dilemma is resolved, you may not want to know, but here is the story:

x) The problem is that cosign requires both github.com/sigstore/sigstore ("ss") and github.com/sigstore/sigstore-go ("ssg"), and that ss depends on TUFv0 and ssg depends on TUFv2, and further TUF branches are not released in a namespace-clean way, so v0 and v2 cannot be co-installed in Debian.

x) Upstream discussions implied that we could simply try to patch things, pending their upstream resolution to this (which may not happen until cosign v3, and I'm not holding my breath on that).

x) I've uploaded golang-github-sigstore-sigstore 1.8.10-3~exp0 to experimental that again ships pkg/tuf/ and pkg/fulcioroots/ but patched to use my own invention of a github.com/theupdateframework/go-tuf/v0 namespace from golang-github-theupdateframework-go-tuf-dev >> 2.0.2+0.7.0. Any other packages that require TUFv0 will need similar patching, but I expect/hope this to be minimal.

x) I've uploaded golang-github-theupdateframework-go-tuf 2.0.2+0.7.0-1 to experimental that includes a new orig.tar component of the v0 0.7.0 branch, and some patching to rename all references to github.com/theupdateframework/go-tuf into github.com/theupdateframework/go-tuf/v0 when building the v0 component, and bringing back some old debian/copyright and build magic from the earlier TUF 0.6.1-1 upload.

Better solutions are welcome! I'm hoping github.com/sigstore/sigstore will drop the TUFv0 dependency, or that github.com/sigstore/cosign will drop the github.com/sigstore/sigstore dependency, so that we can drop this ugly hack, and hopefully do that before trixie.

/Simon
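The rename step described in the last two points (rewriting github.com/theupdateframework/go-tuf references into the invented github.com/theupdateframework/go-tuf/v0 namespace) has one obvious trap: a naive search-and-replace also turns the real v2 import path, github.com/theupdateframework/go-tuf/v2/..., into go-tuf/v0/v2/..., which is exactly the co-installation clash the patch is meant to avoid. The script below is an added illustration of that step and is not code from Simon's mail or from the Debian go-tuf or sigstore packages. It assumes the rename only needs to touch quoted Go import strings (go.mod module/require lines and the dh-golang import path are left to the packaging), and the function names, the @@V parking marker and the sample Go file are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the mail or the Debian packages it describes.
# Rewrites quoted Go imports of the unversioned go-tuf module into the
# hypothetical github.com/theupdateframework/go-tuf/v0 namespace while
# leaving imports of the real go-tuf/v2 module untouched, so both can be
# present in one build tree.
set -eu

# rewrite_tuf_v0_imports: filter stdin -> stdout.
# An existing /vN major-version suffix (v2, or an already rewritten v0) is
# parked behind a marker first, so the middle expression only ever adds
# /v0 to a path that has no major version; the last expression restores
# the parked suffix. Running the filter twice is therefore harmless.
rewrite_tuf_v0_imports() {
  sed \
    -e 's#"github.com/theupdateframework/go-tuf/v\([0-9][0-9]*\)\([/"]\)#"github.com/theupdateframework/go-tuf@@V\1\2#g' \
    -e 's#"github.com/theupdateframework/go-tuf\([/"]\)#"github.com/theupdateframework/go-tuf/v0\1#g' \
    -e 's#"github.com/theupdateframework/go-tuf@@V\([0-9][0-9]*\)#"github.com/theupdateframework/go-tuf/v\1#g'
}

# count_unversioned_imports DIR: number of import lines in *.go files under
# DIR that still name the module without a /vN major version. A complete
# patch yields 0; anything else would make the Go tool look for a module
# that the v0-renamed package no longer provides.
count_unversioned_imports() {
  grep -rE --include='*.go' \
    '"github.com/theupdateframework/go-tuf(/[^v"][^"]*|/v[^0-9][^"]*)?"' "$1" \
    | wc -l | tr -d ' '
}

# --- demonstration on a constructed source tree (not real cosign code) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Constructed sample: two v0 imports (one of them a package whose name
# starts with "v", to show the suffix test is not fooled) and one v2 import.
cat > "$demo_dir/main.go" <<'EOF'
package main

import (
	"fmt"

	tufclient "github.com/theupdateframework/go-tuf/client"
	"github.com/theupdateframework/go-tuf/verify"
	"github.com/theupdateframework/go-tuf/v2/metadata"
)

func main() { fmt.Println(tufclient.Client{}, verify.ErrInvalid, metadata.Root{}) }
EOF

echo "before: $(count_unversioned_imports "$demo_dir") unversioned go-tuf import(s)"
rewrite_tuf_v0_imports < "$demo_dir/main.go" > "$demo_dir/main.go.new"
mv "$demo_dir/main.go.new" "$demo_dir/main.go"
echo "after:  $(count_unversioned_imports "$demo_dir") unversioned go-tuf import(s)"
grep 'go-tuf' "$demo_dir/main.go"
```

On the constructed file the count goes from 2 to 0, the client and verify imports gain /v0, and the v2/metadata import is unchanged. The parking trick is what makes the rewrite safe to apply to a tree that already mixes both majors, and the count check is the kind of assertion a debian/rules target can run after patching so that a forgotten file fails the build rather than surfacing as a missing-module error at compile time.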