
Bug#1085854: marked as done (ITP: sigstore-go -- Go library for Sigstore signing and verification)



Your message dated Sat, 18 Jan 2025 16:09:50 +0000
with message-id <E1tZBOQ-006OCv-S4@fasolo.debian.org>
and subject line Bug#1085854: fixed in sigstore-go 0.6.2-1
has caused the Debian Bug report #1085854,
regarding ITP: sigstore-go -- Go library for Sigstore signing and verification
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1085854: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085854
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: wnpp
Severity: wishlist
Owner: Simon Josefsson <simon@josefsson.org>

* Package name    : sigstore-go
  Version         : 0.6.2-1
  Upstream Author : sigstore
* URL             : https://github.com/sigstore/sigstore-go
* License         : Apache-2.0
  Programming Lang: Go
  Description     : Go library for Sigstore signing and verification

 sigstore-go
 .
 A client library for Sigstore (https://www.sigstore.dev/), written in
 Go.
 .
 Features:
 .
  * Signing and verification of Sigstore bundles
    (https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto)
    compliant with Sigstore Client Spec
  * Verification of raw Sigstore signatures by creating bundles for them
    (see conformance tests (/cmd/conformance/main.go) for example)
  * Signing and verifying with a Timestamp Authority (TSA)
  * Signing and verifying (offline or online) with Rekor (Artifact
    Transparency Log)
  * Structured verification results including certificate metadata
  * TUF support
  * Verification support for custom trusted root
    (https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_trustroot.proto)
  * Basic CLI and examples
 .
 There is no built-in support for signing with a KMS or other
 bring-your-own-key; however, you can easily add support by implementing
 your own version of the interface pkg/sign/keys.go:Keypair.
 .
 For an example of how to use this library, see the verification
 documentation (/docs/verification.md), the CLI cmd/sigstore-go
 (/cmd/sigstore-go/main.go), or the CLI examples below. Note that the CLI
 is to demonstrate how to use the library, and not intended as a
 fully-featured Sigstore CLI like cosign (https://github.com/sigstore/cosign).
 .
 Background
 .
 Sigstore already has a canonical Go client implementation, cosign
 (https://github.com/sigstore/cosign), which was developed with a focus
 on container image signing/verification. It has a rich CLI and a long
 legacy of features and development. sigstore-go is a more minimal and
 friendly API for integrating Go code with Sigstore, with a focus on the
 newly specified data structures in sigstore/protobuf-specs
 (https://github.com/sigstore/protobuf-specs). sigstore-go attempts to
 minimize the dependency tree for simple signing and verification tasks,
 omitting KMS support and container image verification, and we intend to
 refactor parts of cosign to depend on sigstore-go.

I hope to maintain this package as part of Debian Go Packaging Team:

https://salsa.debian.org/go-team/packages/sigstore-go

/Simon



--- End Message ---
--- Begin Message ---
Source: sigstore-go
Source-Version: 0.6.2-1
Done: Simon Josefsson <simon@josefsson.org>

We believe that the bug you reported is fixed in the latest version of
sigstore-go, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1085854@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Josefsson <simon@josefsson.org> (supplier of updated sigstore-go package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 22 Oct 2024 22:40:21 +0000
Source: sigstore-go
Binary: golang-github-sigstore-sigstore-go-dev sigstore-go sigstore-go-dbgsym
Architecture: source all amd64
Version: 0.6.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Simon Josefsson <simon@josefsson.org>
Description:
 golang-github-sigstore-sigstore-go-dev - Sigstore signing and verification (Go library)
 sigstore-go - Sigstore signing and verification (program)
Closes: 1085854
Changes:
 sigstore-go (0.6.2-1) unstable; urgency=medium
 .
   * Initial release (Closes: #1085854)




--- End Message ---
