From 771d32666a83f67880e77e5d4088f09ecd989042 Mon Sep 17 00:00:00 2001 From: Lukas Puehringer Date: Tue, 23 Apr 2024 11:13:29 +0200 Subject: [PATCH] Mark securesystemslib.gpg subpackage as internal The `gpg` subpackage provides a vaguely defined API (`gpg.functions`) to create signatures, export public keys, and verify signatures. This API and the used formats are incompatible with the securesystemslib signer API. For the sake of a consistent API, the `gpg` subpackage is marked as internal (renamed to `_gpg`) and the above mentioned functionality is exposed via the new signer API. Replacement methods are: - `GPGSigner.import_` (replaces `export_pubkey`) - `GPGSigner.sign` - `GPGKey.verify_signature` Note that public key and signature formats also change, in order to match `Key` and `Signature` interfaces. This means: - signature field `signature` is renamed to `sig` - public key fields `type`, `method` and `hashes` are replaced by `keytype` and `scheme` fields, and - public keys no longer include `subkeys` or key expiration infos. This means that the signature verification function no longer needs to decide, if a key is authorized or valid to verify a given signature. See discussion for context: https://github.com/secure-systems-lab/securesystemslib/pull/488#issuecomment-1398169012 https://github.com/secure-systems-lab/securesystemslib/pull/488#issuecomment-1400190844 Signed-off-by: Lukas Puehringer --- mypy.ini | 2 +- securesystemslib/{gpg => _gpg}/__init__.py | 0 securesystemslib/{gpg => _gpg}/common.py | 30 ++++++++++---------- securesystemslib/{gpg => _gpg}/constants.py | 0 securesystemslib/{gpg => _gpg}/dsa.py | 12 ++++---- securesystemslib/{gpg => _gpg}/eddsa.py | 10 +++---- securesystemslib/{gpg => _gpg}/exceptions.py | 0 securesystemslib/{gpg => _gpg}/functions.py | 20 ++++++------- securesystemslib/{gpg => _gpg}/handlers.py | 2 +- securesystemslib/{gpg => _gpg}/rsa.py | 12 ++++---- securesystemslib/{gpg => _gpg}/util.py | 10 +++---- securesystemslib/signer/_gpg_signer.py | 10 +++---- tests/__init__.py | 5 ++-- tests/check_gpg_available.py | 6 ++-- tests/check_public_interfaces.py | 16 +++++------ tests/check_public_interfaces_gpg.py | 8 +++--- tests/test_gpg.py | 24 ++++++++-------- tests/test_signer.py | 4 +-- tox.ini | 5 ++-- 19 files changed, 89 insertions(+), 87 deletions(-) rename securesystemslib/{gpg => _gpg}/__init__.py (100%) rename securesystemslib/{gpg => _gpg}/common.py (97%) rename securesystemslib/{gpg => _gpg}/constants.py (100%) rename securesystemslib/{gpg => _gpg}/dsa.py (95%) rename securesystemslib/{gpg => _gpg}/eddsa.py (96%) rename securesystemslib/{gpg => _gpg}/exceptions.py (100%) rename securesystemslib/{gpg => _gpg}/functions.py (94%) rename securesystemslib/{gpg => _gpg}/handlers.py (93%) rename securesystemslib/{gpg => _gpg}/rsa.py (94%) rename securesystemslib/{gpg => _gpg}/util.py (97%) diff --git a/mypy.ini b/mypy.ini index 3595e5f5..28101cdd 100644 --- a/mypy.ini +++ b/mypy.ini @@ -3,7 +3,7 @@ warn_unused_configs = True files = securesystemslib/signer/*.py, securesystemslib/storage.py, - securesystemslib/gpg/constants.py + securesystemslib/_gpg/constants.py # Supress error messages until enough modules # are type annotated diff --git a/securesystemslib/gpg/__init__.py b/securesystemslib/_gpg/__init__.py similarity index 100% rename from securesystemslib/gpg/__init__.py rename to securesystemslib/_gpg/__init__.py diff --git a/securesystemslib/gpg/common.py b/securesystemslib/_gpg/common.py similarity index 97% rename from securesystemslib/gpg/common.py rename to securesystemslib/_gpg/common.py index 676ce9ac..507f2ecc 100644 --- a/securesystemslib/gpg/common.py +++ b/securesystemslib/_gpg/common.py @@ -23,8 +23,8 @@ import logging import struct -from securesystemslib.gpg import util as gpg_util -from securesystemslib.gpg.constants import ( +from securesystemslib._gpg import util as gpg_util +from securesystemslib._gpg.constants import ( FULL_KEYID_SUBPACKET, GPG_HASH_ALGORITHM_STRING, KEY_EXPIRATION_SUBPACKET, @@ -45,13 +45,13 @@ SUPPORTED_PUBKEY_PACKET_VERSIONS, SUPPORTED_SIGNATURE_PACKET_VERSIONS, ) -from securesystemslib.gpg.exceptions import ( +from securesystemslib._gpg.exceptions import ( KeyNotFoundError, PacketParsingError, PacketVersionNotSupportedError, SignatureAlgorithmNotSupportedError, ) -from securesystemslib.gpg.handlers import ( +from securesystemslib._gpg.handlers import ( SIGNATURE_HANDLERS, SUPPORTED_SIGNATURE_ALGORITHMS, ) @@ -71,7 +71,7 @@ def parse_pubkey_payload(data): (version 4) of the RFC. NOTE: The payload can be parsed from a full key packet (header + - payload) by using securesystemslib.gpg.util.parse_packet_header. + payload) by using securesystemslib._gpg.util.parse_packet_header. WARNING: this doesn't support armored pubkey packets, so use with care. pubkey packets are a little bit more complicated than the @@ -81,13 +81,13 @@ def parse_pubkey_payload(data): ValueError If the passed public key data is empty. - securesystemslib.gpg.exceptions.PacketVersionNotSupportedError + securesystemslib._gpg.exceptions.PacketVersionNotSupportedError If the packet version does not match - securesystemslib.gpg.constants.SUPPORTED_PUBKEY_PACKET_VERSIONS + securesystemslib._gpg.constants.SUPPORTED_PUBKEY_PACKET_VERSIONS - securesystemslib.gpg.exceptions.SignatureAlgorithmNotSupportedError + securesystemslib._gpg.exceptions.SignatureAlgorithmNotSupportedError If the signature algorithm does not match one of - securesystemslib.gpg.constants.SUPPORTED_SIGNATURE_ALGORITHMS + securesystemslib._gpg.constants.SUPPORTED_SIGNATURE_ALGORITHMS None. @@ -169,7 +169,7 @@ def parse_pubkey_bundle(data): Public key data as written to stdout by gpg_export_pubkey_command. - securesystemslib.gpg.exceptions.PacketParsingError + securesystemslib._gpg.exceptions.PacketParsingError If data is empty. If data cannot be parsed. @@ -585,17 +585,17 @@ def get_pubkey_bundle(data, keyid): data: Public key data as written to stdout by - securesystemslib.gpg.constants.gpg_export_pubkey_command. + securesystemslib._gpg.constants.gpg_export_pubkey_command. keyid: The keyid of the master key or one of its subkeys expected to be contained in the passed gpg data. - securesystemslib.gpg.exceptions.PacketParsingError + securesystemslib._gpg.exceptions.PacketParsingError If the key data could not be parsed - securesystemslib.gpg.exceptions.KeyNotFoundError + securesystemslib._gpg.exceptions.KeyNotFoundError If the passed data is empty. If no master key or subkeys could be found that matches the passed keyid. @@ -676,12 +676,12 @@ def parse_signature_packet( # pylint: disable=too-many-locals,too-many-branches section 5.2 (and 5.2.3.1). supported_signature_types: (optional) a set of supported signature_types, the signature packet may be - (see securesystemslib.gpg.constants for available types). If None is + (see securesystemslib._gpg.constants for available types). If None is specified the signature packet must be of type SIGNATURE_TYPE_BINARY. supported_hash_algorithms: (optional) a set of supported hash algorithm ids, the signature packet may use. Available ids are SHA1, SHA256, SHA512 (see - securesystemslib.gpg.constants). If None is specified, the signature + securesystemslib._gpg.constants). If None is specified, the signature packet must use SHA256. include_info: (optional) a boolean that indicates whether an opaque dictionary should be diff --git a/securesystemslib/gpg/constants.py b/securesystemslib/_gpg/constants.py similarity index 100% rename from securesystemslib/gpg/constants.py rename to securesystemslib/_gpg/constants.py diff --git a/securesystemslib/gpg/dsa.py b/securesystemslib/_gpg/dsa.py similarity index 95% rename from securesystemslib/gpg/dsa.py rename to securesystemslib/_gpg/dsa.py index 66650513..b5b88f79 100644 --- a/securesystemslib/gpg/dsa.py +++ b/securesystemslib/_gpg/dsa.py @@ -29,8 +29,8 @@ # pylint: disable=wrong-import-position from securesystemslib import exceptions -from securesystemslib.gpg import util as gpg_util -from securesystemslib.gpg.exceptions import PacketParsingError +from securesystemslib._gpg import util as gpg_util +from securesystemslib._gpg.exceptions import PacketParsingError # pylint: enable=wrong-import-position @@ -80,7 +80,7 @@ def get_pubkey_params(data): in the fifth paragraph of section 5.5.2. - securesystemslib.gpg.exceptions.PacketParsingError: + securesystemslib._gpg.exceptions.PacketParsingError: if the public key parameters are malformed @@ -138,7 +138,7 @@ def get_signature_params(data): in the fourth paragraph of section 5.2.2 - securesystemslib.gpg.exceptions.PacketParsingError: + securesystemslib._gpg.exceptions.PacketParsingError: if the public key parameters are malformed securesystemslib.exceptions.UnsupportedLibraryError: @@ -189,7 +189,7 @@ def verify_signature(signature_object, pubkey_info, content, hash_algorithm_id): The DSA public key dict. hash_algorithm_id: - one of SHA1, SHA256, SHA512 (see securesystemslib.gpg.constants) + one of SHA1, SHA256, SHA512 (see securesystemslib._gpg.constants) used to verify the signature NOTE: Overrides any hash algorithm specification in "pubkey_info"'s "hashes" or "method" fields. @@ -203,7 +203,7 @@ def verify_signature(signature_object, pubkey_info, content, hash_algorithm_id): ValueError: if the passed hash_algorithm_id is not supported (see - securesystemslib.gpg.util.get_hashing_class) + securesystemslib._gpg.util.get_hashing_class) True if signature verification passes and False otherwise diff --git a/securesystemslib/gpg/eddsa.py b/securesystemslib/_gpg/eddsa.py similarity index 96% rename from securesystemslib/gpg/eddsa.py rename to securesystemslib/_gpg/eddsa.py index 6d93163a..e3365a90 100644 --- a/securesystemslib/gpg/eddsa.py +++ b/securesystemslib/_gpg/eddsa.py @@ -20,8 +20,8 @@ import binascii from securesystemslib import exceptions -from securesystemslib.gpg import util as gpg_util -from securesystemslib.gpg.exceptions import PacketParsingError +from securesystemslib._gpg import util as gpg_util +from securesystemslib._gpg.exceptions import PacketParsingError CRYPTO = True NO_CRYPTO_MSG = "EdDSA key support for GPG requires the cryptography library" @@ -57,7 +57,7 @@ def get_pubkey_params(data): public-key algorithm of this key. - securesystemslib.gpg.exceptions.PacketParsingError or IndexError: + securesystemslib._gpg.exceptions.PacketParsingError or IndexError: if the public key data is malformed. @@ -197,7 +197,7 @@ def verify_signature(signature_object, pubkey_info, content, hash_algorithm_id): A DSA public key dict. hash_algorithm_id: - one of SHA1, SHA256, SHA512 (see securesystemslib.gpg.constants) + one of SHA1, SHA256, SHA512 (see securesystemslib._gpg.constants) used to verify the signature NOTE: Overrides any hash algorithm specification in "pubkey_info"'s "hashes" or "method" fields. @@ -211,7 +211,7 @@ def verify_signature(signature_object, pubkey_info, content, hash_algorithm_id): ValueError: if the passed hash_algorithm_id is not supported (see - securesystemslib.gpg.util.get_hashing_class) + securesystemslib._gpg.util.get_hashing_class) True if signature verification passes and False otherwise. diff --git a/securesystemslib/gpg/exceptions.py b/securesystemslib/_gpg/exceptions.py similarity index 100% rename from securesystemslib/gpg/exceptions.py rename to securesystemslib/_gpg/exceptions.py diff --git a/securesystemslib/gpg/functions.py b/securesystemslib/_gpg/functions.py similarity index 94% rename from securesystemslib/gpg/functions.py rename to securesystemslib/_gpg/functions.py index 0b046b84..d66b14b5 100644 --- a/securesystemslib/gpg/functions.py +++ b/securesystemslib/_gpg/functions.py @@ -21,11 +21,11 @@ import time from securesystemslib import exceptions -from securesystemslib.gpg.common import ( +from securesystemslib._gpg.common import ( get_pubkey_bundle, parse_signature_packet, ) -from securesystemslib.gpg.constants import ( +from securesystemslib._gpg.constants import ( FULLY_SUPPORTED_MIN_VERSION, GPG_TIMEOUT, NO_GPG_MSG, @@ -34,9 +34,9 @@ gpg_sign_command, have_gpg, ) -from securesystemslib.gpg.exceptions import CommandError, KeyExpirationError -from securesystemslib.gpg.handlers import SIGNATURE_HANDLERS -from securesystemslib.gpg.rsa import CRYPTO +from securesystemslib._gpg.exceptions import CommandError, KeyExpirationError +from securesystemslib._gpg.handlers import SIGNATURE_HANDLERS +from securesystemslib._gpg.rsa import CRYPTO log = logging.getLogger(__name__) @@ -50,10 +50,10 @@ def create_signature(content, keyid=None, homedir=None, timeout=GPG_TIMEOUT): identified by the passed keyid from the gpg keyring at the passed homedir. The executed base command is defined in - securesystemslib.gpg.constants.gpg_sign_command. + securesystemslib._gpg.constants.gpg_sign_command. NOTE: On not fully supported versions of GPG, i.e. versions below - securesystemslib.gpg.constants.FULLY_SUPPORTED_MIN_VERSION the returned + securesystemslib._gpg.constants.FULLY_SUPPORTED_MIN_VERSION the returned signature does not contain the full keyid. As a work around, we export the public key bundle identified by the short keyid to compute the full keyid and add it to the returned signature. @@ -84,10 +84,10 @@ def create_signature(content, keyid=None, homedir=None, timeout=GPG_TIMEOUT): If the gpg command is not available, or the cryptography library is not installed. - securesystemslib.gpg.exceptions.CommandError: + securesystemslib._gpg.exceptions.CommandError: If the gpg command returned a non-zero exit code - securesystemslib.gpg.exceptions.KeyNotFoundError: + securesystemslib._gpg.exceptions.KeyNotFoundError: If the used gpg version is not fully supported and no public key can be found for short keyid. @@ -215,7 +215,7 @@ def verify_signature(signature_object, pubkey_info, content): The content to be verified. (bytes) - securesystemslib.gpg.exceptions.KeyExpirationError: + securesystemslib._gpg.exceptions.KeyExpirationError: if the passed public key has expired securesystemslib.exceptions.UnsupportedLibraryError: diff --git a/securesystemslib/gpg/handlers.py b/securesystemslib/_gpg/handlers.py similarity index 93% rename from securesystemslib/gpg/handlers.py rename to securesystemslib/_gpg/handlers.py index cd51866f..1eb4aa6a 100644 --- a/securesystemslib/gpg/handlers.py +++ b/securesystemslib/_gpg/handlers.py @@ -16,7 +16,7 @@ the signature verification and key parsing. """ -from securesystemslib.gpg import dsa, eddsa, rsa +from securesystemslib._gpg import dsa, eddsa, rsa # See section 9.1. (public-key algorithms) of RFC4880 (-bis8) SUPPORTED_SIGNATURE_ALGORITHMS = { diff --git a/securesystemslib/gpg/rsa.py b/securesystemslib/_gpg/rsa.py similarity index 94% rename from securesystemslib/gpg/rsa.py rename to securesystemslib/_gpg/rsa.py index 9a876bdc..4a17a966 100644 --- a/securesystemslib/gpg/rsa.py +++ b/securesystemslib/_gpg/rsa.py @@ -28,8 +28,8 @@ # pylint: disable=wrong-import-position from securesystemslib import exceptions -from securesystemslib.gpg import util as gpg_util -from securesystemslib.gpg.exceptions import PacketParsingError +from securesystemslib._gpg import util as gpg_util +from securesystemslib._gpg.exceptions import PacketParsingError # pylint: enable=wrong-import-position @@ -74,7 +74,7 @@ def get_pubkey_params(data): in the fifth paragraph of section 5.5.2. - securesystemslib.gpg.exceptions.PacketParsingError: + securesystemslib._gpg.exceptions.PacketParsingError: if the public key parameters are malformed @@ -115,7 +115,7 @@ def get_signature_params(data): in the third paragraph of section 5.2.2. - securesystemslib.gpg.exceptions.PacketParsingError: + securesystemslib._gpg.exceptions.PacketParsingError: if the public key parameters are malformed @@ -152,7 +152,7 @@ def verify_signature(signature_object, pubkey_info, content, hash_algorithm_id): The signed bytes against which the signature is verified hash_algorithm_id: - one of SHA1, SHA256, SHA512 (see securesystemslib.gpg.constants) + one of SHA1, SHA256, SHA512 (see securesystemslib._gpg.constants) used to verify the signature NOTE: Overrides any hash algorithm specification in "pubkey_info"'s "hashes" or "method" fields. @@ -163,7 +163,7 @@ def verify_signature(signature_object, pubkey_info, content, hash_algorithm_id): ValueError: if the passed hash_algorithm_id is not supported (see - securesystemslib.gpg.util.get_hashing_class) + securesystemslib._gpg.util.get_hashing_class) True if signature verification passes and False otherwise diff --git a/securesystemslib/gpg/util.py b/securesystemslib/_gpg/util.py similarity index 97% rename from securesystemslib/gpg/util.py rename to securesystemslib/_gpg/util.py index 01c94c16..a0822c57 100644 --- a/securesystemslib/gpg/util.py +++ b/securesystemslib/_gpg/util.py @@ -29,8 +29,8 @@ # pylint: disable=wrong-import-position from securesystemslib import exceptions -from securesystemslib.gpg import constants -from securesystemslib.gpg.exceptions import PacketParsingError +from securesystemslib._gpg import constants +from securesystemslib._gpg.exceptions import PacketParsingError log = logging.getLogger(__name__) @@ -113,11 +113,11 @@ def parse_packet_header( expected_type: (optional) Used to error out if the packet does not have the expected - type. See securesystemslib.gpg.constants.PACKET_TYPE_* for + type. See securesystemslib._gpg.constants.PACKET_TYPE_* for available types. - securesystemslib.gpg.exceptions.PacketParsingError + securesystemslib._gpg.exceptions.PacketParsingError If the new format packet length encodes a partial body length If the old format packet length encodes an indeterminate length If header or body length could not be determined @@ -315,7 +315,7 @@ def get_hashing_class(hash_algorithm_id): hash_algorithm_id: - one of SHA1, SHA256, SHA512 (see securesystemslib.gpg.constants) + one of SHA1, SHA256, SHA512 (see securesystemslib._gpg.constants) ValueError diff --git a/securesystemslib/signer/_gpg_signer.py b/securesystemslib/signer/_gpg_signer.py index b007241b..5eaf3e07 100644 --- a/securesystemslib/signer/_gpg_signer.py +++ b/securesystemslib/signer/_gpg_signer.py @@ -5,9 +5,9 @@ from urllib import parse from securesystemslib import exceptions -from securesystemslib.gpg import constants as gpg_constants -from securesystemslib.gpg import exceptions as gpg_exceptions -from securesystemslib.gpg import functions as gpg +from securesystemslib._gpg import constants as gpg_constants +from securesystemslib._gpg import exceptions as gpg_exceptions +from securesystemslib._gpg import functions as gpg from securesystemslib.signer._key import Key from securesystemslib.signer._signer import SecretsHandler, Signature, Signer @@ -205,9 +205,9 @@ def sign(self, payload: bytes) -> Signature: OSError: gpg command is not present or non-executable. securesystemslib.exceptions.UnsupportedLibraryError: gpg command is not available, or the cryptography library is not installed. - securesystemslib.gpg.exceptions.CommandError: gpg command returned a + securesystemslib._gpg.exceptions.CommandError: gpg command returned a non-zero exit code. - securesystemslib.gpg.exceptions.KeyNotFoundError: gpg version is not fully + securesystemslib._gpg.exceptions.KeyNotFoundError: gpg version is not fully supported. Returns: diff --git a/tests/__init__.py b/tests/__init__.py index eb69e9ce..ab3a77c9 100755 --- a/tests/__init__.py +++ b/tests/__init__.py @@ -6,6 +6,7 @@ """ # Increase gpg subprocess timeout -- Windows CI fails frequently with default 10s. -import securesystemslib.gpg.constants +# pylint: disable=protected-access +import securesystemslib._gpg.constants -securesystemslib.gpg.constants.GPG_TIMEOUT = 120 +securesystemslib._gpg.constants.GPG_TIMEOUT = 120 diff --git a/tests/check_gpg_available.py b/tests/check_gpg_available.py index 12b4b8ec..7c6b7640 100644 --- a/tests/check_gpg_available.py +++ b/tests/check_gpg_available.py @@ -26,7 +26,7 @@ import unittest -import securesystemslib.gpg.constants +import securesystemslib._gpg.constants class TestGpgAvailable(unittest.TestCase): @@ -34,7 +34,9 @@ class TestGpgAvailable(unittest.TestCase): def test_gpg_available(self): """Test that GPG is available.""" - self.assertTrue(securesystemslib.gpg.constants.have_gpg()) + self.assertTrue( + securesystemslib._gpg.constants.have_gpg() # pylint: disable=protected-access + ) if __name__ == "__main__": diff --git a/tests/check_public_interfaces.py b/tests/check_public_interfaces.py index c3f2ee3c..c79f8cab 100644 --- a/tests/check_public_interfaces.py +++ b/tests/check_public_interfaces.py @@ -32,10 +32,10 @@ import tempfile import unittest -import securesystemslib.exceptions # pylint: disable=wrong-import-position -import securesystemslib.gpg.constants # pylint: disable=wrong-import-position -import securesystemslib.gpg.functions # pylint: disable=wrong-import-position -import securesystemslib.gpg.util # pylint: disable=wrong-import-position +# pylint: disable=protected-access +import securesystemslib._gpg.constants +import securesystemslib._gpg.util +import securesystemslib.exceptions from securesystemslib.exceptions import ( UnsupportedLibraryError, VerificationError, @@ -66,18 +66,18 @@ def tearDownClass(cls): def test_gpg_functions(self): """Public GPG functions must raise error on missing cryptography lib.""" expected_error = securesystemslib.exceptions.UnsupportedLibraryError - expected_error_msg = securesystemslib.gpg.functions.NO_CRYPTO_MSG + expected_error_msg = securesystemslib._gpg.functions.NO_CRYPTO_MSG with self.assertRaises(expected_error) as ctx: - securesystemslib.gpg.functions.create_signature("bar") + securesystemslib._gpg.functions.create_signature("bar") self.assertEqual(expected_error_msg, str(ctx.exception)) with self.assertRaises(expected_error) as ctx: - securesystemslib.gpg.functions.verify_signature(None, "f00", "bar") + securesystemslib._gpg.functions.verify_signature(None, "f00", "bar") self.assertEqual(expected_error_msg, str(ctx.exception)) with self.assertRaises(expected_error) as ctx: - securesystemslib.gpg.functions.export_pubkey("f00") + securesystemslib._gpg.functions.export_pubkey("f00") self.assertEqual(expected_error_msg, str(ctx.exception)) def test_sslib_key_from_crypto(self): diff --git a/tests/check_public_interfaces_gpg.py b/tests/check_public_interfaces_gpg.py index 72de6d6b..aeaa86f5 100644 --- a/tests/check_public_interfaces_gpg.py +++ b/tests/check_public_interfaces_gpg.py @@ -12,7 +12,7 @@ See LICENSE for licensing information. - Check that the public facing 'gpg.functions' module remains importable if + Check that the public facing '_gpg.functions' module remains importable if gnupg is not installed, and that each function presents meaningful user-feedback. Further check that gpg signature verification works even without gpg. @@ -25,14 +25,14 @@ import unittest -from securesystemslib.exceptions import UnsupportedLibraryError -from securesystemslib.gpg.constants import NO_GPG_MSG, have_gpg -from securesystemslib.gpg.functions import ( +from securesystemslib._gpg.constants import NO_GPG_MSG, have_gpg +from securesystemslib._gpg.functions import ( create_signature, export_pubkey, export_pubkeys, verify_signature, ) +from securesystemslib.exceptions import UnsupportedLibraryError from securesystemslib.signer import GPGKey, GPGSigner, Signer diff --git a/tests/test_gpg.py b/tests/test_gpg.py index 4fd78fa2..4e72692d 100644 --- a/tests/test_gpg.py +++ b/tests/test_gpg.py @@ -31,7 +31,7 @@ from cryptography.hazmat import backends from cryptography.hazmat.primitives import serialization -from securesystemslib.gpg.common import ( +from securesystemslib._gpg.common import ( _assign_certified_key_info, _get_verified_subkeys, get_pubkey_bundle, @@ -39,7 +39,7 @@ parse_pubkey_payload, parse_signature_packet, ) -from securesystemslib.gpg.constants import ( +from securesystemslib._gpg.constants import ( PACKET_TYPE_PRIMARY_KEY, PACKET_TYPE_SUB_KEY, PACKET_TYPE_USER_ATTR, @@ -49,9 +49,9 @@ SHA512, have_gpg, ) -from securesystemslib.gpg.dsa import create_pubkey as dsa_create_pubkey -from securesystemslib.gpg.eddsa import ED25519_SIG_LENGTH -from securesystemslib.gpg.exceptions import ( +from securesystemslib._gpg.dsa import create_pubkey as dsa_create_pubkey +from securesystemslib._gpg.eddsa import ED25519_SIG_LENGTH +from securesystemslib._gpg.exceptions import ( CommandError, KeyExpirationError, KeyNotFoundError, @@ -59,14 +59,14 @@ PacketVersionNotSupportedError, SignatureAlgorithmNotSupportedError, ) -from securesystemslib.gpg.functions import ( +from securesystemslib._gpg.functions import ( create_signature, export_pubkey, export_pubkeys, verify_signature, ) -from securesystemslib.gpg.rsa import create_pubkey as rsa_create_pubkey -from securesystemslib.gpg.util import ( +from securesystemslib._gpg.rsa import create_pubkey as rsa_create_pubkey +from securesystemslib._gpg.util import ( get_hashing_class, parse_packet_header, parse_subpacket_header, @@ -196,7 +196,7 @@ def test_parse_subpacket_header(self): @unittest.skipIf(not have_gpg(), "gpg not found") class TestCommon(unittest.TestCase): - """Test common functions of the securesystemslib.gpg module.""" + """Test common functions of the securesystemslib._gpg module.""" @classmethod def setUpClass(self): # pylint: disable=bad-classmethod-argument @@ -271,7 +271,7 @@ def test_parse_pubkey_bundle_errors(self): # Create empty packet of unsupported type 66 (bit 0-5) and length 0 and # pass as second packet to provoke skipping of unsupported packet unsupported_packet = bytearray([0b01111111, 0]) - with patch("securesystemslib.gpg.common.log") as mock_log: + with patch("securesystemslib._gpg.common.log") as mock_log: parse_pubkey_bundle(primary_key_packet + unsupported_packet) self.assertTrue( "Ignoring gpg key packet '63'" in mock_log.info.call_args[0][0] @@ -370,7 +370,7 @@ def test_assign_certified_key_info_errors(self): ] for bundle, expected_msg in test_data: - with patch("securesystemslib.gpg.common.log") as mock_log: + with patch("securesystemslib._gpg.common.log") as mock_log: _assign_certified_key_info(bundle) msg = str(mock_log.info.call_args[0][0]) self.assertTrue( @@ -483,7 +483,7 @@ def test_get_verified_subkeys_errors(self): ] for bundle, expected_msg in test_data: - with patch("securesystemslib.gpg.common.log") as mock_log: + with patch("securesystemslib._gpg.common.log") as mock_log: _get_verified_subkeys(bundle) msg = str(mock_log.info.call_args[0][0]) self.assertTrue( diff --git a/tests/test_signer.py b/tests/test_signer.py index 21d871f1..73674344 100644 --- a/tests/test_signer.py +++ b/tests/test_signer.py @@ -15,9 +15,9 @@ load_pem_public_key, ) +from securesystemslib._gpg.constants import have_gpg +from securesystemslib._gpg.exceptions import CommandError, KeyNotFoundError from securesystemslib.exceptions import FormatError, UnverifiedSignatureError -from securesystemslib.gpg.constants import have_gpg -from securesystemslib.gpg.exceptions import CommandError, KeyNotFoundError from securesystemslib.signer import ( KEY_FOR_TYPE_AND_SCHEME, SIGNER_FOR_URI_SCHEME, diff --git a/tox.ini b/tox.ini index 69c9d2a1..81f5d248 100644 --- a/tox.ini +++ b/tox.ini @@ -52,13 +52,12 @@ deps = commands = python -m tests.check_sigstore_signer -# This checks that importing securesystemslib.gpg.constants doesn't shell out on -# import. +# Check that importing securesystemslib._gpg.constants doesn't shell out. [testenv:py311-test-gpg-fails] setenv = GNUPG = false commands = - python -c "import securesystemslib.gpg.constants" + python -c "import securesystemslib._gpg.constants" [testenv:lint] deps =