diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..99d80f9 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,20 @@ +version: 2 + +updates: + - package-ecosystem: pip + directory: / + groups: + python: + patterns: + - "*" + schedule: + interval: daily + + - package-ecosystem: github-actions + directory: / + groups: + actions: + patterns: + - "*" + schedule: + interval: daily diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml new file mode 100644 index 0000000..ca6c622 --- /dev/null +++ b/.github/workflows/docs.yml @@ -0,0 +1,45 @@ +name: Deploy Documentation + +on: + push: + branches: + - main + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Install uv + uses: astral-sh/setup-uv@v3 + with: + enable-cache: true + cache-dependency-glob: pyproject.toml + + - name: setup + run: | + make dev INSTALL_EXTRA=doc + + - name: build docs + run: | + make doc + + - name: upload docs artifact + uses: actions/upload-pages-artifact@v3 + with: + path: ./html/ + + deploy: + needs: build + runs-on: ubuntu-latest + permissions: + # NOTE: Needed to push to the repository. + pages: write + id-token: write + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + steps: + - id: deployment + uses: actions/deploy-pages@v4 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 0000000..77eb058 --- /dev/null +++ b/.github/workflows/lint.yml @@ -0,0 +1,29 @@ +name: Lint + +on: + push: + branches: + - main + pull_request: + +jobs: + lint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Install uv + uses: astral-sh/setup-uv@v3 + with: + enable-cache: true + cache-dependency-glob: pyproject.toml + + - name: install uv + run: > + curl --no-progress-meter --location --fail + --proto '=https' --tlsv1.2 + "https://astral.sh/uv/install.sh" + | sh + + - name: lint + run: make lint INSTALL_EXTRA=lint diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..d9e86c8 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,53 @@ +on: + release: + types: + - published + +name: release + +jobs: + build: + name: Build distributions + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Install uv + uses: astral-sh/setup-uv@v3 + with: + enable-cache: true + cache-dependency-glob: pyproject.toml + + - name: Build distributions + run: uv build + + - name: Upload distributions + uses: actions/upload-artifact@v4 + with: + name: distributions + path: dist/ + + publish: + name: Publish Python distributions to PyPI + runs-on: ubuntu-latest + environment: + name: pypi + url: https://pypi.org/p/pip-plugin-pep740 + needs: [build] + permissions: + # Used to sign the release's artifacts with sigstore-python. + # Used to publish to PyPI with Trusted Publishing. + id-token: write + steps: + - name: Download distributions + uses: actions/download-artifact@v4 + with: + name: distributions + path: dist/ + + - name: Publish distributions + uses: pypa/gh-action-pypi-publish@release/v1 + with: + attestations: true diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml new file mode 100644 index 0000000..e05c008 --- /dev/null +++ b/.github/workflows/tests.yml @@ -0,0 +1,34 @@ +name: Unit tests + +on: + push: + branches: + - main + pull_request: + +jobs: + test: + strategy: + matrix: + python: + - "3.8" + - "3.9" + - "3.10" + - "3.11" + - "3.12" + - "3.13" + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Install uv + uses: astral-sh/setup-uv@v3 + with: + enable-cache: true + cache-dependency-glob: pyproject.toml + + - name: Install Python ${{ matrix.python }} + run: uv python install ${{ matrix.python }} + + - name: test + run: make test INSTALL_EXTRA=test diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..b90ba49 --- /dev/null +++ b/.gitignore @@ -0,0 +1,8 @@ +env/ +pip-wheel-metadata/ +*.egg-info/ +__pycache__/ +.coverage* +.idea +html/ +dist/ diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..f433b1a --- /dev/null +++ b/LICENSE @@ -0,0 +1,177 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..36193c2 --- /dev/null +++ b/Makefile @@ -0,0 +1,82 @@ +SHELL := /bin/bash + +PY_IMPORT = pip_plugin_pep740 + +ALL_PY_SRCS := $(shell find src -name '*.py') \ + $(shell find test -name '*.py') + +# Optionally overriden by the user, if they're using a virtual environment manager. +VENV ?= env + +# On Windows, venv scripts/shims are under `Scripts` instead of `bin`. +VENV_BIN := $(VENV)/bin +ifeq ($(OS),Windows_NT) + VENV_BIN := $(VENV)/Scripts +endif + +# Optionally overridden by the user in the `release` target. +BUMP_ARGS := + +# Optionally overridden by the user in the `test` target. +TESTS := + +# Optionally overridden by the user/CI, to limit the installation to a specific +# subset of development dependencies. +INSTALL_EXTRA := dev + +# If the user selects a specific test pattern to run, set `pytest` to fail fast +# and only run tests that match the pattern. +# Otherwise, run all tests and enable coverage assertions, since we expect +# complete test coverage. +ifneq ($(TESTS),) + TEST_ARGS := -x -k $(TESTS) + COV_ARGS := +else + TEST_ARGS := + COV_ARGS := --fail-under 100 +endif + +.PHONY: all +all: + @echo "Run my targets individually!" + +.PHONY: dev +dev: $(VENV)/pyvenv.cfg + +$(VENV)/pyvenv.cfg: pyproject.toml + uv venv $(VENV) + @. $(VENV_BIN)/activate && uv pip install -e '.[$(INSTALL_EXTRA)]' --prerelease=allow + +.PHONY: lint +lint: $(VENV)/pyvenv.cfg + . $(VENV_BIN)/activate && \ + ruff format --check && \ + ruff check && \ + mypy + . $(VENV_BIN)/activate && \ + interrogate -c pyproject.toml . + +.PHONY: reformat +reformat: + . $(VENV_BIN)/activate && \ + ruff format && \ + ruff check --fix + +.PHONY: test tests +test tests: $(VENV)/pyvenv.cfg + . $(VENV_BIN)/activate && \ + pytest --cov=$(PY_IMPORT) $(T) $(TEST_ARGS) && \ + python -m coverage report -m $(COV_ARGS) + +.PHONY: doc +doc: $(VENV)/pyvenv.cfg + . $(VENV_BIN)/activate && \ + pdoc -o html $(PY_IMPORT) + +.PHONY: package +package: $(VENV)/pyvenv.cfg + uvx --from build pyproject-build --installer uv + +.PHONY: edit +edit: + $(EDITOR) $(ALL_PY_SRCS) diff --git a/README.md b/README.md new file mode 100644 index 0000000..240f835 --- /dev/null +++ b/README.md @@ -0,0 +1,12 @@ +# Pip plugin pep740 + + +[![CI](https://github.com/facutuesca/pip-plugin-pep740/actions/workflows/tests.yml/badge.svg)](https://github.com/facutuesca/pip-plugin-pep740/actions/workflows/tests.yml) +[![PyPI version](https://badge.fury.io/py/pip-plugin-pep740.svg)](https://pypi.org/project/pip-plugin-pep740) +[![Packaging status](https://repology.org/badge/tiny-repos/python:pip-plugin-pep740.svg)](https://repology.org/project/python:pip-plugin-pep740/versions) + + +An implementation of a "dist-inspector" [pip](https://pypi.org/project/pip/) plugin +that verifies PEP-740 attestations before installing a package, and +aborts the installation if verification fails +(as discussed on the pip [issue tracker](https://github.com/pypa/pip/issues/12766)). diff --git a/pyproject.toml b/pyproject.toml new file mode 100644 index 0000000..1dbcdf2 --- /dev/null +++ b/pyproject.toml @@ -0,0 +1,97 @@ +[project] +name = "pip-plugin-pep740" +dynamic = ["version"] +description = "A pip plugin that verifies PEP 740 attestations before package installation" +readme = "README.md" +license = { file = "LICENSE" } +authors = [ + { name = "Trail of Bits", email = "opensource@trailofbits.com" }, +] +classifiers = [ + "Programming Language :: Python :: 3", + "License :: OSI Approved :: Apache Software License", +] +dependencies = [ + "packaging", + # Change to >=0.0.13 once the PR is merged + "pypi-attestations @ git+https://github.com/trailofbits/pypi-attestations@refs/pull/64/head", + "rfc3986", + "sigstore~=3.3", +] +requires-python = ">=3.9" + +[tool.setuptools.dynamic] +version = { attr = "pip_plugin_pep740.__version__" } + +[project.entry-points."pip.plugins"] +pep740-distinspector = "pip_plugin_pep740" + +[project.optional-dependencies] +doc = ["pdoc"] +test = ["pytest", "pytest-cov", "pretend", "coverage[toml]", "requests-mock"] +lint = [ + # NOTE: ruff is under active development, so we pin conservatively here + # and let Dependabot periodically perform this update. + "ruff ~= 0.6.2", + "mypy >= 1.0", + "types-html5lib", + "types-requests", + "types-toml", + "interrogate", +] +dev = ["pip-plugin-pep740[doc,test,lint]", "twine", "build"] + + + +[project.urls] +Homepage = "https://pypi.org/project/pip-plugin-pep740" +Documentation = "https://facutuesca.github.io/pip-plugin-pep740/" +Issues = "https://github.com/facutuesca/pip-plugin-pep740/issues" +Source = "https://github.com/facutuesca/pip-plugin-pep740" + +[tool.coverage.run] +# don't attempt code coverage for the CLI entrypoints +omit = ["src/pip_plugin_pep740/_cli.py"] + +[tool.mypy] +mypy_path = "src" +packages = "pip_plugin_pep740" +allow_redefinition = true +check_untyped_defs = true +disallow_incomplete_defs = true +disallow_untyped_defs = true +ignore_missing_imports = true +no_implicit_optional = true +show_error_codes = true +sqlite_cache = true +strict_equality = true +warn_no_return = true +warn_redundant_casts = true +warn_return_any = true +warn_unreachable = true +warn_unused_configs = true +warn_unused_ignores = true + +[tool.ruff] +line-length = 100 +include = ["src/**/*.py", "test/**/*.py"] + +[tool.ruff.lint] +select = ["ALL"] +# D203 and D213 are incompatible with D211 and D212 respectively. +# COM812 and ISC001 can cause conflicts when using ruff as a formatter. +# See https://docs.astral.sh/ruff/formatter/#conflicting-lint-rules. +ignore = ["D203", "D213", "COM812", "ISC001"] + +[tool.ruff.lint.per-file-ignores] + +"test/**/*.py" = [ + "D", # no docstrings in tests + "S101", # asserts are expected in tests +] +[tool.interrogate] +# don't enforce documentation coverage for packaging, testing, the virtual +# environment, or the CLI (which is documented separately). +exclude = ["env", "test", "src/pip_plugin_pep740/_cli.py"] +ignore-semiprivate = true +fail-under = 100 diff --git a/src/pip_plugin_pep740/__init__.py b/src/pip_plugin_pep740/__init__.py new file mode 100644 index 0000000..5e5e43c --- /dev/null +++ b/src/pip_plugin_pep740/__init__.py @@ -0,0 +1,7 @@ +"""The `pip-plugin-pep740` APIs.""" + +__version__ = "0.0.1" + +from ._impl import plugin_type, pre_download, pre_extract + +__all__ = ["plugin_type", "pre_extract", "pre_download"] diff --git a/src/pip_plugin_pep740/_impl.py b/src/pip_plugin_pep740/_impl.py new file mode 100644 index 0000000..c8181b7 --- /dev/null +++ b/src/pip_plugin_pep740/_impl.py @@ -0,0 +1,121 @@ +"""The `pip-plugin-pep740` implementation.""" + +from __future__ import annotations + +from json import JSONDecodeError +from typing import TYPE_CHECKING, Literal + +import requests +from packaging.utils import parse_sdist_filename, parse_wheel_filename +from pydantic import ValidationError +from pypi_attestations import ( + AttestationBundle, + AttestationError, + Distribution, + GitHubPublisher, + GitLabPublisher, + Provenance, +) +from rfc3986 import builder +from sigstore.verify import Verifier, policy + +if TYPE_CHECKING: + from pathlib import Path # pragma: no cover + +PluginType = Literal["dist-inspector"] + + +def _get_provenance(filename: str) -> Provenance | None: + """Download the provenance for a given distribution.""" + if filename.endswith(".tar.gz"): + name, version = parse_sdist_filename(filename) + elif filename.endswith(".whl"): + name, version, _, _ = parse_wheel_filename(filename) + else: + # Unexpected file, ignore + return None + + # This currently only works when installing packages from PyPI + # In order to make it general, we need to get the provenance URL from the index API instead + # of hardcoding the URL. This can be done once + # https://github.com/pypi/warehouse/pull/16801 is merged + provenance_url = ( + builder.URIBuilder() + .add_scheme("https") + .add_host("pypi.org") + .add_path(f"integrity/{name}/{version}/{filename}/provenance") + .geturl() + ) + try: + r = requests.get(url=provenance_url, params={"Accept": "application/json"}, timeout=5) + r.raise_for_status() + except requests.HTTPError as e: + # If there is no provenance available, continue + if e.response.status_code == requests.codes.not_found: + return None + raise ValueError(e) from e + except requests.RequestException as e: + msg = f"Error downloading provenance file: {e}" + raise ValueError(msg) from e + + try: + return Provenance.model_validate(r.json()) + except ValidationError as e: + msg = f"Invalid provenance: {e}" + raise ValueError(msg) from e + except JSONDecodeError as e: + msg = f"Invalid provenance JSON: {e}" + raise ValueError(msg) from e + + +def _get_verification_policy(bundle: AttestationBundle) -> policy.VerificationPolicy: + """Construct a verification policy from the Trusted Publisher in the bundle.""" + publisher = bundle.publisher + if isinstance(publisher, GitHubPublisher): + issuer = "https://token.actions.githubusercontent.com" + repository = f"https://github.com/{publisher.repository}" + elif isinstance(publisher, GitLabPublisher): + issuer = "https://gitlab.com" + repository = f"https://gitlab.com/{publisher.repository}" + + return policy.AllOf( + [ + policy.OIDCIssuerV2(issuer), + policy.OIDCSourceRepositoryURI(repository), + ] + ) + + +def plugin_type() -> PluginType: + """Return the plugin type.""" + return "dist-inspector" + + +def pre_download(url: str, filename: str, digest: str) -> None: # noqa: ARG001 + """Inspect the file about to be downloaded by pip. + + This hook is called right before pip downloads a distribution + file. It doesn't return anything, and it can only raise `ValueError` + to signal to pip that the operation should be aborted. + """ + provenance = _get_provenance(filename) + if not provenance: + return + distribution = Distribution(name=filename, digest=digest) + verifier = Verifier.production() + for bundle in provenance.attestation_bundles: + # Each bundle has their own trusted publisher information, so each + # needs its own verification policy. + policy = _get_verification_policy(bundle) + try: + for a in bundle.attestations: + a.verify(verifier=verifier, policy=policy, dist=distribution) + except AttestationError as e: + msg = f"Provenance failed verification: {e}" + raise ValueError(msg) from e + return + + +def pre_extract(dist: Path) -> None: # noqa: ARG001 + """Check before extraction.""" + return diff --git a/src/pip_plugin_pep740/py.typed b/src/pip_plugin_pep740/py.typed new file mode 100644 index 0000000..e69de29 diff --git a/test/__init__.py b/test/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/test/assets/abi3info-2024.10.3-py3-none-any.whl b/test/assets/abi3info-2024.10.3-py3-none-any.whl new file mode 100644 index 0000000..ad5230e Binary files /dev/null and b/test/assets/abi3info-2024.10.3-py3-none-any.whl differ diff --git a/test/assets/abi3info-2024.10.3-py3-none-any.whl.provenance b/test/assets/abi3info-2024.10.3-py3-none-any.whl.provenance new file mode 100644 index 0000000..a005486 --- /dev/null +++ b/test/assets/abi3info-2024.10.3-py3-none-any.whl.provenance @@ -0,0 +1 @@ +{"attestation_bundles":[{"attestations":[{"envelope":{"signature":"MEUCIEAYNKAdEGWZvAmtKTGXcZXGurccs4NW3Q7sFOgKNGA9AiEAmC/tResW9BKvNZAac1Deb3R4YZ1ULVCmZ3blPRRFL64=","statement":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoiYWJpM2luZm8tMjAyNC4xMC4zLXB5My1ub25lLWFueS53aGwiLCJkaWdlc3QiOnsic2hhMjU2IjoiMDE1NzdlMjMxNDA5MzAxMTg1NGVjN2U4ODhkYzNmZDI1ZTE5MDMxYmMxMjFhOGMzOTQ0MzBkYTA2ZTFmZDRkYyJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL2RvY3MucHlwaS5vcmcvYXR0ZXN0YXRpb25zL3B1Ymxpc2gvdjEiLCJwcmVkaWNhdGUiOm51bGx9"},"verification_material":{"certificate":"MIIGzzCCBlSgAwIBAgIUKw9qrIPZnEU+Usa26Qv949cFyDQwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjQxMDAzMjA0MDI5WhcNMjQxMDAzMjA1MDI5WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESvDOxMIlFqM3BUctN/vMfVfqzvx0wXLPprKP29FQX75IQh5LcfhwWIt01I/G5VdNkGKkhpq22yL/aHC6vMoQGqOCBXMwggVvMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUgsZGCgNM7LzjdEkwhCBdA9UhVtIwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wZwYDVR0RAQH/BF0wW4ZZaHR0cHM6Ly9naXRodWIuY29tL3dvb2RydWZmdy9hYmkzaW5mby8uZ2l0aHViL3dvcmtmbG93cy9yZWxlYXNlLnltbEByZWZzL3RhZ3MvdjIwMjQuMTAuMDMwOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTAVBgorBgEEAYO/MAECBAdyZWxlYXNlMDYGCisGAQQBg78wAQMEKDBmNDBmNGYzNTdiOTE0MWVjMzQ3Mjc3MWQ0Y2I5MDRlMjI5YjBkZTIwFQYKKwYBBAGDvzABBAQHcmVsZWFzZTAgBgorBgEEAYO/MAEFBBJ3b29kcnVmZncvYWJpM2luZm8wIwYKKwYBBAGDvzABBgQVcmVmcy90YWdzL3YyMDI0LjEwLjAzMDsGCisGAQQBg78wAQgELQwraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTBpBgorBgEEAYO/MAEJBFsMWWh0dHBzOi8vZ2l0aHViLmNvbS93b29kcnVmZncvYWJpM2luZm8vLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWxAcmVmcy90YWdzL3YyMDI0LjEwLjAzMDgGCisGAQQBg78wAQoEKgwoMGY0MGY0ZjM1N2I5MTQxZWMzNDcyNzcxZDRjYjkwNGUyMjliMGRlMjAdBgorBgEEAYO/MAELBA8MDWdpdGh1Yi1ob3N0ZWQwNQYKKwYBBAGDvzABDAQnDCVodHRwczovL2dpdGh1Yi5jb20vd29vZHJ1ZmZ3L2FiaTNpbmZvMDgGCisGAQQBg78wAQ0EKgwoMGY0MGY0ZjM1N2I5MTQxZWMzNDcyNzcxZDRjYjkwNGUyMjliMGRlMjAlBgorBgEEAYO/MAEOBBcMFXJlZnMvdGFncy92MjAyNC4xMC4wMzAZBgorBgEEAYO/MAEPBAsMCTUzODI5MzE5NzAsBgorBgEEAYO/MAEQBB4MHGh0dHBzOi8vZ2l0aHViLmNvbS93b29kcnVmZncwFwYKKwYBBAGDvzABEQQJDAczMDU5MjEwMGkGCisGAQQBg78wARIEWwxZaHR0cHM6Ly9naXRodWIuY29tL3dvb2RydWZmdy9hYmkzaW5mby8uZ2l0aHViL3dvcmtmbG93cy9yZWxlYXNlLnltbEByZWZzL3RhZ3MvdjIwMjQuMTAuMDMwOAYKKwYBBAGDvzABEwQqDCgwZjQwZjRmMzU3YjkxNDFlYzM0NzI3NzFkNGNiOTA0ZTIyOWIwZGUyMBcGCisGAQQBg78wARQECQwHcmVsZWFzZTBZBgorBgEEAYO/MAEVBEsMSWh0dHBzOi8vZ2l0aHViLmNvbS93b29kcnVmZncvYWJpM2luZm8vYWN0aW9ucy9ydW5zLzExMTY5MzkwNTIyL2F0dGVtcHRzLzEwFgYKKwYBBAGDvzABFgQIDAZwdWJsaWMwgYoGCisGAQQB1nkCBAIEfAR6AHgAdgDdPTBqxscRMmMZHhyZZzcCokpeuN48rf+HinKALynujgAAAZJUHNm4AAAEAwBHMEUCIQCJJIFE+F6EvQ+oh6Ylm51NrIzyQ2dPTL5bPueeJYLk8AIgEzUJ0XhzfANgpr7LAhkvTq+i70Z6/Wmep+n+NpIk/QwwCgYIKoZIzj0EAwMDaQAwZgIxAMaKx/mnBGO6cH10rcAEGXwDKj9Wgfl9ORxesJyCegQLkQuUV+ix75Ib55ZHx9Ir6QIxAIq5FB9kKyGXMDoN2zaMxSK05Lb5CGGjy3ELSWyySdPBuI5YWu6q+H+hpnLxkA0t2Q==","transparency_entries":[{"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiZHNzZSIsInNwZWMiOnsiZW52ZWxvcGVIYXNoIjp7ImFsZ29yaXRobSI6InNoYTI1NiIsInZhbHVlIjoiZDQ0OGFmM2Q2MGM2ZWUxNDc2ZmJmNTYxMDMxMmUzYjU1NDdhMzE1NDE2MTQwNjRhOWQyMWRjN2Q0NDVjYTJlZSJ9LCJwYXlsb2FkSGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjNiNmJlYjRmNmNhOGNlM2RmOGRmYzMyYzZlNzE5MjA1OTAwODZmOGI0ZTA5OTYzNzU3N2FhNGU0ZTM5YTI2M2IifSwic2lnbmF0dXJlcyI6W3sic2lnbmF0dXJlIjoiTUVVQ0lFQVlOS0FkRUdXWnZBbXRLVEdYY1pYR3VyY2NzNE5XM1E3c0ZPZ0tOR0E5QWlFQW1DL3RSZXNXOUJLdk5aQWFjMURlYjNSNFlaMVVMVkNtWjNibFBSUkZMNjQ9IiwidmVyaWZpZXIiOiJMUzB0TFMxQ1JVZEpUaUJEUlZKVVNVWkpRMEZVUlMwdExTMHRDazFKU1VkNmVrTkRRbXhUWjBGM1NVSkJaMGxWUzNjNWNYSkpVRnB1UlZVclZYTmhNalpSZGprME9XTkdlVVJSZDBObldVbExiMXBKZW1vd1JVRjNUWGNLVG5wRlZrMUNUVWRCTVZWRlEyaE5UV015Ykc1ak0xSjJZMjFWZFZwSFZqSk5ValIzU0VGWlJGWlJVVVJGZUZaNllWZGtlbVJIT1hsYVV6RndZbTVTYkFwamJURnNXa2RzYUdSSFZYZElhR05PVFdwUmVFMUVRWHBOYWtFd1RVUkpOVmRvWTA1TmFsRjRUVVJCZWsxcVFURk5SRWsxVjJwQlFVMUdhM2RGZDFsSUNrdHZXa2w2YWpCRFFWRlpTVXR2V2tsNmFqQkVRVkZqUkZGblFVVlRka1JQZUUxSmJFWnhUVE5DVldOMFRpOTJUV1pXWm5GNmRuZ3dkMWhNVUhCeVMxQUtNamxHVVZnM05VbFJhRFZNWTJab2QxZEpkREF4U1M5SE5WWmtUbXRIUzJ0b2NIRXlNbmxNTDJGSVF6WjJUVzlSUjNGUFEwSllUWGRuWjFaMlRVRTBSd3BCTVZWa1JIZEZRaTkzVVVWQmQwbElaMFJCVkVKblRsWklVMVZGUkVSQlMwSm5aM0pDWjBWR1FsRmpSRUY2UVdSQ1owNVdTRkUwUlVablVWVm5jMXBIQ2tOblRrMDNUSHBxWkVWcmQyaERRbVJCT1ZWb1ZuUkpkMGgzV1VSV1VqQnFRa0puZDBadlFWVXpPVkJ3ZWpGWmEwVmFZalZ4VG1wd1MwWlhhWGhwTkZrS1drUTRkMXAzV1VSV1VqQlNRVkZJTDBKR01IZFhORnBhWVVoU01HTklUVFpNZVRsdVlWaFNiMlJYU1hWWk1qbDBURE5rZG1JeVVubGtWMXB0WkhrNWFBcFpiV3Q2WVZjMWJXSjVPSFZhTW13d1lVaFdhVXd6WkhaamJYUnRZa2M1TTJONU9YbGFWM2hzV1ZoT2JFeHViSFJpUlVKNVdsZGFla3d6VW1oYU0wMTJDbVJxU1hkTmFsRjFUVlJCZFUxRVRYZFBVVmxMUzNkWlFrSkJSMFIyZWtGQ1FWRlJjbUZJVWpCalNFMDJUSGs1TUdJeWRHeGlhVFZvV1ROU2NHSXlOWG9LVEcxa2NHUkhhREZaYmxaNldsaEthbUl5TlRCYVZ6VXdURzFPZG1KVVFWWkNaMjl5UW1kRlJVRlpUeTlOUVVWRFFrRmtlVnBYZUd4WldFNXNUVVJaUndwRGFYTkhRVkZSUW1jM09IZEJVVTFGUzBSQ2JVNUVRbTFPUjFsNlRsUmthVTlVUlRCTlYxWnFUWHBSTTAxcVl6Tk5WMUV3V1RKSk5VMUVVbXhOYWtrMUNsbHFRbXRhVkVsM1JsRlpTMHQzV1VKQ1FVZEVkbnBCUWtKQlVVaGpiVlp6V2xkR2VscFVRV2RDWjI5eVFtZEZSVUZaVHk5TlFVVkdRa0pLTTJJeU9Xc0tZMjVXYlZwdVkzWlpWMHB3VFRKc2RWcHRPSGRKZDFsTFMzZFpRa0pCUjBSMmVrRkNRbWRSVm1OdFZtMWplVGt3V1Zka2Vrd3pXWGxOUkVrd1RHcEZkd3BNYWtGNlRVUnpSME5wYzBkQlVWRkNaemM0ZDBGUlowVk1VWGR5WVVoU01HTklUVFpNZVRrd1lqSjBiR0pwTldoWk0xSndZakkxZWt4dFpIQmtSMmd4Q2xsdVZucGFXRXBxWWpJMU1GcFhOVEJNYlU1MllsUkNjRUpuYjNKQ1owVkZRVmxQTDAxQlJVcENSbk5OVjFkb01HUklRbnBQYVRoMldqSnNNR0ZJVm1rS1RHMU9kbUpUT1ROaU1qbHJZMjVXYlZwdVkzWlpWMHB3VFRKc2RWcHRPSFpNYldSd1pFZG9NVmxwT1ROaU0wcHlXbTE0ZG1RelRYWmpiVlp6V2xkR2VncGFVelUxWWxkNFFXTnRWbTFqZVRrd1dWZGtla3d6V1hsTlJFa3dUR3BGZDB4cVFYcE5SR2RIUTJselIwRlJVVUpuTnpoM1FWRnZSVXRuZDI5TlIxa3dDazFIV1RCYWFrMHhUakpKTlUxVVVYaGFWMDE2VGtSamVVNTZZM2hhUkZKcVdXcHJkMDVIVlhsTmFteHBUVWRTYkUxcVFXUkNaMjl5UW1kRlJVRlpUeThLVFVGRlRFSkJPRTFFVjJSd1pFZG9NVmxwTVc5aU0wNHdXbGRSZDA1UldVdExkMWxDUWtGSFJIWjZRVUpFUVZGdVJFTldiMlJJVW5kamVtOTJUREprY0Fwa1IyZ3hXV2sxYW1JeU1IWmtNamwyV2toS01WcHRXak5NTWtacFlWUk9jR0p0V25aTlJHZEhRMmx6UjBGUlVVSm5OemgzUVZFd1JVdG5kMjlOUjFrd0NrMUhXVEJhYWsweFRqSkpOVTFVVVhoYVYwMTZUa1JqZVU1NlkzaGFSRkpxV1dwcmQwNUhWWGxOYW14cFRVZFNiRTFxUVd4Q1oyOXlRbWRGUlVGWlR5OEtUVUZGVDBKQ1kwMUdXRXBzV201TmRtUkhSbTVqZVRreVRXcEJlVTVETkhoTlF6UjNUWHBCV2tKbmIzSkNaMFZGUVZsUEwwMUJSVkJDUVhOTlExUlZlZ3BQUkVrMVRYcEZOVTU2UVhOQ1oyOXlRbWRGUlVGWlR5OU5RVVZSUWtJMFRVaEhhREJrU0VKNlQyazRkbG95YkRCaFNGWnBURzFPZG1KVE9UTmlNamxyQ21OdVZtMWFibU4zUm5kWlMwdDNXVUpDUVVkRWRucEJRa1ZSVVVwRVFXTjZUVVJWTlUxcVJYZE5SMnRIUTJselIwRlJVVUpuTnpoM1FWSkpSVmQzZUZvS1lVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVEROa2RtSXlVbmxrVjFwdFpIazVhRmx0YTNwaFZ6VnRZbms0ZFZveWJEQmhTRlpwVEROa2RncGpiWFJ0WWtjNU0yTjVPWGxhVjNoc1dWaE9iRXh1YkhSaVJVSjVXbGRhZWt3elVtaGFNMDEyWkdwSmQwMXFVWFZOVkVGMVRVUk5kMDlCV1V0TGQxbENDa0pCUjBSMmVrRkNSWGRSY1VSRFozZGFhbEYzV21wU2JVMTZWVE5aYW10NFRrUkdiRmw2VFRCT2Vra3pUbnBHYTA1SFRtbFBWRUV3V2xSSmVVOVhTWGNLV2tkVmVVMUNZMGREYVhOSFFWRlJRbWMzT0hkQlVsRkZRMUYzU0dOdFZuTmFWMFo2V2xSQ1drSm5iM0pDWjBWRlFWbFBMMDFCUlZaQ1JYTk5VMWRvTUFwa1NFSjZUMms0ZGxveWJEQmhTRlpwVEcxT2RtSlRPVE5pTWpsclkyNVdiVnB1WTNaWlYwcHdUVEpzZFZwdE9IWlpWMDR3WVZjNWRXTjVPWGxrVnpWNkNreDZSWGhOVkZrMVRYcHJkMDVVU1hsTU1rWXdaRWRXZEdOSVVucE1la1YzUm1kWlMwdDNXVUpDUVVkRWRucEJRa1puVVVsRVFWcDNaRmRLYzJGWFRYY0taMWx2UjBOcGMwZEJVVkZDTVc1clEwSkJTVVZtUVZJMlFVaG5RV1JuUkdSUVZFSnhlSE5qVWsxdFRWcElhSGxhV25walEyOXJjR1YxVGpRNGNtWXJTQXBwYmt0QlRIbHVkV3BuUVVGQldrcFZTRTV0TkVGQlFVVkJkMEpJVFVWVlEwbFJRMHBLU1VaRkswWTJSWFpSSzI5b05sbHNiVFV4VG5KSmVubFJNbVJRQ2xSTU5XSlFkV1ZsU2xsTWF6aEJTV2RGZWxWS01GaG9lbVpCVG1kd2NqZE1RV2hyZGxSeEsyazNNRm8yTDFkdFpYQXJiaXRPY0VsckwxRjNkME5uV1VrS1MyOWFTWHBxTUVWQmQwMUVZVkZCZDFwblNYaEJUV0ZMZUM5dGJrSkhUelpqU0RFd2NtTkJSVWRZZDBSTGFqbFhaMlpzT1U5U2VHVnpTbmxEWldkUlRBcHJVWFZWVml0cGVEYzFTV0kxTlZwSWVEbEpjalpSU1hoQlNYRTFSa0k1YTB0NVIxaE5SRzlPTW5waFRYaFRTekExVEdJMVEwZEhhbmt6UlV4VFYzbDVDbE5rVUVKMVNUVlpWM1UyY1N0SUsyaHdia3g0YTBFd2RESlJQVDBLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUW89In1dfX0=","inclusionPromise":{"signedEntryTimestamp":"MEYCIQCmNyYsPowG1JhsTdxqiIX3U/7Au6XaXYGUSOpqH4vm4wIhAKWKlfBqYEnAS4PmnpFU8urVnWRyX+RgYG/xC3R3IoBl"},"inclusionProof":{"checkpoint":{"envelope":"rekor.sigstore.dev - 1193050959916656506\n14715023\nIyQHfWBCjwz8lnRQzUXashtTN7aPUC4oZXd4RLHvMWc=\n\n— rekor.sigstore.dev wNI9ajBFAiBPiiso077c0r3RNk2ZBBj5Uktbye/J5o+9w/++ta0uIAIhAKtaFqOdKFkpROfsNf2iFu+p56pKoHldBqOttJZrKd1p\n"},"hashes":["9ThPYz4yEosFImoMc7oyLeN1He3ieULNUMj5yNiH5rA=","95k7tsx18wk/s+gC0VwVIWJSpsFLbM9Va9OXxwg1QoM=","PPRIClKANC4yMimtdRsbqF4uuSTISvGXTKykY7YIm9g=","5E9UT2AALNmYJDhBfdQHpi/0sNDhOIrVOFpRs17dO5w=","AIchu5T6uNVFYxxOKziKSag2JbfWSkIyM20jzCUh1O0=","IWeCvjCw+7vtXTKqMOGXaVsiczrTGcP9sBsjjhfFHkA=","QzDOEWyBb/3k5BehbANgpJnqCv18gWmRP6KhEoXU01g=","Vy4gMeigrzl2h7E1v0/hMaOzFXSdIQN01k9twthAt24=","UOIKRNrO4SY8vQWPM9XszYB37SeuO8WzM8T/KZG+nwA=","m8jmAdc3HEDKqvvIKmGhqoilAvqBxZhsktXmXh58WiA="],"logIndex":"14715021","rootHash":"IyQHfWBCjwz8lnRQzUXashtTN7aPUC4oZXd4RLHvMWc=","treeSize":"14715023"},"integratedTime":"1727988030","kindVersion":{"kind":"dsse","version":"0.0.1"},"logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"logIndex":"136619283"}]},"version":1}],"publisher":{"claims":null,"environment":"","kind":"GitHub","repository":"woodruffw/abi3info","workflow":"release.yml"}}],"version":1} diff --git a/test/assets/abi3info-2024.10.8-py3-none-any.whl b/test/assets/abi3info-2024.10.8-py3-none-any.whl new file mode 100644 index 0000000..e468b7c Binary files /dev/null and b/test/assets/abi3info-2024.10.8-py3-none-any.whl differ diff --git a/test/assets/abi3info-2024.10.8-py3-none-any.whl.provenance b/test/assets/abi3info-2024.10.8-py3-none-any.whl.provenance new file mode 100644 index 0000000..3d8e1fa --- /dev/null +++ b/test/assets/abi3info-2024.10.8-py3-none-any.whl.provenance @@ -0,0 +1 @@ +{"attestation_bundles":[{"attestations":[{"envelope":{"signature":"MEQCIELMZRhsNcO/dBwR7PgmYb8XmSMJlgpr2T7t4J1Qa2aQAiAYp7swRtCbhlbi7U0ruMfLkVYe9FJUd58EDuKCix8k8A==","statement":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoiYWJpM2luZm8tMjAyNC4xMC44LXB5My1ub25lLWFueS53aGwiLCJkaWdlc3QiOnsic2hhMjU2IjoiYjAyMzZjNjcwNzc4M2Y5Mzk3MTI3NDEwMWUxMTkwNTUxOTJjZWYwOTI1ZjViN2NlYmRhZDAzYzY5ZGM1YTQ5OSJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL2RvY3MucHlwaS5vcmcvYXR0ZXN0YXRpb25zL3B1Ymxpc2gvdjEiLCJwcmVkaWNhdGUiOm51bGx9"},"verification_material":{"certificate":"MIIGzzCCBlSgAwIBAgIUHNCMvxbSSrQaSAOP6jlm3Nh1hHUwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjQxMDA4MjAxNzI4WhcNMjQxMDA4MjAyNzI4WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETiHxYwwcJT/PRHqE3IUTYb5YcaDJuKQcjz+R3H6JMHFm2FvEaGTItQSMeneq+W6HOnXjpne35qv6RypMOwu4DqOCBXMwggVvMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUW2d4aGqCITzR57P2UPtf4Bl7eLUwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wZwYDVR0RAQH/BF0wW4ZZaHR0cHM6Ly9naXRodWIuY29tL3dvb2RydWZmdy9hYmkzaW5mby8uZ2l0aHViL3dvcmtmbG93cy9yZWxlYXNlLnltbEByZWZzL3RhZ3MvdjIwMjQuMTAuMDgwOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTAVBgorBgEEAYO/MAECBAdyZWxlYXNlMDYGCisGAQQBg78wAQMEKGMxYjhhZmQzZDZjYTAzOGRjMmJiNTEyNTAzYzYxOWZjYWI0ODlkMmIwFQYKKwYBBAGDvzABBAQHcmVsZWFzZTAgBgorBgEEAYO/MAEFBBJ3b29kcnVmZncvYWJpM2luZm8wIwYKKwYBBAGDvzABBgQVcmVmcy90YWdzL3YyMDI0LjEwLjA4MDsGCisGAQQBg78wAQgELQwraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTBpBgorBgEEAYO/MAEJBFsMWWh0dHBzOi8vZ2l0aHViLmNvbS93b29kcnVmZncvYWJpM2luZm8vLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWxAcmVmcy90YWdzL3YyMDI0LjEwLjA4MDgGCisGAQQBg78wAQoEKgwoYzFiOGFmZDNkNmNhMDM4ZGMyYmI1MTI1MDNjNjE5ZmNhYjQ4OWQyYjAdBgorBgEEAYO/MAELBA8MDWdpdGh1Yi1ob3N0ZWQwNQYKKwYBBAGDvzABDAQnDCVodHRwczovL2dpdGh1Yi5jb20vd29vZHJ1ZmZ3L2FiaTNpbmZvMDgGCisGAQQBg78wAQ0EKgwoYzFiOGFmZDNkNmNhMDM4ZGMyYmI1MTI1MDNjNjE5ZmNhYjQ4OWQyYjAlBgorBgEEAYO/MAEOBBcMFXJlZnMvdGFncy92MjAyNC4xMC4wODAZBgorBgEEAYO/MAEPBAsMCTUzODI5MzE5NzAsBgorBgEEAYO/MAEQBB4MHGh0dHBzOi8vZ2l0aHViLmNvbS93b29kcnVmZncwFwYKKwYBBAGDvzABEQQJDAczMDU5MjEwMGkGCisGAQQBg78wARIEWwxZaHR0cHM6Ly9naXRodWIuY29tL3dvb2RydWZmdy9hYmkzaW5mby8uZ2l0aHViL3dvcmtmbG93cy9yZWxlYXNlLnltbEByZWZzL3RhZ3MvdjIwMjQuMTAuMDgwOAYKKwYBBAGDvzABEwQqDChjMWI4YWZkM2Q2Y2EwMzhkYzJiYjUxMjUwM2M2MTlmY2FiNDg5ZDJiMBcGCisGAQQBg78wARQECQwHcmVsZWFzZTBZBgorBgEEAYO/MAEVBEsMSWh0dHBzOi8vZ2l0aHViLmNvbS93b29kcnVmZncvYWJpM2luZm8vYWN0aW9ucy9ydW5zLzExMjQzMDUyOTg4L2F0dGVtcHRzLzEwFgYKKwYBBAGDvzABFgQIDAZwdWJsaWMwgYoGCisGAQQB1nkCBAIEfAR6AHgAdgDdPTBqxscRMmMZHhyZZzcCokpeuN48rf+HinKALynujgAAAZJtx5L9AAAEAwBHMEUCIQCA3BVUaO7RwUdi++6QnUXa9bWu88YM06lcGlCGbSVzBgIgYnGK8Ide+GQa0HHClkLcu+OY2jzKJo0mXqkABSCt7y0wCgYIKoZIzj0EAwMDaQAwZgIxAJHGmcKO8Dtu1Twc3L3SGNC4eyG6K95KfEiWdxZGoBq5vAF2oEtcjEqZgvDjUZ9zOQIxAL1HgaKvdl4eZ6GnMNKW06SA1NKB81fQFddcRVdvgOywPZpxtkayanf1xQyKa/klnQ==","transparency_entries":[{"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiZHNzZSIsInNwZWMiOnsiZW52ZWxvcGVIYXNoIjp7ImFsZ29yaXRobSI6InNoYTI1NiIsInZhbHVlIjoiMWYzNjE5NTAzZmNkYTZiNjcwYTZiMmUwMjYxZTc5MDZhOWViNjM1MzBmYWQ4ODhjMjUzNTBlMjBlNmNiNzhlYSJ9LCJwYXlsb2FkSGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6Ijc3NmNmZjRhNGY4ZDY5ZjEyYWE4NGRjNmExMDRlNjM1MWEzNGIyODViZDVkNTExNWQ3YWExZjMzYmM1Y2E1ZjYifSwic2lnbmF0dXJlcyI6W3sic2lnbmF0dXJlIjoiTUVRQ0lFTE1aUmhzTmNPL2RCd1I3UGdtWWI4WG1TTUpsZ3ByMlQ3dDRKMVFhMmFRQWlBWXA3c3dSdENiaGxiaTdVMHJ1TWZMa1ZZZTlGSlVkNThFRHVLQ2l4OGs4QT09IiwidmVyaWZpZXIiOiJMUzB0TFMxQ1JVZEpUaUJEUlZKVVNVWkpRMEZVUlMwdExTMHRDazFKU1VkNmVrTkRRbXhUWjBGM1NVSkJaMGxWU0U1RFRYWjRZbE5UY2xGaFUwRlBVRFpxYkcwelRtZ3hhRWhWZDBObldVbExiMXBKZW1vd1JVRjNUWGNLVG5wRlZrMUNUVWRCTVZWRlEyaE5UV015Ykc1ak0xSjJZMjFWZFZwSFZqSk5ValIzU0VGWlJGWlJVVVJGZUZaNllWZGtlbVJIT1hsYVV6RndZbTVTYkFwamJURnNXa2RzYUdSSFZYZElhR05PVFdwUmVFMUVRVFJOYWtGNFRucEpORmRvWTA1TmFsRjRUVVJCTkUxcVFYbE9la2swVjJwQlFVMUdhM2RGZDFsSUNrdHZXa2w2YWpCRFFWRlpTVXR2V2tsNmFqQkVRVkZqUkZGblFVVlVhVWg0V1hkM1kwcFVMMUJTU0hGRk0wbFZWRmxpTlZsallVUktkVXRSWTJwNksxSUtNMGcyU2sxSVJtMHlSblpGWVVkVVNYUlJVMDFsYm1WeEsxYzJTRTl1V0dwd2JtVXpOWEYyTmxKNWNFMVBkM1UwUkhGUFEwSllUWGRuWjFaMlRVRTBSd3BCTVZWa1JIZEZRaTkzVVVWQmQwbElaMFJCVkVKblRsWklVMVZGUkVSQlMwSm5aM0pDWjBWR1FsRmpSRUY2UVdSQ1owNVdTRkUwUlVablVWVlhNbVEwQ21GSGNVTkpWSHBTTlRkUU1sVlFkR1kwUW13M1pVeFZkMGgzV1VSV1VqQnFRa0puZDBadlFWVXpPVkJ3ZWpGWmEwVmFZalZ4VG1wd1MwWlhhWGhwTkZrS1drUTRkMXAzV1VSV1VqQlNRVkZJTDBKR01IZFhORnBhWVVoU01HTklUVFpNZVRsdVlWaFNiMlJYU1hWWk1qbDBURE5rZG1JeVVubGtWMXB0WkhrNWFBcFpiV3Q2WVZjMWJXSjVPSFZhTW13d1lVaFdhVXd6WkhaamJYUnRZa2M1TTJONU9YbGFWM2hzV1ZoT2JFeHViSFJpUlVKNVdsZGFla3d6VW1oYU0wMTJDbVJxU1hkTmFsRjFUVlJCZFUxRVozZFBVVmxMUzNkWlFrSkJSMFIyZWtGQ1FWRlJjbUZJVWpCalNFMDJUSGs1TUdJeWRHeGlhVFZvV1ROU2NHSXlOWG9LVEcxa2NHUkhhREZaYmxaNldsaEthbUl5TlRCYVZ6VXdURzFPZG1KVVFWWkNaMjl5UW1kRlJVRlpUeTlOUVVWRFFrRmtlVnBYZUd4WldFNXNUVVJaUndwRGFYTkhRVkZSUW1jM09IZEJVVTFGUzBkTmVGbHFhR2hhYlZGNldrUmFhbGxVUVhwUFIxSnFUVzFLYVU1VVJYbE9WRUY2V1hwWmVFOVhXbXBaVjBrd0NrOUViR3ROYlVsM1JsRlpTMHQzV1VKQ1FVZEVkbnBCUWtKQlVVaGpiVlp6V2xkR2VscFVRV2RDWjI5eVFtZEZSVUZaVHk5TlFVVkdRa0pLTTJJeU9Xc0tZMjVXYlZwdVkzWlpWMHB3VFRKc2RWcHRPSGRKZDFsTFMzZFpRa0pCUjBSMmVrRkNRbWRSVm1OdFZtMWplVGt3V1Zka2Vrd3pXWGxOUkVrd1RHcEZkd3BNYWtFMFRVUnpSME5wYzBkQlVWRkNaemM0ZDBGUlowVk1VWGR5WVVoU01HTklUVFpNZVRrd1lqSjBiR0pwTldoWk0xSndZakkxZWt4dFpIQmtSMmd4Q2xsdVZucGFXRXBxWWpJMU1GcFhOVEJNYlU1MllsUkNjRUpuYjNKQ1owVkZRVmxQTDAxQlJVcENSbk5OVjFkb01HUklRbnBQYVRoMldqSnNNR0ZJVm1rS1RHMU9kbUpUT1ROaU1qbHJZMjVXYlZwdVkzWlpWMHB3VFRKc2RWcHRPSFpNYldSd1pFZG9NVmxwT1ROaU0wcHlXbTE0ZG1RelRYWmpiVlp6V2xkR2VncGFVelUxWWxkNFFXTnRWbTFqZVRrd1dWZGtla3d6V1hsTlJFa3dUR3BGZDB4cVFUUk5SR2RIUTJselIwRlJVVUpuTnpoM1FWRnZSVXRuZDI5WmVrWnBDazlIUm0xYVJFNXJUbTFPYUUxRVRUUmFSMDE1V1cxSk1VMVVTVEZOUkU1cVRtcEZOVnB0VG1oWmFsRTBUMWRSZVZscVFXUkNaMjl5UW1kRlJVRlpUeThLVFVGRlRFSkJPRTFFVjJSd1pFZG9NVmxwTVc5aU0wNHdXbGRSZDA1UldVdExkMWxDUWtGSFJIWjZRVUpFUVZGdVJFTldiMlJJVW5kamVtOTJUREprY0Fwa1IyZ3hXV2sxYW1JeU1IWmtNamwyV2toS01WcHRXak5NTWtacFlWUk9jR0p0V25aTlJHZEhRMmx6UjBGUlVVSm5OemgzUVZFd1JVdG5kMjlaZWtacENrOUhSbTFhUkU1clRtMU9hRTFFVFRSYVIwMTVXVzFKTVUxVVNURk5SRTVxVG1wRk5WcHRUbWhaYWxFMFQxZFJlVmxxUVd4Q1oyOXlRbWRGUlVGWlR5OEtUVUZGVDBKQ1kwMUdXRXBzV201TmRtUkhSbTVqZVRreVRXcEJlVTVETkhoTlF6UjNUMFJCV2tKbmIzSkNaMFZGUVZsUEwwMUJSVkJDUVhOTlExUlZlZ3BQUkVrMVRYcEZOVTU2UVhOQ1oyOXlRbWRGUlVGWlR5OU5RVVZSUWtJMFRVaEhhREJrU0VKNlQyazRkbG95YkRCaFNGWnBURzFPZG1KVE9UTmlNamxyQ21OdVZtMWFibU4zUm5kWlMwdDNXVUpDUVVkRWRucEJRa1ZSVVVwRVFXTjZUVVJWTlUxcVJYZE5SMnRIUTJselIwRlJVVUpuTnpoM1FWSkpSVmQzZUZvS1lVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVEROa2RtSXlVbmxrVjFwdFpIazVhRmx0YTNwaFZ6VnRZbms0ZFZveWJEQmhTRlpwVEROa2RncGpiWFJ0WWtjNU0yTjVPWGxhVjNoc1dWaE9iRXh1YkhSaVJVSjVXbGRhZWt3elVtaGFNMDEyWkdwSmQwMXFVWFZOVkVGMVRVUm5kMDlCV1V0TGQxbENDa0pCUjBSMmVrRkNSWGRSY1VSRGFHcE5WMGswV1ZkYWEwMHlVVEpaTWtWM1RYcG9hMWw2U21sWmFsVjRUV3BWZDAweVRUSk5WR3h0V1RKR2FVNUVaelVLV2tSS2FVMUNZMGREYVhOSFFWRlJRbWMzT0hkQlVsRkZRMUYzU0dOdFZuTmFWMFo2V2xSQ1drSm5iM0pDWjBWRlFWbFBMMDFCUlZaQ1JYTk5VMWRvTUFwa1NFSjZUMms0ZGxveWJEQmhTRlpwVEcxT2RtSlRPVE5pTWpsclkyNVdiVnB1WTNaWlYwcHdUVEpzZFZwdE9IWlpWMDR3WVZjNWRXTjVPWGxrVnpWNkNreDZSWGhOYWxGNlRVUlZlVTlVWnpSTU1rWXdaRWRXZEdOSVVucE1la1YzUm1kWlMwdDNXVUpDUVVkRWRucEJRa1puVVVsRVFWcDNaRmRLYzJGWFRYY0taMWx2UjBOcGMwZEJVVkZDTVc1clEwSkJTVVZtUVZJMlFVaG5RV1JuUkdSUVZFSnhlSE5qVWsxdFRWcElhSGxhV25walEyOXJjR1YxVGpRNGNtWXJTQXBwYmt0QlRIbHVkV3BuUVVGQldrcDBlRFZNT1VGQlFVVkJkMEpJVFVWVlEwbFJRMEV6UWxaVllVODNVbmRWWkdrckt6WlJibFZZWVRsaVYzVTRPRmxOQ2pBMmJHTkhiRU5IWWxOV2VrSm5TV2RaYmtkTE9FbGtaU3RIVVdFd1NFaERiR3RNWTNVclQxa3lhbnBMU204d2JWaHhhMEZDVTBOME4za3dkME5uV1VrS1MyOWFTWHBxTUVWQmQwMUVZVkZCZDFwblNYaEJTa2hIYldOTFR6aEVkSFV4Vkhkak0wd3pVMGRPUXpSbGVVYzJTemsxUzJaRmFWZGtlRnBIYjBKeE5RcDJRVVl5YjBWMFkycEZjVnBuZGtScVZWbzVlazlSU1hoQlRERklaMkZMZG1Sc05HVmFOa2R1VFU1TFZ6QTJVMEV4VGt0Q09ERm1VVVprWkdOU1ZtUjJDbWRQZVhkUVduQjRkR3RoZVdGdVpqRjRVWGxMWVM5cmJHNVJQVDBLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUW89In1dfX0=","inclusionPromise":{"signedEntryTimestamp":"MEUCIQCHVJJECS48TrdhijyH7ULyJkjnyL6nRFlKqIdOXakhJAIgNuPNkvJIoMuAfsKKuzezeW2Ux/hPp06UGiK7W3V+FiE="},"inclusionProof":{"checkpoint":{"envelope":"rekor.sigstore.dev - 1193050959916656506\n16252918\nx+s+MbBeSodo41RziQ5f7jApTPKCxJVXzZuVmmOGfHw=\n\n— rekor.sigstore.dev wNI9ajBGAiEAl0MZpdlQeukwKGt7ct3x25dQ1kbqAtQlPeSNEvqdmHoCIQC42T3rlo3Ucgu8ULb5/5Mz9Mh+8QD4d8Q7o/qP5wdGkQ==\n"},"hashes":["u7KzRpzc/+2bXTuTiJDaHsT4Z4fMuxPj6DNnqkhdJKM=","vL0vOau+P5oSiAePe2L1lDPMisYfg0uAz05a23d3UoY=","4jbqWRVLBIMRWy69DybZxJjIh35jkCpf/6jM4qNYOng=","TJvk9HAUbc0ozZaOaloVPXs+k2dL6h3Rhms80uRjCi0=","pS46P4FtY5cP+P7DPfPeDDI7K1LlNlSJB8fzvygG2FE=","bEoYqfsu+Lp0xiQKRVpif829vmAflYrdmrMs8h+vNfc=","0fg1FZVlvhL54JIUvvwf0DqlWu8ol6dA/4eco+GDqzs=","iw5fwvdQnYx1KafraPteZzxhtUJ+cLSeIRM+u4yN3x0=","J5/1+QGJDN5TsthZ3GiWydkb0x1T5Rlzapmy8H/b2So=","uQ9Qo22fH48W6tYEuoT57E4y3I5BlrFAUp9EsXjPiTk=","Y13KY3NsPaSUawdzdimEjKICRBs0o5JAwxA+X9SKktA=","ATDrBjVGXZq0SXE3l93icSsbQO/GPwSxIi4C5mmVA5E=","pAYZ0udCZhKomfpSblidBPOUqHywHJhYRsFkr8ErUXM=","U8z9kuBu9lsBt8aThPBJMFxNkgsN5Sj56XKcZD+SDRc=","kMFisEs5aXocgiyVwbQ086AueGVgsj2kO1W2yt9BFwA=","wXgmSa32VbZBEcq2/StIvZog6n3YPGMkJW71c9A8Spw=","9/8OCCPxXk/mOWRs/Yky2HsQ/+cdzOKcuHctd3dJMrQ=","66A5KssTkbRaPhP6q0qwMpzgjor0Mwy/s2XTZ66cMpc=","Vy4gMeigrzl2h7E1v0/hMaOzFXSdIQN01k9twthAt24=","UOIKRNrO4SY8vQWPM9XszYB37SeuO8WzM8T/KZG+nwA=","m8jmAdc3HEDKqvvIKmGhqoilAvqBxZhsktXmXh58WiA="],"logIndex":"16252917","rootHash":"x+s+MbBeSodo41RziQ5f7jApTPKCxJVXzZuVmmOGfHw=","treeSize":"16252918"},"integratedTime":"1728418649","kindVersion":{"kind":"dsse","version":"0.0.1"},"logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"logIndex":"138157179"}]},"version":1}],"publisher":{"claims":null,"environment":"","kind":"GitHub","repository":"woodruffw/abi3info","workflow":"release.yml"}}],"version":1} diff --git a/test/assets/abi3info-2024.10.8.tar.gz b/test/assets/abi3info-2024.10.8.tar.gz new file mode 100644 index 0000000..b89049b Binary files /dev/null and b/test/assets/abi3info-2024.10.8.tar.gz differ diff --git a/test/assets/abi3info-2024.10.8.tar.gz.provenance b/test/assets/abi3info-2024.10.8.tar.gz.provenance new file mode 100644 index 0000000..3988842 --- /dev/null +++ b/test/assets/abi3info-2024.10.8.tar.gz.provenance @@ -0,0 +1 @@ +{"attestation_bundles":[{"attestations":[{"envelope":{"signature":"MEQCIG3px68+ebEqBRt96IUbeCzhGAX7AHpsWoPuzHJy5tX1AiAhzewz5ba6+DLru8GlnPjVVXgRvU7/LCfso35mh2WhPw==","statement":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoiYWJpM2luZm8tMjAyNC4xMC44LnRhci5neiIsImRpZ2VzdCI6eyJzaGEyNTYiOiJmODFmOTUxM2NiYTAzOWE1MjMxZDY1MjNjYTU4YjA3MWQxZDk2YWZlNDMwY2Q1NzZiZmRhM2U3M2M4YjRlNTVmIn19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vZG9jcy5weXBpLm9yZy9hdHRlc3RhdGlvbnMvcHVibGlzaC92MSIsInByZWRpY2F0ZSI6bnVsbH0="},"verification_material":{"certificate":"MIIGzzCCBlSgAwIBAgIUHNCMvxbSSrQaSAOP6jlm3Nh1hHUwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjQxMDA4MjAxNzI4WhcNMjQxMDA4MjAyNzI4WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETiHxYwwcJT/PRHqE3IUTYb5YcaDJuKQcjz+R3H6JMHFm2FvEaGTItQSMeneq+W6HOnXjpne35qv6RypMOwu4DqOCBXMwggVvMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUW2d4aGqCITzR57P2UPtf4Bl7eLUwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wZwYDVR0RAQH/BF0wW4ZZaHR0cHM6Ly9naXRodWIuY29tL3dvb2RydWZmdy9hYmkzaW5mby8uZ2l0aHViL3dvcmtmbG93cy9yZWxlYXNlLnltbEByZWZzL3RhZ3MvdjIwMjQuMTAuMDgwOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTAVBgorBgEEAYO/MAECBAdyZWxlYXNlMDYGCisGAQQBg78wAQMEKGMxYjhhZmQzZDZjYTAzOGRjMmJiNTEyNTAzYzYxOWZjYWI0ODlkMmIwFQYKKwYBBAGDvzABBAQHcmVsZWFzZTAgBgorBgEEAYO/MAEFBBJ3b29kcnVmZncvYWJpM2luZm8wIwYKKwYBBAGDvzABBgQVcmVmcy90YWdzL3YyMDI0LjEwLjA4MDsGCisGAQQBg78wAQgELQwraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTBpBgorBgEEAYO/MAEJBFsMWWh0dHBzOi8vZ2l0aHViLmNvbS93b29kcnVmZncvYWJpM2luZm8vLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWxAcmVmcy90YWdzL3YyMDI0LjEwLjA4MDgGCisGAQQBg78wAQoEKgwoYzFiOGFmZDNkNmNhMDM4ZGMyYmI1MTI1MDNjNjE5ZmNhYjQ4OWQyYjAdBgorBgEEAYO/MAELBA8MDWdpdGh1Yi1ob3N0ZWQwNQYKKwYBBAGDvzABDAQnDCVodHRwczovL2dpdGh1Yi5jb20vd29vZHJ1ZmZ3L2FiaTNpbmZvMDgGCisGAQQBg78wAQ0EKgwoYzFiOGFmZDNkNmNhMDM4ZGMyYmI1MTI1MDNjNjE5ZmNhYjQ4OWQyYjAlBgorBgEEAYO/MAEOBBcMFXJlZnMvdGFncy92MjAyNC4xMC4wODAZBgorBgEEAYO/MAEPBAsMCTUzODI5MzE5NzAsBgorBgEEAYO/MAEQBB4MHGh0dHBzOi8vZ2l0aHViLmNvbS93b29kcnVmZncwFwYKKwYBBAGDvzABEQQJDAczMDU5MjEwMGkGCisGAQQBg78wARIEWwxZaHR0cHM6Ly9naXRodWIuY29tL3dvb2RydWZmdy9hYmkzaW5mby8uZ2l0aHViL3dvcmtmbG93cy9yZWxlYXNlLnltbEByZWZzL3RhZ3MvdjIwMjQuMTAuMDgwOAYKKwYBBAGDvzABEwQqDChjMWI4YWZkM2Q2Y2EwMzhkYzJiYjUxMjUwM2M2MTlmY2FiNDg5ZDJiMBcGCisGAQQBg78wARQECQwHcmVsZWFzZTBZBgorBgEEAYO/MAEVBEsMSWh0dHBzOi8vZ2l0aHViLmNvbS93b29kcnVmZncvYWJpM2luZm8vYWN0aW9ucy9ydW5zLzExMjQzMDUyOTg4L2F0dGVtcHRzLzEwFgYKKwYBBAGDvzABFgQIDAZwdWJsaWMwgYoGCisGAQQB1nkCBAIEfAR6AHgAdgDdPTBqxscRMmMZHhyZZzcCokpeuN48rf+HinKALynujgAAAZJtx5L9AAAEAwBHMEUCIQCA3BVUaO7RwUdi++6QnUXa9bWu88YM06lcGlCGbSVzBgIgYnGK8Ide+GQa0HHClkLcu+OY2jzKJo0mXqkABSCt7y0wCgYIKoZIzj0EAwMDaQAwZgIxAJHGmcKO8Dtu1Twc3L3SGNC4eyG6K95KfEiWdxZGoBq5vAF2oEtcjEqZgvDjUZ9zOQIxAL1HgaKvdl4eZ6GnMNKW06SA1NKB81fQFddcRVdvgOywPZpxtkayanf1xQyKa/klnQ==","transparency_entries":[{"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiZHNzZSIsInNwZWMiOnsiZW52ZWxvcGVIYXNoIjp7ImFsZ29yaXRobSI6InNoYTI1NiIsInZhbHVlIjoiNWNkOTA2ZWE1OWFlODM3YzBjMDg5NDc0YjhlZTc0ZTdiYjEwYzE0NTIxMmJiYmEzNDg4YTllODBmNjIwOTdhMSJ9LCJwYXlsb2FkSGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjIyMzljZTViZjQ1MDY5NzVkNmM1YTAyYmE2NjQ1NTUxYjVhYWZkMDE4ZDk1NzgyYjk0YjlhOTkwN2ZiZGFjZTEifSwic2lnbmF0dXJlcyI6W3sic2lnbmF0dXJlIjoiTUVRQ0lHM3B4NjgrZWJFcUJSdDk2SVViZUN6aEdBWDdBSHBzV29QdXpISnk1dFgxQWlBaHpld3o1YmE2K0RMcnU4R2xuUGpWVlhnUnZVNy9MQ2ZzbzM1bWgyV2hQdz09IiwidmVyaWZpZXIiOiJMUzB0TFMxQ1JVZEpUaUJEUlZKVVNVWkpRMEZVUlMwdExTMHRDazFKU1VkNmVrTkRRbXhUWjBGM1NVSkJaMGxWU0U1RFRYWjRZbE5UY2xGaFUwRlBVRFpxYkcwelRtZ3hhRWhWZDBObldVbExiMXBKZW1vd1JVRjNUWGNLVG5wRlZrMUNUVWRCTVZWRlEyaE5UV015Ykc1ak0xSjJZMjFWZFZwSFZqSk5ValIzU0VGWlJGWlJVVVJGZUZaNllWZGtlbVJIT1hsYVV6RndZbTVTYkFwamJURnNXa2RzYUdSSFZYZElhR05PVFdwUmVFMUVRVFJOYWtGNFRucEpORmRvWTA1TmFsRjRUVVJCTkUxcVFYbE9la2swVjJwQlFVMUdhM2RGZDFsSUNrdHZXa2w2YWpCRFFWRlpTVXR2V2tsNmFqQkVRVkZqUkZGblFVVlVhVWg0V1hkM1kwcFVMMUJTU0hGRk0wbFZWRmxpTlZsallVUktkVXRSWTJwNksxSUtNMGcyU2sxSVJtMHlSblpGWVVkVVNYUlJVMDFsYm1WeEsxYzJTRTl1V0dwd2JtVXpOWEYyTmxKNWNFMVBkM1UwUkhGUFEwSllUWGRuWjFaMlRVRTBSd3BCTVZWa1JIZEZRaTkzVVVWQmQwbElaMFJCVkVKblRsWklVMVZGUkVSQlMwSm5aM0pDWjBWR1FsRmpSRUY2UVdSQ1owNVdTRkUwUlVablVWVlhNbVEwQ21GSGNVTkpWSHBTTlRkUU1sVlFkR1kwUW13M1pVeFZkMGgzV1VSV1VqQnFRa0puZDBadlFWVXpPVkJ3ZWpGWmEwVmFZalZ4VG1wd1MwWlhhWGhwTkZrS1drUTRkMXAzV1VSV1VqQlNRVkZJTDBKR01IZFhORnBhWVVoU01HTklUVFpNZVRsdVlWaFNiMlJYU1hWWk1qbDBURE5rZG1JeVVubGtWMXB0WkhrNWFBcFpiV3Q2WVZjMWJXSjVPSFZhTW13d1lVaFdhVXd6WkhaamJYUnRZa2M1TTJONU9YbGFWM2hzV1ZoT2JFeHViSFJpUlVKNVdsZGFla3d6VW1oYU0wMTJDbVJxU1hkTmFsRjFUVlJCZFUxRVozZFBVVmxMUzNkWlFrSkJSMFIyZWtGQ1FWRlJjbUZJVWpCalNFMDJUSGs1TUdJeWRHeGlhVFZvV1ROU2NHSXlOWG9LVEcxa2NHUkhhREZaYmxaNldsaEthbUl5TlRCYVZ6VXdURzFPZG1KVVFWWkNaMjl5UW1kRlJVRlpUeTlOUVVWRFFrRmtlVnBYZUd4WldFNXNUVVJaUndwRGFYTkhRVkZSUW1jM09IZEJVVTFGUzBkTmVGbHFhR2hhYlZGNldrUmFhbGxVUVhwUFIxSnFUVzFLYVU1VVJYbE9WRUY2V1hwWmVFOVhXbXBaVjBrd0NrOUViR3ROYlVsM1JsRlpTMHQzV1VKQ1FVZEVkbnBCUWtKQlVVaGpiVlp6V2xkR2VscFVRV2RDWjI5eVFtZEZSVUZaVHk5TlFVVkdRa0pLTTJJeU9Xc0tZMjVXYlZwdVkzWlpWMHB3VFRKc2RWcHRPSGRKZDFsTFMzZFpRa0pCUjBSMmVrRkNRbWRSVm1OdFZtMWplVGt3V1Zka2Vrd3pXWGxOUkVrd1RHcEZkd3BNYWtFMFRVUnpSME5wYzBkQlVWRkNaemM0ZDBGUlowVk1VWGR5WVVoU01HTklUVFpNZVRrd1lqSjBiR0pwTldoWk0xSndZakkxZWt4dFpIQmtSMmd4Q2xsdVZucGFXRXBxWWpJMU1GcFhOVEJNYlU1MllsUkNjRUpuYjNKQ1owVkZRVmxQTDAxQlJVcENSbk5OVjFkb01HUklRbnBQYVRoMldqSnNNR0ZJVm1rS1RHMU9kbUpUT1ROaU1qbHJZMjVXYlZwdVkzWlpWMHB3VFRKc2RWcHRPSFpNYldSd1pFZG9NVmxwT1ROaU0wcHlXbTE0ZG1RelRYWmpiVlp6V2xkR2VncGFVelUxWWxkNFFXTnRWbTFqZVRrd1dWZGtla3d6V1hsTlJFa3dUR3BGZDB4cVFUUk5SR2RIUTJselIwRlJVVUpuTnpoM1FWRnZSVXRuZDI5WmVrWnBDazlIUm0xYVJFNXJUbTFPYUUxRVRUUmFSMDE1V1cxSk1VMVVTVEZOUkU1cVRtcEZOVnB0VG1oWmFsRTBUMWRSZVZscVFXUkNaMjl5UW1kRlJVRlpUeThLVFVGRlRFSkJPRTFFVjJSd1pFZG9NVmxwTVc5aU0wNHdXbGRSZDA1UldVdExkMWxDUWtGSFJIWjZRVUpFUVZGdVJFTldiMlJJVW5kamVtOTJUREprY0Fwa1IyZ3hXV2sxYW1JeU1IWmtNamwyV2toS01WcHRXak5NTWtacFlWUk9jR0p0V25aTlJHZEhRMmx6UjBGUlVVSm5OemgzUVZFd1JVdG5kMjlaZWtacENrOUhSbTFhUkU1clRtMU9hRTFFVFRSYVIwMTVXVzFKTVUxVVNURk5SRTVxVG1wRk5WcHRUbWhaYWxFMFQxZFJlVmxxUVd4Q1oyOXlRbWRGUlVGWlR5OEtUVUZGVDBKQ1kwMUdXRXBzV201TmRtUkhSbTVqZVRreVRXcEJlVTVETkhoTlF6UjNUMFJCV2tKbmIzSkNaMFZGUVZsUEwwMUJSVkJDUVhOTlExUlZlZ3BQUkVrMVRYcEZOVTU2UVhOQ1oyOXlRbWRGUlVGWlR5OU5RVVZSUWtJMFRVaEhhREJrU0VKNlQyazRkbG95YkRCaFNGWnBURzFPZG1KVE9UTmlNamxyQ21OdVZtMWFibU4zUm5kWlMwdDNXVUpDUVVkRWRucEJRa1ZSVVVwRVFXTjZUVVJWTlUxcVJYZE5SMnRIUTJselIwRlJVVUpuTnpoM1FWSkpSVmQzZUZvS1lVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVEROa2RtSXlVbmxrVjFwdFpIazVhRmx0YTNwaFZ6VnRZbms0ZFZveWJEQmhTRlpwVEROa2RncGpiWFJ0WWtjNU0yTjVPWGxhVjNoc1dWaE9iRXh1YkhSaVJVSjVXbGRhZWt3elVtaGFNMDEyWkdwSmQwMXFVWFZOVkVGMVRVUm5kMDlCV1V0TGQxbENDa0pCUjBSMmVrRkNSWGRSY1VSRGFHcE5WMGswV1ZkYWEwMHlVVEpaTWtWM1RYcG9hMWw2U21sWmFsVjRUV3BWZDAweVRUSk5WR3h0V1RKR2FVNUVaelVLV2tSS2FVMUNZMGREYVhOSFFWRlJRbWMzT0hkQlVsRkZRMUYzU0dOdFZuTmFWMFo2V2xSQ1drSm5iM0pDWjBWRlFWbFBMMDFCUlZaQ1JYTk5VMWRvTUFwa1NFSjZUMms0ZGxveWJEQmhTRlpwVEcxT2RtSlRPVE5pTWpsclkyNVdiVnB1WTNaWlYwcHdUVEpzZFZwdE9IWlpWMDR3WVZjNWRXTjVPWGxrVnpWNkNreDZSWGhOYWxGNlRVUlZlVTlVWnpSTU1rWXdaRWRXZEdOSVVucE1la1YzUm1kWlMwdDNXVUpDUVVkRWRucEJRa1puVVVsRVFWcDNaRmRLYzJGWFRYY0taMWx2UjBOcGMwZEJVVkZDTVc1clEwSkJTVVZtUVZJMlFVaG5RV1JuUkdSUVZFSnhlSE5qVWsxdFRWcElhSGxhV25walEyOXJjR1YxVGpRNGNtWXJTQXBwYmt0QlRIbHVkV3BuUVVGQldrcDBlRFZNT1VGQlFVVkJkMEpJVFVWVlEwbFJRMEV6UWxaVllVODNVbmRWWkdrckt6WlJibFZZWVRsaVYzVTRPRmxOQ2pBMmJHTkhiRU5IWWxOV2VrSm5TV2RaYmtkTE9FbGtaU3RIVVdFd1NFaERiR3RNWTNVclQxa3lhbnBMU204d2JWaHhhMEZDVTBOME4za3dkME5uV1VrS1MyOWFTWHBxTUVWQmQwMUVZVkZCZDFwblNYaEJTa2hIYldOTFR6aEVkSFV4Vkhkak0wd3pVMGRPUXpSbGVVYzJTemsxUzJaRmFWZGtlRnBIYjBKeE5RcDJRVVl5YjBWMFkycEZjVnBuZGtScVZWbzVlazlSU1hoQlRERklaMkZMZG1Sc05HVmFOa2R1VFU1TFZ6QTJVMEV4VGt0Q09ERm1VVVprWkdOU1ZtUjJDbWRQZVhkUVduQjRkR3RoZVdGdVpqRjRVWGxMWVM5cmJHNVJQVDBLTFMwdExTMUZUa1FnUTBWU1ZFbEdTVU5CVkVVdExTMHRMUW89In1dfX0=","inclusionPromise":{"signedEntryTimestamp":"MEYCIQCc6tIT5aVPQreeozY28946mYX/Suhx39aWJ+OOoX46WQIhAMm/S6cxN6Od2Qi03D0IVqj81/Cuhl5mVbJ5j4FWJ73a"},"inclusionProof":{"checkpoint":{"envelope":"rekor.sigstore.dev - 1193050959916656506\n16252916\nbT4m3maU9LM44YpTWk8hT/sHdI4bSmfzbMrwxlk9XRQ=\n\n— rekor.sigstore.dev wNI9ajBEAiBQa/pnV6FCMtcCMp2HJBURLvQn+ebVI5Cnv2w+d/d9fgIgLCEyfyCo50jSPFJSmxdfdmPlegWnFZWdnXhJlmaszHE=\n"},"hashes":["Bux6HJ1xOwuZmQDCmyjhD4rxO14JEwV98b4dxyzX1pk=","8zS40YMlUJWy2FKKxydLB3XZPTqatPmjB2Pd34qtukc=","4jbqWRVLBIMRWy69DybZxJjIh35jkCpf/6jM4qNYOng=","TJvk9HAUbc0ozZaOaloVPXs+k2dL6h3Rhms80uRjCi0=","pS46P4FtY5cP+P7DPfPeDDI7K1LlNlSJB8fzvygG2FE=","bEoYqfsu+Lp0xiQKRVpif829vmAflYrdmrMs8h+vNfc=","0fg1FZVlvhL54JIUvvwf0DqlWu8ol6dA/4eco+GDqzs=","iw5fwvdQnYx1KafraPteZzxhtUJ+cLSeIRM+u4yN3x0=","J5/1+QGJDN5TsthZ3GiWydkb0x1T5Rlzapmy8H/b2So=","uQ9Qo22fH48W6tYEuoT57E4y3I5BlrFAUp9EsXjPiTk=","Y13KY3NsPaSUawdzdimEjKICRBs0o5JAwxA+X9SKktA=","ATDrBjVGXZq0SXE3l93icSsbQO/GPwSxIi4C5mmVA5E=","pAYZ0udCZhKomfpSblidBPOUqHywHJhYRsFkr8ErUXM=","U8z9kuBu9lsBt8aThPBJMFxNkgsN5Sj56XKcZD+SDRc=","kMFisEs5aXocgiyVwbQ086AueGVgsj2kO1W2yt9BFwA=","wXgmSa32VbZBEcq2/StIvZog6n3YPGMkJW71c9A8Spw=","9/8OCCPxXk/mOWRs/Yky2HsQ/+cdzOKcuHctd3dJMrQ=","66A5KssTkbRaPhP6q0qwMpzgjor0Mwy/s2XTZ66cMpc=","Vy4gMeigrzl2h7E1v0/hMaOzFXSdIQN01k9twthAt24=","UOIKRNrO4SY8vQWPM9XszYB37SeuO8WzM8T/KZG+nwA=","m8jmAdc3HEDKqvvIKmGhqoilAvqBxZhsktXmXh58WiA="],"logIndex":"16252915","rootHash":"bT4m3maU9LM44YpTWk8hT/sHdI4bSmfzbMrwxlk9XRQ=","treeSize":"16252916"},"integratedTime":"1728418649","kindVersion":{"kind":"dsse","version":"0.0.1"},"logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"logIndex":"138157177"}]},"version":1}],"publisher":{"claims":null,"environment":"","kind":"GitHub","repository":"woodruffw/abi3info","workflow":"release.yml"}}],"version":1} diff --git a/test/test_impl.py b/test/test_impl.py new file mode 100644 index 0000000..3001c0b --- /dev/null +++ b/test/test_impl.py @@ -0,0 +1,184 @@ +"""Tests for the plugin implementation.""" + +import hashlib +import json +from pathlib import Path + +import pytest +import requests +import requests_mock +from pypi_attestations import AttestationBundle, GitLabPublisher +from sigstore.verify.policy import AllOf, OIDCIssuerV2, OIDCSourceRepositoryURI + +import pip_plugin_pep740 + +PACKAGE_NAME = "abi3info" +PACKAGE_VERSION_1 = "2024.10.8" +DIST_FILE_1 = Path("test/assets/abi3info-2024.10.8-py3-none-any.whl") +PROVENANCE_FILE_1 = Path("test/assets/abi3info-2024.10.8-py3-none-any.whl.provenance") + +PACKAGE_VERSION_2 = "2024.10.3" +DIST_FILE_2 = Path("test/assets/abi3info-2024.10.3-py3-none-any.whl") +PROVENANCE_FILE_2 = Path("test/assets/abi3info-2024.10.3-py3-none-any.whl.provenance") + +PACKAGE_VERSION_3 = "2024.10.8" +DIST_FILE_3 = Path("test/assets/abi3info-2024.10.8.tar.gz") +PROVENANCE_FILE_3 = Path("test/assets/abi3info-2024.10.8.tar.gz.provenance") + +with DIST_FILE_1.open("rb") as f: + DIST_DIGEST_1 = hashlib.file_digest(f, "sha256").hexdigest() + +with DIST_FILE_2.open("rb") as f: + DIST_DIGEST_2 = hashlib.file_digest(f, "sha256").hexdigest() + +with DIST_FILE_3.open("rb") as f: + DIST_DIGEST_3 = hashlib.file_digest(f, "sha256").hexdigest() + + +class TestPlugin: + def test_plugin_type(self) -> None: + assert pip_plugin_pep740.plugin_type() == "dist-inspector" + + @pytest.mark.parametrize( + ("version", "filename", "provenance_file", "digest"), + [ + (PACKAGE_VERSION_1, DIST_FILE_1.name, PROVENANCE_FILE_1, DIST_DIGEST_1), + (PACKAGE_VERSION_3, DIST_FILE_3.name, PROVENANCE_FILE_3, DIST_DIGEST_3), + ], + ) + def test_pre_download_valid_provenance( + self, version: str, filename: str, provenance_file: Path, digest: str + ) -> None: + with requests_mock.Mocker(real_http=True) as m: + m.get( + f"https://pypi.org/integrity/{PACKAGE_NAME}/{version}/{filename}/provenance", + text=provenance_file.read_text(), + ) + pip_plugin_pep740.pre_download( + url="url", + filename=filename, + digest=digest, + ) + + def test_pre_download_invalid_filename(self) -> None: + assert ( + pip_plugin_pep740.pre_download( + url="url", + filename="not_a_dist.docx", + digest="digest", + ) + is None + ) + + def test_pre_download_no_provenance_found(self) -> None: + with requests_mock.Mocker(real_http=True) as m: + m.get( + f"https://pypi.org/integrity/{PACKAGE_NAME}/{PACKAGE_VERSION_1}/{DIST_FILE_1.name}/provenance", + status_code=404, + ) + assert ( + pip_plugin_pep740.pre_download( + url="url", + filename=DIST_FILE_1.name, + digest=DIST_DIGEST_1, + ) + is None + ) + + def test_pre_download_provenance_download_error(self) -> None: + with requests_mock.Mocker(real_http=True) as m: + m.get( + f"https://pypi.org/integrity/{PACKAGE_NAME}/{PACKAGE_VERSION_1}/{DIST_FILE_1.name}/provenance", + status_code=403, + ) + with pytest.raises(ValueError, match="403 Client Error"): + assert ( + pip_plugin_pep740.pre_download( + url="url", + filename=DIST_FILE_1.name, + digest=DIST_DIGEST_1, + ) + is None + ) + + def test_pre_download_provenance_timeout(self) -> None: + with requests_mock.Mocker(real_http=True) as m: + m.get( + f"https://pypi.org/integrity/{PACKAGE_NAME}/{PACKAGE_VERSION_1}/{DIST_FILE_1.name}/provenance", + exc=requests.exceptions.ConnectTimeout, + ) + with pytest.raises(ValueError, match="Error downloading provenance file"): + assert ( + pip_plugin_pep740.pre_download( + url="url", + filename=DIST_FILE_1.name, + digest=DIST_DIGEST_1, + ) + is None + ) + + def test_pre_download_invalid_provenance(self) -> None: + with requests_mock.Mocker(real_http=True) as m: + m.get( + f"https://pypi.org/integrity/{PACKAGE_NAME}/{PACKAGE_VERSION_1}/{DIST_FILE_1.name}/provenance", + text=PROVENANCE_FILE_2.read_text(), + ) + with pytest.raises( + ValueError, + match="subject does not match distribution name", + ): + pip_plugin_pep740.pre_download( + url="url", + filename=DIST_FILE_1.name, + digest=DIST_DIGEST_1, + ) + + def test_pre_download_invalid_provenance_json(self) -> None: + with requests_mock.Mocker(real_http=True) as m: + m.get( + f"https://pypi.org/integrity/{PACKAGE_NAME}/{PACKAGE_VERSION_1}/{DIST_FILE_1.name}/provenance", + text="invalidjson", + ) + with pytest.raises( + ValueError, + match="Invalid provenance JSON", + ): + pip_plugin_pep740.pre_download( + url="url", + filename=DIST_FILE_1.name, + digest=DIST_DIGEST_1, + ) + + def test_pre_download_malformed_provenance_valid_json(self) -> None: + provenance = json.loads(PROVENANCE_FILE_1.read_text()) + provenance["attestation_bundles"] = "invalid" + with requests_mock.Mocker(real_http=True) as m: + m.get( + f"https://pypi.org/integrity/{PACKAGE_NAME}/{PACKAGE_VERSION_1}/{DIST_FILE_1.name}/provenance", + text=json.dumps(provenance), + ) + with pytest.raises( + ValueError, + match="Invalid provenance: 1 validation error for Provenance", + ): + pip_plugin_pep740.pre_download( + url="url", + filename=DIST_FILE_1.name, + digest=DIST_DIGEST_1, + ) + + def test_get_verification_policy_gitlab(self) -> None: + bundle = AttestationBundle( + publisher=GitLabPublisher(repository="namespace/pkg"), attestations=[] + ) + policy = pip_plugin_pep740._impl._get_verification_policy(bundle) # noqa: SLF001 + assert isinstance(policy, AllOf) + issuer_policy = policy._children[0] # noqa: SLF001 + assert isinstance(issuer_policy, OIDCIssuerV2) + assert issuer_policy._value == "https://gitlab.com" # noqa: SLF001 + repository_policy = policy._children[1] # noqa: SLF001 + assert isinstance(repository_policy, OIDCSourceRepositoryURI) + assert repository_policy._value == "https://gitlab.com/namespace/pkg" # noqa: SLF001 + + def test_pre_extract(self) -> None: + assert pip_plugin_pep740.pre_extract(dist=Path("filename")) is None diff --git a/test/test_init.py b/test/test_init.py new file mode 100644 index 0000000..74b1baa --- /dev/null +++ b/test/test_init.py @@ -0,0 +1,9 @@ +"""Tests for the module's init.""" + +import pip_plugin_pep740 + + +def test_version() -> None: + version = getattr(pip_plugin_pep740, "__version__", None) + assert version is not None + assert isinstance(version, str)