diff --git a/pkgs/tools/security/fulcio/default.nix b/pkgs/tools/security/fulcio/default.nix
index 4098a1015180..86ba5a9b3bf4 100644
--- a/pkgs/tools/security/fulcio/default.nix
+++ b/pkgs/tools/security/fulcio/default.nix
@@ -2,47 +2,50 @@ buildGoModule rec {
 pname = "fulcio";
- version = "0.3.0";
+ version = "0.4.0";
 src = fetchFromGitHub {
 owner = "sigstore";
 repo = pname;
 rev = "v${version}";
- sha256 = "sha256-jcmjfNGruDhQPhVn5R2hdUr+d42qQnIVj8+CCX5HMMM=";
+ sha256 = "sha256-WxSN1pZ8E5vKMoqR5EkGgKnLuHYb5Wl2vzqPcPEkXWE=";
 # populate values that require us to use git. By doing this in postFetch we
 # can delete .git afterwards and maintain better reproducibility of the src.
 leaveDotGit = true;
 postFetch = ''
 cd "$out"
 git rev-parse HEAD > $out/COMMIT
- # '0000-00-00T00:00:00Z'
- date -u -d "@$(git log -1 --pretty=%ct)" "+'%Y-%m-%dT%H:%M:%SZ'" > $out/SOURCE_DATE_EPOCH
+ # 0000-00-00T00:00:00Z
+ date -u -d "@$(git log -1 --pretty=%ct)" "+%Y-%m-%dT%H:%M:%SZ" > $out/SOURCE_DATE_EPOCH
 find "$out" -name .git -print0 | xargs -0 rm -rf
 '';
 };
- vendorSha256 = "sha256-WQ0MuNEJWCxKTjkyqA66bGPoMrS/7W/YTiGU3yd+Ge8=";
+ vendorSha256 = "sha256-v3H+uUERDHZB2ArruCOClCQFEEW8ANeReObww+1VKOI=";
- # install completions post-install
 nativeBuildInputs = [ installShellFiles ];
- excludedPackages = [ "federation" "test/prometheus" ];
+ subPackages = [ "." ];
 ldflags = [
 "-s"
 "-w"
- "-X github.com/sigstore/fulcio/cmd/app.gitVersion=v${version}"
- "-X github.com/sigstore/fulcio/cmd/app.gitTreeState=clean"
+ "-X github.com/sigstore/fulcio/pkg/api.gitVersion=v${version}"
+ "-X github.com/sigstore/fulcio/pkg/api.gitTreeState=clean"
 ];
 # ldflags based on metadata from git and source
 preBuild = ''
- ldflags+=" -X github.com/sigstore/fulcio/cmd/app.gitCommit=$(cat COMMIT)"
- ldflags+=" -X github.com/sigstore/fulcio/cmd/app.buildDate=$(cat SOURCE_DATE_EPOCH)"
+ ldflags+=" -X github.com/sigstore/fulcio/pkg/api.gitCommit=$(cat COMMIT)"
+ ldflags+=" -X github.com/sigstore/fulcio/pkg/api.buildDate=$(cat SOURCE_DATE_EPOCH)"
 '';
 preCheck = ''
- # remove test that requires networking
- rm pkg/config/config_test.go
+ # test all paths
+ unset subPackages
+
+ # skip test that requires networking
+ substituteInPlace pkg/config/config_test.go \
+ --replace "TestLoad" "SkipLoad"
 '';
 postInstall = ''
@@ -55,10 +58,8 @@ buildGoModule rec {
 doInstallCheck = true;
 installCheckPhase = ''
 runHook preInstallCheck
- $out/bin/fulcio --help
 $out/bin/fulcio version | grep "v${version}"
-
 runHook postInstallCheck
 '';
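Review bot: The `substituteInPlace pkg/config/config_test.go --replace "TestLoad" "SkipLoad"` added to preCheck silently does nothing if upstream renames that function, so the network-dependent test would quietly return and fail inside the sandbox; it also rewrites every occurrence of the substring, so any other function in that file whose name begins with `TestLoad` would be skipped along with it. Anchoring the replacement on the declaration, `--replace "func TestLoad(" "func SkipLoad("`, and following it with `grep -q "func SkipLoad(" pkg/config/config_test.go` keeps the skip both precise and loud when it stops applying. The `unset subPackages` line deserves a why-comment, since it presumably relies on buildGoModule's checkPhase reading the same shell variable that buildPhase used to restrict the build to `.`: `# subPackages limits buildPhase to the root package; unset it so checkPhase still tests every package`. With `excludedPackages` dropped in the same hunk, the `federation` and `test/prometheus` directories it used to exclude are presumably now part of that test run, which is worth confirming builds cleanly in the sandbox.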
@@ -66,8 +67,17 @@ buildGoModule rec {
 homepage = "https://github.com/sigstore/fulcio";
 changelog = "https://github.com/sigstore/fulcio/releases/tag/v${version}";
 description = "A Root-CA for code signing certs - issuing certificates based on an OIDC email address";
+ longDescription = ''
+ Fulcio is a free code signing Certificate Authority, built to make
+ short-lived certificates available to anyone. Based on an Open ID Connect
+ email address, Fulcio signs x509 certificates valid for under 20 minutes.
+
+ Fulcio was designed to run as a centralized, public-good instance backed
+ up by other transparency logs. Development is now underway to support
+ different delegation models, and to deploy and run Fulcio as a
+ disconnected instance.
+ '';
 license = licenses.asl20;
 maintainers = with maintainers; [ lesuisse jk ];
- mainProgram = "fulcio-server";
 };
 }