0f%"ldZddlmZddlmZddlmZmZmZm Z m Z m Z m Z m Z mZmZmZdZdZdZd Zy ) a+ This module contains functions that sign data using ed25519 keys, via the pyca/cryptography library. Functions that perform OpenPGP-compliant (e.g. GPG) signing are provided instead in root_signing. Function Manifest for this Module: serialize_and_sign wrap_as_signable sign_signable )hexlify)deepcopy) SUPPORTED_SERIALIZABLE_TYPES PrivateKey PublicKeycanonserializecheckformat_hex_keycheckformat_keycheckformat_signablecheckformat_signaturecheckformat_stringload_metadata_from_filewrite_metadata_to_filecrt|}|j|}t|jd}|S)uF Given a JSON-compatible object, does the following: - serializes the dictionary as utf-8-encoded JSON, lazy-canonicalized such that any dictionary keys in any dictionaries inside are sorted and indentation is used and set to 2 spaces (using json lib) - creates a signature over that serialized result using private_key - returns that signature as a hex string See comments in common.canonserialize() Arguments: obj: a JSON-compatible object -- see common.canonserialize() private_key: a conda_content_trust.common.PrivateKey object # TODO ✅: Consider taking the private key data as a hex string instead? # On the other hand, it's useful to support an object that could # obscure the key (or provide an interface to a hardware key). zutf-8)r signrdecode)obj private_key serializedsignature_as_bytessignature_as_hexstrs ;lib/python3.12/site-packages/conda_content_trust/signing.pyserialize_and_signrs<* $J$))*5!"45<} Expects strict typing matches (not duck typing), for no good reason. (Trying JSON serialization repeatedly could be too time consuming.) TODO: ✅ Consider whether or not the copy can be shallow instead, for speed. Raises ❌TypeError if the given object is not a JSON-serializable type per SUPPORTED_SERIALIZABLE_TYPES z]wrap_dict_as_signable requires a JSON-serializable object, but the given argument is of type z7, which is not supported by the json library functions.) signaturessigned)typer TypeErrorstrr)rs rwrap_as_signabler"=sR 94 4 136tCy> BED D   66rct|t|t|d|}tj|j }d|i}t |||d|<y)u Given a JSON-compatible signable dictionary (as produced by calling wrap_dict_as_signable with a JSON-compatible dictionary), calls serialize_and_sign on the enclosed dictionary at signable['signed'], producing a signature, and places the signature in signable['signatures'], in an entry indexed by the public key corresponding to the given private_key. Updates the given signable in place, returning nothing. Overwrites if there is already an existing signature by the given key. # TODO ✅: Take hex string keys for sign_signable and serialize_and_sign # instead of constructed PrivateKey objects? Add the comment # below if so: # # Unlike with lower-level functions, both signatures and public keys are # # always written as hex strings. Raises ❌TypeError if the given object is not a JSON-serializable type per SUPPORTED_SERIALIZABLE_TYPES r signaturerN)r r rrto_hex public_keyr )signablerrpublic_key_as_hexstrsignature_dicts r sign_signabler*^sj,K "-Xh-?M$++K,B,B,DE "#67N.)4BH\/0rct|t|tj|}t j |j }t|}d|vr tdi|d<|djD]*\}}t||}d|i}t|||i|d|<,|jdijD]\}}t||}|d|ii|d|<t||y)a Given a repodata.json filename, reads the "packages" entries in that file, and produces a signature over each artifact, with the given key. The signatures are then placed in a "signatures" entry parallel to the "packages" entry in the json file. The file is overwritten. Arguments: fname: filename of a repodata.json file private_key_hex: a private ed25519 key value represented as a 64-char hex string packagesz3Expected a "packages" entry in given repodata file.rr$zpackages.condaN)r rrfrom_hexrr%r&r ValueErroritemsrr getr) fnameprivate_key_hexprivate public_hexrepodata artifact_namemetadata signature_hexr)s rsign_all_in_repodatar9s%(u!!/2G!!'"4"4"67J'u-H !NOO H\#+J#7#=#=#?M x+8W= &}5n-1;^0L}-#M($,<<0@"#E#K#K#M  x*8W= m41 }- 8U+rN)__doc__binasciircopyrcommonrrrr r r r r rrrrr"r*r9rrr?s>     <7B3BlA,r