# Package definition for Fulcio, the Sigstore code-signing certificate
# authority, built from a hash-pinned GitHub checkout with buildGoModule.
{
  lib,
  buildGoModule,
  fetchFromGitHub,

  # used to generate shell completions, including when cross-compiling
  installShellFiles,
  buildPackages,
  stdenv,

  # used only by passthru.tests
  testers,
  fulcio,
}:

buildGoModule rec {
  pname = "fulcio";
  version = "1.7.1";

  src = fetchFromGitHub {
    owner = "sigstore";
    repo = "fulcio";
    rev = "v${version}";
    # Content hash of the fetched tree as it looks after postFetch has run, so
    # it also covers the generated COMMIT and SOURCE_DATE_EPOCH files. If the
    # upstream tag is ever moved, the fetch fails on a hash mismatch instead of
    # building different source.
    hash = "sha256-UVUVT4RvNHvzIwV6azu2h1O9lnNu0PQnnkj4wbrY8BA=";
    # The commit id and commit time can only be read from git metadata, so the
    # .git directory is kept for the duration of postFetch. It is deleted at
    # the end of the hook, so the hashed output holds no git metadata.
    leaveDotGit = true;
    postFetch = ''
      cd "$out"
      git rev-parse HEAD > $out/COMMIT
      # 0000-00-00T00:00:00Z
      date -u -d "@$(git log -1 --pretty=%ct)" "+%Y-%m-%dT%H:%M:%SZ" > $out/SOURCE_DATE_EPOCH
      find "$out" -name .git -print0 | xargs -0 rm -rf
    '';
  };

  # Pins the Go module dependencies fetched for this build.
  vendorHash = "sha256-lNPRejC7Z3OHDvhJGzPIlgqi7eXjlqgeECJO/13gGt4=";

  nativeBuildInputs = [ installShellFiles ];

  # Build only the package at the repository root.
  subPackages = [ "." ];

  ldflags = [
    # -s / -w drop the symbol table and DWARF debug information.
    "-s"
    "-w"
    # -X sets string variables in the release-utils version package at link
    # time. Note that gitTreeState is a fixed literal here, not a value
    # measured from the checkout.
    "-X sigs.k8s.io/release-utils/version.gitVersion=v${version}"
    "-X sigs.k8s.io/release-utils/version.gitTreeState=clean"
  ];

  # The remaining version fields come from the files postFetch wrote into the
  # source tree. Despite its name, SOURCE_DATE_EPOCH holds a formatted UTC
  # timestamp of the last commit, so buildDate is the commit time rather than
  # the wall-clock time of the build.
  preBuild = ''
    ldflags+=" -X sigs.k8s.io/release-utils/version.gitCommit=$(cat COMMIT)"
    ldflags+=" -X sigs.k8s.io/release-utils/version.buildDate=$(cat SOURCE_DATE_EPOCH)"
  '';

  # NOTE(review): the reason TestLoad is skipped is not recorded in this file;
  # worth documenting next to the flag.
  checkFlags = [
    "-skip=TestLoad"
  ];

  # subPackages restricts the build to "."; clearing it before the check phase
  # presumably lets the tests of the other packages run as well.
  preCheck = ''
    # test all paths
    unset subPackages
  '';

  postInstall =
    let
      # Package whose binary generates the completion scripts. When the build
      # machine can execute binaries for the host platform, this is the
      # derivation's own output; otherwise (cross-compilation) it is the
      # fulcio built for the build platform.
      completionProvider =
        if stdenv.buildPlatform.canExecute stdenv.hostPlatform then
          placeholder "out"
        else
          buildPackages.fulcio;
    in
    ''
      installShellCompletion --cmd fulcio \
        --bash <(${completionProvider}/bin/fulcio completion bash) \
        --fish <(${completionProvider}/bin/fulcio completion fish) \
        --zsh <(${completionProvider}/bin/fulcio completion zsh)
    '';

  # Checks that `fulcio version` reports the packaged version, which exercises
  # the gitVersion value injected through ldflags.
  passthru = {
    tests = {
      version = testers.testVersion {
        package = fulcio;
        command = "fulcio version";
        version = "v${version}";
      };
    };
  };

  meta = {
    homepage = "https://github.com/sigstore/fulcio";
    changelog = "https://github.com/sigstore/fulcio/releases/tag/v${version}";
    description = "Root-CA for code signing certs - issuing certificates based on an OIDC email address";
    mainProgram = "fulcio";
    longDescription = ''
      Fulcio is a free code signing Certificate Authority, built to make
      short-lived certificates available to anyone. Based on an Open ID Connect
      email address, Fulcio signs x509 certificates valid for under 20 minutes.

      Fulcio was designed to run as a centralized, public-good instance backed
      up by other transparency logs. Development is now underway to support
      different delegation models, and to deploy and run Fulcio as a
      disconnected instance.
    '';
    license = lib.licenses.asl20;
    maintainers = [
      lib.maintainers.lesuisse
      lib.maintainers.jk
    ];
  };
}