{
  lib,
  buildPythonPackage,
  fetchFromGitHub,

  # build backend
  hatchling,

  # libraries backing the extras declared in optional-dependencies below
  # PySPX extra
  pyspx,
  # awskms extra
  boto3,
  botocore,
  cryptography,
  # azurekms extra
  azure-identity,
  azure-keyvault-keys,
  # hsm extra
  asn1crypto,
  # gcpkms extra
  google-cloud-kms,
  # pynacl extra
  pynacl,

  # used by the check phase only
  ed25519,
  pytestCheckHook,
}:

# Package expression for securesystemslib, built from the upstream GitHub
# release tag with the hatchling backend.
buildPythonPackage (finalAttrs: {
  pname = "securesystemslib";
  version = "1.3.1";
  pyproject = true;

  # The source is addressed by release tag, but `hash` is what fixes the
  # content: a tag that is moved upstream yields a hash mismatch and a failed
  # fetch rather than a silently different source tree.
  src = fetchFromGitHub {
    owner = "secure-systems-lab";
    repo = "securesystemslib";
    tag = "v${finalAttrs.version}";
    hash = "sha256-ERFRLNHD3OhbMEGBEnDLkRYGv4f+bYg9MStS5IarcPA=";
  };

  # pyproject.toml requires exactly hatchling 1.27.0; drop the version bound so
  # the hatchling passed in above is accepted. --replace-fail aborts the build
  # if the pinned string is no longer present, so this patch cannot silently
  # stop applying after an upstream change.
  postPatch = ''
    substituteInPlace pyproject.toml \
      --replace-fail '"hatchling==1.27.0"' '"hatchling"'
  '';

  build-system = [ hatchling ];

  # One entry per upstream extra; each lists the libraries that extra needs.
  optional-dependencies = {
    PySPX = [ pyspx ];
    awskms = [
      boto3
      botocore
      cryptography
    ];
    azurekms = [
      azure-identity
      azure-keyvault-keys
      cryptography
    ];
    crypto = [ cryptography ];
    gcpkms = [
      cryptography
      google-cloud-kms
    ];
    # pykcs11 is left out of this extra (noted below as not available), so the
    # extra as packaged here is incomplete.
    hsm = [
      asn1crypto
      cryptography
      # pykcs11
    ];
    pynacl = [ pynacl ];
    # The sigstore extra is not declared: it would create a circular dependency.
    # sigstore = [
    #   sigstore
    # ];
  };

  # Every library from every declared extra is added to the check phase
  # alongside the test-only inputs.
  nativeCheckInputs = [
    ed25519
    pytestCheckHook
  ]
  ++ lib.concatAttrValues finalAttrs.passthru.optional-dependencies;

  pythonImportsCheck = [ "securesystemslib" ];

  # NOTE(review): with the HSM signer tests skipped, that code path is not
  # exercised by this package's check phase.
  disabledTestPaths = [
    # pykcs11 is not available
    "tests/test_hsm_signer.py"
    # Tests shipped inside the vendored code are not run
    "securesystemslib/_vendor/"
  ];

  meta = {
    description = "Cryptographic and general-purpose routines";
    homepage = "https://github.com/secure-systems-lab/securesystemslib";
    changelog = "https://github.com/secure-systems-lab/securesystemslib/blob/${finalAttrs.src.tag}/CHANGELOG.md";
    license = lib.licenses.mit;
    maintainers = [ lib.maintainers.fab ];
  };
})