5d%"ndZddlmZddlmZddlmZmZmZm Z m Z m Z m Z m Z mZmZmZdZdZdZd Zd S) a+ This module contains functions that sign data using ed25519 keys, via the pyca/cryptography library. Functions that perform OpenPGP-compliant (e.g. GPG) signing are provided instead in root_signing. Function Manifest for this Module: serialize_and_sign wrap_as_signable sign_signable )hexlify)deepcopy) SUPPORTED_SERIALIZABLE_TYPES PrivateKey PublicKeycanonserializecheckformat_hex_keycheckformat_keycheckformat_signablecheckformat_signaturecheckformat_stringload_metadata_from_filewrite_metadata_to_filect|}||}t|d}|S)uF Given a JSON-compatible object, does the following: - serializes the dictionary as utf-8-encoded JSON, lazy-canonicalized such that any dictionary keys in any dictionaries inside are sorted and indentation is used and set to 2 spaces (using json lib) - creates a signature over that serialized result using private_key - returns that signature as a hex string See comments in common.canonserialize() Arguments: obj: a JSON-compatible object -- see common.canonserialize() private_key: a conda_content_trust.common.PrivateKey object # TODO ✅: Consider taking the private key data as a hex string instead? # On the other hand, it's useful to support an object that could # obscure the key (or provide an interface to a hardware key). zutf-8)r signrdecode)obj private_key serializedsignature_as_bytessignature_as_hexstrs ;lib/python3.11/site-packages/conda_content_trust/signing.pyserialize_and_signrsH* $$J$))*55!"455<} Expects strict typing matches (not duck typing), for no good reason. (Trying JSON serialization repeatedly could be too time consuming.) TODO: ✅ Consider whether or not the copy can be shallow instead, for speed. Raises ❌TypeError if the given object is not a JSON-serializable type per SUPPORTED_SERIALIZABLE_TYPES z]wrap_dict_as_signable requires a JSON-serializable object, but the given argument is of type z7, which is not supported by the json library functions.) signaturessigned)typer TypeErrorstrr)rs rwrap_as_signabler"=se 994 4 4 136tCyy>> BED D    6 66rct|t|t|d|}tj|}d|i}t |||d|<dS)u Given a JSON-compatible signable dictionary (as produced by calling wrap_dict_as_signable with a JSON-compatible dictionary), calls serialize_and_sign on the enclosed dictionary at signable['signed'], producing a signature, and places the signature in signable['signatures'], in an entry indexed by the public key corresponding to the given private_key. Updates the given signable in place, returning nothing. Overwrites if there is already an existing signature by the given key. # TODO ✅: Take hex string keys for sign_signable and serialize_and_sign # instead of constructed PrivateKey objects? Add the comment # below if so: # # Unlike with lower-level functions, both signatures and public keys are # # always written as hex strings. Raises ❌TypeError if the given object is not a JSON-serializable type per SUPPORTED_SERIALIZABLE_TYPES r signaturerN)r r rrto_hex public_keyr )signablerrpublic_key_as_hexstrsignature_dicts r sign_signabler*^s,K   """-Xh-?MM$+K,B,B,D,DEE "#67N.)))4BH\/000rc^t|t|tj|}t j|}t|}d|vrtdi|d<|d D]5\}}t||}d|i}t|||i|d|<6| di D]$\}}t||}|d|ii|d|<%t||dS)a Given a repodata.json filename, reads the "packages" entries in that file, and produces a signature over each artifact, with the given key. The signatures are then placed in a "signatures" entry parallel to the "packages" entry in the json file. The file is overwritten. Arguments: fname: filename of a repodata.json file private_key_hex: a private ed25519 key value represented as a 64-char hex string packagesz3Expected a "packages" entry in given repodata file.rr$zpackages.condaN)r rrfrom_hexrr%r&r ValueErroritemsrr getr) fnameprivate_key_hexprivate public_hexrepodata artifact_namemetadata signature_hexr)s rsign_all_in_repodatar9sd(((u!/22G!'"4"4"6"677J'u--H !!NOOO H\#+J#7#=#=#?#?MM x+8W== &}5n---1;^0L}--$,<<0@"#E#E#K#K#M#M   x*8W== m41 }-- 8U+++++rN)__doc__binasciircopyrcommonrrrr r r r r rrrrr"r*r9rrr?s                            <777B3B3B3BlA,A,A,A,A,r