From b17558d859b52cd4ac7a9a358f8960f1f14d57c9 Mon Sep 17 00:00:00 2001
From: 06kellyjac
Date: Fri, 25 Feb 2022 11:58:14 +0000
Subject: witness: 0.1.1 -> 0.1.6
also:
- added completions
- enabled tests
- added longDescription
- added changelog
- added myself as a maintainer
---
pkgs/tools/security/witness/default.nix | 42 +++++++++++++++++++++++++++++----
1 file changed, 37 insertions(+), 5 deletions(-)
(limited to 'pkgs/tools/security/witness')
diff --git a/pkgs/tools/security/witness/default.nix b/pkgs/tools/security/witness/default.nix
index 571685afb4006..bb15d9d72cc05 100644
--- a/pkgs/tools/security/witness/default.nix
+++ b/pkgs/tools/security/witness/default.nix
@@ -1,25 +1,57 @@
-{ lib, buildGoModule, fetchFromGitHub }:
+{ lib, buildGoModule, fetchFromGitHub, installShellFiles }:
 buildGoModule rec {
 pname = "witness";
- version = "0.1.1";
+ version = "0.1.6";
 src = fetchFromGitHub {
 owner = "testifysec";
 repo = pname;
 rev = "v${version}";
- sha256 = "sha256-NnDsiDUTCdjsHVA/mHnB8WRnvwFTzETkWUOd7IgMIWE=";
+ sha256 = "sha256-/35hIA6Wm/F5hwyLZbt4JXpwWISWbzVAWrX29r6pejY=";
 };
- vendorSha256 = "sha256-zkLparWJsuqrhOQxxV37dBqt6fwpSinTO+paJkbl+sM=";
+ vendorSha256 = "sha256-vXDsHHJknw9hsHx1mJA2c0CWwFbRXjCjitNWPh6V4yw=";
+
+ nativeBuildInputs = [ installShellFiles ];
 # We only want the witness binary, not the helper utilities for generating docs.
 subPackages = [ "cmd/witness" ];
+ ldflags = [
+ "-s"
+ "-w"
+ "-X github.com/testifysec/witness/cmd/witness/cmd.Version=v${version}"
+ ];
+
+ # Feed in all tests for testing
+ # This is because subPackages above limits what is built to just what we
+ # want but also limits the tests
+ preCheck = ''
+ unset subPackages
+ '';
+
+ postInstall = ''
+ installShellCompletion --cmd witness \
+ --bash <($out/bin/witness completion bash) \
+ --fish <($out/bin/witness completion fish) \
+ --zsh <($out/bin/witness completion zsh)
+ '';
+
 meta = with lib; {
 description = "A pluggable framework for software supply chain security. Witness prevents tampering of build materials and verifies the integrity of the build process from source to target";
+ longDescription = ''
+ Witness prevents tampering of build materials and verifies the integrity
+ of the build process from source to target. It works by wrapping commands
+ executed in a continuous integration process. Its attestation system is
+ pluggable and offers support out of the box for most major CI and
+ infrastructure providers. Verification of Witness metadata and a secure
+ PKI distribution system will mitigate against many software supply chain
+ attack vectors and can be used as a framework for automated governance.
+ '';
 homepage = "https://github.com/testifysec/witness";
+ changelog = "https://github.com/testifysec/witness/releases/tag/v${version}";
 license = licenses.asl20;
- maintainers = with maintainers; [ fkautz ];
+ maintainers = with maintainers; [ fkautz jk ];
 };
 }
-- cgit 1.4.1
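Review bot: The meta.description kept as context in this hunk still carries two sentences, and its second one is now repeated word-for-word as the opening of the added longDescription, so the two fields state the same thing twice; with the long form in place, description should shrink to the short nixpkgs-style summary, `description = "Pluggable framework for software supply chain security";` (no leading article, no trailing period). The added preCheck comment could state its effect more directly, e.g. `# subPackages limits both the build and the tests; unset it so go test covers every package`. The postInstall block runs the freshly built binary to generate completions, which presumably only works when the build platform can execute host-platform binaries, so a cross build would fail at that step — worth a guard or a comment if cross support is intended.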