g%"lSrSSKJr SSKJr SSKJrJrJrJ r J r J r J r J r JrJrJr SrSrSrS rg ) a+ This module contains functions that sign data using ed25519 keys, via the pyca/cryptography library. Functions that perform OpenPGP-compliant (e.g. GPG) signing are provided instead in root_signing. Function Manifest for this Module: serialize_and_sign wrap_as_signable sign_signable )hexlify)deepcopy) SUPPORTED_SERIALIZABLE_TYPES PrivateKey PublicKeycanonserializecheckformat_hex_keycheckformat_keycheckformat_signablecheckformat_signaturecheckformat_stringload_metadata_from_filewrite_metadata_to_filecr[U5nURU5n[U5RS5nU$)u Given a JSON-compatible object, does the following: - serializes the dictionary as utf-8-encoded JSON, lazy-canonicalized such that any dictionary keys in any dictionaries inside are sorted and indentation is used and set to 2 spaces (using json lib) - creates a signature over that serialized result using private_key - returns that signature as a hex string See comments in common.canonserialize() Arguments: obj: a JSON-compatible object -- see common.canonserialize() private_key: a conda_content_trust.common.PrivateKey object # TODO ✅: Consider taking the private key data as a hex string instead? # On the other hand, it's useful to support an object that could # obscure the key (or provide an interface to a hardware key). zutf-8)r signrdecode)obj private_key serializedsignature_as_bytessignature_as_hexstrs ;lib/python3.13/site-packages/conda_content_trust/signing.pyserialize_and_signrs<* $J$))*5!"45<} Expects strict typing matches (not duck typing), for no good reason. (Trying JSON serialization repeatedly could be too time consuming.) TODO: ✅ Consider whether or not the copy can be shallow instead, for speed. Raises ❌TypeError if the given object is not a JSON-serializable type per SUPPORTED_SERIALIZABLE_TYPES z]wrap_dict_as_signable requires a JSON-serializable object, but the given argument is of type z7, which is not supported by the json library functions.) signaturessigned)typer TypeErrorstrr)rs rwrap_as_signabler"=sR 94 4 136tCy> BED D   66rc[U5 [U5 [USU5n[R"UR 55nSU0n[ U5 X@SU'g)ue Given a JSON-compatible signable dictionary (as produced by calling wrap_dict_as_signable with a JSON-compatible dictionary), calls serialize_and_sign on the enclosed dictionary at signable['signed'], producing a signature, and places the signature in signable['signatures'], in an entry indexed by the public key corresponding to the given private_key. Updates the given signable in place, returning nothing. Overwrites if there is already an existing signature by the given key. # TODO ✅: Take hex string keys for sign_signable and serialize_and_sign # instead of constructed PrivateKey objects? Add the comment # below if so: # # Unlike with lower-level functions, both signatures and public keys are # # always written as hex strings. Raises ❌TypeError if the given object is not a JSON-serializable type per SUPPORTED_SERIALIZABLE_TYPES r signaturerN)r r rrto_hex public_keyr )signablerrpublic_key_as_hexstrsignature_dicts r sign_signabler*^sh,K "-Xh-?M$++K,B,B,DE "#67N.)4B\/0rc[U5 [U5 [R"U5n[R "UR 55n[U5nSU;a [S5e0US'USR5H(upV[Xb5nSU0n[U5 X80USU'M* URS05R5HupV[Xb5nUSU00USU'M [X@5 g)a Given a repodata.json filename, reads the "packages" entries in that file, and produces a signature over each artifact, with the given key. The signatures are then placed in a "signatures" entry parallel to the "packages" entry in the json file. The file is overwritten. Arguments: fname: filename of a repodata.json file private_key_hex: a private ed25519 key value represented as a 64-char hex string packagesz3Expected a "packages" entry in given repodata file.rr$zpackages.condaN)r rrfrom_hexrr%r&r ValueErroritemsrr getr) fnameprivate_key_hexprivate public_hexrepodata artifact_namemetadata signature_hexr)s rsign_all_in_repodatar9s(u!!/2G!!'"4"4"67J'u-H !NOO H\#+J#7#=#=#? +8= &}5n-1;0L}-#$@($,<<0@"#E#K#K#M *8= m41 }-$N8+rN)__doc__binasciircopyrcommonrrrr r r r r rrrrr"r*r9rrr?s>     <7B3BlA,r