5dyHHdZddlmZddlmZddlmZddlmZddlm Z ddlm Z dd lm Zdd lmZmZmZmZmZmZdd Zd ZdZdZdZdZdZdZdZdZdZ ee zezezZ!eezezZ"eezZ#e$dkr.dd l%Z%ee%j&dd Z'e%j(e'd Sd S)z This module provides the CLI interface for conda-content-trust. This is intended to provide a command-line signing and metadata update interface. )ArgumentParser)deepcopy)dumps) __version__)authentication) root_signing)signing) CCT_Error PrivateKeyis_gpg_fingerprint is_hex_keyload_metadata_from_filewrite_metadata_to_fileNctdd}|dddddtz |d d }|d d}|dd|dd|dd}|dd|dd|dd}|ddd}t jsd}|d |d!z}|d"d#|d$|d%z}|d"d#|d&d'||}|jd$krZd |j  } t j |j| dS|jd krt|j5} |  } dddn #1swxYwYt'| st)d(dSt+j|j|jdS|jd krsd |j  } t j| } t)d)t5| zdS|jdkr%t7|j} t;| dS|jdkrt7|j}t7|j}|d*d+}|d,krO tAj!||t)d-d.S#tD$r}d/}t5|}Yd}~nYd}~wwxYw tAj#|||0t)d1d.S#tD$r}d2}t5|}Yd}~nd}~wwxYwt)d3|zd4z|zd5z|S|$dS)6Nz(Signing and verification tools for Condaresolve) descriptionconflict_handlerz-Vz --versionversionz5Show the conda-content-trust version number and exit.zconda-content-trust %s)actionhelpr subcommandssubcommand_name)titledestzsign-artifactszGiven a repodata.json file, produce signatures over the metadata for each artifact listed, and update the repodata.json file with their individual signatures.)rrepodata_fnamez^the filename of a repodata.json file from which to retrieve metadata for individual artifacts.private_key_fnamezthe filename of a file containing a hex string representation of an ed25519 private key to be used to sign each artifact's metadatazverify-metadataa]Uses the first (trusted) metadata file to verify the second (not yet trusted) metadata file. For example, "conda-content-trust verify-metadata 4.root.json 5.root.json" to verify version 5 of root based on version 4 of root, or "conda-content-trust verify-metadata 4.root.json key_mgr.json" to verify key manager metadata based on version 4 of root.trusted_metadata_filenamezothe filename of the already-trusted metadata file that sets the rules for verifying the untrusted metadata fileuntrusted_metadata_filenamez7the filename of the (untrusted) metadata file to verifyzmodify-metadataaInteractive metadata modification. Use this to produce a new version of a metadata file (like root.json or key_mgr.json), or correct an error in an unpublished metadata file, or review and sign a metadata file. This increments version number / timestamp, reports changes on console, etc. For example, "conda-content-trust modify-metadata 8.root.json" for assistance in producing a new version of root (version 9) using version 8.metadata_filenamez4the filename of the existing metadata file to modifyzJ[Unavailable]: Requires optional dependencies: securesystemslib and gpg. zgpg-key-lookupz~Given the OpenPGP fingerprint of an ed25519-type OpenPGP key, fetch the actual ed25519 public key value of the underlying key.gpg_key_fingerprintzthe 40-hex-character key fingerprint (long keyid) for the OpenPGP/GPG key that you want to sign something with. Do not add prefix "0x".zgpg-signzSign a given piece of metadata using GPG instead of the usual signing mechanisms. Takes an OpenPGP key fingerprint and a filename.filenamez,the filename of the file that will be signedzhABORTED. Expected key file to contain only a hex string representation of an ed25519 key. It does not.z%Underlying ed25519 public key value: signedtyperootz&Root metadata verification successful.r )delegation_nameuntrusted_delegated_metadatatrusted_delegating_metadataz!Metadata verification successful.z?Verification of untrusted metadata failed. Metadata type was "z". Error reads: "")%r add_argumentradd_subparsers add_parsercct_root_signingSSLIB_AVAILABLE parse_argsrjoinr"splitlowersign_root_metadata_via_gpgr#openrreadstriprprint cct_signingsign_all_in_repodatarprivate_key_hexfetch_keyval_from_gpgstrrr interactive_modify_metadatarrcct_authentication verify_rootr verify_delegation print_help)argsparsersp p_signrepo p_verifymd p_modifymd opt_reqs_str p_gpglookup p_gpgsignr"key_fobjr=keyval old_metadatauntrusted_metadatatrusted_metadata metadata_typee errorcode errorstrings 7lib/python3.11/site-packages/conda_content_trust/cli.pyclirXs >"F   D(;6    ]9J  K KB RJ C / I  J# *%J K  JGL  +  8  -- I I K   L LI H   T " "D z)) !ggd&>&D&D&F&FGGMMOO3DMCVWWWWW !1 1 1 $( ) ) >X'mmoo3355;;==O > > > > > > > > > > > > > > > /**  B    F()RSSSSS !1 1 1 ggd&>&D&D&F&FGGMMOO!78KLL 5F CDDDDD !2 2 2&/t/EFF $L11111 !2 2 2*5T5UVV243QRR+84V< F " " %"./?ASTTT>???q % % % !!ff  % %"4$11C0@ 9:::q % % % !!ff  %  ( )+B CEP QSV W    sB%9I**I.1I.,$O O7O22O7;&P## Q-QQc }t| ddl}ddl}ddl}n'#t$rt dd}ddlm}YnwxYwdfd}d}fd}d }d }d } d } fd } d} d} |dg|dg|dg|dg|dg| dg| dg| dg| dg| dgd }tdztz}|D]D}|dtzt|ztzdz||dztzdzz }Ed }|st ttzd!ztz|xtd"d#$}t ||d%|j|jn |t |t)td&ztz} t+|}n/#t t,tzd'ztzYxYw||vr)t t,tzd'ztzJt td(z||dzd)ztz||d}|dSdS)* rNa"interactive modify-metadata mode employs pygments for syntax highlighting, if pygments is available. pygments was not found, so the JSON contents will be... uglier than they would otherwise be. If you would like syntax highlighting and prettier printing of JSON, you may install pygments.)pprintcLttdz|ztzdzS)Nz ----- Please provide : )input F_INSTRUCTENDC)ss rW promptforz.interactive_modify_metadata..promptforNs%Z";;a?$FMNNNczd}tdt|tddS)Nz#a filename to save this metadata aszWriting to file....zModified metadata written!r)r:r)fnamemetadatarbs rWfn_writez-interactive_modify_metadata..fn_writeQsF ?@@ #$$$x/// *+++qrccTtttzdztzdS)Nz Aborting! r)r:REDBOLDr`rcrWfn_abortz-interactive_modify_metadata..fn_abortXs# cDj?*T1222qrcctjs*ttdztzdzt zd}d|}t|rItj |}tj |ttdzt znt|rj tj|ttdzt zn[#ttdztzdztzdzYn*xYwtttzd zt zd S) Nz Signing. zTPlease ABORT (control-c) if the metadata above is not EXACTLY what you want to sign!a a key: either: - a 40-character-hex-string GPG PUBLIC key fingerprint for GPG keys (e.g. root YubiKeys), or - a 64-character-hex-string PRIVATE key value for normal keys. Whitespace will be removed and characters will be lowercased. Keyr!z( --- Successfully signed! Please save. --- zSigning FAILED.z4 Do you have this key loaded in GPG on this system?z+Unable to recognize key. Please try again.r)r0r1r:F_OPTSrir`r3r4r5rr from_hexr; sign_signabler sign_root_metadata_dict_via_gpg)key private_keyrfrbs rW fn_addsigz.interactive_modify_metadata..fn_addsig]s/  %+/KKMQR   i '  ggciikk""((** c?? W$-c22K  %h < < < &GG$N O O O O  $ $ W T @3OOOfKKdRSSSS  !((  # # &3,!NNQUU V V Vqs $D/E cdSNrrkrkrcrW fn_remsigz.interactive_modify_metadata..fn_remsigqrccdSrwrkrkrcrW fn_updatez.interactive_modify_metadata..fn_updateryrccdSrwrkrkrcrW fn_adddelz.interactive_modify_metadata..fn_adddelryrccdSrwrkrkrcrW fn_remdelz.interactive_modify_metadata..fn_remdelryrccd}|ddvr,ttdztzdztzdSdt dd|dz} t |}|d ksJn2#ttd ztzd ztzYdSxYw|dd|d<ttd ztzdS) Nza delegation name (one of the entries in the "delegations" dictionary in the metadata above). This will be the delegation whose threshold number of required keys we will change.r$ delegationsrnz2Unable to find that delegation. Please try again.rz-a new threshold value. The current value is thresholdrz --- zPInvalid value. Expecting integer greater than or equal to 1. Please try again.z$ --- Threshold successfully updated.)r:rorir`r?int) delegation new_threshrfrbs rW fn_threshz.interactive_modify_metadata..fn_threshs=Y 2  Xh/ > > > #c)-&&(,-   1Y ;(8$]3J? LMM N   ZJ?????  !C'+AACGH   11EO=)*5kB f>>EFFFqs =B,CcdSrwrkrkrcrW fn_addkeyz.interactive_modify_metadata..fn_addkeyryrccdSrwrkrkrcrW fn_remkeyz.interactive_modify_metadata..fn_remkeyryrczDone: write and save metadataz/Abort: discard changes -- abort without writingz*Add a signature (sign with a key you have)zRemove a signaturez%Update any top-level dictionary entryzAdd a delegationzRemove a delegationz4Change the threshold number of keys for a delegationz%Add an authorized key to a delegationz*Remove an authorized key from a delegation) rr z7 --- Please choose an operation by entering its number z r]r FzD --------------------- --- Current metadata: --------------------- Tr) sort_keysindentzutf-8zChoice: z Invalid entry. Try again. z Chose "r,)rpygmentspygments.formatterspygments.lexers ImportErrorr:r[r_r`F_LABELr?rorjr highlightencodelexers JsonLexer formattersTerminalFormatterr^rri)rfinitial_metadatarr[rgrlrurxr{r}rrrroptions option_textindexdoneformatted_metadataselectedrbs` @rWr@r@"s2 ())H """""  " " "  G   !!!!!!!! "OOO ''''''R!!!!!!F 5 6 G H C D + , > ? ) * , - M N > ? C D  G        %jj     enQ       D!&  Y Z      !&x4!J!J!J  ""&--g66O--//'99;;     F8    k*,t344 8}}HH  #*??$F G G G H 7 " " #*??$F G G G  f{"WX%6q%99C?$FGGG#wx #%%C!&!&!&!&!&s "!AA G)H zzzzzzzzz__main__)N))__doc__argparsercopyrjsonrr!rrrAr r0r r;commonr r r rrrrXr@PINKBLUECYANGREENYELLOWrir`rj UNDERLINErr_ro__name__sysargv exit_statusexitrkrcrWrs $#####222222......$$$$$$EEEEPX&X&X&@     T !D ( D[4   zJJJ#chqrrl##K CH[ rc