2021-12-10 10:11:57 +01:00
#
2022-01-06 16:04:12 +01:00
# spec file for package rekor
#
# Copyright (c) 2022 SUSE LLC
2021-12-10 10:11:57 +01:00
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
2022-01-06 16:04:12 +01:00
2022-04-03 11:03:38 +02:00
%define apps cli server
2021-12-10 10:11:57 +01:00
Name : rekor
2022-07-27 15:37:41 +02:00
Version : 0.9.1
2021-12-10 10:11:57 +01:00
Release : 0
2022-06-20 09:17:29 +02:00
%define revision e981811726530c70ec707902022c336d1f1c37b4
2021-12-10 10:11:57 +01:00
Summary : Supply Chain Transparency Log
License : Apache-2.0
2022-01-06 16:04:12 +01:00
URL : https://github.com/sigstore/rekor
2021-12-10 10:11:57 +01:00
Source : https://github.com/sigstore/rekor/archive/refs/tags/v%{version} .tar.gz#/%{name}-%{version}.tar.gz
Source1 : vendor.tar.xz
2022-06-29 14:42:40 +02:00
Source2 : rekor-zypper-verify.sh
2021-12-10 10:11:57 +01:00
BuildRequires : golang-packaging
2022-01-06 16:04:12 +01:00
BuildRequires : golang(API)
2021-12-10 10:11:57 +01:00
%{go_nostrip}
%description
Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software projects supply chain. Rekor will enable software maintainers and build systems to record signed metadata to an immutable record. Other parties can then query said metadata to enable them to make informed decisions on trust and non-repudiation of an object' s lifecycle. For more details visit the sigstore website
The Rekor project provides a restful API based server for validation and a transparency log for storage. A CLI application is available to make and verify entries, query the transparency log for inclusion proof, integrity verification of the transparency log or retrieval of entries by either public key or artifact.
Rekor fulfils the signature transparency role of sigstore's software signing infrastructure. However, Rekor can be run on its own and is designed to be extensible to working with different manifest schemas and PKI tooling.
%prep
%autosetup -p1 -a1
%build
2022-01-25 09:44:46 +01:00
DATE_FMT=" + % % Y - % % m - % % d T % % H : % % M : % % S Z "
BUILD_DATE=$(date -u -d " @ $ { S O U R C E _ D A T E _ E P O C H } " " $ { D A T E _ F M T } " 2>/dev/null || date -u -r " $ { S O U R C E _ D A T E _ E P O C H } " " $ { D A T E _ F M T } " 2>/dev/null || date -u " $ { D A T E _ F M T } " )
2021-12-10 10:11:57 +01:00
for app in %{apps} ; do
CLI_PKG=github.com/sigstore/rekor/cmd/rekor-${app}/app
CLI_LDFLAGS=" - X $ { C L I _ P K G } . g i t V e r s i o n = %{version} - X $ { C L I _ P K G } . g i t C o m m i t = %{revision} - X $ { C L I _ P K G } . g i t T r e e S t a t e = r e l e a s e - X $ { C L I _ P K G } . b u i l d D a t e = $ { B U I L D _ D A T E } "
go build -mod=vendor -buildmode=pie -ldflags " $ { C L I _ L D F L A G S } " ./cmd/rekor-${app}
./rekor-${app} version
done
%install
for app in %{apps} ; do
install -D -m 0755 rekor-${app} %{buildroot} %{_bindir} /rekor-${app}
done
2022-06-29 14:42:40 +02:00
install -m 0755 %SOURCE2 %{buildroot} %{_bindir} /rekor-zypp-verify
2021-12-10 10:11:57 +01:00
%files
%license LICENSE
%doc *.md
%{_bindir} /rekor-*
%changelog
