sget: init at unstable-2022-10-04

This binary was provided by the `cosign` package until now but it is in
the process of being removed, see sigstore/cosign#2019

Since it might be removed during the 22.11 cycle we drop it
preventively. This will make possible security backports easier if we
need them.

nixos/doc/manual/from_md/release-notes/rl-2211.section.xml

@@ -501,7 +501,9 @@
       <listitem>
         <para>
           <literal>pkgs.cosign</literal> does not provide the
-          <literal>cosigned</literal> binary anymore.
+          <literal>cosigned</literal> binary anymore. The
+          <literal>sget</literal> binary has been moved into its own
+          package.
         </para>
       </listitem>
       <listitem>

nixos/doc/manual/release-notes/rl-2211.section.md

@@ -169,7 +169,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
 - PHP 7.4 is no longer supported due to upstream not supporting this
   version for the entire lifecycle of the 22.11 release.
 
-- `pkgs.cosign` does not provide the `cosigned` binary anymore.
+- `pkgs.cosign` does not provide the `cosigned` binary anymore. The `sget` binary has been moved into its own package.
 
 - Emacs now uses the Lucid toolkit by default instead of GTK because of stability and compatibility issues.
   Users who still wish to remain using GTK can do so by using `emacs-gtk`.

pkgs/tools/security/cosign/default.nix

@@ -20,7 +20,6 @@ buildGoModule rec {
 
   subPackages = [
     "cmd/cosign"
-    "cmd/sget"
   ];
 
   tags = [] ++ lib.optionals pivKeySupport [ "pivkey" ] ++ lib.optionals pkcs11Support [ "pkcs11key" ];
@@ -45,10 +44,6 @@ buildGoModule rec {
       --bash <($out/bin/cosign completion bash) \
       --fish <($out/bin/cosign completion fish) \
       --zsh <($out/bin/cosign completion zsh)
-    installShellCompletion --cmd sget \
-      --bash <($out/bin/sget completion bash) \
-      --fish <($out/bin/sget completion fish) \
-      --zsh <($out/bin/sget completion zsh)
   '';
 
   meta = with lib; {

pkgs/tools/security/sget/default.nix

@@ -0,0 +1,33 @@
+{ stdenv, lib, buildGoModule, fetchFromGitHub, installShellFiles }:
+
+buildGoModule rec {
+  pname = "sget";
+  version = "unstable-2022-10-04";
+
+  src = fetchFromGitHub {
+    owner = "sigstore";
+    repo = pname;
+    rev = "d7d1e53b21ca906000e74474729854cb5ac48dbc";
+    sha256 = "sha256-BgxTlLmtKqtDq3HgLoH+j0vBrpRujmL9Wr8F4d+jPi0=";
+  };
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  vendorSha256 = "sha256-KPQHS7Hfco1ljOJgStIXMaol7j4dglcr0w+6Boj7GK8=";
+
+  ldflags = [ "-s" "-w" ];
+
+  postInstall = ''
+    installShellCompletion --cmd sget \
+      --bash <($out/bin/sget completion bash) \
+      --fish <($out/bin/sget completion fish) \
+      --zsh <($out/bin/sget completion zsh)
+  '';
+
+  meta = with lib; {
+    homepage = "https://github.com/sigstore/sget";
+    description = "Command for safer, automatic verification of signatures and integration with Sigstore's binary transparency log, Rekor";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ lesuisse ];
+  };
+}

pkgs/top-level/all-packages.nix

@@ -11059,6 +11059,8 @@ with pkgs;
 
   sg3_utils = callPackage ../tools/system/sg3_utils { };
 
+  sget = callPackage ../tools/security/sget { };
+
   sha1collisiondetection = callPackage ../tools/security/sha1collisiondetection { };
 
   shadowsocks-libev = callPackage ../tools/networking/shadowsocks-libev { };