Merge pull request #158438 from fkautz/init-witness-0.1.1

witness: init at 0.1.1

maintainers/maintainer-list.nix

@@ -4022,6 +4022,12 @@
     github = "fitzgibbon";
     githubId = 617048;
   };
+  fkautz = {
+    name = "Frederick F. Kautz IV";
+    email = "fkautz@alumni.cmu.edu";
+    github = "fkautz";
+    githubId = 135706;
+  };
   Flakebi = {
     email = "flakebi@t-online.de";
     github = "Flakebi";

pkgs/tools/security/witness/default.nix

@@ -0,0 +1,25 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+
+buildGoModule rec {
+  pname = "witness";
+  version = "0.1.1";
+
+  src = fetchFromGitHub {
+    owner = "testifysec";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-NnDsiDUTCdjsHVA/mHnB8WRnvwFTzETkWUOd7IgMIWE=";
+  };
+
+  vendorSha256 = "sha256-zkLparWJsuqrhOQxxV37dBqt6fwpSinTO+paJkbl+sM=";
+
+  # We only want the witness binary, not the helper utilities for generating docs.
+  subPackages = [ "cmd/witness" ];
+
+  meta = with lib; {
+    description = "A pluggable framework for software supply chain security. Witness prevents tampering of build materials and verifies the integrity of the build process from source to target";
+    homepage = "https://github.com/testifysec/witness";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ fkautz ];
+  };
+}

pkgs/top-level/all-packages.nix

@@ -10750,6 +10750,8 @@ with pkgs;
     SDL = SDL_sixel;
   };
 
+  witness = callPackage ../tools/security/witness { };
+
   openconnect = openconnect_gnutls;
 
   openconnect_openssl = callPackage ../tools/networking/openconnect {