Merge pull request #970 from jku/annotate-hash

lukpueh · web-flow · commit 0b6e01868f4d · 2025-03-25T12:41:56.000+01:00
Annotate the library (add py.typed)
diff --git a/.github/workflows/_test.yml b/.github/workflows/_test.yml
@@ -16,6 +16,7 @@ jobs:
         include:
           # Run macOS tests on 3.9 (current OS X python) and latest,
           # Run Windows and "special" tests on latest Python version only
+          # Run linter on oldest supported Python
           - python-version: "3.9"
             os: macos-latest
             toxenv: py
@@ -34,7 +35,7 @@ jobs:
           - python-version: "3.13"
             os: ubuntu-latest
             toxenv: py-test-gpg-fails
-          - python-version: "3.13"
+          - python-version: "3.9"
             os: ubuntu-latest
             toxenv: lint
 
diff --git a/mypy.ini b/mypy.ini
diff --git a/pyproject.toml b/pyproject.toml
@@ -62,7 +62,6 @@ include = [
   "/securesystemslib",
   "/requirements*.txt",
   "/tox.ini",
-  "/mypy.ini",
   "/CHANGELOG.md",
   "/.coveragerc",
 ]
@@ -87,4 +86,43 @@ indent-width = 4
 "tests/*" = [
     "S",      # bandit: Not running bandit on tests
     "E501"    # line-too-long
-]
+]
+
+[tool.mypy]
+warn_unused_configs = "True"
+warn_redundant_casts = "True"
+warn_unused_ignores = "True"
+warn_unreachable = "True"
+strict_equality = "True"
+disallow_untyped_defs = "True"
+show_error_codes = "True"
+
+exclude = [
+  "^securesystemslib/_vendor/",
+  "^securesystemslib/_gpg/",
+  "^securesystemslib/hash.py",
+]
+
+[[tool.mypy.overrides]]
+module = [
+  # let's not install typeshed annotations for GCPSigner
+  "google.*",
+  # Suppress error messages for non-annotating dependencies
+  "PyKCS11.*",
+  "asn1crypto.*",
+  "sigstore_protobuf_specs.*",
+  "pyspx.*",
+  "azure.*",
+  "boto3.*",
+  "botocore.*",
+  "hvac.*",
+]
+ignore_missing_imports = "True"
+
+[[tool.mypy.overrides]]
+module = [
+  "securesystemslib._gpg.*",
+  "securesystemslib._vendor.*",
+  "securesystemslib.hash",
+]
+follow_imports = "skip"
diff --git a/securesystemslib/py.typed b/securesystemslib/py.typed
diff --git a/securesystemslib/signer/_hsm_signer.py b/securesystemslib/signer/_hsm_signer.py
@@ -64,7 +64,7 @@
 _PYKCS11LIB = None
 
 
-def PYKCS11LIB():  # noqa: N802
+def PYKCS11LIB():  # type: ignore[no-untyped-def] # noqa: N802
     """Pseudo-singleton to load shared library using PYKCS11LIB envvar only once."""
     global _PYKCS11LIB  # noqa: PLW0603
     if _PYKCS11LIB is None:
diff --git a/securesystemslib/signer/_key.py b/securesystemslib/signer/_key.py
@@ -26,6 +26,7 @@
         SECP256R1,
         SECP384R1,
         SECP521R1,
+        EllipticCurve,
         EllipticCurvePublicKey,
     )
     from cryptography.hazmat.primitives.asymmetric.ed25519 import (
@@ -346,11 +347,13 @@ def _verify_ed25519_fallback(self, signature: bytes, data: bytes) -> None:
     def _verify(self, signature: bytes, data: bytes) -> None:
         """Helper to verify signature using pyca/cryptography (default)."""
 
-        def _validate_type(key, type_):
+        def _validate_type(key: object, type_: type) -> None:
             if not isinstance(key, type_):
                 raise ValueError(f"bad key {key} for {self.scheme}")
 
-        def _validate_curve(key, curve):
+        def _validate_curve(
+            key: EllipticCurvePublicKey, curve: type[EllipticCurve]
+        ) -> None:
             if not isinstance(key.curve, curve):
                 raise ValueError(f"bad curve {key.curve} for {self.scheme}")
 
diff --git a/securesystemslib/signer/_utils.py b/securesystemslib/signer/_utils.py
@@ -9,7 +9,7 @@
 from securesystemslib.formats import encode_canonical
 
 
-def compute_default_keyid(keytype: str, scheme, keyval: dict[str, Any]) -> str:
+def compute_default_keyid(keytype: str, scheme: str, keyval: dict[str, Any]) -> str:
     """Return sha256 hexdigest of the canonical json of the key."""
     data: str | None = encode_canonical(
         {
diff --git a/securesystemslib/storage.py b/securesystemslib/storage.py
@@ -25,7 +25,7 @@
 from abc import ABCMeta, abstractmethod
 from collections.abc import Iterator
 from contextlib import contextmanager
-from typing import IO, BinaryIO
+from typing import IO, Any, BinaryIO
 
 from securesystemslib import exceptions
 
@@ -189,7 +189,7 @@ class FilesystemBackend(StorageBackendInterface):
     # objects.
     _instance = None
 
-    def __new__(cls, *args, **kwargs):
+    def __new__(cls, *args: Any, **kwargs: Any) -> FilesystemBackend:
         if cls._instance is None:
             cls._instance = object.__new__(cls, *args, **kwargs)
         return cls._instance
diff --git a/tox.ini b/tox.ini
@@ -69,7 +69,7 @@ commands =
     ruff format --diff {[testenv:lint]lint_dirs}
     ruff check {[testenv:lint]lint_dirs}
 
-    mypy {[testenv:lint]lint_dirs}
+    mypy securesystemslib
     zizmor --persona=pedantic -q .
 
 [testenv:fix]

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@`
`9`	`9`	`from securesystemslib.formats import encode_canonical`
`10`	`10`
`11`	`11`
`12`		`-def compute_default_keyid(keytype: str, scheme, keyval: dict[str, Any]) -> str:`
	`12`	`+def compute_default_keyid(keytype: str, scheme: str, keyval: dict[str, Any]) -> str:`
`13`	`13`	`"""Return sha256 hexdigest of the canonical json of the key."""`
`14`	`14`	`data: str \| None = encode_canonical(`
`15`	`15`	`{`