Support gpg signatures (copied from in-toto project)

.travis.yml

@@ -6,7 +6,6 @@ python: 3.6
 
 env:
   - TOXENV=py27
-  - TOXENV=py34
   - TOXENV=py36
 
 before_script:

ci-requirements.txt

@@ -5,4 +5,5 @@ coverage
 coveralls
 six
 colorama
-mock; python_version < '3.3'
+mock;
+subprocess32; python_version < '3'

dev-requirements.txt

@@ -5,6 +5,7 @@ tox==3.2.1
 coveralls==1.3.0
 coverage==4.5.1
 colorama==0.3.9
-mock==2.0.0; python_version < '3.3'
+mock==2.0.0;
+subprocess32; python_version < '3'
 
 --editable .

requirements.txt

@@ -2,3 +2,4 @@ cryptography
 pynacl
 six
 colorama
+subprocess32; python_version < '3'

securesystemslib/formats.py

@@ -355,8 +355,10 @@
 # That would be under the argument that a key should only be able to sign a
 # file once.
 SIGNATURE_SCHEMA = SCHEMA.Object(
-  object_name = 'SIGNATURE_SCHEMA',
+  object_name = "SIGNATURE_SCHEMA",
   keyid = KEYID_SCHEMA,
+  short_keyid = SCHEMA.Optional(KEYID_SCHEMA),
+  other_headers = SCHEMA.Optional(HEX_SCHEMA),
   sig = HEX_SCHEMA)
 
 # List of SIGNATURE_SCHEMA.

securesystemslib/gpg/__init__.py

@@ -0,0 +1,23 @@
+"""
+<Module Name>
+  gpg
+
+<Author>
+  Santiago Torres-Arias <[email protected]>
+
+<Started>
+  Nov 15, 2017
+
+<Copyright>
+  See LICENSE for licensing information.
+
+<Purpose>
+  This module was written due to the lack of other python (such as pygpg)
+  modules that can provide an abstraction to the RFC4480 encoded messages from
+  GPG. The closest candidate we could find was the python bindings for gpgme,
+  we oped to use a Popen-based python-only construction given that gpgme is
+  often shipped separately and other popular tools using gpg (e.g., git) don't
+  use these bindings either. This is because users willing to use gpg signing
+  are almost guaranteed to have gpg installed, yet the same assumption can't be
+  made for the gpgme python bindings.
+"""