From 394d47c2579c821e5847b9d180d5d92d93d71795 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 21 Apr 2025 21:11:19 +0000
Subject: [PATCH 1/2] build(deps): bump securesystemslib in the dependencies
 group

Bumps the dependencies group with 1 update: [securesystemslib](https://github.com/secure-systems-lab/securesystemslib).


Updates `securesystemslib` from 1.2.0 to 1.3.0
- [Release notes](https://github.com/secure-systems-lab/securesystemslib/releases)
- [Changelog](https://github.com/secure-systems-lab/securesystemslib/blob/main/CHANGELOG.md)
- [Commits](https://github.com/secure-systems-lab/securesystemslib/compare/v1.2.0...v1.3.0)

---
updated-dependencies:
- dependency-name: securesystemslib
  dependency-version: 1.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 requirements/pinned.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements/pinned.txt b/requirements/pinned.txt
index 8767e1aa3f..aa8483f0f1 100644
--- a/requirements/pinned.txt
+++ b/requirements/pinned.txt
@@ -10,7 +10,7 @@ cryptography==44.0.2
     # via securesystemslib
 pycparser==2.22
     # via cffi
-securesystemslib==1.2.0
+securesystemslib==1.3.0
     # via -r requirements/main.txt
 urllib3==2.4.0
     # via -r requirements/main.txt

From ee50fea0c6443eadca73cdf43f702aeee05e7f50 Mon Sep 17 00:00:00 2001
From: Jussi Kukkonen <jkukkonen@google.com>
Date: Sat, 15 Mar 2025 17:08:45 +0200
Subject: [PATCH 2/2] annotation fixes

* Start linting securesystemslib calls
  (this requires new securesystemslib)
* Fix various issues that suddenly popup

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
---
 pyproject.toml    |  1 -
 tests/test_api.py | 43 +++++++++++++++++++++++--------------------
 2 files changed, 23 insertions(+), 21 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index a5c24fc987..266b2188f5 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -135,7 +135,6 @@ disable_error_code = ["attr-defined"]
 [[tool.mypy.overrides]]
 module = [
   "requests.*",
-  "securesystemslib.*",
 ]
 ignore_missing_imports = "True"
 
diff --git a/tests/test_api.py b/tests/test_api.py
index 8006cd48e7..dabf50c86c 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -22,6 +22,7 @@
     Key,
     SecretsHandler,
     Signer,
+    SSlibKey,
 )
 
 from tests import utils
@@ -244,11 +245,11 @@ class FailingSigner(Signer):
             @classmethod
             def from_priv_key_uri(
                 cls,
-                priv_key_uri: str,
-                public_key: Key,
-                secrets_handler: SecretsHandler | None = None,
+                _priv_key_uri: str,
+                _public_key: Key,
+                _secrets_handler: SecretsHandler | None = None,
             ) -> Signer:
-                pass
+                raise RuntimeError("Not a real signer")
 
             @property
             def public_key(self) -> Key:
@@ -469,43 +470,45 @@ def test_signed_verify_delegate(self) -> None:
         )
 
     def test_verification_result(self) -> None:
-        vr = VerificationResult(3, {"a": None}, {"b": None})
+        key = SSlibKey("", "", "", {"public": ""})
+        vr = VerificationResult(3, {"a": key}, {"b": key})
         self.assertEqual(vr.missing, 2)
         self.assertFalse(vr.verified)
         self.assertFalse(vr)
 
         # Add a signature
-        vr.signed["c"] = None
+        vr.signed["c"] = key
         self.assertEqual(vr.missing, 1)
         self.assertFalse(vr.verified)
         self.assertFalse(vr)
 
         # Add last missing signature
-        vr.signed["d"] = None
+        vr.signed["d"] = key
         self.assertEqual(vr.missing, 0)
         self.assertTrue(vr.verified)
         self.assertTrue(vr)
 
         # Add one more signature
-        vr.signed["e"] = None
+        vr.signed["e"] = key
         self.assertEqual(vr.missing, 0)
         self.assertTrue(vr.verified)
         self.assertTrue(vr)
 
     def test_root_verification_result(self) -> None:
-        vr1 = VerificationResult(3, {"a": None}, {"b": None})
-        vr2 = VerificationResult(1, {"c": None}, {"b": None})
+        key = SSlibKey("", "", "", {"public": ""})
+        vr1 = VerificationResult(3, {"a": key}, {"b": key})
+        vr2 = VerificationResult(1, {"c": key}, {"b": key})
 
         vr = RootVerificationResult(vr1, vr2)
-        self.assertEqual(vr.signed, {"a": None, "c": None})
-        self.assertEqual(vr.unsigned, {"b": None})
+        self.assertEqual(vr.signed, {"a": key, "c": key})
+        self.assertEqual(vr.unsigned, {"b": key})
         self.assertFalse(vr.verified)
         self.assertFalse(vr)
 
-        vr1.signed["c"] = None
-        vr1.signed["f"] = None
-        self.assertEqual(vr.signed, {"a": None, "c": None, "f": None})
-        self.assertEqual(vr.unsigned, {"b": None})
+        vr1.signed["c"] = key
+        vr1.signed["f"] = key
+        self.assertEqual(vr.signed, {"a": key, "c": key, "f": key})
+        self.assertEqual(vr.unsigned, {"b": key})
         self.assertTrue(vr.verified)
         self.assertTrue(vr)
 
@@ -678,7 +681,7 @@ def test_root_add_key_and_revoke_key(self) -> None:
 
         # Assert that add_key with old argument order will raise an error
         with self.assertRaises(ValueError):
-            root.signed.add_key(Root.type, key)
+            root.signed.add_key(Root.type, key)  # type: ignore [arg-type]
 
         # Add new root key
         root.signed.add_key(key, Root.type)
@@ -778,7 +781,7 @@ def test_targets_key_api(self) -> None:
 
         # Assert that add_key with old argument order will raise an error
         with self.assertRaises(ValueError):
-            targets.add_key("role1", key)
+            targets.add_key(Root.type, key)  # type: ignore [arg-type]
 
         # Assert that delegated role "role1" does not contain the new key
         self.assertNotIn(key.keyid, targets.delegations.roles["role1"].keyids)
@@ -1178,7 +1181,7 @@ def test_serialization(self) -> None:
             self.assertEqual(metadata.signed, payload)
 
     def test_fail_envelope_serialization(self) -> None:
-        envelope = SimpleEnvelope(b"foo", "bar", ["baz"])
+        envelope = SimpleEnvelope(b"foo", "bar", [])  # type: ignore[arg-type]
         with self.assertRaises(SerializationError):
             envelope.to_bytes()
 
@@ -1193,7 +1196,7 @@ def test_fail_payload_serialization(self) -> None:
     def test_fail_payload_deserialization(self) -> None:
         payloads = [b"[", b'{"_type": "foo"}']
         for payload in payloads:
-            envelope = SimpleEnvelope(payload, "bar", [])
+            envelope = SimpleEnvelope(payload, "bar", {})
             with self.assertRaises(DeserializationError):
                 envelope.get_signed()