Merge commit '93883402a445ad467320925a0a5dbe43a949f25b'

Conflicts:
	nixpkgs/nixos/modules/programs/ssh.nix
	nixpkgs/pkgs/applications/networking/browsers/firefox/packages.nix
	nixpkgs/pkgs/data/fonts/noto-fonts/default.nix
	nixpkgs/pkgs/development/go-modules/generic/default.nix
	nixpkgs/pkgs/development/interpreters/ruby/default.nix
	nixpkgs/pkgs/development/libraries/mesa/default.nix

1 files changed, 25 insertions, 0 deletions

diff --git a/nixpkgs/pkgs/tools/security/witness/default.nix b/nixpkgs/pkgs/tools/security/witness/default.nix
new file mode 100644
index 000000000000..571685afb400
--- /dev/null
+++ b/nixpkgs/pkgs/tools/security/witness/default.nix
@@ -0,0 +1,25 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+
+buildGoModule rec {
+  pname = "witness";
+  version = "0.1.1";
+
+  src = fetchFromGitHub {
+    owner = "testifysec";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-NnDsiDUTCdjsHVA/mHnB8WRnvwFTzETkWUOd7IgMIWE=";
+  };
+
+  vendorSha256 = "sha256-zkLparWJsuqrhOQxxV37dBqt6fwpSinTO+paJkbl+sM=";
+
+  # We only want the witness binary, not the helper utilities for generating docs.
+  subPackages = [ "cmd/witness" ];
+
+  meta = with lib; {
+    description = "A pluggable framework for software supply chain security. Witness prevents tampering of build materials and verifies the integrity of the build process from source to target";
+    homepage = "https://github.com/testifysec/witness";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ fkautz ];
+  };
+}