Stricter mypy setup

* Move config to pyproject.toml
* Turn on useful mypy options
* Don't check tests with mypy: too much to fix right now
* Add py.typed to announce this project is type annotated
* Fix various annotation issues

Issues remain in hash module

Signed-off-by: Jussi Kukkonen <[email protected]>

Author: jku

mypy.ini

@@ -62,7 +62,6 @@ include = [
   "/securesystemslib",
   "/requirements*.txt",
   "/tox.ini",
-  "/mypy.ini",
   "/CHANGELOG.md",
   "/.coveragerc",
 ]
@@ -87,4 +86,41 @@ indent-width = 4
 "tests/*" = [
     "S",      # bandit: Not running bandit on tests
     "E501"    # line-too-long
-]
+]
+
+[tool.mypy]
+warn_unused_configs = "True"
+warn_redundant_casts = "True"
+warn_unused_ignores = "True"
+warn_unreachable = "True"
+strict_equality = "True"
+disallow_untyped_defs = "True"
+show_error_codes = "True"
+
+exclude = [
+  "^securesystemslib/_vendor/",
+  "^securesystemslib/_gpg/"
+]
+
+[[tool.mypy.overrides]]
+module = [
+  # let's not install typeshed annotations for GCPSigner
+  "google.*",
+  # Suppress error messages for non-annotating dependencies
+  "PyKCS11.*",
+  "asn1crypto.*",
+  "sigstore_protobuf_specs.*",
+  "pyspx.*",
+  "azure.*",
+  "boto3.*",
+  "botocore.*",
+  "hvac.*",
+]
+ignore_missing_imports = "True"
+
+[[tool.mypy.overrides]]
+module = [
+  "securesystemslib._gpg.*",
+  "securesystemslib._vendor.*",
+]
+follow_imports = "skip"

pyproject.toml

@@ -64,7 +64,7 @@
 _PYKCS11LIB = None
 
 
-def PYKCS11LIB():  # noqa: N802
+def PYKCS11LIB():  # type: ignore[no-untyped-def] # noqa: N802
     """Pseudo-singleton to load shared library using PYKCS11LIB envvar only once."""
     global _PYKCS11LIB  # noqa: PLW0603
     if _PYKCS11LIB is None:

securesystemslib/py.typed

@@ -26,6 +26,7 @@
         SECP256R1,
         SECP384R1,
         SECP521R1,
+        EllipticCurve,
         EllipticCurvePublicKey,
     )
     from cryptography.hazmat.primitives.asymmetric.ed25519 import (
@@ -346,11 +347,13 @@ def _verify_ed25519_fallback(self, signature: bytes, data: bytes) -> None:
     def _verify(self, signature: bytes, data: bytes) -> None:
         """Helper to verify signature using pyca/cryptography (default)."""
 
-        def _validate_type(key, type_):
+        def _validate_type(key: object, type_: type) -> None:
             if not isinstance(key, type_):
                 raise ValueError(f"bad key {key} for {self.scheme}")
 
-        def _validate_curve(key, curve):
+        def _validate_curve(
+            key: EllipticCurvePublicKey, curve: type[EllipticCurve]
+        ) -> None:
             if not isinstance(key.curve, curve):
                 raise ValueError(f"bad curve {key.curve} for {self.scheme}")
 

securesystemslib/signer/_hsm_signer.py

@@ -9,7 +9,7 @@
 from securesystemslib.hash import digest
 
 
-def compute_default_keyid(keytype: str, scheme, keyval: dict[str, Any]) -> str:
+def compute_default_keyid(keytype: str, scheme: str, keyval: dict[str, Any]) -> str:
     """Return sha256 hexdigest of the canonical json of the key."""
     data: str | None = encode_canonical(
         {

securesystemslib/signer/_key.py

@@ -25,7 +25,7 @@
 from abc import ABCMeta, abstractmethod
 from collections.abc import Iterator
 from contextlib import contextmanager
-from typing import IO, BinaryIO
+from typing import IO, Any, BinaryIO
 
 from securesystemslib import exceptions
 
@@ -189,7 +189,7 @@ class FilesystemBackend(StorageBackendInterface):
     # objects.
     _instance = None
 
-    def __new__(cls, *args, **kwargs):
+    def __new__(cls, *args: Any, **kwargs: Any) -> FilesystemBackend:
         if cls._instance is None:
             cls._instance = object.__new__(cls, *args, **kwargs)
         return cls._instance

securesystemslib/signer/_utils.py

@@ -69,7 +69,7 @@ commands =
     ruff format --diff {[testenv:lint]lint_dirs}
     ruff check {[testenv:lint]lint_dirs}
 
-    mypy {[testenv:lint]lint_dirs}
+    mypy securesystemslib
     zizmor --persona=pedantic -q .
 
 [testenv:fix]