diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
index 78bd6c6a22d..177af1d2afa 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@@ -501,7 +501,9 @@
pkgs.cosign does not provide the
- cosigned binary anymore.
+ cosigned binary anymore. The
+ sget binary has been moved into its own
+ package.
diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md
index 37b0db8a8ce..d0376b67c98 100644
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@@ -169,7 +169,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- PHP 7.4 is no longer supported due to upstream not supporting this
version for the entire lifecycle of the 22.11 release.
-- `pkgs.cosign` does not provide the `cosigned` binary anymore.
+- `pkgs.cosign` does not provide the `cosigned` binary anymore. The `sget` binary has been moved into its own package.
- Emacs now uses the Lucid toolkit by default instead of GTK because of stability and compatibility issues.
Users who still wish to remain using GTK can do so by using `emacs-gtk`.
diff --git a/pkgs/tools/security/cosign/default.nix b/pkgs/tools/security/cosign/default.nix
index f64237b8254..6cfd46954e3 100644
--- a/pkgs/tools/security/cosign/default.nix
+++ b/pkgs/tools/security/cosign/default.nix
@@ -20,7 +20,6 @@ buildGoModule rec {
subPackages = [
"cmd/cosign"
- "cmd/sget"
];
tags = [] ++ lib.optionals pivKeySupport [ "pivkey" ] ++ lib.optionals pkcs11Support [ "pkcs11key" ];
@@ -45,10 +44,6 @@ buildGoModule rec {
--bash <($out/bin/cosign completion bash) \
--fish <($out/bin/cosign completion fish) \
--zsh <($out/bin/cosign completion zsh)
- installShellCompletion --cmd sget \
- --bash <($out/bin/sget completion bash) \
- --fish <($out/bin/sget completion fish) \
- --zsh <($out/bin/sget completion zsh)
'';
meta = with lib; {
diff --git a/pkgs/tools/security/sget/default.nix b/pkgs/tools/security/sget/default.nix
new file mode 100644
index 00000000000..ef59b5db334
--- /dev/null
+++ b/pkgs/tools/security/sget/default.nix
@@ -0,0 +1,33 @@
+{ stdenv, lib, buildGoModule, fetchFromGitHub, installShellFiles }:
+
+buildGoModule rec {
+ pname = "sget";
+ version = "unstable-2022-10-04";
+
+ src = fetchFromGitHub {
+ owner = "sigstore";
+ repo = pname;
+ rev = "d7d1e53b21ca906000e74474729854cb5ac48dbc";
+ sha256 = "sha256-BgxTlLmtKqtDq3HgLoH+j0vBrpRujmL9Wr8F4d+jPi0=";
+ };
+
+ nativeBuildInputs = [ installShellFiles ];
+
+ vendorSha256 = "sha256-KPQHS7Hfco1ljOJgStIXMaol7j4dglcr0w+6Boj7GK8=";
+
+ ldflags = [ "-s" "-w" ];
+
+ postInstall = ''
+ installShellCompletion --cmd sget \
+ --bash <($out/bin/sget completion bash) \
+ --fish <($out/bin/sget completion fish) \
+ --zsh <($out/bin/sget completion zsh)
+ '';
+
+ meta = with lib; {
+ homepage = "https://github.com/sigstore/sget";
+ description = "Command for safer, automatic verification of signatures and integration with Sigstore's binary transparency log, Rekor";
+ license = licenses.asl20;
+ maintainers = with maintainers; [ lesuisse ];
+ };
+}
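Review bot: `postInstall` in the new `sget/default.nix` runs the freshly built `$out/bin/sget` to generate completions, which cannot work when the build machine is unable to execute host-platform binaries (cross builds). The `stdenv` argument is also declared and never used. Guarding the hook fixes both: `postInstall = lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''`. The source is pinned by commit hash under an `unstable-` version, which is fine for integrity given `sha256` and `vendorSha256`. If the reason is that upstream has no usable tagged release (not visible from this diff), a one-line comment above `rev` saying so would help whoever bumps the package next.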
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 33ca400bbb8..a5ad554e9c7 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -11059,6 +11059,8 @@ with pkgs;
sg3_utils = callPackage ../tools/system/sg3_utils { };
+ sget = callPackage ../tools/security/sget { };
+
sha1collisiondetection = callPackage ../tools/security/sha1collisiondetection { };
shadowsocks-libev = callPackage ../tools/networking/shadowsocks-libev { };