Ensure cosign is installed before trying to use it

2025-04-28 18:02:38 +02:00 · 2025-01-29 19:31:54 +01:00 · 2025-01-29 19:31:54 +01:00 · d4547b8964
commit d4547b8964
parent 9b60a101a1
5 changed files with 22 additions and 9 deletions
--- a/dangerzone/updater/attestations.py
+++ b/dangerzone/updater/attestations.py
@ -1,6 +1,8 @@
 import subprocess
 from tempfile import NamedTemporaryFile

+from . import utils
+

 def verify_attestation(
    manifest: bytes, attestation_bundle: bytes, image_tag: str, expected_repo: str
@ -9,6 +11,7 @@ def verify_attestation(
    Look up the image attestation to see if the image has been built
    on Github runners, and from a given repository.
    """
+    utils.ensure_cosign()

    # Put the value in files and verify with cosign
    with (
--- a/dangerzone/updater/errors.py
+++ b/dangerzone/updater/errors.py
@ -36,3 +36,7 @@ class SignatureMismatch(SignatureError):

 class LocalSignatureNotFound(SignatureError):
    pass
+
+
+class CosignNotInstalledError(SignatureError):
+    pass
--- a/dangerzone/updater/registry.py
+++ b/dangerzone/updater/registry.py
@ -12,6 +12,8 @@ __all__ = [
    "list_tags",
    "get_manifest",
    "get_attestation",
+    "Image",
+    "parse_image_location",
 ]

 SIGSTORE_BUNDLE = "application/vnd.dev.sigstore.bundle.v0.3+json"
--- a/dangerzone/updater/signatures.py
+++ b/dangerzone/updater/signatures.py
@ -9,7 +9,7 @@ from tempfile import NamedTemporaryFile
 from typing import Dict, List, Tuple

 from ..container_utils import container_pull, load_image_hash
-from . import errors, log
+from . import errors, log, utils
 from .registry import get_manifest_hash

 try:
@ -32,14 +32,6 @@ __all__ = [
 ]


-def is_cosign_installed() -> bool:
-    try:
-        subprocess.run(["cosign", "version"], capture_output=True, check=True)
-        return True
-    except subprocess.CalledProcessError:
-        return False
-
-
 def signature_to_bundle(sig: Dict) -> Dict:
    """Convert a cosign-download signature to the format expected by cosign bundle."""
    bundle = sig["Bundle"]
@ -65,6 +57,7 @@ def signature_to_bundle(sig: Dict) -> Dict:
 def verify_signature(signature: dict, pubkey: str) -> bool:
    """Verify a signature against a given public key"""

+    utils.ensure_cosign()
    signature_bundle = signature_to_bundle(signature)

    with (
@ -221,6 +214,7 @@ def get_signatures(image: str, hash: str) -> List[Dict]:
    """
    Retrieve the signatures from cosign download signature and convert each one to the "cosign bundle" format.
    """
+    utils.ensure_cosign()

    process = subprocess.run(
        ["cosign", "download", "signature", f"{image}@sha256:{hash}"],
--- a/dangerzone/updater/utils.py
+++ b/dangerzone/updater/utils.py
@ -0,0 +1,10 @@
+import subprocess
+
+from . import errors
+
+
+def ensure_cosign() -> None:
+    try:
+        subprocess.run(["cosign", "version"], capture_output=True, check=True)
+    except subprocess.CalledProcessError:
+        raise errors.CosignNotInstalledError()