Ensure cosign is installed before trying to use it

This commit is contained in:
Alexis Métaireau 2025-01-29 19:31:54 +01:00
parent 7bbd260c72
commit f7069a9c16
No known key found for this signature in database
GPG key ID: C65C7A89A8FFC56E
5 changed files with 22 additions and 9 deletions


@ -1,6 +1,8 @@
import subprocess import subprocess
from tempfile import NamedTemporaryFile from tempfile import NamedTemporaryFile
from . import utils
def verify_attestation( def verify_attestation(
manifest: bytes, attestation_bundle: bytes, image_tag: str, expected_repo: str manifest: bytes, attestation_bundle: bytes, image_tag: str, expected_repo: str
@ -9,6 +11,7 @@ def verify_attestation(
Look up the image attestation to see if the image has been built Look up the image attestation to see if the image has been built
on Github runners, and from a given repository. on Github runners, and from a given repository.
""" """
utils.ensure_cosign()
# Put the value in files and verify with cosign # Put the value in files and verify with cosign
with ( with (
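Review bot: The docstring at the top of this hunk still describes only the attestation lookup, while the new `utils.ensure_cosign()` call means `verify_attestation` now raises a domain-specific error before any verification happens; callers catching `SignatureError` subclasses will want that documented. I would extend the docstring with a raises clause such as `Raises CosignNotInstalledError if the cosign binary cannot be executed.` (the exact exception class is defined in the errors module changed by this commit, so confirm the name). Note also that `ensure_cosign()` spawns a `cosign version` process on every call, so code paths that verify several images pay that cost repeatedly. The body of `verify_attestation` continues outside the hunk.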


@ -36,3 +36,7 @@ class SignatureMismatch(SignatureError):
class LocalSignatureNotFound(SignatureError): class LocalSignatureNotFound(SignatureError):
pass pass
class CosignNotInstalledError(SignatureError):
pass


@ -12,6 +12,8 @@ __all__ = [
"list_tags", "list_tags",
"get_manifest", "get_manifest",
"get_attestation", "get_attestation",
"Image",
"parse_image_location",
] ]
SIGSTORE_BUNDLE = "application/vnd.dev.sigstore.bundle.v0.3+json" SIGSTORE_BUNDLE = "application/vnd.dev.sigstore.bundle.v0.3+json"
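Review bot: The two names added to `__all__`, `Image` and `parse_image_location`, have no definition visible in this hunk, and nothing in the commit title ("Ensure cosign is installed") explains them. If either is not actually defined in this module, `from .registry import *` will raise `AttributeError` at import time, which is a failure mode that only shows up for star-importers. Please confirm both are defined here, and consider splitting this unrelated export change into its own commit so the cosign fix stays reviewable on its own.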


@ -9,7 +9,7 @@ from tempfile import NamedTemporaryFile
from typing import Dict, List, Tuple from typing import Dict, List, Tuple
from ..container_utils import container_pull, load_image_hash from ..container_utils import container_pull, load_image_hash
from . import errors, log from . import errors, log, utils
from .registry import get_manifest_hash from .registry import get_manifest_hash
try: try:
@ -32,14 +32,6 @@ __all__ = [
] ]
def is_cosign_installed() -> bool:
try:
subprocess.run(["cosign", "version"], capture_output=True, check=True)
return True
except subprocess.CalledProcessError:
return False
def signature_to_bundle(sig: Dict) -> Dict: def signature_to_bundle(sig: Dict) -> Dict:
"""Convert a cosign-download signature to the format expected by cosign bundle.""" """Convert a cosign-download signature to the format expected by cosign bundle."""
bundle = sig["Bundle"] bundle = sig["Bundle"]
@ -65,6 +57,7 @@ def signature_to_bundle(sig: Dict) -> Dict:
def verify_signature(signature: dict, pubkey: str) -> bool: def verify_signature(signature: dict, pubkey: str) -> bool:
"""Verify a signature against a given public key""" """Verify a signature against a given public key"""
utils.ensure_cosign()
signature_bundle = signature_to_bundle(signature) signature_bundle = signature_to_bundle(signature)
with ( with (
@ -221,6 +214,7 @@ def get_signatures(image: str, hash: str) -> List[Dict]:
""" """
Retrieve the signatures from cosign download signature and convert each one to the "cosign bundle" format. Retrieve the signatures from cosign download signature and convert each one to the "cosign bundle" format.
""" """
utils.ensure_cosign()
process = subprocess.run( process = subprocess.run(
["cosign", "download", "signature", f"{image}@sha256:{hash}"], ["cosign", "download", "signature", f"{image}@sha256:{hash}"],
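Review bot: The second hunk deletes the public `is_cosign_installed()` right after the closing `]` of `__all__`, but `__all__` itself is not touched in this diff; if that name was listed there (not visible here), `from .signatures import *` now fails, and any external caller of the boolean helper breaks without a deprecation path. If the helper was exported, either keep a thin shim such as `def is_cosign_installed() -> bool:` that wraps `utils.ensure_cosign()` in a try/except, or drop the entry from `__all__` in the same commit. Separately, `get_signatures` now runs `cosign version` immediately before running `cosign download`, so the probe adds a process spawn per call where catching the failure of the real invocation would have given the same signal; that is a style choice worth a comment. The enclosing `get_signatures` body continues past the end of the hunk.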


@ -0,0 +1,10 @@
import subprocess
from . import errors
def ensure_cosign() -> None:
try:
subprocess.run(["cosign", "version"], capture_output=True, check=True)
except subprocess.CalledProcessError:
raise errors.CosignNotInstalledError()
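Review bot: The `except subprocess.CalledProcessError` on the second-to-last line does not catch the case this helper exists for: when no `cosign` executable is on PATH, `subprocess.run` raises `FileNotFoundError` (an `OSError`) before any process exits, so `CosignNotInstalledError` is never raised and callers see a bare `FileNotFoundError` instead. `CalledProcessError` only fires when a `cosign` binary exists but `cosign version` returns non-zero. I would change the handler to `except (subprocess.CalledProcessError, FileNotFoundError) as e:` and `raise errors.CosignNotInstalledError() from e` so the original cause is preserved. Also worth a comment: this probe only proves that some executable named `cosign` runs; it does not pin a version or verify the binary itself, so the trust in the signature checks still rests on how PATH is populated.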