Ensure cosign is installed before trying to use it

This commit is contained in:
Alexis Métaireau 2025-01-29 19:31:54 +01:00
parent 7bbd260c72
commit f7069a9c16
No known key found for this signature in database
GPG key ID: C65C7A89A8FFC56E
5 changed files with 22 additions and 9 deletions


@ -1,6 +1,8 @@
import subprocess
from tempfile import NamedTemporaryFile
from . import utils
def verify_attestation(
manifest: bytes, attestation_bundle: bytes, image_tag: str, expected_repo: str
@ -9,6 +11,7 @@ def verify_attestation(
Look up the image attestation to see if the image has been built
on Github runners, and from a given repository.
"""
utils.ensure_cosign()
# Put the value in files and verify with cosign
with (
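Review bot: The docstring of verify_attestation, whose tail is the first lines of this hunk, does not mention the failure mode the added `utils.ensure_cosign()` introduces, so callers reading the contract will not know to catch it. Add a line before the closing `"""`: `Raises errors.CosignNotInstalledError if the cosign binary cannot be executed.` The body of verify_attestation starts and ends outside the hunk.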


@ -36,3 +36,7 @@ class SignatureMismatch(SignatureError):
class LocalSignatureNotFound(SignatureError):
pass
class CosignNotInstalledError(SignatureError):
pass
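Review bot: The new CosignNotInstalledError has no docstring, and it is raised without a message in the new utils module, so an operator who hits it sees only the class name. Replace the `pass` body with `"""Raised when the cosign binary cannot be executed (missing from PATH or failing `cosign version`)."""` so the condition is documented next to the other SignatureError subclasses.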


@ -12,6 +12,8 @@ __all__ = [
"list_tags",
"get_manifest",
"get_attestation",
"Image",
"parse_image_location",
]
SIGSTORE_BUNDLE = "application/vnd.dev.sigstore.bundle.v0.3+json"


@ -9,7 +9,7 @@ from tempfile import NamedTemporaryFile
from typing import Dict, List, Tuple
from ..container_utils import container_pull, load_image_hash
from . import errors, log
from . import errors, log, utils
from .registry import get_manifest_hash
try:
@ -32,14 +32,6 @@ __all__ = [
]
def is_cosign_installed() -> bool:
try:
subprocess.run(["cosign", "version"], capture_output=True, check=True)
return True
except subprocess.CalledProcessError:
return False
def signature_to_bundle(sig: Dict) -> Dict:
"""Convert a cosign-download signature to the format expected by cosign bundle."""
bundle = sig["Bundle"]
@ -65,6 +57,7 @@ def signature_to_bundle(sig: Dict) -> Dict:
def verify_signature(signature: dict, pubkey: str) -> bool:
"""Verify a signature against a given public key"""
utils.ensure_cosign()
signature_bundle = signature_to_bundle(signature)
with (
@ -221,6 +214,7 @@ def get_signatures(image: str, hash: str) -> List[Dict]:
"""
Retrieve the signatures from cosign download signature and convert each one to the "cosign bundle" format.
"""
utils.ensure_cosign()
process = subprocess.run(
["cosign", "download", "signature", f"{image}@sha256:{hash}"],
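Review bot: Each of the added `utils.ensure_cosign()` calls in verify_signature and get_signatures spawns a `cosign version` process before the real cosign invocation, so the check runs once per signature rather than once per process; if verify_signature is called in a loop over the signatures get_signatures returns (its callers are outside this hunk), the subprocess count doubles for a result that cannot change during the run. Memoising the helper where it is defined, `@functools.cache` on `ensure_cosign`, keeps the call sites as they are while paying the probe once. The hunk also removes the public `is_cosign_installed`; whether it was listed in `__all__` or imported elsewhere is not visible here and is worth confirming before merge.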


@ -0,0 +1,10 @@
import subprocess
from . import errors
def ensure_cosign() -> None:
try:
subprocess.run(["cosign", "version"], capture_output=True, check=True)
except subprocess.CalledProcessError:
raise errors.CosignNotInstalledError()
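Review bot: `ensure_cosign` catches only `subprocess.CalledProcessError`, but when the cosign binary is absent from PATH `subprocess.run` raises `FileNotFoundError` before any process exists, so the very condition the helper is named for escapes as an unhandled OSError; CosignNotInstalledError is raised only when cosign is present and `cosign version` exits non-zero. Broaden the handler and chain the cause: `except (subprocess.CalledProcessError, FileNotFoundError) as exc:` / `raise errors.CosignNotInstalledError() from exc`. Every caller added in this commit (verify_attestation, verify_signature, get_signatures) relies on this helper for the missing-binary case, so the gap affects all of them. A one-line docstring, `"""Raise errors.CosignNotInstalledError unless `cosign version` can be run successfully."""`, would also document the contract.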