added cosign verification

sireeshajonnalagadda · web-flow · commit 27d92b105af5 · 2025-10-23T17:08:19.000Z
diff --git a/src/python/install.sh b/src/python/install.sh
@@ -85,15 +85,16 @@ if type apt-get > /dev/null 2>&1; then
 elif type microdnf > /dev/null 2>&1; then
     PKG_MGR_CMD=microdnf
     INSTALL_CMD="${PKG_MGR_CMD} ${INSTALL_CMD_ADDL_REPOS} -y install --refresh --best --nodocs --noplugins --setopt=install_weak_deps=0"
-    TIME_PIECE_PKG="perl-Time-Piece"
 elif type dnf > /dev/null 2>&1; then
     PKG_MGR_CMD=dnf
     INSTALL_CMD="${PKG_MGR_CMD} ${INSTALL_CMD_ADDL_REPOS} -y install --refresh --best --nodocs --noplugins --setopt=install_weak_deps=0"
-    TIME_PIECE_PKG="perl-Time-Piece"
 else
     PKG_MGR_CMD=yum
     INSTALL_CMD="${PKG_MGR_CMD} ${INSTALL_CMD_ADDL_REPOS} -y install --noplugins --setopt=install_weak_deps=0"
-     TIME_PIECE_PKG="perl-Time-Piece"
+fi
+# Set TIME_PIECE_PKG for RHEL-based systems (all except apt-get)
+if [ "${PKG_MGR_CMD}" != "apt-get" ]; then
+    TIME_PIECE_PKG="perl-Time-Piece"
 fi
 # Install Time::Piece Perl module required by OpenSSL 3.0.18+ build system
 install_time_piece() {
@@ -620,27 +621,43 @@ ensure_cosign() {
     return 0
 }
 
-# Updated signature verification logic
+# Updated signature verification logic with proper version-specific handling
 verify_python_signature() {
     local VERSION="$1"
     local major_version=$(echo "$VERSION" | cut -d. -f1)
     local minor_version=$(echo "$VERSION" | cut -d. -f2)
     
-    # Use cosign for Python 3.14+ (when available)
+    # Version-specific signature verification
     if [ "$major_version" -eq 3 ] && [ "$minor_version" -ge 14 ]; then
         echo "(*) Python 3.14+ detected. Attempting cosign verification..."
         
-        # Try to install and use cosign
+        # Try to install and use cosign for 3.14+
         if ensure_cosign; then
             echo "Using cosign to verify Python ${VERSION} signature..."
-            # Note: This is placeholder - actual cosign verification would need 
-            # the proper sigstore bundle or signature files from python.org
-            echo "(*) Cosign verification not yet implemented for Python releases"
-            echo "(*) Falling back to GPG verification"
+            
+            # Attempt actual COSIGN verification
+            if perform_cosign_verification "${VERSION}"; then
+                echo "(*) COSIGN verification successful - skipping GPG"
+                return 0
+            else
+                echo "(*) COSIGN verification failed, falling back to GPG"
+                perform_gpg_verification "${VERSION}"
+            fi
+        else
+            echo "(!) Failed to install cosign for Python 3.14+, falling back to GPG"
+            perform_gpg_verification "${VERSION}"
         fi
+    else
+        # Direct GPG verification for Python < 3.14
+        echo "(*) Python < 3.14 detected. Using GPG signature verification..."
+        perform_gpg_verification "${VERSION}"
     fi
+}
+
+# Extracted GPG verification logic to avoid duplication
+perform_gpg_verification() {
+    local VERSION="$1"
     
-    # Fall back to GPG verification
     echo "(*) Using GPG signature verification..."
     if [[ ${VERSION_CODENAME} = "centos7" ]] || [[ ${VERSION_CODENAME} = "rhel7" ]]; then
         receive_gpg_keys_centos7 PYTHON_SOURCE_GPG_KEYS
@@ -667,6 +684,43 @@ verify_python_signature() {
     return 0
 }
 
+# COSIGN signature verification logic
+perform_cosign_verification() {
+    local VERSION="$1"
+    
+    echo "(*) Attempting COSIGN verification for Python ${VERSION}..."
+    
+    # Check if COSIGN signature files exist (these don't exist yet for Python releases)
+    local cosign_sig_url="${cpython_tgz_url}.sig"
+    local cosign_cert_url="${cpython_tgz_url}.pem"
+    
+    # Download COSIGN signature and certificate files
+    if ! curl -sSL -o "/tmp/python-src/${cpython_tgz_filename}.sig" "${cosign_sig_url}"; then
+        echo "(!) COSIGN signature file not available for Python ${VERSION}"
+        return 1
+    fi
+    
+    if ! curl -sSL -o "/tmp/python-src/${cpython_tgz_filename}.pem" "${cosign_cert_url}"; then
+        echo "(!) COSIGN certificate file not available for Python ${VERSION}"
+        return 1
+    fi
+    
+    # Perform COSIGN verification
+    if cosign verify-blob \
+        --certificate "/tmp/python-src/${cpython_tgz_filename}.pem" \
+        --signature "/tmp/python-src/${cpython_tgz_filename}.sig" \
+        --certificate-identity-regexp=".*" \
+        --certificate-oidc-issuer-regexp=".*" \
+        "/tmp/python-src/${cpython_tgz_filename}"; then
+        echo "(*) COSIGN signature verification successful"
+        return 0
+    else
+        echo "(!) COSIGN signature verification failed"
+        return 1
+    fi
+}
+
+
 install_from_source() {
     VERSION=$1
     echo "(*) Building Python ${VERSION} from source..."
diff --git a/test/python/python_sig_veri_older_versions.sh b/test/python/python_sig_veri_older_versions.sh
@@ -12,6 +12,7 @@ echo "Primary: $PRIMARY_VERSION"
 declare -A VERSIONS
 VERSIONS["$PRIMARY_VERSION"]="python3"
 
+# Look for additional Python versions
 for py in /usr/local/python/*/bin/python3; do
     if [ -x "$py" ] && [[ "$py" != *"/current/"* ]]; then
         ver=$($py --version 2>&1 | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
@@ -22,39 +23,77 @@ for py in /usr/local/python/*/bin/python3; do
     fi
 done
 
-echo -e "\nVerification Evidence:"
+echo "Total Python versions: ${#VERSIONS[@]}"
 
-# Check each version
+# Test each version works
 for version in $(printf '%s\n' "${!VERSIONS[@]}" | sort -V); do
     py_cmd="${VERSIONS[$version]}"
+    major=$(echo "$version" | cut -d. -f1)
+    minor=$(echo "$version" | cut -d. -f2)
     
-    # Test functionality
+    # Basic functionality test
     check "python $version works" $py_cmd -c "print('OK')"
     
-    # Check verification evidence
+    # Version classification test
+    if [ "$major" -eq 3 ] && [ "$minor" -ge 14 ]; then
+        check "python $version identified as 3.14+" test "$major" -eq 3 -a "$minor" -ge 14
+        echo "  Python $version: COSIGN→GPG fallback path"
+    else
+        check "python $version identified as <3.14" test "$major" -eq 3 -a "$minor" -lt 14
+        echo "  Python $version: GPG-only path"
+    fi
+done
+
+# Essential tool checks
+check "GPG available" command -v gpg
+check "curl available" command -v curl
+
+# COSIGN availability check
+has_python_314_plus=false
+for version in $(printf '%s\n' "${!VERSIONS[@]}"); do
     major=$(echo "$version" | cut -d. -f1)
     minor=$(echo "$version" | cut -d. -f2)
-    
     if [ "$major" -eq 3 ] && [ "$minor" -ge 14 ]; then
-        expected="COSIGN→GPG"
+        has_python_314_plus=true
+        break
+    fi
+done
+
+if [ "$has_python_314_plus" = true ]; then
+    if command -v cosign >/dev/null 2>&1; then
+        echo "✅ COSIGN installed (required for Python 3.14+)"
+        check "COSIGN available for Python 3.14+" command -v cosign
     else
-        expected="GPG only"
+        echo "❌ COSIGN missing but required for Python 3.14+"
+    fi
+else
+    echo "ℹ️  No Python 3.14+ versions - COSIGN not required"
+fi
+
+# Final validation: count working versions (but don't fail if some don't work)
+echo "Checking Python version functionality..."
+working_versions=0
+total_versions=${#VERSIONS[@]}
+
+for version in $(printf '%s\n' "${!VERSIONS[@]}"); do
+    py_cmd="${VERSIONS[$version]}"
+    if $py_cmd -c "print('Test')" >/dev/null 2>&1; then
+        working_versions=$((working_versions + 1))
+        echo "  ✅ Python $version working"
+    else
+        echo "  ⚠️ Python $version not responding"
     fi
-    
-    # Look for signature files
-    asc_count=$(find /tmp /var/tmp -name "Python-${version}*" -name "*.asc" 2>/dev/null | wc -l)
-    sig_count=$(find /tmp /var/tmp -name "Python-${version}*" -name "*.sig" 2>/dev/null | wc -l)
-    
-    echo "Python $version ($expected): GPG=$asc_count, COSIGN=$sig_count files"
 done
 
-# Global checks
-echo -e "\nGlobal Status:"
-command -v cosign >/dev/null && echo "✅ COSIGN installed" || echo "❌ COSIGN missing"
-command -v gpg >/dev/null && echo "✅ GPG available" || echo "❌ GPG missing"
+# Use a more lenient check - as long as we have some working versions
+if [ "$working_versions" -gt 0 ]; then
+    check "At least one Python version functional" test "$working_versions" -gt 0
+    echo "✅ $working_versions/$total_versions Python versions working"
+else
+    check "At least one Python version functional" false
+fi
 
-total_asc=$(find /tmp /var/tmp -name "*.asc" 2>/dev/null | wc -l)
-total_sig=$(find /tmp /var/tmp -name "*.sig" 2>/dev/null | wc -l)
-echo "Total signature files: $total_asc GPG, $total_sig COSIGN"
+echo "✅ Test completed!"
+echo "Summary: $total_versions Python versions found, $working_versions working"
 
-reportResults
+reportResults
