From eb87c66063b5eba11e799940ddfc6aa74d03eca4 Mon Sep 17 00:00:00 2001
From: Uwe Schwaeke
Date: Mon, 9 Feb 2026 11:30:55 +0100
Subject: [PATCH 1/2] cbscore/builder: ignore cosign install if already installed
* what: if the return code of the rpm process is 2, check if the failure reason is that the package is already installed.
* why: when reusing a container, the package might already be present. this occurs when a build runner job must be debugged.
Signed-off-by: Uwe Schwaeke
---
 cbscore/src/cbscore/builder/prepare.py | 35 +++++++++++++-------------
 1 file changed, 18 insertions(+), 17 deletions(-)
diff --git a/cbscore/src/cbscore/builder/prepare.py b/cbscore/src/cbscore/builder/prepare.py
index 7c6c1119..f34512d9 100644
--- a/cbscore/src/cbscore/builder/prepare.py
+++ b/cbscore/src/cbscore/builder/prepare.py
@@ -104,23 +104,24 @@ async def _cb(s: str) -> None:
 logger.error(f"error installing builder packages: {stderr}")
 raise BuilderError(msg="unable to install dependencies")
- # install cosign rpm
- rc, stdout, stderr = await async_run_cmd(
- [
- "rpm",
- "-Uvh",
- "https://github.com/sigstore/cosign/releases/download/v2.4.3/"
- + "cosign-2.4.3-1.x86_64.rpm",
- ],
- )
- logger.debug(stdout)
- if rc == 2 and re.match(".*already installed.*", stderr):
- msg = f'skip install cosign. allready installed'
- logger.debug(msg)
- elif rc != 0:
- msg = f"error installing cosign package: {stderr}"
- logger.error(msg)
- raise BuilderError(msg)
+ # install cosign rpm if not already installed
+ rc, _, _ = await async_run_cmd(["rpm", "-q", "cosign"])
+ if rc != 0:
+ rc, stdout, stderr = await async_run_cmd(
+ [
+ "rpm",
+ "-Uvh",
+ "https://github.com/sigstore/cosign/releases/download/v2.4.3/"
+ + "cosign-2.4.3-1.x86_64.rpm",
+ ],
+ )
+ logger.debug(stdout)
+ if rc != 0:
+ msg = f"error installing cosign package: {stderr}"
+ logger.error(msg)
+ raise BuilderError(msg)
+ else:
+ logger.debug("skip install cosign. already installed")
 except CommandError as e:
 logger.exception("unable to run 'dnf'")
 raise BuilderError(msg=f"error running 'dnf': {e}") from e
From 98d78f8fdf716b05670d586582dd427cb4bc0e13 Mon Sep 17 00:00:00 2001
From: Uwe Schwaeke
Date: Mon, 9 Feb 2026 11:31:46 +0100
Subject: [PATCH 2/2] cbscore: let skopeo handle local registries
* what: add option --tls-verify to subcommands build and runner build. pass the tls-verify flag to skopeo when querying the registry. check if the return value from skopeo inspect equals "not found" (exit code 2).
* why: if the image is pushed to a local container registry with a self-signed certificate, skopeo must not verify the certificate to avoid errors. current versions of skopeo (1.20.0) return exit code 2 if an image is not found.
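Review bot: In cbscore/builder/prepare.py the new `rpm -q cosign` guard is satisfied by any installed cosign package, whatever its version or origin, so a reused container keeps the binary it already holds instead of the pinned 2.4.3 build. Querying the pinned package, `rc, _, _ = await async_run_cmd(["rpm", "-q", "cosign-2.4.3-1.x86_64"])`, limits the skip to the case where the expected build is present. The install path still hands a release URL straight to `rpm -Uvh` with no digest pinned anywhere in the hunk; because cosign is the signing tool, downloading the file first and comparing its SHA-256 with a value recorded in the repository before installing would close that gap. Indentation is lost on this page, so the `else:` is assumed to pair with the outer `if rc != 0:`; the enclosing function starts and ends outside the hunk.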
Signed-off-by: Uwe Schwaeke
---
 cbscore/src/cbscore/builder/builder.py | 2 +-
 cbscore/src/cbscore/images/skopeo.py | 7 ++++++-
 cbscore/src/cbscore/runner.py | 3 +++
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/cbscore/src/cbscore/builder/builder.py b/cbscore/src/cbscore/builder/builder.py
index 984f2b57..4dde4bb8 100644
--- a/cbscore/src/cbscore/builder/builder.py
+++ b/cbscore/src/cbscore/builder/builder.py
@@ -73,7 +73,7 @@ def __init__(
 *,
 skip_build: bool = False,
 force: bool = False,
- tls_verify: bool = True
+ tls_verify: bool = True,
 ) -> None:
 self.desc = desc
 self.config = config
diff --git a/cbscore/src/cbscore/images/skopeo.py b/cbscore/src/cbscore/images/skopeo.py
index a00064cd..e85490e2 100644
--- a/cbscore/src/cbscore/images/skopeo.py
+++ b/cbscore/src/cbscore/images/skopeo.py
@@ -16,6 +16,7 @@
 #
 # pyright: reportAny=false, reportUnknownArgumentType=false
+import errno
 import re
 import pydantic
@@ -147,7 +148,11 @@ def skopeo_inspect(img: str, secrets: SecretsMgr, *, tls_verify: bool = True) ->
 if retcode != 0:
 msg = f"error inspecting image '{img}': {err}"
- if retcode == 2 or re.match(r".*not\s+found.*", err):
+ # Handle "image not found" across different Skopeo versions:
+ # - Newer versions of Skopeo explicitly return exit code 2.
+ # - Older versions return a generic error code but include "not found" in
+ # stderr.
+ if retcode == errno.ENOENT or re.match(r".*not\s+found.*", err):
 logger.debug(msg)
 raise ImageNotFoundError(img) from None
 logger.error(msg)
diff --git a/cbscore/src/cbscore/runner.py b/cbscore/src/cbscore/runner.py
index c3029f85..8c127ffe 100644
--- a/cbscore/src/cbscore/runner.py
+++ b/cbscore/src/cbscore/runner.py
@@ -278,6 +278,9 @@ async def runner(
 if force:
 podman_args.append("--force")
+ if not tls_verify:
+ podman_args.append("--tls-verify=false")
+
 ctr_name = run_name if run_name else gen_run_name()
 try:
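Review bot: In cbscore/images/skopeo.py the condition `retcode == errno.ENOENT` compares a process exit status with an errno constant; the two coincide only because ENOENT is 2, and the line suggests skopeo reports errno values. A module constant such as `SKOPEO_EXIT_NOT_FOUND = 2` states the intent and makes the `import errno` hunk unnecessary. The fallback `re.match(r".*not\s+found.*", err)` on the same line accepts any stderr whose first line contains "not found", so a different failure (a missing certificate or credentials file, for example) could be raised as ImageNotFoundError and logged only at debug level; anchoring the pattern to the image or manifest wording skopeo actually emits would keep such errors visible. skopeo_inspect's body starts and continues outside the hunk.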
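Review bot: In cbscore/runner.py the new `--tls-verify=false` branch switches certificate checking off without leaving any trace in the run log. The same setting reaches the skopeo calls that take a SecretsMgr, so registry credentials may be sent to an endpoint whose identity was never checked; a line such as `logger.warning("TLS verification disabled for registry access")` before the append (assuming this module has a `logger`, which the hunk does not show) makes that visible in build records. For a local registry with a self-signed certificate, trusting that CA instead (skopeo accepts `--cert-dir`) keeps verification on. runner()'s body starts and continues outside the hunk.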