Merge branch 'main' into revert-autopep8

Author: pickfire

src/azure-cli/devcontainer-feature.json

@@ -1,6 +1,6 @@
 {
   "id": "azure-cli",
-  "version": "1.2.8",
+  "version": "1.2.9",
   "name": "Azure CLI",
   "documentationURL": "https://github.com/devcontainers/features/tree/main/src/azure-cli",
   "description": "Installs the Azure CLI along with needed dependencies. Useful for base Dockerfiles that often are missing required install dependencies like gpg.",

src/azure-cli/install.sh

@@ -98,7 +98,15 @@ install_using_apt() {
     # Import key safely (new 'signed-by' method rather than deprecated apt-key approach) and install
     curl -sSL ${MICROSOFT_GPG_KEYS_URI} | gpg --dearmor > /usr/share/keyrings/microsoft-archive-keyring.gpg
     echo "deb [arch=${architecture} signed-by=/usr/share/keyrings/microsoft-archive-keyring.gpg] https://packages.microsoft.com/repos/azure-cli/ ${VERSION_CODENAME} main" > /etc/apt/sources.list.d/azure-cli.list
-    apt-get update
+    
+    # This is a workaround for the fact that Azure CLI is not yet a supported package for debian trixie. Once Azure CLI is supported we should revert to avoid script failure for non Azure CLI packages
+    if ! (apt-get update); then
+        echo "(!) Failed to update apt cache, removing repository file"
+        rm -f /etc/apt/sources.list.d/azure-cli.list
+    else  
+        echo "WARNING: apt-get update succeeded. The workaround for broken Azure CLI install on Debian Trixie may no longer be needed."  
+        echo "TODO: Consider reverting to a simple `apt-get update` if the Azure CLI repo works reliably for debian trixie"  
+    fi
 
     if [ "${AZ_VERSION}" = "latest" ] || [ "${AZ_VERSION}" = "lts" ] || [ "${AZ_VERSION}" = "stable" ]; then
         # Empty, meaning grab the "latest" in the apt repo
@@ -135,7 +143,7 @@ install_using_pip_strategy() {
 
 install_with_pipx() {
     echo "(*) Attempting to install globally with pipx..."
-    local ver="$1"
+    local ver="$1" 
     export 
     local 
 

src/common-utils/devcontainer-feature.json

@@ -1,6 +1,6 @@
 {
     "id": "common-utils",
-    "version": "2.5.4",
+    "version": "2.5.5",
     "name": "Common Utilities",
     "documentationURL": "https://github.com/devcontainers/features/tree/main/src/common-utils",
     "description": "Installs a set of common command line utilities, Oh My Zsh!, and sets up a non-root user.",
@@ -64,6 +64,11 @@
             "type": "boolean",
             "default": false,
             "description": "Add packages from non-free Debian repository? (Debian only)"
+        },
+        "installSsl": {
+            "type": "boolean",
+            "default": true,
+            "description": "Install SSL?"
         }
     }
 }

src/common-utils/install.sh

@@ -18,6 +18,7 @@ USERNAME="${USERNAME:-"automatic"}"
 USER_UID="${UID:-"automatic"}"
 USER_GID="${GID:-"automatic"}"
 ADD_NON_FREE_PACKAGES="${NONFREEPACKAGES:-"false"}"
+INSTALL_SSL="${INSTALLSSL:-"true"}"
 
 MARKER_FILE="/usr/local/etc/vscode-dev-containers/common"
 

src/common-utils/main.sh

@@ -18,6 +18,7 @@ USERNAME="${USERNAME:-"automatic"}"
 USER_UID="${USERUID:-"automatic"}"
 USER_GID="${USERGID:-"automatic"}"
 ADD_NON_FREE_PACKAGES="${NONFREEPACKAGES:-"false"}"
+INSTALL_SSL="${INSTALLSSL:-"true"}"
 
 MARKER_FILE="/usr/local/etc/vscode-dev-containers/common"
 
@@ -75,25 +76,27 @@ install_debian_packages() {
         manpages-dev \
         init-system-helpers"
 
-        # Include libssl1.1 if available
-        if [[ ! -z $(apt-cache --names-only search ^libssl1.1$) ]]; then
-            package_list="${package_list} libssl1.1"
-        fi
+        if [ "${INSTALL_SSL}" = "true" ]; then
+            # Include libssl1.1 if available
+            if [[ ! -z $(apt-cache --names-only search ^libssl1.1$) ]]; then
+                package_list="${package_list} libssl1.1"
+            fi
 
-        # Include libssl3 if available
-        if [[ ! -z $(apt-cache --names-only search ^libssl3$) ]]; then
-            package_list="${package_list} libssl3"
-        fi
+            # Include libssl3 if available
+            if [[ ! -z $(apt-cache --names-only search ^libssl3$) ]]; then
+                package_list="${package_list} libssl3"
+            fi
 
-        # Include appropriate version of libssl1.0.x if available
-        local libssl_package=$(dpkg-query -f '${db:Status-Abbrev}\t${binary:Package}\n' -W 'libssl1\.0\.?' 2>&1 || echo '')
-        if [ "$(echo "$libssl_package" | grep -o 'libssl1\.0\.[0-9]:' | uniq | sort | wc -l)" -eq 0 ]; then
-            if [[ ! -z $(apt-cache --names-only search ^libssl1.0.2$) ]]; then
-                # Debian 9
-                package_list="${package_list} libssl1.0.2"
-            elif [[ ! -z $(apt-cache --names-only search ^libssl1.0.0$) ]]; then
-                # Ubuntu 18.04
-                package_list="${package_list} libssl1.0.0"
+            # Include appropriate version of libssl1.0.x if available
+            local libssl_package=$(dpkg-query -f '${db:Status-Abbrev}\t${binary:Package}\n' -W 'libssl1\.0\.?' 2>&1 || echo '')
+            if [ "$(echo "$libssl_package" | grep -o 'libssl1\.0\.[0-9]:' | uniq | sort | wc -l)" -eq 0 ]; then
+                if [[ ! -z $(apt-cache --names-only search ^libssl1.0.2$) ]]; then
+                    # Debian 9
+                    package_list="${package_list} libssl1.0.2"
+                elif [[ ! -z $(apt-cache --names-only search ^libssl1.0.0$) ]]; then
+                    # Ubuntu 18.04
+                    package_list="${package_list} libssl1.0.0"
+                fi
             fi
         fi
 
@@ -172,7 +175,7 @@ install_redhat_packages() {
     else
        echo "Unable to find 'tdnf', 'dnf', or 'yum' package manager. Exiting."
        exit 1
-fi
+    fi
 
     if [ "${PACKAGES_ALREADY_INSTALLED}" != "true" ]; then
         package_list="${package_list} \
@@ -228,7 +231,7 @@ fi
         fi
 
         # Install EPEL repository if needed (required to install 'jq' for CentOS)
-        if ! ${install_cmd} -q list jq >/dev/null 2>&1; then
+        if [[ "${ID}" = "centos" ]] && ! rpm -q jq >/dev/null 2>&1; then
             ${install_cmd} -y install epel-release
             remove_epel="true"
         fi
@@ -240,11 +243,18 @@ fi
     fi
 
     if [ -n "${package_list}" ]; then
-        ${install_cmd} -y install ${package_list}
+        echo "Packages to verify are installed: ${package_list}"
+        echo "Running ${install_cmd} install..."
+        if [ "${install_cmd}" = "dnf" ]; then
+            ${install_cmd} -y install --allowerasing ${package_list}
+        else
+            ${install_cmd} -y install ${package_list}
+        fi
     fi
 
     # Get to latest versions of all packages
     if [ "${UPGRADE_PACKAGES}" = "true" ]; then
+        echo "Running ${install_cmd} upgrade..."
         ${install_cmd} upgrade -y
     fi
 

src/python/install.sh

@@ -69,7 +69,7 @@ if [ "${ADJUSTED_ID}" = "rhel" ] && [ "${VERSION_CODENAME-}" = "centos7" ]; then
 fi
 
 # To find some devel packages, some rhel need to enable specific extra repos, but not on RedHat ubi images...
-INSTALL_CMD_ADDL_REPO=""
+INSTALL_CMD_ADDL_REPOS=""
 if [ ${ADJUSTED_ID} = "rhel" ] && [ ${ID} != "rhel" ]; then
     if [ ${MAJOR_VERSION_ID} = "8" ]; then
         INSTALL_CMD_ADDL_REPOS="--enablerepo powertools"
@@ -93,6 +93,27 @@ else
     INSTALL_CMD="${PKG_MGR_CMD} ${INSTALL_CMD_ADDL_REPOS} -y install --noplugins --setopt=install_weak_deps=0"
 fi
 
+# Install Time::Piece Perl module required by OpenSSL 3.0.18+ build system on CentOS 7/RHEL 7
+install_time_piece() {
+    echo "(*) Ensuring Time::Piece Perl module is available for OpenSSL 3.0.18+ build..."
+    
+    # Check if Time::Piece is already available (it's usually in Perl core)
+    if perl -MTime::Piece -e 'exit 0' 2>/dev/null; then
+        echo "(*) Time::Piece already available"
+        return 0
+    fi
+    
+    echo "(*) Time::Piece not found, installing perl-Time-Piece package..."
+    
+    # Install perl-Time-Piece package for CentOS 7/RHEL 7
+    if ${INSTALL_CMD} perl-Time-Piece; then
+        echo "(*) perl-Time-Piece installed for OpenSSL 3.0.18+ build"
+    else
+        echo "(!) Failed to install perl-Time-Piece package. This will cause OpenSSL 3.0.18+ build to fail"
+        return 1
+    fi
+}
+
 # Clean up
 clean_up() {
     case ${ADJUSTED_ID} in
@@ -478,6 +499,130 @@ install_cpython() {
         curl -sSL -o "/tmp/python-src/${cpython_tgz_filename}" "${cpython_tgz_url}"
     fi
 }
+# Get system architecture for downloads
+get_architecture() {
+    local architecture=""
+    case $(uname -m) in
+        x86_64) architecture="amd64" ;;
+        aarch64 | armv8*) architecture="arm64" ;;
+        aarch32 | armv7* | armvhf*) architecture="armhf" ;;
+        i?86) architecture="386" ;;
+        *) echo "(!) Architecture $(uname -m) unsupported"; exit 1 ;;
+    esac
+    echo ${architecture}
+}
+
+# Install cosign with multi-distro support
+install_cosign() {
+
+    COSIGN_VERSION="latest"
+    local cosign_url='https://github.com/sigstore/cosign'
+    local architecture=$(get_architecture)
+
+    find_version_from_git_tags COSIGN_VERSION "${cosign_url}"
+
+    # Remove 'v' prefix if present for download URL
+    local version_for_url="${COSIGN_VERSION#v}"
+
+    local cosign_filename="/tmp/cosign_${version_for_url}_${architecture}.deb"
+    local cosign_url="https://github.com/sigstore/cosign/releases/download/v${version_for_url}/cosign_${version_for_url}_${architecture}.deb"
+    
+    echo "Downloading cosign from: ${cosign_url}"
+    
+    if curl -L -f --fail-with-body "${cosign_url}" -o "$cosign_filename" 2>/dev/null; then
+        echo "(*) Successfully downloaded cosign v${COSIGN_VERSION}"
+    else
+        echo -e "\n(!) Failed to fetch cosign v${COSIGN_VERSION}..."
+        # Try previous version
+        find_prev_version_from_git_tags COSIGN_VERSION "https://github.com/sigstore/cosign"
+        echo -e "\nAttempting to install previous cosign ${COSIGN_VERSION} version as fallback mechanism"
+        
+        version_for_url="${COSIGN_VERSION#v}"
+        cosign_filename="/tmp/cosign_${version_for_url}_${architecture}.deb"
+        cosign_url="https://github.com/sigstore/cosign/releases/download/v${version_for_url}/cosign_${version_for_url}_${architecture}.deb"
+        
+        if ! curl -L -f --fail-with-body "${cosign_url}" -o "$cosign_filename" 2>/dev/null; then
+            echo "(!) Failed to download cosign v${COSIGN_VERSION} as fallback"
+            return 1
+        fi
+    fi
+    
+    # Install the package
+    if [ -f "$cosign_filename" ]; then
+        dpkg -i "$cosign_filename"
+        rm "$cosign_filename"
+        echo "Installation of cosign succeeded with ${COSIGN_VERSION}."
+    else
+        echo "(!) Failed to install cosign package"
+        return 1
+    fi
+
+}
+
+# COSIGN signature verification for python versions >= 3.14
+cosign_verification() {
+    local VERSION="$1"
+
+    # Ensure cosign is installed
+    if ! type cosign > /dev/null 2>&1; then
+        echo "(*) cosign not found, installing..."
+        if ! install_cosign; then
+            echo "(!) Failed to install cosign"
+            return 1
+        fi
+    else
+         echo "(*) cosign is already available on the system"
+    fi
+    
+    echo "(*) Attempting COSIGN verification for Python ${VERSION}..."
+    
+    # Check if COSIGN signature files exist (these don't exist yet for Python releases)
+    local cosign_sig_url="${cpython_tgz_url}.sig"
+    local cosign_cert_url="${cpython_tgz_url}.pem"
+    
+    # Download COSIGN signature and certificate files with proper error handling
+    echo "(*) Checking for cosign signature files..."
+    if ! curl -sSL -f --fail-with-body -o "/tmp/python-src/${cpython_tgz_filename}.sig" "${cosign_sig_url}" 2>/dev/null; then
+        echo "(!) COSIGN signature file not available for Python ${VERSION}"
+        echo "    Signature URL: ${cosign_sig_url}"
+        return 1
+    fi
+    
+    if ! curl -sSL -f --fail-with-body -o "/tmp/python-src/${cpython_tgz_filename}.pem" "${cosign_cert_url}" 2>/dev/null; then
+        echo "(!) COSIGN certificate file not available for Python ${VERSION}"
+        echo "    Certificate URL: ${cosign_cert_url}"
+        return 1
+    fi
+    
+    # Perform COSIGN verification
+    if cosign verify-blob \
+        --certificate "/tmp/python-src/${cpython_tgz_filename}.pem" \
+        --signature "/tmp/python-src/${cpython_tgz_filename}.sig" \
+        --certificate-identity-regexp=".*" \
+        --certificate-oidc-issuer-regexp=".*" \
+        "/tmp/python-src/${cpython_tgz_filename}"; then
+        echo "(*) COSIGN signature verification successful"
+        return 0
+    else
+        echo "(!) COSIGN signature verification failed"
+        return 1
+    fi
+}
+
+# GPG verification for python versions < 3.14
+gpg_verification() {    
+    echo "(*) Using GPG signature verification..."
+    if [[ ${VERSION_CODENAME} = "centos7" ]] || [[ ${VERSION_CODENAME} = "rhel7" ]]; then
+        receive_gpg_keys_centos7 PYTHON_SOURCE_GPG_KEYS
+    else
+        receive_gpg_keys PYTHON_SOURCE_GPG_KEYS
+    fi
+    echo "Downloading ${cpython_tgz_filename}.asc..."
+    curl -sSL -o "/tmp/python-src/${cpython_tgz_filename}.asc" "${cpython_tgz_url}.asc"
+    gpg --verify "${cpython_tgz_filename}.asc"
+    echo "(*) GPG signature verification successful"
+}
+
 
 install_from_source() {
     VERSION=$1
@@ -496,6 +641,8 @@ install_from_source() {
     case ${VERSION_CODENAME} in
         centos7|rhel7)
             check_packages perl-IPC-Cmd
+            # Install Time::Piece Perl module required by OpenSSL 3.0.18+ build system
+            install_time_piece
             install_openssl3
             ADDL_CONFIG_ARGS="--with-openssl=${SSL_INSTALL_PATH} --with-openssl-rpath=${SSL_INSTALL_PATH}/lib"
             ;;
@@ -507,15 +654,27 @@ install_from_source() {
             install_prev_vers_cpython "${VERSION}"
         fi
     fi;
-    # Verify signature
-    if [[ ${VERSION_CODENAME} = "centos7" ]] || [[ ${VERSION_CODENAME} = "rhel7" ]]; then
-        receive_gpg_keys_centos7 PYTHON_SOURCE_GPG_KEYS
+
+    # Discontinuation of PGP signatures for releases of Python 3.14 or future versions
+    # CPython release artifacts are additionally signed with Sigstore starting with the Python 3.11.0
+    local major_version=$(echo "$VERSION" | cut -d. -f1)
+    local minor_version=$(echo "$VERSION" | cut -d. -f2)
+    echo "(*) Detected Python version: ${major_version}.${minor_version}"    
+    if (( major_version > 3 )) || { (( major_version == 3 )) && (( minor_version >= 14 )); }; then
+        echo "(*) Python 3.14+ detected. Attempting cosign verification..."
+        if cosign_verification "$VERSION"; then
+            echo "(*) COSIGN verification successful."
+        else
+            echo "(*) COSIGN verification failed or not available for Python ${VERSION}"
+            echo "(*) WARNING: Installing Python ${VERSION} without signature verification"
+            echo "(*) This is expected for newly released versions where cosign signatures are not yet available"
+            echo "(*) Python 3.14+ discontinued PGP signatures in favor of cosign, but cosign signatures may take time to be published"
+        fi
     else
-        receive_gpg_keys PYTHON_SOURCE_GPG_KEYS
+        echo "(*) Python < 3.14 detected. Using GPG signature verification..."
+        gpg_verification
+        echo "(*) GPG verification successful."
     fi
-    echo "Downloading ${cpython_tgz_filename}.asc..."
-    curl -sSL -o "/tmp/python-src/${cpython_tgz_filename}.asc" "${cpython_tgz_url}.asc"
-    gpg --verify "${cpython_tgz_filename}.asc"
 
     # Update min protocol for testing only - https://bugs.python.org/issue41561
     if [ -f /etc/pki/tls/openssl.cnf ]; then

test/azure-cli/install_azcli_dotnet_dockerindocker_trixie.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+# Import test library for `check` command
+source dev-container-features-test-lib
+
+check "version" az  --version
+
+check "docker installed" bash -c "type docker"
+
+# Report result
+reportResults