From af90e9907d64d125186276665358fa21f3ad5624 Mon Sep 17 00:00:00 2001
From: Andrew Halberstadt
Date: Fri, 30 Jan 2026 13:30:51 -0500
Subject: [PATCH 1/2] style: reformat with black
---
 src/scriptworker/cot/verify.py | 20 ++++++++++++++------
 src/scriptworker/ed25519.py | 6 ++++--
 2 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/src/scriptworker/cot/verify.py b/src/scriptworker/cot/verify.py
index fff8e772..bf701e51 100644
--- a/src/scriptworker/cot/verify.py
+++ b/src/scriptworker/cot/verify.py
@@ -719,8 +719,12 @@ async def download_cot_artifact(chain, task_id, path):
 link = chain.get_link(task_id)
 log.debug("Verifying {} is in {} cot artifacts...".format(path, task_id))
 if not link.cot:
- log.warning('Chain of Trust for "{}" in {} does not exist. See above log for more details. \
-Skipping download of this artifact'.format(path, task_id))
+ log.warning(
+ 'Chain of Trust for "{}" in {} does not exist. See above log for more details. \
+Skipping download of this artifact'.format(
+ path, task_id
+ )
+ )
 return
 if path not in link.cot["artifacts"]:
@@ -2101,7 +2105,8 @@ def verify_cot_cmdln(args=None, event_loop=None):
 """
 args = args or sys.argv[1:]
- parser = argparse.ArgumentParser(description="""Verify a given task's chain of trust.
+ parser = argparse.ArgumentParser(
+ description="""Verify a given task's chain of trust.
 Given a task's `task_id`, get its task definition, then trace its chain of trust back to the tree. This doesn't verify chain of trust artifact signatures,
@@ -2113,7 +2118,8 @@ def verify_cot_cmdln(args=None, event_loop=None):
 or in the CREDS_FILES http://bit.ly/2fVMu0A If you are verifying against a private github repo, please also set in environment
-SCRIPTWORKER_GITHUB_OAUTH_TOKEN to an OAUTH token with read permissions to the repo""")
+SCRIPTWORKER_GITHUB_OAUTH_TOKEN to an OAUTH token with read permissions to the repo"""
+ )
 parser.add_argument("task_id", help="the task id to test")
 parser.add_argument("--task-type", help="the task type to test", choices=sorted(get_valid_task_types().keys()), required=True)
 parser.add_argument("--cleanup", help="clean up the temp dir afterwards", dest="cleanup", action="store_true", default=False)
@@ -2180,13 +2186,15 @@ def create_test_workdir(args=None, event_loop=None):
 """
 args = args or sys.argv[1:]
- parser = argparse.ArgumentParser(description="""Populate a test `work_dir`.
+ parser = argparse.ArgumentParser(
+ description="""Populate a test `work_dir`.
 Given a scriptworker task's `task_id`, get its task definition, write it to `./work/task.json`, then download its `upstreamArtifacts` and put them in `./work/cot/TASK_ID/PATH`.
-This is helpful in manually testing a *script run.""")
+This is helpful in manually testing a *script run."""
+ )
 parser.add_argument("--path", help="relative path to the work_dir", default="work")
 parser.add_argument("--overwrite", help="overwrite an existing work_dir", action="store_true")
 parser.add_argument("task_id", help="the task id to test")
diff --git a/src/scriptworker/ed25519.py b/src/scriptworker/ed25519.py
index caf67672..e5d1513c 100644
--- a/src/scriptworker/ed25519.py
+++ b/src/scriptworker/ed25519.py
@@ -141,11 +141,13 @@ def verify_ed25519_signature_cmdln(args=None, exception=SystemExit):
 """
 args = args or sys.argv[1:]
- parser = argparse.ArgumentParser(description="""Verify an ed25519 signature from the command line.
+ parser = argparse.ArgumentParser(
+ description="""Verify an ed25519 signature from the command line.
 Given a file and its detached signature, verify that it has been signed with a valid key. This key can be specified on the command line; otherwise we'll
-default to ``config['ed25519_public_keys']``.""")
+default to ``config['ed25519_public_keys']``."""
+ )
 parser.add_argument("--pubkey", help="path to a base64-encoded ed25519 pubkey, optional")
 parser.add_argument("file_path")
 parser.add_argument("sig_path")
From d22b0474779e8c7274cb353101460cb6654d3b51 Mon Sep 17 00:00:00 2001
From: Andrew Halberstadt
Date: Fri, 30 Jan 2026 13:26:52 -0500
Subject: [PATCH 2/2] fix: remove misleading error about docker-worker artifacts
We're no longer using docker-worker, so this error message is misleading. Update it with actual useful advice.
---
 src/scriptworker/cot/verify.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/scriptworker/cot/verify.py b/src/scriptworker/cot/verify.py
index bf701e51..1867cfdd 100644
--- a/src/scriptworker/cot/verify.py
+++ b/src/scriptworker/cot/verify.py
@@ -728,12 +728,12 @@ async def download_cot_artifact(chain, task_id, path):
 return
 if path not in link.cot["artifacts"]:
+ cot_url = get_artifact_url(chain.context, link.task_id, "public/chain-of-trust.json")
 raise CoTError(
- "path {path} not in {link_name} {task_id} chain of trust artifacts! This is likely "
- "a bug in {task_id}: docker-worker does not fail if a declared artifact was never "
- "generated by the task. Please download and make sure the artifact {path} is the "
- "one you expect. If it is, then please reach out to the Release Engineering "
- "team. For more information: https://github.com/taskcluster/taskgraph/issues/47".format(path=path, link_name=link.name, task_id=link.task_id)
+ "path {path} not in {link_name} {task_id} chain of trust artifacts! Verify {path} "
+ "is correct, was produced by task {task_id}, and is listed in {cot_url}".format(
+ path=path, link_name=link.name, task_id=link.task_id, cot_url=cot_url
+ )
 )
 url = get_artifact_url(chain.context, task_id, path)
 loggable_url = get_loggable_url(url)
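Review bot: `cot_url` goes into the CoTError message exactly as `get_artifact_url` returns it, whereas the artifact URL built right after the raise is converted with `get_loggable_url` on the next line. For a `public/` path the URL presumably carries no signed query string, but that is not visible in this hunk, and exception text usually ends up in logs; `cot_url = get_loggable_url(get_artifact_url(chain.context, link.task_id, "public/chain-of-trust.json"))` would keep the two paths consistent. The message could also state plainly that `{path}` is not listed in the task's chain of trust artifacts and is therefore not being downloaded, since that is the condition this branch checks. download_cot_artifact starts and ends outside the hunk.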