From 5c2f95437e589e5db1aa5cbdd3dea523572703b1 Mon Sep 17 00:00:00 2001
From: Roger Luethi
Date: Mon, 18 May 2026 13:53:20 +0200
Subject: [PATCH] build: add cosign 409 diagnostic message
When cosign sign exits non-zero with a createLogEntryConflict HTTP 409 response, the raw error message from Rekor gives no indication of why the retry will also fail or what to do next. This can happen when Rekor accepts the signing bundle but the subsequent OCI .sig push fails transiently; any retry of the full cosign sign command then sees a duplicate Rekor entry and exits rc=1 permanently. Wrap the cosign call so that on failure the output is checked for the createLogEntryConflict string. When found, a NOTE is printed that points to the upstream cosign bug and explains that the next build will succeed because it produces a fresh image digest. The build still fails with the original non-zero exit code; no behaviour change for any other cosign error.
Upstream: https://github.com/sigstore/cosign/issues/4711
AI-assisted: Claude Code
Signed-off-by: Roger Luethi
---
 playbooks/build.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/playbooks/build.yml b/playbooks/build.yml
index 8268c0de..998a73a5 100644
--- a/playbooks/build.yml
+++ b/playbooks/build.yml
@@ -128,7 +128,19 @@
 curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
 chmod +x cosign-linux-amd64
- ./cosign-linux-amd64 sign --yes --key env://COSIGN_PRIVATE_KEY "$repository:$version"
+ set +e
+ ./cosign-linux-amd64 sign --yes --key env://COSIGN_PRIVATE_KEY "$repository:$version" 2>&1 | tee cosign-output.txt
+ cosign_rc=${PIPESTATUS[0]}
+ set -e
+ if [[ $cosign_rc -ne 0 ]]; then
+ if grep -q "createLogEntryConflict" cosign-output.txt 2>/dev/null; then
+ echo "NOTE: https://github.com/sigstore/cosign/issues/4711 --"
+ echo " Rekor accepted the signing bundle but the OCI .sig push then failed,"
+ echo " causing this retry to see a duplicate Rekor entry. The next build"
+ echo " will produce a fresh image digest and sign successfully."
+ fi
+ exit $cosign_rc
+ fi
 when: push_image | default(false) | bool
 changed_when: true
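Review bot: The capture file `cosign-output.txt` on the tee line is a fixed name in the task's working directory and is never removed, so everything cosign wrote to stdout and stderr for that run stays behind after the task, and a stale copy from an earlier run would be matched by the grep if tee ever failed to recreate it (the `2>/dev/null` on the grep line hides exactly that case). Capturing into a `mktemp` file with cleanup keeps the diagnostic self-contained: `cosign_out=$(mktemp) && trap 'rm -f -- "$cosign_out"' EXIT`, then `| tee "$cosign_out"` and `grep -q createLogEntryConflict "$cosign_out"`. The NOTE text could also state that the image presumably already pushed under `$repository:$version` has no signature in the registry until the next build re-signs it, since that is what an operator verifying the tag will observe in the meantime. The new lines depend on `PIPESTATUS` and `[[ ]]`, so the task must run under bash; the task's executable setting is outside the hunk, so confirm it is not `/bin/sh`. The `shell:` task enclosing these lines starts outside the hunk.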