Fail to install tools because of the error of Cosign #2759
Labels
bug
Something isn't working
Comments
About aqua-installer, we solve this issue by disabling cosign verification temporarily.

What to do when you face the issue

```sh
export AQUA_DISABLE_COSIGN=true
export AQUA_DISABLE_SLSA=true
```

GitHub Actions Workflows

```yaml
env:
  AQUA_DISABLE_COSIGN: "true"
  AQUA_DISABLE_SLSA: "true"
```
We're working on upgrading Cosign to v2, but it is being blocked by slsa-framework/slsa-github-generator#3350.
This was referenced Mar 20, 2024
v2.25.1 is out 🎉
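The workaround in this thread turns off signature and provenance verification, so it is worth checking that it does not linger in a repository or a CI environment. The script below is an added example, not code from aqua or from this thread; the function names, the sample tree, and the rule that only the value `true` counts as a bypass are assumptions.

```shell
#!/bin/sh
# Added example (not aqua's code): report where Cosign / SLSA verification
# has been switched off with the workaround from this issue.
# Assumption: only the value "true", as shown in the issue, counts as a bypass.
BYPASS_RE='AQUA_DISABLE_(COSIGN|SLSA)[[:space:]]*[:=][[:space:]]*["'\'']?[Tt][Rr][Uu][Ee]'

# Print "file:line:text" for each live (non-comment) setting under a directory.
find_aqua_bypass() {
  find "${1:-.}" -type f \( -name '*.yml' -o -name '*.yaml' -o -name '*.sh' \) \
    -exec grep -nE "$BYPASS_RE" /dev/null {} + 2>/dev/null |
    grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' || true
}

# Print NAME=value for each bypass variable set in the current environment.
env_bypass_active() {
  for name in AQUA_DISABLE_COSIGN AQUA_DISABLE_SLSA; do
    eval "value=\${$name:-}"
    case $value in
      [Tt][Rr][Uu][Ee]) echo "$name=$value" ;;
    esac
  done
}

# Return 1 (listing the findings on stderr) if verification is disabled anywhere.
check_aqua_verification() {
  hits=$(find_aqua_bypass "${1:-.}"; env_bypass_active)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits" >&2
    return 1
  fi
}

# Constructed sample tree: one live bypass, one commented-out line, one clean file.
make_sample_repo() {
  root=$(mktemp -d)
  mkdir -p "$root/.github/workflows"
  cat > "$root/.github/workflows/ci.yaml" <<'EOF'
env:
  AQUA_DISABLE_COSIGN: "true"
  # AQUA_DISABLE_SLSA: "true"
EOF
  printf 'export AQUA_DISABLE_SLSA=false\n' > "$root/setup.sh"
  echo "$root"
}

# Typical CI use: check_aqua_verification "$GITHUB_WORKSPACE" || exit 1
```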
renovate bot referenced this issue in DelineaXPM/terraform-provider-dsv, Jul 1, 2024

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout) | action | digest | `b4ffde6` -> `692973e` |
| [aquaproj/aqua-installer](https://togithub.com/aquaproj/aqua-installer) | action | minor | `v2.2.0` -> `v2.3.2` |

---

### Release Notes

<details>
<summary>aquaproj/aqua-installer (aquaproj/aqua-installer)</summary>

### [`v2.3.2`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.3.2)

[Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.3.1...v2.3.2)

[#607](https://togithub.com/aquaproj/aqua-installer/issues/607) export environment variable `AQUA_DISABLE_COSIGN` and `AQUA_DISABLE_SLSA`

[https://github.com/aquaproj/aqua/issues/2759](https://togithub.com/aquaproj/aqua/issues/2759)

To disable Cosign and slsa-verifier on subsequent steps.

### [`v2.3.1`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.3.1)

[Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.3.0...v2.3.1)

[#605](https://togithub.com/aquaproj/aqua-installer/issues/605) Disable Cosign and slsa-verifier

Until we will finish upgrading Cosign to v2, we disable Cosign and slsa-verifier.

[https://github.com/aquaproj/aqua/issues/1665#issuecomment-2008588288](https://togithub.com/aquaproj/aqua/issues/1665#issuecomment-2008588288)

### [`v2.3.0`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.3.0)

[Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.2.0...v2.3.0)

[Issues](https://togithub.com/aquaproj/aqua-installer/issues?q=is%3Aissue+milestone%3Av2.3.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-installer/pulls?q=is%3Apr+milestone%3Av2.3.0) | aquaproj/aqua-installer@v2.2.0...v2.3.0

#### Features

[#580](https://togithub.com/aquaproj/aqua-installer/issues/580) Support disabling the verification with Cosign and SLSA Provenance

> [!CAUTION]
> This feature is for users who can't use Cosign and slsa-verifier.
> Most users can use them, so most users don't need this feature.
> aqua installs Cosign and slsa-verifier internally, so you don't need to install them yourself.
> If you can use Cosign and slsa-verifier, you should not disable them because they are important for security.

The bootstrap version is updated to [aqua v2.22.0](https://togithub.com/aquaproj/aqua/releases/tag/v2.22.0). From this version, [aqua supports disabling the verification with Cosign and SLSA Provenance](https://aquaproj.github.io/docs/reference/security/cosign-slsa#disable-the-verification-with-cosign-and-slsa-provenance).

To disable the verification with Cosign and SLSA Provenance when you install aqua with aqua-installer, please set the environment variables `AQUA_DISABLE_COSIGN` and `AQUA_DISABLE_SLSA`.

```sh
export AQUA_DISABLE_COSIGN=true
export AQUA_DISABLE_SLSA=true
./aqua-installer
```

```yaml
- uses: aquaproj/aqua-installer@v2.3.0
  with:
    aqua_version: v2.22.0
  env:
    AQUA_DISABLE_COSIGN: "true"
    AQUA_DISABLE_SLSA: "true"
```

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekday" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/DelineaXPM/terraform-provider-dsv).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate bot referenced this issue in DelineaXPM/dsv-github-action, Jul 18, 2024

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout) | action | digest | `b4ffde6` -> `692973e` |
| [aquaproj/aqua-installer](https://togithub.com/aquaproj/aqua-installer) | action | minor | `v2.0.2` -> `v2.3.2` |
| [docker/login-action](https://togithub.com/docker/login-action) | action | digest | `343f7c4` -> `0d4c9c5` |

---

### Release Notes

<details>
<summary>aquaproj/aqua-installer (aquaproj/aqua-installer)</summary>

### [`v2.3.2`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.3.2)

[Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.3.1...v2.3.2)

[#607](https://togithub.com/aquaproj/aqua-installer/issues/607) export environment variable `AQUA_DISABLE_COSIGN` and `AQUA_DISABLE_SLSA`

[https://github.com/aquaproj/aqua/issues/2759](https://togithub.com/aquaproj/aqua/issues/2759)

To disable Cosign and slsa-verifier on subsequent steps.

### [`v2.3.1`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.3.1)

[Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.3.0...v2.3.1)

[#605](https://togithub.com/aquaproj/aqua-installer/issues/605) Disable Cosign and slsa-verifier

Until we will finish upgrading Cosign to v2, we disable Cosign and slsa-verifier.

[https://github.com/aquaproj/aqua/issues/1665#issuecomment-2008588288](https://togithub.com/aquaproj/aqua/issues/1665#issuecomment-2008588288)

### [`v2.3.0`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.3.0)

[Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.2.0...v2.3.0)

[Issues](https://togithub.com/aquaproj/aqua-installer/issues?q=is%3Aissue+milestone%3Av2.3.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-installer/pulls?q=is%3Apr+milestone%3Av2.3.0) | aquaproj/aqua-installer@v2.2.0...v2.3.0

#### Features

[#580](https://togithub.com/aquaproj/aqua-installer/issues/580) Support disabling the verification with Cosign and SLSA Provenance

> [!CAUTION]
> This feature is for users who can't use Cosign and slsa-verifier.
> Most users can use them, so most users don't need this feature.
> aqua installs Cosign and slsa-verifier internally, so you don't need to install them yourself.
> If you can use Cosign and slsa-verifier, you should not disable them because they are important for security.

The bootstrap version is updated to [aqua v2.22.0](https://togithub.com/aquaproj/aqua/releases/tag/v2.22.0). From this version, [aqua supports disabling the verification with Cosign and SLSA Provenance](https://aquaproj.github.io/docs/reference/security/cosign-slsa#disable-the-verification-with-cosign-and-slsa-provenance).

To disable the verification with Cosign and SLSA Provenance when you install aqua with aqua-installer, please set the environment variables `AQUA_DISABLE_COSIGN` and `AQUA_DISABLE_SLSA`.

```sh
export AQUA_DISABLE_COSIGN=true
export AQUA_DISABLE_SLSA=true
./aqua-installer
```

```yaml
- uses: aquaproj/aqua-installer@v2.3.0
  with:
    aqua_version: v2.22.0
  env:
    AQUA_DISABLE_COSIGN: "true"
    AQUA_DISABLE_SLSA: "true"
```

### [`v2.2.0`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.2.0)

[Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.1.3...v2.2.0)

[Issues](https://togithub.com/aquaproj/aqua-installer/issues?q=is%3Aissue+milestone%3Av2.2.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-installer/pulls?q=is%3Apr+milestone%3Av2.2.0) | aquaproj/aqua-installer@v2.1.3...v2.2.0

##### Features

[#365](https://togithub.com/aquaproj/aqua-installer/issues/365) [#550](https://togithub.com/aquaproj/aqua-installer/issues/550) [#551](https://togithub.com/aquaproj/aqua-installer/issues/551) Output the guide to set the environment variable `PATH`

`aqua-installer` outputs the following guide.

```
===============================================================
[INFO] aqua is installed into /root/.local/share/aquaproj-aqua/bin/aqua
[INFO] Please add the path to the environment variable "PATH"
[INFO] export PATH=${AQUA_ROOT_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/aquaproj-aqua}/bin:$PATH
===============================================================
```

[#551](https://togithub.com/aquaproj/aqua-installer/issues/551) Use wget if curl isn't found

### [`v2.1.3`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.1.3)

[Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.1.2...v2.1.3)

[Issues](https://togithub.com/aquaproj/aqua-installer/issues?q=is%3Aissue+milestone%3Av2.1.3) | [Pull Requests](https://togithub.com/aquaproj/aqua-installer/pulls?q=is%3Apr+milestone%3Av2.1.3) | aquaproj/aqua-installer@v2.1.2...v2.1.3

[#545](https://togithub.com/aquaproj/aqua-installer/issues/545) Update the bootstrap version to v2.16.4

To support aqua v2.17.0 or later on Windows.

https://github.com/aquaproj/aqua/releases/tag/v2.16.1

> To upgrade aqua to v2.17.0 or later on Windows, you need to upgrade aqua to v2.16.1 or later first.

### [`v2.1.2`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.1.2)

[Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.1.1...v2.1.2)

[Issues](https://togithub.com/aquaproj/aqua-installer/issues?q=is%3Aissue+milestone%3Av2.1.2) | [Pull Requests](https://togithub.com/aquaproj/aqua-installer/pulls?q=is%3Apr+milestone%3Av2.1.2) | aquaproj/aqua-installer@v2.1.1...v2.1.2

##### Fixes

[#432](https://togithub.com/aquaproj/aqua-installer/issues/432) Fix typo

[#461](https://togithub.com/aquaproj/aqua-installer/issues/461) [#463](https://togithub.com/aquaproj/aqua-installer/issues/463) Fix a bug that action doesn't work in a container

##### Fix a bug that action doesn't work in a container

[#461](https://togithub.com/aquaproj/aqua-installer/issues/461) [#463](https://togithub.com/aquaproj/aqua-installer/issues/463)

GitHub Actions supports running a job in a container.

https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container

But in a container the variable `${{ github.action_path }}` is wrong, so action can't access the script `aqua-installer`. This is a known issue of GitHub Actions.

- [https://github.com/actions/runner/issues/2185](https://togithub.com/actions/runner/issues/2185)

To solve the issue, we copy the content of the script `aqua-installer` into action itself, then action don't have to access the script `aqua-installer`.

### [`v2.1.1`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.1.1)

[Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.1.0...v2.1.1)

[Issues](https://togithub.com/aquaproj/aqua-installer/issues?q=is%3Aissue+milestone%3Av2.1.1) | [Pull Requests](https://togithub.com/aquaproj/aqua-installer/pulls?q=is%3Apr+milestone%3Av2.1.1) | aquaproj/aqua-installer@v2.1.0...v2.1.1

##### Others

[#411](https://togithub.com/aquaproj/aqua-installer/issues/411) Update the bootstrapping aqua v1.26.2 to v2.2.3

This update enables to verify prerelease versions by Cosign and slsa-verifier.

ref. https://aquaproj.github.io/docs/reference/upgrade-guide/v2/change-semver

### [`v2.1.0`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.1.0)

[Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.0.2...v2.1.0)

[Issues](https://togithub.com/aquaproj/aqua-installer/issues?q=is%3Aissue+milestone%3Av2.1.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-installer/pulls?q=is%3Apr+milestone%3Av2.1.0) | aquaproj/aqua-installer@v2.0.2...v2.1.0

#### Features

[#403](https://togithub.com/aquaproj/aqua-installer/issues/403) Add an input `policy_allow` to run `aqua policy allow`

aqua >= v2.3.0

If `policy_allow` is `true`, `aqua policy allow` command is run. If a Policy file path is set, `aqua policy allow "${{inputs.policy_allow}}"` is run.

##### See also

- [Tutorial](https://aquaproj.github.io/docs/guides/policy-as-code)
- [Reference](https://aquaproj.github.io/docs/reference/security/policy-as-code)
- [Reference - Git Repository root's policy file and policy commands](https://aquaproj.github.io/docs/reference/security/policy-as-code/git-policy)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekday" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/DelineaXPM/dsv-github-action).

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Sheldon Hull <sheldonhull@users.noreply.github.com>
aqua info
aqua v2.25.0
Overview
aqua uses Cosign v1.
https://aquaproj.github.io/docs/reference/security/cosign-slsa/#verify-packages-with-cosign
Recently, Sigstore has published a new TUF trust root.
https://sigstore.slack.com/archives/C01DGF0G8U9/p1710871645742299
https://blog.sigstore.dev/tuf-root-update/
A new TUF trust root doesn't support Cosign v1 but aqua is still using Cosign v1, so aqua fails to install tools which enable Cosign verification.
Due to the issue, aqua-installer can't install aqua.
To solve the issue, we have two options.
How to reproduce
Run aqua-installer or `aqua update-aqua`.
Debug output
Expected behaviour
aqua and aqua-installer can install tools.
Actual behaviour
It fails to install tools.
https://github.com/aquaproj/aqua-registry/actions/runs/8355302244/job/22870132650
Note
No response