[bug] Creating and signing provenance fails because retrieving signed certificate fails. #1163
Comments
jenstroeger
added
status:triage
|
And v1.2.1 fails with which isn’t documented. So based on the src I guess I need to use with:
private-repository: trueand that means that the name of the repository “leaks”… where’s that transparency log accessible? |
Yeah, forgetting to add that to the docs was an oversight on our part. The reason for it is that the repository name is uploaded as part of the transparency log entry on the public Rekor instance (rekor.sigstore.dev) and can be found via the Rekor API. This might be considered a "leak" if the repo is private but you can explicitly opt-in if you are ok with that. I will create a PR to document it today. For those who don't want repo names to leak on the public Rekor instance, we have an issue to track support for using a private Rekor instance (#34) and we may prioritize adding that now that Rekor 1.0 was released and the API and public instance will hopefully be a bit more stable. It's been a big concern for us so we've been working with that team to figure out ways to catch issues earlier so they don't end up affecting users. |
|
Thanks for the feedback. We'll try to adhere to semantic versioning better going forward. |
ianlewis
changed the title
ianlewis
added
type:documentation
|
@ianlewis what are you saying? That you folks intentionally broke v1.2.0? You’ve changed this issue to a documentation change… what’s with the invalid key that breaks the generator? |
|
I'm saying that the However, since it wasn't a simple bugfix upgrade from v1.2.0 to v1.2.1 without adding that input we probably should have set the version at 1.3.0 to indicate that.
|
|
Regarding v1.2.0: is that version dead and deprecated, or is it supposed to be functioning (because it isn’t, hence this bug report). |
|
Ok, I see. Sorry for the confusion. Yes. Version v1.2.0 is broken for reasons that are outside the scope of this project and is not likely to get fixed. I'll try to add some more doc to communicate that better. |
So… the supply chain tools are broken by their own supply chain? And by being broken as v1.2.0 is it itself becomes a faulty link in the software supply chain. Ironic. |
Indeed... We're working with them to improve things and catch them before they become a problem but they've been moving fast... |
|
I added a note to the v1.2.0 release indicating that users should upgrade. |
|
Frankly, that’s very disagreeable and frustrating 🙁 I suggest keeping the title of this issue as it was so people who still use v1.2.0 and who will now run into this problem can find this issue. Adding documentation to the v1.2.1 docs regarding the |
ianlewis
changed the title
|
Ok, I'll create a separate issue for that. Sorry for all the confusion. I misunderstood your core problem and thought this was more of a documentation issue. |
|
@jenstroeger Were you able to try it with v1.2.1? I'm now seeing failures like yours for v1.2.1 as well... https://github.com/slsa-framework/slsa-github-generator/actions/runs/3334679611/jobs/5517919607 (not sure if you can actually see that url but just adding for posterity) The workaround seems to be to add with:
compile-generator: true |
|
@jenstroeger Yeah, I'll probably just go ahead and document it (#1166). It was really only meant for our pre-submit tests because this kind of issue with Rekor is never supposed to happen but here we are... |
I can chime in very quick but am travelling after a conference :| Sigstore was using a non-compliant TUF rootversion, and a compliant version got pushed last night to the remote repository. The old libs sigstore (Go) was using to get the root verification material did not support compliant versions. I can update later, but this problem wasn't detected in our release workflows because we don't test sigstore root layouts (@kpk47 testing against pre-prod would have caught these issues, but only given us a 3 day window to fix issues). Sigstore's TUF root is inherently moving and has breaking changes because of using broken underlying libraries. We'll be able to fix, at least, I can relay and have plans to push the TUF root changes to staging (which gives a lot more of a window than pre-prod). More info: |
ianlewis
added
type:bug
|
Getting the same kind of errors with the go builder for a private repository: Referencing either v1.2.2 or main results in: Referencing v1.2.1 results in: |
|
@gal-legit 1.2.2 is a pre-release and not intended to be used until it's been fully released. We should probably clarify a bit in the docs but pre-releases are needed for our release process and aren't "beta" releases or anything. They are not-fully baked or tested. |
For this, see the above thread, but adding the |
Due to a breaking change in rekor for their GA announcement, the builders need a temporary workaround to avoid building failure. (slsa-framework/slsa-github-generator#1163)
Sigstore made a breaking change as part of their recent GA announcement. We need a temporary fix to avoid builder failure (see slsa-framework/slsa-github-generator#1163)
Sigstore made a breaking change as part of their recent GA announcement. We need a temporary fix to avoid builder failure (see slsa-framework/slsa-github-generator#1163) /cc @asraa
Sigstore made a breaking change as part of their recent GA announcement. We need a temporary fix to avoid builder failure (see slsa-framework/slsa-github-generator#1163) /cc @asraa
* Temporary fix for SLSA generators Sigstore made a breaking change as part of their recent GA announcement. We need a temporary fix to avoid builder failure (see slsa-framework/slsa-github-generator#1163) /cc @asraa * Update build.yml
Sigstore made a breaking change as part of their recent GA announcement. We need a temporary fix to avoid builder failure (see slsa-framework/slsa-github-generator#1163) /cc @asraa
Fixes ko-build#978 Uses the `attestation-name` output from `generator_generic_slsa3.yml` to get the artifact name to download. Also removes the `compile-generator` input as slsa-framework/slsa-github-generator#1163 was fixed. Signed-off-by: Ian Lewis <ianmlewis@gmail.com>
Fixes ko-build#978 Uses the `attestation-name` output from `generator_generic_slsa3.yml` to get the artifact name to download. Also removes the `compile-generator` input as slsa-framework/slsa-github-generator#1163 was fixed. Signed-off-by: Ian Lewis <ianmlewis@gmail.com>
Fixes ko-build#978 Uses the `attestation-name` output from `generator_generic_slsa3.yml` to get the artifact name to download. Also removes the `compile-generator` input as slsa-framework/slsa-github-generator#1163 was fixed. Signed-off-by: Ian Lewis <ianmlewis@gmail.com>
Fixes #978 Uses the `attestation-name` output from `generator_generic_slsa3.yml` to get the artifact name to download. Also removes the `compile-generator` input as slsa-framework/slsa-github-generator#1163 was fixed. Signed-off-by: Ian Lewis <ianmlewis@gmail.com>
|
This is happening again, starting today... @ianlewis |
Yeah, Sigstore updates their TUF root keys for the public instance and expects everyone to upgrade to their latest version of the sigstore client. It makes it a bit difficult for downstream users like us to keep up or even know when breakages are coming (even when we are a sigstore adjacent project...) |
Describe the bug
Creating signed provenance fails with
To Reproduce
This happens in a private repository, based on the this job:
Expected behavior
Finish successfully.
Screenshots
Additional context
I’m going to be honest: I’m trying to convince people in my org to integrate SLSA into the CI and build processes, but it’s getting harder when the actions break with different issues every other week.
I just updated to v1.2.1 and hope that’ll work.
The text was updated successfully, but these errors were encountered: