Error running git attestor when following the quick start guide

[MFry]

Hello, I am currently attempting to try out witness and followed the quick start guide, but I must be missing something because I am seeing this error

$ witness run -s build -k buildkey.pem -o build-attestation.json -- bash -c "echo 'hello' > hello.txt"
INFO    Using config file: .witness.yaml
INFO    Starting environment attestor...
INFO    Starting git attestor...
ERROR   Error running git attestor: repository does not exist
ERROR   failed to run attestors: repository does not exist

when trying to follow the witness example.

My system is a VM Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-25-generic x86_64)
The witness version I am trying to run is latest, witness_0.1.13-linux_amd64.tar.gz.
And within the quick start section I have done both the create a keypair and the same create a witness configuration

[omitted]/witness$ ls -la
total 28149
drwxrwxrwx 1 vagrant vagrant     4096 Jul 19 14:51 .
drwxrwxrwx 1 vagrant vagrant     8192 Jul 18 22:13 ..
-rwxrwxrwx 1 vagrant vagrant        0 Jul 19 14:51 build-attestation.json
-rwxrwxrwx 1 vagrant vagrant     1704 Jul 19 13:42 buildkey.pem
-rwxrwxrwx 1 vagrant vagrant      451 Jul 19 13:42 buildpublic.pem
-rwxrwxrwx 1 vagrant vagrant    11346 Jun 22 05:30 LICENSE
-rwxrwxrwx 1 vagrant vagrant    17005 Jun 22 05:30 README.md
-rwxrwxrwx 1 vagrant vagrant 28774400 Jun 22 05:32 witness
-rwxrwxrwx 1 vagrant vagrant      179 Jul 19 14:51 .witness.yaml

[mikhailswift]

Hi @MFry ! Thanks for this issue.

This is due to the fact that by default witness will attempt to run the git and environment attestors. If the git attestor runs outside of a git repo this will cause the error you're seeing.

A fix for this is to either disable the git attestor by passing in -a environment, disabling the git attestor, or running git init to create a git repo in your example directory.

Coincidentally this issue with our example and UX is something we are actively tracking.

[kriscoleman]

Hello @MFry and welcome! Thanks for all the wonderful information, it's very helpful.

It looks like the error you are experiencing is with out git attestor

This attestor is meant to cover a git repository, is the folder you are running your command from a part of a git repository? If not, you can try running git init which may address this.

Alternatively, you may be able to update your witness config if you don't require a git attestor.

Let us know if this helps or if you have any more questions! Happy securing 😄

[mikhailswift]

Beat ya to the punch, @kriscoleman 😆

[kriscoleman]

haha I was so close!

this is the second time I've seen this question this week, I propose we throw a issue on updating the documentation next iteration. Shoul be a 1 pter and help some people out

[MFry]

Thank you for the fast response @mikhailswift (1st place 😆 ) and @kriscoleman , I was hoping there would be a open/closed issue in github, but my search came up with nothing.

Regarding the configuration of witness config to disable the git attestor, what would that look like? I wasn't able to find anything about it in git attestor.

[update] It also seems like initializing an empty repo isn't enough

/vagrant/witness$ git init
Initialized empty Git repository in /vagrant/witness/.git/

/vagrant/witness$ ls -la
total 28153
drwxrwxrwx 1 vagrant vagrant     4096 Jul 19 19:20 .
drwxrwxrwx 1 vagrant vagrant     8192 Jul 18 22:13 ..
-rwxrwxrwx 1 vagrant vagrant        0 Jul 19 19:20 build-attestation.json
-rwxrwxrwx 1 vagrant vagrant     1704 Jul 19 13:42 buildkey.pem
-rwxrwxrwx 1 vagrant vagrant      451 Jul 19 13:42 buildpublic.pem
drwxrwxrwx 1 vagrant vagrant     4096 Jul 19 19:20 .git
-rwxrwxrwx 1 vagrant vagrant    11346 Jun 22 05:30 LICENSE
-rwxrwxrwx 1 vagrant vagrant    17005 Jun 22 05:30 README.md
-rwxrwxrwx 1 vagrant vagrant 28774400 Jun 22 05:32 witness
-rwxrwxrwx 1 vagrant vagrant      179 Jul 19 14:51 .witness.yaml

/vagrant/witness$ witness run -s build -k buildkey.pem -o build-attestation.json -- bash -c "echo 'hello' > hello.txt"
INFO    Using config file: .witness.yaml
INFO    Starting environment attestor...
INFO    Starting git attestor...
ERROR   Error running git attestor: reference not found 
ERROR   failed to run attestors: reference not found 

Additionally, the method of adding the extra flag, -a environment worked well.

Thanks again!

[mikhailswift]

[update] It also seems like initializing an empty repo isn't enough

Ah yeah, it looks like our git attestor expects at least one commit to use as a baseline.

We may need to make some adjustments to the git attestor to handle empty repos.

[tannerjones4075]

We have updated the documentation for the witness-example. If you want to dive into the example, check out the walkthrough here: https://github.com/testifysec/witness-examples/blob/main/keypair/README.md.

[kriscoleman]

@MFry thanks so much for creating this issue, we have also updated our git attestor so that it will gracefully handle an empty git repo, your feedback is much appreciated 😄