Trouble signing #35

Closed
dvogeldev opened this issue Apr 18, 2023 · 1 comment

@dvogeldev

The README is a bit vague. I forked the repo, cloned it to local. `cosign generate-key-pair` > pushed changes to GitHub. Added repo key to Settings > Security > Actions with the title `COSIGN_PRIVATE_KEY`. It builds an image, but fails on SIGN CONTAINER IMAGE.

The TLDR debug msg:

```
Run echo "***
654 cosign.key
Error: signing [ghcr.io/dvogeldev/boxkit@sha256:ccb6142c9fd622bcefba11242614588da900c335c0343b4ff12ef03aeb926f89]: getting signer: reading key: decrypt: encrypted: decryption failed
main.go:74: error during command execution: signing [ghcr.io/dvogeldev/boxkit@sha256:ccb6142c9fd622bcefba11242614588da900c335c0343b4ff12ef03aeb926f89]: getting signer: reading key: decrypt: encrypted: decryption failed
Error: Process completed with exit code 1.
```

**What am I doing wrong?** 

A newb for sure when it comes to containers and cloud workflow. 
Thanks for all the hard work with UBlue-OS.

The full debug log:

```
Run echo "***
  echo "***
  ***
  ***
  ***
  ***
  ***
  ***
  ***
  ***
  ***
  ***
  " > cosign.key
  wc -c cosign.key
  cosign sign -y --key cosign.key ghcr.io/dvogeldev/boxkit@${TAGS}
  shell: /usr/bin/bash -e {0}
  env:
    IMAGE_NAME: boxkit
    IMAGE_TAGS: latest
    IMAGE_REGISTRY: ghcr.io/dvogeldev
    DOCKER_METADATA_OUTPUT_VERSION: main
    DOCKER_METADATA_OUTPUT_TAGS: boxkit:main
    DOCKER_METADATA_OUTPUT_LABELS: org.opencontainers.image.title=boxkit
  org.opencontainers.image.description=
  org.opencontainers.image.url=https://github.com/dvogeldev/boxkit
  org.opencontainers.image.source=https://github.com/dvogeldev/boxkit
  org.opencontainers.image.version=main
  org.opencontainers.image.created=2023-04-18T12:47:51.651Z
  org.opencontainers.image.revision=b39241d778c66af5e5b994389fb2ca3b4d25e6d2
  org.opencontainers.image.licenses=Apache-2.0
  io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/boxkit/main/README.md
    DOCKER_METADATA_OUTPUT_JSON: {"tags":["boxkit:main"],"labels":{"org.opencontainers.image.title":"boxkit","org.opencontainers.image.description":"","org.opencontainers.image.url":"https://github.com/dvogeldev/boxkit","org.opencontainers.image.source":"https://github.com/dvogeldev/boxkit","org.opencontainers.image.version":"main","org.opencontainers.image.created":"2023-04-18T12:47:51.651Z","org.opencontainers.image.revision":"b39241d778c66af5e5b994389fb2ca3b4d25e6d2","org.opencontainers.image.licenses":"Apache-2.0","io.artifacthub.package.readme-url":"https://raw.githubusercontent.com/ublue-os/boxkit/main/README.md"}}
    DOCKER_METADATA_OUTPUT_BAKE_FILE: /tmp/docker-actions-toolkit-8x5QTj/docker-metadata-action-bake.json
    TAGS: sha256:ccb6142c9fd622bcefba11242614588da900c335c0343b4ff12ef03aeb926f89
    COSIGN_EXPERIMENTAL: false
    COSIGN_PRIVATE_KEY: ***

654 cosign.key
Error: signing [ghcr.io/dvogeldev/boxkit@sha256:ccb6142c9fd622bcefba11242614588da900c335c0343b4ff12ef03aeb926f89]: getting signer: reading key: decrypt: encrypted: decryption failed
main.go:74: error during command execution: signing [ghcr.io/dvogeldev/boxkit@sha256:ccb6142c9fd622bcefba11242614588da900c335c0343b4ff12ef03aeb926f89]: getting signer: reading key: decrypt: encrypted: decryption failed
Error: Process completed with exit code 1.
```

@dvogeldev

SOLUTION:

This issue was created by not using the declared variables from the github workflow.

```yaml
env:
  TAGS: ${{ steps.push.outputs.digest }}
  COSIGN_EXPERIMENTAL: false
  COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
```

Using the cosign command `cosign generate-key-pair github://myUser/myRepo` with the following environment variables:

```shell
export GITHUB_TOKEN=ghp_xyz123
export COSIGN_PASSWORD=pwd123
```

I was able to automatically add secrets to my GitHub repo. I still needed to change a couple of workflow environment variables.

```yaml
env:
  TAGS: ${{ steps.push.outputs.digest }}
  COSIGN_EXPERIMENTAL: false
  COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
  COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
```

I was able to figure this out referencing Sign Your Container Images with Cosign Github Actions and Container Registry
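
A pre-flight check for the failure in this thread, as an added example that is not part of the issue or of the boxkit workflow: it reports which input is missing before `cosign sign` stops at `decrypt: encrypted: decryption failed`. The function name and exit codes are hypothetical; the PEM type strings are the ones cosign uses for encrypted private keys.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper, not from the boxkit workflow).
# Checks the two inputs a key-pair signing step needs before calling cosign.
# Return codes: 0 = ready, 1 = key file missing or empty,
#               2 = not a complete encrypted cosign key, 3 = COSIGN_PASSWORD not set
cosign_key_preflight() {
  local key_file="$1" first last
  if [ ! -s "$key_file" ]; then
    echo "preflight: $key_file is missing or empty (is the key secret mapped into env?)" >&2
    return 1
  fi
  # Ignore CRs and blank lines when locating the PEM header and footer,
  # so a secret pasted with CRLF or trailing newlines is still recognised.
  first="$(tr -d '\r' < "$key_file" | grep -v '^[[:space:]]*$' | head -n 1)"
  last="$(tr -d '\r' < "$key_file" | grep -v '^[[:space:]]*$' | tail -n 1)"
  case "$first" in
    "-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----"|"-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----") ;;
    *) echo "preflight: $key_file does not start with an encrypted cosign key header" >&2
       return 2 ;;
  esac
  case "$last" in
    "-----END ENCRYPTED COSIGN PRIVATE KEY-----"|"-----END ENCRYPTED SIGSTORE PRIVATE KEY-----") ;;
    *) echo "preflight: $key_file has no END line (truncated secret?)" >&2
       return 2 ;;
  esac
  # An empty password is valid if the key was generated with one,
  # so test for "set", not for "non-empty".
  if [ -z "${COSIGN_PASSWORD+set}" ]; then
    echo "preflight: COSIGN_PASSWORD is not set, cosign cannot decrypt the key" >&2
    return 3
  fi
  return 0
}
```

In a workflow step, call it after writing `cosign.key` and before `cosign sign`. A secret that is referenced in `env:` but not defined in the repository arrives as an empty string, so it passes the "set" check and still fails at decryption.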
