Upgrade Cosign to v2.0 #1665

suzuki-shunsuke · 2023-02-25T06:03:56Z

Lines 1 to 13 in d7d89dc

    
           package cosign 
        
           const Version = "v1.13.1" 
        
           func Checksums() map[string]string { 
        
           	return map[string]string{ 
        
           		"darwin/amd64":  "1d164b8b1fcfef1e1870d809edbb9862afd5995cab63687a440b84cca5680ecf", 
        
           		"darwin/arm64":  "02bef878916be048fd7dcf742105639f53706a59b5b03f4e4eaccc01d05bc7ab", 
        
           		"linux/amd64":   "a50651a67b42714d6f1a66eb6773bf214dacae321f04323c0885f6a433051f95", 
        
           		"linux/arm64":   "a7a79a52c7747e2c21554cad4600e6c7130c0429017dd258f9c558d957fa9090", 
        
           		"windows/amd64": "78a2774b68b995cc698944f6c235b1c93dcb6d57593a58a565ee7a56d64e4b85", 
        
           	} 
        
           }

suzuki-shunsuke · 2023-02-25T06:13:09Z

Breaking Changes

COSIGN_EXPERIMENTAL=1 is no longer required to have identity-based (“keyless”) signing and transparency.

Verification now requires identity flags, --certificate-identity and --certificate-oidc-issuer

verify-blob no longer searches for a certificate. You must provide one with either --certificate or --bundle.

suzuki-shunsuke · 2023-03-11T03:46:31Z

Either --certificate-identity or --certificate-identity-regexp must be set for keyless flows

--certificate-identity string

The identity expected in a valid Fulcio certificate.
Valid values include email address, DNS names, IP addresses, and URIs.

--certificate-identity-regexp string

A regular expression alternative to --certificate-identity.
Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. .

suzuki-shunsuke · 2023-03-11T03:50:48Z

https://zenn.dev/link/comments/9934cf1be71d89

suzuki-shunsuke · 2024-03-20T02:51:32Z

https://twitter.com/szkdash/status/1770279982088233427

https://sigstore.slack.com/archives/C01DGF0G8U9/p1710871645742299

Probably we have to handle this issue as soon as possible because a new TUF trust root for Sigstore has been published and it isn't compatible with Cosign v1.

https://blog.sigstore.dev/tuf-root-update/

v1.x will not work, though we are backporting support with an upcoming v1.13.3 release. We strongly encourage updating to Cosign v2 for the latest bug and security fixes

Workaround: Disable Cosign

https://aquaproj.github.io/docs/reference/security/cosign-slsa/#how-to-disable-cosign-and-slsa

As a workaround, you can disable Cosign verification.

suzuki-shunsuke · 2024-03-20T03:27:55Z

https://github.com/aquasecurity/trivy/blob/8ec3938e01a93855503e3400eae9831abbb5de4a/docs/getting-started/signature-verification.md?plain=1#L14

--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+'

https://github.com/goreleaser/goreleaser/blob/08851dce616615c966ece450631d3d0a822430cc/www/docs/install.md?plain=1#L297

--certificate-identity 'https://github.com/goreleaser/goreleaser/.github/workflows/release.yml@refs/tags/__VERSION__'

--certificate-oidc-issuer

--certificate-oidc-issuer 'https://token.actions.githubusercontent.com'

https://github.com/goreleaser/goreleaser/blob/08851dce616615c966ece450631d3d0a822430cc/www/docs/install.md?plain=1#L299-L300

--cert 'https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.pem' \
--signature 'https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.sig' \

aquaproj/aqua#1665 (comment)

suzuki-shunsuke · 2024-03-20T04:29:07Z

fix: upgrade Cosign to v2 #2757

suzuki-shunsuke · 2024-03-20T05:42:40Z

suzuki-shunsuke · 2024-03-20T06:08:27Z

[bug] "Generate builder" and "Run sigstore/cosign-installer" steps failing with error updating to TUF remote mirror: invalid key slsa-framework/slsa-github-generator#3350

suzuki-shunsuke · 2024-03-21T21:30:01Z

suzuki-shunsuke · 2024-03-21T22:45:34Z

Release aqua v2.25.1
- To install some packages such as tfcmt, aqua-registry >= v4.155.0 is required
Release aqua-registry v4.155.0
- To install some packages such as tfcmt, aqua >= v2.25.1 is required
Release aqua-installer v3.0.0
- TODO upgrade bootstrap version to v2.25.1
- Please upgrade aqua to v2.25.1 or later
Re-enable Cosign and slsa-verifier and release new versions

suzuki-shunsuke · 2024-03-22T00:06:54Z

v2.25.1 is out 🎉
https://github.com/aquaproj/aqua/releases/tag/v2.25.1

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://togithub.com/actions/checkout) | action | digest | `b4ffde6` -> `692973e` | | [aquaproj/aqua-installer](https://togithub.com/aquaproj/aqua-installer) | action | minor | `v2.2.0` -> `v2.3.2` | --- ### Release Notes <details> <summary>aquaproj/aqua-installer (aquaproj/aqua-installer)</summary> ### [`v2.3.2`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.3.2) [Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.3.1...v2.3.2) [#607](https://togithub.com/aquaproj/aqua-installer/issues/607) export environment variable `AQUA_DISABLE_COSIGN` and `AQUA_DISABLE_SLSA` [https://github.com/aquaproj/aqua/issues/2759](https://togithub.com/aquaproj/aqua/issues/2759) To disable Cosign and slsa-verifier on subsequent steps. ### [`v2.3.1`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.3.1) [Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.3.0...v2.3.1) [#605](https://togithub.com/aquaproj/aqua-installer/issues/605) Disable Cosign and slsa-verifier Until we will finish upgrading Cosign to v2, we disable Cosign and slsa-verifier. [https://github.com/aquaproj/aqua/issues/1665#issuecomment-2008588288](https://togithub.com/aquaproj/aqua/issues/1665#issuecomment-2008588288) ### [`v2.3.0`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.3.0) [Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.2.0...v2.3.0) [Issues](https://togithub.com/aquaproj/aqua-installer/issues?q=is%3Aissue+milestone%3Av2.3.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-installer/pulls?q=is%3Apr+milestone%3Av2.3.0) | aquaproj/aqua-installer@v2.2.0...v2.3.0 #### Features [#580](https://togithub.com/aquaproj/aqua-installer/issues/580) Support disabling the verification with Cosign and SLSA Provenance > \[!CAUTION] > This feature is for users who can't use Cosign and slsa-verifier. > Most users can use them, so most users don't need this feature. > aqua installs Cosign and slsa-verifier internally, so you don't need to install them yourself. > If you can use Cosign and slsa-verifier, you should not disable them because they are important for security. The bootstrap version is updated to [aqua v2.22.0](https://togithub.com/aquaproj/aqua/releases/tag/v2.22.0). From this version, [aqua supports disabling the verification with Cosign and SLSA Provenance](https://aquaproj.github.io/docs/reference/security/cosign-slsa#disable-the-verification-with-cosign-and-slsa-provenance). To disable the verification with Cosign and SLSA Provenance when you install aqua with aqua-installer, please set the environment variables `AQUA_DISABLE_COSIGN` and `AQUA_DISABLE_SLSA`. ```sh export AQUA_DISABLE_COSIGN=true export AQUA_DISABLE_SLSA=true ./aqua-installer ``` ```yaml - uses: aquaproj/[email protected] with: aqua_version: v2.22.0 env: AQUA_DISABLE_COSIGN: "true" AQUA_DISABLE_SLSA: "true" ``` </details> --- ### Configuration 📅 **Schedule**: Branch creation - "every weekday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/DelineaXPM/terraform-provider-dsv).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://togithub.com/actions/checkout) | action | digest | `b4ffde6` -> `692973e` | | [aquaproj/aqua-installer](https://togithub.com/aquaproj/aqua-installer) | action | minor | `v2.0.2` -> `v2.3.2` | | [docker/login-action](https://togithub.com/docker/login-action) | action | digest | `343f7c4` -> `0d4c9c5` | --- ### Release Notes <details> <summary>aquaproj/aqua-installer (aquaproj/aqua-installer)</summary> ### [`v2.3.2`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.3.2) [Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.3.1...v2.3.2) [#607](https://togithub.com/aquaproj/aqua-installer/issues/607) export environment variable `AQUA_DISABLE_COSIGN` and `AQUA_DISABLE_SLSA` [https://github.com/aquaproj/aqua/issues/2759](https://togithub.com/aquaproj/aqua/issues/2759) To disable Cosign and slsa-verifier on subsequent steps. ### [`v2.3.1`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.3.1) [Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.3.0...v2.3.1) [#605](https://togithub.com/aquaproj/aqua-installer/issues/605) Disable Cosign and slsa-verifier Until we will finish upgrading Cosign to v2, we disable Cosign and slsa-verifier. [https://github.com/aquaproj/aqua/issues/1665#issuecomment-2008588288](https://togithub.com/aquaproj/aqua/issues/1665#issuecomment-2008588288) ### [`v2.3.0`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.3.0) [Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.2.0...v2.3.0) [Issues](https://togithub.com/aquaproj/aqua-installer/issues?q=is%3Aissue+milestone%3Av2.3.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-installer/pulls?q=is%3Apr+milestone%3Av2.3.0) | aquaproj/aqua-installer@v2.2.0...v2.3.0 #### Features [#580](https://togithub.com/aquaproj/aqua-installer/issues/580) Support disabling the verification with Cosign and SLSA Provenance > \[!CAUTION] > This feature is for users who can't use Cosign and slsa-verifier. > Most users can use them, so most users don't need this feature. > aqua installs Cosign and slsa-verifier internally, so you don't need to install them yourself. > If you can use Cosign and slsa-verifier, you should not disable them because they are important for security. The bootstrap version is updated to [aqua v2.22.0](https://togithub.com/aquaproj/aqua/releases/tag/v2.22.0). From this version, [aqua supports disabling the verification with Cosign and SLSA Provenance](https://aquaproj.github.io/docs/reference/security/cosign-slsa#disable-the-verification-with-cosign-and-slsa-provenance). To disable the verification with Cosign and SLSA Provenance when you install aqua with aqua-installer, please set the environment variables `AQUA_DISABLE_COSIGN` and `AQUA_DISABLE_SLSA`. ```sh export AQUA_DISABLE_COSIGN=true export AQUA_DISABLE_SLSA=true ./aqua-installer ``` ```yaml - uses: aquaproj/[email protected] with: aqua_version: v2.22.0 env: AQUA_DISABLE_COSIGN: "true" AQUA_DISABLE_SLSA: "true" ``` ### [`v2.2.0`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.2.0) [Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.1.3...v2.2.0) [Issues](https://togithub.com/aquaproj/aqua-installer/issues?q=is%3Aissue+milestone%3Av2.2.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-installer/pulls?q=is%3Apr+milestone%3Av2.2.0) | aquaproj/aqua-installer@v2.1.3...v2.2.0 ##### Features [#365](https://togithub.com/aquaproj/aqua-installer/issues/365) [#550](https://togithub.com/aquaproj/aqua-installer/issues/550) [#551](https://togithub.com/aquaproj/aqua-installer/issues/551) Output the guide to set the environment variable `PATH` `aqua-installer` outputs the following guide. =============================================================== [INFO] aqua is installed into /root/.local/share/aquaproj-aqua/bin/aqua [INFO] Please add the path to the environment variable "PATH" [INFO] export PATH=${AQUA_ROOT_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/aquaproj-aqua}/bin:$PATH =============================================================== [#551](https://togithub.com/aquaproj/aqua-installer/issues/551) Use wget if curl isn't found ### [`v2.1.3`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.1.3) [Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.1.2...v2.1.3) [Issues](https://togithub.com/aquaproj/aqua-installer/issues?q=is%3Aissue+milestone%3Av2.1.3) | [Pull Requests](https://togithub.com/aquaproj/aqua-installer/pulls?q=is%3Apr+milestone%3Av2.1.3) | aquaproj/aqua-installer@v2.1.2...v2.1.3 [#545](https://togithub.com/aquaproj/aqua-installer/issues/545) Update the bootstrap version to v2.16.4 To support aqua v2.17.0 or later on Windows. https://github.com/aquaproj/aqua/releases/tag/v2.16.1 > To upgrade aqua to v2.17.0 or later on Windows, you need to upgrade aqua to v2.16.1 or later first. ### [`v2.1.2`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.1.2) [Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.1.1...v2.1.2) [Issues](https://togithub.com/aquaproj/aqua-installer/issues?q=is%3Aissue+milestone%3Av2.1.2) | [Pull Requests](https://togithub.com/aquaproj/aqua-installer/pulls?q=is%3Apr+milestone%3Av2.1.2) | aquaproj/aqua-installer@v2.1.1...v2.1.2 ##### Fixes [#432](https://togithub.com/aquaproj/aqua-installer/issues/432) Fix typo [#461](https://togithub.com/aquaproj/aqua-installer/issues/461) [#463](https://togithub.com/aquaproj/aqua-installer/issues/463) Fix a bug that action doesn't work in a container ##### Fix a bug that action doesn't work in a container [#461](https://togithub.com/aquaproj/aqua-installer/issues/461) [#463](https://togithub.com/aquaproj/aqua-installer/issues/463) GitHub Actions supports running a job in a container. https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container But in a container the variable `${{ github.action_path }}` is wrong, so action can't access the script `aqua-installer`. This is a known issue of GitHub Actions. - [https://github.com/actions/runner/issues/2185](https://togithub.com/actions/runner/issues/2185) To solve the issue, we copy the content of the script `aqua-installer` into action itself, then action don't have to access the script `aqua-installer`. ### [`v2.1.1`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.1.1) [Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.1.0...v2.1.1) [Issues](https://togithub.com/aquaproj/aqua-installer/issues?q=is%3Aissue+milestone%3Av2.1.1) | [Pull Requests](https://togithub.com/aquaproj/aqua-installer/pulls?q=is%3Apr+milestone%3Av2.1.1) | aquaproj/aqua-installer@v2.1.0...v2.1.1 ##### Others [#411](https://togithub.com/aquaproj/aqua-installer/issues/411) Update the bootstrapping aqua v1.26.2 to v2.2.3 This update enables to verify prerelease versions by Cosign and slsa-verifier. ref. https://aquaproj.github.io/docs/reference/upgrade-guide/v2/change-semver ### [`v2.1.0`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.1.0) [Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.0.2...v2.1.0) [Issues](https://togithub.com/aquaproj/aqua-installer/issues?q=is%3Aissue+milestone%3Av2.1.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-installer/pulls?q=is%3Apr+milestone%3Av2.1.0) | aquaproj/aqua-installer@v2.0.2...v2.1.0 #### Features [#403](https://togithub.com/aquaproj/aqua-installer/issues/403) Add an input `policy_allow` to run `aqua policy allow` aqua >= v2.3.0 If `policy_allow` is `true`, `aqua policy allow` command is run. If a Policy file path is set, `aqua policy allow "${{inputs.policy_allow}}"` is run. ##### See also - [Tutorial](https://aquaproj.github.io/docs/guides/policy-as-code) - [Reference](https://aquaproj.github.io/docs/reference/security/policy-as-code) - [Reference - Git Repository root's policy file and policy commands](https://aquaproj.github.io/docs/reference/security/policy-as-code/git-policy) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "every weekday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/DelineaXPM/dsv-github-action).  --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Sheldon Hull <[email protected]>

suzuki-shunsuke added the enhancement New feature or request label Feb 25, 2023

suzuki-shunsuke added this to main Feb 25, 2023

suzuki-shunsuke moved this to Backlog in main Feb 25, 2023

suzuki-shunsuke moved this from Backlog to Todo in main Mar 3, 2023

suzuki-shunsuke pinned this issue Mar 8, 2023

suzuki-shunsuke mentioned this issue Mar 9, 2023

Update Cosign to v2.0 #1712

Closed

suzuki-shunsuke added security cosign labels Mar 9, 2023

suzuki-shunsuke moved this from Todo to In Progress in main Mar 11, 2023

suzuki-shunsuke moved this from In Progress to Backlog in main Mar 13, 2023

suzuki-shunsuke unpinned this issue Jul 25, 2023

suzuki-shunsuke pinned this issue Mar 20, 2024

suzuki-shunsuke moved this from Backlog to Todo in main Mar 20, 2024

suzuki-shunsuke mentioned this issue Mar 20, 2024

fix(yaml): Fix spaces before comments #2756

Merged

suzuki-shunsuke added a commit to suzuki-shunsuke/go-release-workflow that referenced this issue Mar 20, 2024

chore: disable cosign and slsa

2bb1b20

aquaproj/aqua#1665 (comment)

suzuki-shunsuke mentioned this issue Mar 20, 2024

chore: disable cosign and slsa suzuki-shunsuke/go-release-workflow#69

Closed

suzuki-shunsuke changed the title ~~Update Cosign to v2.0~~ Upgrade Cosign to v2.0 Mar 20, 2024

suzuki-shunsuke mentioned this issue Mar 20, 2024

fix: upgrade Cosign to v2 #2757

Merged

This was referenced Mar 20, 2024

feat: add zaghaghi/openapi-tui aquaproj/aqua-registry#21079

Merged

chore: disable cosign and slsa aquaproj/aqua-registry#21080

Merged

Fail to install tools because of the error of Cosign #2759

Closed

suzuki-shunsuke unpinned this issue Mar 20, 2024

suzuki-shunsuke mentioned this issue Mar 21, 2024

fix: upgrade Cosign to v2 aquaproj/aqua-registry#21122

Merged

suzuki-shunsuke closed this as completed Mar 22, 2024

github-project-automation bot moved this from Todo to Done in main Mar 22, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Upgrade Cosign to v2.0 #1665

Upgrade Cosign to v2.0 #1665

suzuki-shunsuke commented Feb 25, 2023

suzuki-shunsuke commented Feb 25, 2023

suzuki-shunsuke commented Mar 11, 2023 •

edited

Loading

suzuki-shunsuke commented Mar 11, 2023

suzuki-shunsuke commented Mar 20, 2024 •

edited

Loading

suzuki-shunsuke commented Mar 20, 2024

suzuki-shunsuke commented Mar 20, 2024

suzuki-shunsuke commented Mar 20, 2024 •

edited

Loading

suzuki-shunsuke commented Mar 20, 2024

suzuki-shunsuke commented Mar 21, 2024

suzuki-shunsuke commented Mar 21, 2024

suzuki-shunsuke commented Mar 22, 2024

Upgrade Cosign to v2.0 #1665

Upgrade Cosign to v2.0 #1665

Comments

suzuki-shunsuke commented Feb 25, 2023

suzuki-shunsuke commented Feb 25, 2023

Breaking Changes

suzuki-shunsuke commented Mar 11, 2023 • edited Loading

--certificate-identity string

--certificate-identity-regexp string

suzuki-shunsuke commented Mar 11, 2023

suzuki-shunsuke commented Mar 20, 2024 • edited Loading

Workaround: Disable Cosign

suzuki-shunsuke commented Mar 20, 2024

suzuki-shunsuke commented Mar 20, 2024

suzuki-shunsuke commented Mar 20, 2024 • edited Loading

suzuki-shunsuke commented Mar 20, 2024

suzuki-shunsuke commented Mar 21, 2024

suzuki-shunsuke commented Mar 21, 2024

suzuki-shunsuke commented Mar 22, 2024

suzuki-shunsuke commented Mar 11, 2023 •

edited

Loading

suzuki-shunsuke commented Mar 20, 2024 •

edited

Loading

suzuki-shunsuke commented Mar 20, 2024 •

edited

Loading