Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cosign 1.12.0 broke Flux build #899

Closed
stefanprodan opened this issue Sep 15, 2022 · 28 comments
Closed

Cosign 1.12.0 broke Flux build #899

stefanprodan opened this issue Sep 15, 2022 · 28 comments

Comments

@stefanprodan
Copy link
Member

stefanprodan commented Sep 15, 2022

After Cosign v1.12.0 our builds are failing with:

cosign verify-blob --cert /tmp/tmp.RrJ3ntuOFG/checksums.txt.pem --signature /tmp/tmp.RrJ3ntuOFG/checksums.txt.sig /tmp/tmp.RrJ3ntuOFG/checksums.txt
Error: verifying blob [/tmp/tmp.RrJ3ntuOFG/checksums.txt]: x509: certificate signed by unknown authority
main.go:62: error during command execution: verifying blob [/tmp/tmp.RrJ3ntuOFG/checksums.txt]: x509: certificate signed by unknown authority

We use keyless to sign the golang-with-libgit2 release assets and we use cosign verify-blob in all Flux controllers that make use of those assets. Since this basically broke Flux build all over, we have two options: remove cosign from our build system or revert to cosign 1.11.0 that is affected by CVE-2022-36056.

@znewman01
Copy link

znewman01 commented Sep 15, 2022

Happy to help debug from the Sigstore side of things.

If I had to guess, it's actually related to the fix to GHSA-8gw7-4j42-w388, which made verification more strict for verify-blob (possibly introducing false positives).

If you can point me to the following, I'd be grateful:

  1. Where these files are signed: EDIT 2: found it
  2. Where these files are verified EDIT 3: is this it?
  3. An example .sig, .pem, and checksums.txt EDIT: found them

@stefanprodan
Copy link
Member Author

@znewman01 to reproduce this locally do:

curl -o ./checksums.txt -sfL https://github.com/fluxcd/golang-with-libgit2/releases/download/v0.2.0/checksums.txt
curl -o ./checksums.txt.pem -sfL https://github.com/fluxcd/golang-with-libgit2/releases/download/v0.2.0/checksums.txt.pem
curl -o ./checksums.txt.sig -sfL https://github.com/fluxcd/golang-with-libgit2/releases/download/v0.2.0/checksums.txt.sig
cosign verify-blob --cert ./checksums.txt.pem --signature ./checksums.txt.sig ./checksums.txt

@znewman01
Copy link

Will reproduce, 1 sec...

In the meantime: does it still happen if you set COSIGN_EXPERIMENTAL=1 for the verify-blob call?

@stefanprodan
Copy link
Member Author

With experimental enabled it doesn't fail but I see lots of duplicate warnings....

 COSIGN_EXPERIMENTAL=1 cosign verify-blob --cert ./checksums.txt.pem --signature ./checksums.txt.sig ./checksums.txt
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tlog entry verified with uuid: 6d82e9ef2755da1cdfd7f566dfbeb6b7877c5d699dbde90e8fa108908ca780fb index: 3070702
Verified OK

@znewman01
Copy link

Okay, it's expected that verify-blob should fail without COSIGN_EXPERIMENTAL=1; that's part of the resolution to GHSA-8gw7-4j42-w388 .

With COSIGN_EXPERIMENTAL=0: you provided a certificate which was signed by the keyless CA to verify against, but without COSIGN_EXPERIMENTAL, cosign isn't supposed to know about the keyless CA.

Sorry about the warnings....that's an unintended consequence of sigstore/cosign#2232. A fix is being tracked upstream: theupdateframework/go-tuf#376 . We're hoping to push a minor version bump soon to address that.

@stefanprodan
Copy link
Member Author

@znewman01 shouldn't this be documented as a breaking change in Cosign release notes?

@znewman01
Copy link

Yup, filed sigstore/cosign#2253

@asraa
Copy link

asraa commented Sep 15, 2022

Hi! Thank you for filing this issue! I want to call out two details too:

  1. Without COSIGN_EXPERIMENTAL we were not checking the signature validity against the certificate. The keyless certificate is short-lived: and validating the signature requires validating (against the TLOG) that the signature was produced during the validity period. Thanks @znewman01 for filing the change documentation.
  2. If you would like to avoid COSIGN_EXPERIMENTAL making the Rekor lookup to check the signature timestamp, then you can also create a bundle when you create the signature. This will copy the timestamp to a bundle file. Users would need to pass --bundle into the verify-blob command. The bundle also contains the cert and sig, so their call would be cosign verify-blob --bundle bundle.sig checksums.txt

The signing command would add an output bundle flag.

caarlos0 pushed a commit to goreleaser/goreleaser that referenced this issue Sep 15, 2022
Signed-off-by: Batuhan Apaydın <[email protected]>

<!--

Hi, thanks for contributing!

Please make sure you read our CONTRIBUTING guide.

Also, add tests and the respective documentation changes as well.

-->

Cross-ref: fluxcd/source-controller#899

Signed-off-by: Batuhan Apaydın <[email protected]>
@stefanprodan
Copy link
Member Author

After setting COSIGN_EXPERIMENTAL=1, now the build randomly fails with:

COSIGN_EXPERIMENTAL=1 cosign verify-blob --cert /tmp/tmp.A1DZECOi4A/checksums.txt.pem --signature /tmp/tmp.A1DZECOi4A/checksums.txt.sig /tmp/tmp.A1DZECOi4A/checksums.txt
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
Error: verifying blob [/tmp/tmp.A1DZECOi4A/checksums.txt]: verifying inclusion proof: calculated root:
[84 33 191 57 192 119 177 159 129 109 176 100 131 248 165 158 29 96 0 217 24 128 159 189 33 41 101 43 96 117 37 149]
 does not match expected root:
[51 193 90 65 152 179 40 32 127 150 118 23 148 13 246 91 250 232 132 247 110 37 188 231 187 29 21 199 193 77 99 73]
main.go:62: error during command execution: verifying blob [/tmp/tmp.A1DZECOi4A/checksums.txt]: verifying inclusion proof: calculated root:
[84 33 191 57 192 119 177 159 129 109 176 100 131 248 165 158 29 96 0 217 24 128 159 189 33 41 101 43 96 117 37 149]
 does not match expected root:
[51 193 90 65 152 179 40 32 127 150 118 23 148 13 246 91 250 232 132 247 110 37 188 231 187 29 21 199 193 77 99 73]

I have no clue why rerunning the job fixes it

@znewman01
Copy link

That's an intermittent failure, tracked here: sigstore/rekor#1055

@znewman01
Copy link

Update on that flake: it was fixed and we rolled out the fix, but then had to rollback for an unrelated reason. As soon as we can roll forward again it should disappear.

The previously-linked issue should have more details soon.

@stefanprodan
Copy link
Member Author

@znewman01 is there any way to suppress the tuf logs? In #876 we can’t use the 1.12 packages because this will mess up Flux json logging. Given that Flux only deals with verification of OCI artifacts, is it safe to ship Flux with Cosign 1.11?

@znewman01
Copy link

Yeah, the TUF logging bit is very annoying, and there's no easy way to suppress it ☹️ . The go-tuf library has been fixed and I've requested to the maintainers to cut a release today. Once that happens, it's just a matter of getting it in Cosign (should be easy, just merging a dependabot PR) and then cutting a Cosign release (unless you want to depend on HEAD). That's gonna take a few days, though (hopefully get done this week).

As you're alluding to, the most important thing about 1.12 is that it fixes [a vulnerability] when verifying blobs, not OCI artifacts. Looking at the fix, the only change to the pkg/ and internal/ code (which is what you'd depend on, directly or indirectly) affected test code or logging. So if none of the other release notes are pertinent, you're probably safe.

@stefanprodan
Copy link
Member Author

stefanprodan commented Sep 21, 2022

Thank you @znewman01 We'll go ahead with 1.11 and when 1.12 gets the tuf patch, we'll update the packages in Flux and do a patch release to please the scanners. It's hard to explain to some users that if a CVE is found in a Flux controller dependencies, that doesn't necessarily means Flux is affected by it.

@asraa
Copy link

asraa commented Sep 21, 2022

Hey! I updated the sigstore code to remove the logging (sigstore/sigstore#701) yesterday, and am updating cosign right now. It should be in the v1.12.1 patch!

@znewman01
Copy link

v1.12.1 just went out; I think we missed it: https://github.com/sigstore/cosign/releases/tag/v1.12.1

@stefanprodan
Copy link
Member Author

Awesome! Thanks @asraa and @znewman01

We'll give this a try in #876.

@stefanprodan
Copy link
Member Author

TUF logs are gone after updating the controller to 1.21.1 🎉

I'm going to close this issue now, thank a lot for all the help 🤗

@stefanprodan
Copy link
Member Author

Seems that blob verification is broken again (cosign v1.12.1), to reproduce do:

curl -o ./checksums.txt -sfL https://github.com/fluxcd/golang-with-libgit2/releases/download/v0.2.0/checksums.txt
curl -o ./checksums.txt.pem -sfL https://github.com/fluxcd/golang-with-libgit2/releases/download/v0.2.0/checksums.txt.pem
curl -o ./checksums.txt.sig -sfL https://github.com/fluxcd/golang-with-libgit2/releases/download/v0.2.0/checksums.txt.sig

export COSIGN_EXPERIMENTAL=1
cosign verify-blob --cert ./checksums.txt.pem --signature ./checksums.txt.sig ./checksums.txt

And the output is:

tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
could not find entry in tlog: signature not found in transparency logError: verifying blob [./checksums.txt]: signature not found in transparency log
main.go:62: error during command execution: verifying blob [./checksums.txt]: signature not found in transparency log

@znewman01
Copy link

FYI we can repro and are investigating.

@asraa
Copy link

asraa commented Sep 28, 2022

Do you know the entry that was originally uploaded? Maybe in the logs of a signin workflow?

Got it:
362f8ecba72f43266d82e9ef2755da1cdfd7f566dfbeb6b7877c5d699dbde90e8fa108908ca780fb

@stefanprodan
Copy link
Member Author

@asraa the full build log is here if you need it https://github.com/fluxcd/golang-with-libgit2/actions/runs/3060959453/jobs/4940247065

@asraa
Copy link

asraa commented Sep 28, 2022

Thanks! We've identified the problem, working on fixes.
https://sigstore.slack.com/archives/C033FPC7EUQ/p1664386149753879

@znewman01
Copy link

znewman01 commented Sep 29, 2022

Okay, I've only followed this secondhand, but I think this is what happened; correct me if I'm wrong, @asraa :

There was a change to Rekor that enabled sharding. That change had a small bug where it's possible that an entry winds up stored on >1 shard. The Rekor bug is fixed now (not deployed yet, should happen soon) sigstore/rekor#1082 . After the fix, the duplicated entries won't happen anymore (unless users deliberately ask for it by uploading twice). If that happens, the client hadn't been updated to expect >1 result when retrieving the log entry from Rekor. So this only affects users doing online verification with Rekor in the loop. It will be fixed client side (tracked in
sigstore/cosign#2294)

So:

  • This happens now only rarely, on upload.
  • It will stop happening with the next Rekor deploy.
  • In the meantime, if you hit this, retrying the upload should fix it.
  • Soon, we'll ship a client fix that will help it handle this situation (including entries like this one).

EDIT: please ignore in favor of @asraa's comment below

@asraa
Copy link

asraa commented Sep 29, 2022

That change had a small bug where it's possible that an entry winds up stored on >1 shard. The Rekor bug is fixed now (not deployed yet, should happen soon)

This was not quite the problem: Rekor only searched the active shard. It would fail if the entry was not on it. (It doesn't matter if the entry was on >1 shard.)

With the fix, we'll now return all entries, even on previous shards. So if you were only on a previous shard, you'll get your entry.

If in the case where someone duplicated the entry, then your client will reieve >1 entry and fail.

In the meantime, if you hit this, retrying the upload should fix it.

I would suggest not! If you do then you'll fail UNTIL the client updates. If you don't and stay on the inactive old shards with a single entry, old clients can continue verifying because they'll receive only one entry when querying, as was always the expectation.

pjbgf pushed a commit to pjbgf/image-automation-controller that referenced this issue Sep 29, 2022
The libgit2 libraries are downloaded and verified before
some of the make targets are executed. This assures the
provenance of such files before using them and is very
important specially for end users running such tests on
their machines.

Note that has been disabled specially due to recent issues
we experienced at CI which can be seen in:
fluxcd/source-controller#899

Signed-off-by: Paulo Gomes <[email protected]>
pjbgf pushed a commit to pjbgf/source-controller that referenced this issue Sep 29, 2022
some of the make targets are executed. This assures the
provenance of such files before using them and is very
important specially for end users running such tests on
their machines.

Note that has been disabled specially due to recent issues
we experienced at CI which can be seen in:
fluxcd#899

Signed-off-by: Paulo Gomes <[email protected]>
@haydentherapper
Copy link

We're working on fixing the client, but in the meantime, we'd recommend re-signing to unblock you.

@asraa
Copy link

asraa commented Sep 30, 2022

This sigstore/cosign#2294 issue tracks the fix!

@stefanprodan
Copy link
Member Author

I've tested with latest Cosign and seems to work OK. Thanks!

souleb pushed a commit to souleb/image-automation-controller that referenced this issue Mar 12, 2024
The libgit2 libraries are downloaded and verified before
some of the make targets are executed. This assures the
provenance of such files before using them and is very
important specially for end users running such tests on
their machines.

Note that has been disabled specially due to recent issues
we experienced at CI which can be seen in:
fluxcd/source-controller#899

Signed-off-by: Paulo Gomes <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants