Cosign v3.6.0 issue

[alexbelgium]

Error during build process :

Error: no matching signatures
main.go:69: error during command execution: no matching signatures
Error: Process completed with exit code 12.

Full log :

Run home-assistant/builder@master
Run sigstore/[email protected]
Run #!/bin/bash
INFO: Downloading bootstrap version 'v2.4.0' of cosign to verify version to be installed...
      https://github.com/sigstore/cosign/releases/download/v2.4.0/cosign-linux-amd64
INFO: Custom cosign version 'v2.2.3' requested
INFO: Downloading platform-specific version 'v2.2.3' of cosign...
      https://github.com/sigstore/cosign/releases/download/v2.2.3/cosign-linux-amd64
INFO: Downloading detached signature for platform-specific 'v2.2.3' of cosign...
      https://github.com/sigstore/cosign/releases/download/v2.2.3/cosign-linux-amd64.sig
INFO: Downloading cosign public key 'v2.2.3' of cosign...
    https://raw.githubusercontent.com/sigstore/cosign/v2.2.3/release/release-cosign.pub
INFO: Verifying public key matches expected value
INFO: Using bootstrap cosign to verify signature of desired cosign version
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the blob.
Verified OK
INFO: Installation complete!
Run echo "$HOME/.cosign" >> $GITHUB_PATH
Run input=$(echo "/home/runner/work/_actions/home-assistant/builder/master" | rev | cut -d"/" -f1 | rev)
Run docker pull ghcr.io/home-assistant/amd64-builder:latest
latest: Pulling from home-assistant/amd64-builder
73baa7ef167e: Pulling fs layer
647930ad0bbe: Pulling fs layer
6b7dbd8ce86e: Pulling fs layer
97d3806ade9e: Pulling fs layer
ed1d09f645ed: Pulling fs layer
9d43e556ac06: Pulling fs layer
feccd12[13](https://github.com/alexbelgium/hassio-addons/actions/runs/10299589179/job/28507220267#step:8:14)76f: Pulling fs layer
97d3806ade9e: Waiting
ed1d09f645ed: Waiting
9d43e556ac06: Waiting
feccd1[21](https://github.com/alexbelgium/hassio-addons/actions/runs/10299589179/job/28507220267#step:8:23)376f: Waiting
73baa7ef167e: Verifying Checksum
73baa7ef167e: Download complete
647930ad0bbe: Verifying Checksum
647930ad0bbe: Download complete
97d3806ade9e: Verifying Checksum
97d3806ade9e: Download complete
6b7dbd8ce86e: Verifying Checksum
6b7dbd8ce86e: Download complete
9d43e556ac06: Download complete
73baa7ef167e: Pull complete
feccd121376f: Verifying Checksum
feccd121376f: Download complete
647930ad0bbe: Pull complete
6b7dbd8ce86e: Pull complete
97d3806ade9e: Pull complete
ed1d09f645ed: Verifying Checksum
ed1d09f645ed: Download complete
ed1d09f645ed: Pull complete
9d43e556ac06: Pull complete
feccd121376f: Pull complete
Digest: sha256:a975007692aaf11e1996c7b2df083abddf51b5850b2d58d85473a3eb8760ae2e
Status: Downloaded newer image for ghcr.io/home-assistant/amd64-builder:latest
ghcr.io/home-assistant/amd64-builder:latest
Error: no matching signatures
main.go:69: error during command execution: no matching signatures
Error: Process completed with exit code 12.

[agners]

Hm, I see, since https://github.com/sigstore/cosign-installer/pull/168/files the cosign-installer defaults to co-sign v2.4.0 (previously v2.2.4). But I wonder why that is a problem, from what I can tell looking at the cosign releases there was no breaking change in the last few releases (also only minor updates, which usually indicate no breaking changes 🤔 ).

Last time sigstore broke it was caused by an old version which were incompatible with infrastructure updates on their end (see also #196). But from what I can tell, this is not the case this time.

[agners]

Hm, this is probably related to the failed build. And the re-run failed because the already published builder is broken.

https://github.com/home-assistant/builder/actions/runs/10297373354/attempts/1
https://github.com/home-assistant/builder/actions/runs/10297373354/attempts/2

[alexbelgium]

Thanks very much for the super fast response

[agners]

This seems to be a problem of the current master branch. What you can do is using the latest release of the builder (and it's action) by using home-assistant/[email protected]. Dependabot should create bump PRs to keep your repository updated.

[alexbelgium]

All good for me, thanks. And indeed much better practice from my side to pin a version number instead of using latest ;-)

I'll keep the issue open for traceability for others, or if you prefer I'll close it as anyway you are already following the issue