verify-blob not finding tlog on rekor, but it is there #1406
Comments
Both
That information is stored in the code signing cert, which can be printed using openssl + some jq trickery:
ok, so my mental model was more or less accurate, thanks!
ah, neat! Another question: what's the recommended way to instruct users to check if the public key et al. are what they actually say they are?
The recommended way should only use common tools, already preinstalled on most systems, like

Using
That would probably be ideal. @cardil @dlorenc, are there any options for this? I could use something like

to get some info about the certificate, but how do I verify everything without installing cosign, rekor-cli, etc.? Is it even possible?
Hi! Just FYI, I think this is fixed, because we now also fall back on searching the Redis index for the correct entry when you omit the PEM. This works
Re: verifying the public key, you could pin the verification against the workflow that signed, e.g. issuer github and subject name
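What that pinning looks like in code, as an added example that is not part of this thread, of cosign, or of goreleaser: it answers the earlier question about checking the certificate without cosign or rekor-cli, and the reply above about pinning issuer and subject. It parses the .pem, reads the Fulcio OIDC issuer extension (OID 1.3.6.1.4.1.57264.1.1, whose value is the raw issuer string rather than a DER UTF8String), requires the SAN URI to equal the expected workflow identity, and then verifies the .sig (base64 of a DER ECDSA signature over SHA-256 of the blob) with the certificate's key. The issuer and workflow values are assumptions chosen to look like a GitHub Actions release; `SignedFixture` is a self-signed stand-in for a real Fulcio certificate so the block runs offline. What it does not do is chain the certificate to the Fulcio root or check Rekor inclusion, which is exactly the part cosign adds; treat it as the identity check, not a replacement for `cosign verify-blob`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Fulcio OIDC issuer extension (1.3.6.1.4.1.57264.1.1): the value is the raw issuer string, not a DER UTF8String.
var oidFulcioIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// Assumed identity of the release workflow (illustrative, not read from a real certificate).
const (
	ghIssuer  = "https://token.actions.githubusercontent.com"
	ghSubject = "https://github.com/goreleaser/goreleaser/.github/workflows/release.yml@refs/tags/v1.10.3"
)

// VerifyBlob pins the certificate to wantIssuer (Fulcio extension) and wantSubject (SAN URI), then
// checks sigB64 (base64 DER ECDSA, the cosign .sig format) over SHA-256 of blob. No Fulcio chain, no Rekor.
func VerifyBlob(blob []byte, sigB64 string, certPEM []byte, wantIssuer, wantSubject string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	var issuer string
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidFulcioIssuer) {
			issuer = string(ext.Value)
		}
	}
	if issuer != wantIssuer {
		return fmt.Errorf("issuer mismatch: got %q, want %q", issuer, wantIssuer)
	}
	subjectOK := false
	for _, u := range cert.URIs {
		subjectOK = subjectOK || u.String() == wantSubject
	}
	if !subjectOK {
		return fmt.Errorf("subject %q not among certificate SAN URIs", wantSubject)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("certificate key is not ECDSA")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	digest := sha256.Sum256(blob)
	if err != nil || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not verify against the certificate key")
	}
	return nil
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}
// SignedFixture builds a self-signed, Fulcio-shaped certificate for the given identity and signs blob
// with its key: a stand-in for a release's .pem/.sig pair with no Fulcio chain and no Rekor entry.
func SignedFixture(blob []byte, issuer, subject string) (certPEM []byte, sigB64 string) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	san, err := url.Parse(subject)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(10 * time.Minute),
		URIs:            []*url.URL{san},
		ExtraExtensions: []pkix.Extension{{Id: oidFulcioIssuer, Value: []byte(issuer)}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	check(err)
	digest := sha256.Sum256(blob)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	check(err)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), base64.StdEncoding.EncodeToString(sig)
}

func main() {
	blob := []byte("constructed checksums.txt content\n") // constructed sample, not a real release file
	certPEM, sig := SignedFixture(blob, ghIssuer, ghSubject)
	fmt.Println("genuine:", VerifyBlob(blob, sig, certPEM, ghIssuer, ghSubject))
	fmt.Println("tampered:", VerifyBlob(append(blob, '!'), sig, certPEM, ghIssuer, ghSubject))
}
```

The subject comparison is an exact match on purpose: pinning to a prefix such as the repository would let any workflow or branch in that repository sign releases, so pin the full workflow ref and decide explicitly whether a tag ref or a branch ref is acceptable.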
happening again with some newly signed releases:

COSIGN_EXPERIMENTAL=1 cosign verify-blob \
  --signature https://github.com/goreleaser/goreleaser/releases/download/v1.10.3/checksums.txt.sig \
  https://github.com/goreleaser/goreleaser/releases/download/v1.10.3/checksums.txt
WARNING: No valid entries were found in rekor to verify this blob.
Transparency log support for blobs is experimental, and occasionally an entry isn't found even if one exists.
We recommend requesting the certificate/signature from the original signer of this blob and manually verifying with cosign verify-blob --cert [cert] --signature [signature].
Error: verifying blob [https://github.com/goreleaser/goreleaser/releases/download/v1.10.3/checksums.txt]: could not find a valid tlog entry for provided blob, found 1 invalid entries
main.go:62: error during command execution: verifying blob [https://github.com/goreleaser/goreleaser/releases/download/v1.10.3/checksums.txt]: could not find a valid tlog entry for provided blob, found 1 invalid entries
looks like sigstore/rekor#891
Actually, I did some debugging. It's a UUID issue. Fixing now.
EDIT: I never submitted this PR: #2058
ah, thanks @asraa!
Description
I might have found a bug; not sure if it's here, in rekor, or elsewhere... or maybe my understanding of things is a bit wrong. In any case, here it goes:
First thing I noticed is that rekor-cli does not find any entries for some files:

Here, it seems like after some time they are not available anymore, or at least not searchable?
So, if I try to verify without the PEM, it doesn't work:
But, if I verify it with the PEM as well, it prints a UUID:
$ COSIGN_EXPERIMENTAL=1 cosign verify-blob \
  --cert https://github.com/goreleaser/goreleaser/releases/download/v1.4.1/checksums.txt.pem \
  --signature https://github.com/goreleaser/goreleaser/releases/download/v1.4.1/checksums.txt.sig \
  https://github.com/goreleaser/goreleaser/releases/download/v1.4.1/checksums.txt
tlog entry verified with uuid: "190dbbf9ffc81cc77508cbdf3026a9acac00a879a70da8e67642d91e5221c063" index: 1173394
Verified OK
and then, if I get that UUID from rekor:
Similarly,

rekor-cli verify --uuid 190dbbf9ffc81cc77508cbdf3026a9acac00a879a70da8e67642d91e5221c063

also works. I also noticed that it doesn't print relevant info from GitHub's OIDC, e.g. the action run URL and actor, anymore... I have the impression that this did work at some point... maybe I'm misremembering things though.
In any case, I would like to understand if this is expected, and if so, why - and how should I instruct users to verify the actual public key used to verify the release...
refs goreleaser/goreleaser#2876