Cosign with goreleaser fail with error: Bad Request PKCE S256 is required #2104

Closed
xmlking opened this issue Jul 26, 2022 · 2 comments · Fixed by #2163
Labels
bug Something isn't working

xmlking commented Jul 26, 2022

Fork the repo https://github.com/goreleaser/supply-chain-example.git

Run the following command:

```
goreleaser release --snapshot --rm-dist
```

When I try to log in via GitHub, I get the following error: Bad Request PKCE S256 is required.

```
  • calculating checksums
  • signing artifacts
    • refreshing checksums                           file=checksums.txt
    • signing                                        artifact=checksums.txt certificate=dist/checksums.txt.pem cmd=cosign signature=dist/checksums.txt.sig
    • Using payload from: dist/checksums.txt         artifact=checksums.txt certificate=dist/checksums.txt.pem cmd=cosign signature=dist/checksums.txt.sig
    • Generating ephemeral keys...                   artifact=checksums.txt certificate=dist/checksums.txt.pem cmd=cosign signature=dist/checksums.txt.sig
    • Retrieving signed certificate...               artifact=checksums.txt certificate=dist/checksums.txt.pem cmd=cosign signature=dist/checksums.txt.sig
    •                                                artifact=checksums.txt certificate=dist/checksums.txt.pem cmd=cosign signature=dist/checksums.txt.sig
    •         Note that there may be personally identifiable information associated with this signed artifact. artifact=checksums.txt certificate=dist/checksums.txt.pem cmd=cosign signature=dist/checksums.txt.sig
    •         This may include the email address associated with the account with which you authenticate. artifact=checksums.txt certificate=dist/checksums.txt.pem cmd=cosign signature=dist/checksums.txt.sig
    •         This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later. artifact=checksums.txt certificate=dist/checksums.txt.pem cmd=cosign signature=dist/checksums.txt.sig
    • Non-interactive mode detected, using device flow. artifact=checksums.txt certificate=dist/checksums.txt.pem cmd=cosign signature=dist/checksums.txt.sig
    • Enter the verification code AAAA-AAAA in your browser at: https://oauth2.sigstore.dev/auth/device?user_code=AAAA-AAAA artifact=checksums.txt certificate=dist/checksums.txt.pem cmd=cosign signature=dist/checksums.txt.sig
    • Code will be valid for 300 seconds             artifact=checksums.txt certificate=dist/checksums.txt.pem cmd=cosign signature=dist/checksums.txt.sig
^C    ⨯ release failed after 34s               error=received: interrupt
```


erichs commented Aug 14, 2022

Got the same results in GitHub Actions with goreleaser-action@v3, using cosign-installer v2.5.0 (which defaults to release 1.10.0 currently).

Also, got the same result (PKCE S256 required) when attempting a local cosign with:

```
GitVersion:    1.10.1
GitCommit:     a39ce91fadc582e0efce3321744a79ccd3c8b39c
GitTreeState:  "clean"
BuildDate:     2022-08-04T16:59:14Z
GoVersion:     go1.18.5
Compiler:      gc
Platform:      darwin/amd64
```

In case that helps.


dlorenc commented Aug 14, 2022

cc @bobcallaway
