[bug] Creating and signing provenance fails because retrieving signed certificate fails. · Issue #1163 · slsa-framework/slsa-github-generator · GitHub

[bug] Creating and signing provenance fails because retrieving signed certificate fails. #1163

@jenstroeger

Description

Describe the bug

Creating signed provenance fails with

##[debug]/usr/bin/bash --noprofile --norc -e -o pipefail /home/runner/work/_temp/12f3ed8f-b71f-4b24-816e-9adc5a6a9d03.sh
Retrieving signed certificate...

        Note that there may be personally identifiable information associated with this signed artifact.
        This may include the email address associated with the account with which you authenticate.
        This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later.
validating log entry: unable to fetch Rekor public keys from TUF repository, and not trusting the Rekor API for fetching public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key
remote status:{
	"mirror": "sigstore-tuf-root",
	"metadata": {
		"root.json": {
			"version": 5,
			"len": 6388,
			"expiration": "18 Apr 23 18:13 UTC",
			"error": ""
		},
		"snapshot.json": {
			"version": 53,
			"len": 1973,
			"expiration": "10 Nov 22 21:10 UTC",
			"error": ""
		},
		"targets.json": {
			"version": 5,
			"len": 4188,
			"expiration": "18 Apr 23 18:13 UTC",
			"error": ""
		},
		"timestamp.json": {
			"version": 53,
			"len": 719,
			"expiration": "03 Nov 22 21:10 UTC",
			"error": ""
		}
	}
}
Error: Process completed with exit code 1.
##[debug]Finishing: Create and sign provenance

To Reproduce

This happens in a private repository, based on this job:

  provenance:
    needs: build
    # The generator should be referenced with a semantic version.
    # The build will fail if we reference it using the commit sha.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
    with:
      base64-subjects: ${{ needs.build.outputs.artifacts-sha256 }}
    permissions:
      actions: read # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write # To add assets to a release.

Expected behavior

Finish successfully.

Screenshots

Additional context

I’m going to be honest: I’m trying to convince people in my org to integrate SLSA into the CI and build processes, but it’s getting harder when the actions break with different issues every other week.

I just updated to v1.2.1 and hope that’ll work.
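The "remote status" block in the log above lists each TUF metadata file with its version and expiration, and two of them (timestamp.json and snapshot.json) carry expirations in early November 2022. The following Go program is an added example, not code from the issue or from slsa-github-generator/cosign: it pulls that JSON out of a log excerpt and reports which metadata files were already expired at a given point in time, which is the first thing to check when a signing step fails while refreshing its TUF root. The field names come from the log; the log excerpt is copied from the issue, and the reference times used in main are constructed. Note that the error text reported here is "tuf: invalid key", which is a key-verification failure, so an expiry check like this narrows the diagnosis but does not by itself explain that message.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleLog is the tail of the failing step's output, copied from the issue.
const sampleLog = `validating log entry: unable to fetch Rekor public keys from TUF repository, and not trusting the Rekor API for fetching public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key
remote status:{
	"mirror": "sigstore-tuf-root",
	"metadata": {
		"root.json": {"version": 5, "len": 6388, "expiration": "18 Apr 23 18:13 UTC", "error": ""},
		"snapshot.json": {"version": 53, "len": 1973, "expiration": "10 Nov 22 21:10 UTC", "error": ""},
		"targets.json": {"version": 5, "len": 4188, "expiration": "18 Apr 23 18:13 UTC", "error": ""},
		"timestamp.json": {"version": 53, "len": 719, "expiration": "03 Nov 22 21:10 UTC", "error": ""}
	}
}
Error: Process completed with exit code 1.`

// tufStatus mirrors the "remote status" object printed by the TUF client.
// Field names are taken from the log; the struct is this example's own.
type tufStatus struct {
	Mirror   string                 `json:"mirror"`
	Metadata map[string]tufMetaFile `json:"metadata"`
}

type tufMetaFile struct {
	Version    int    `json:"version"`
	Len        int    `json:"len"`
	Expiration string `json:"expiration"` // formatted like "03 Nov 22 21:10 UTC"
	Error      string `json:"error"`
}

// ExtractRemoteStatus returns the JSON object that follows the
// "remote status:" marker in the log text, or false if there is none.
func ExtractRemoteStatus(logText string) (string, bool) {
	const marker = "remote status:"
	i := strings.Index(logText, marker)
	if i < 0 {
		return "", false
	}
	rest := logText[i+len(marker):]
	start := strings.Index(rest, "{")
	end := strings.LastIndex(rest, "}")
	if start < 0 || end < start {
		return "", false
	}
	return rest[start : end+1], true
}

// StaleMetadata parses the status JSON and returns the names of metadata
// files whose expiration is at or before now, sorted for stable output.
// The expiration strings match Go's time.RFC822 layout ("02 Jan 06 15:04 MST").
func StaleMetadata(statusJSON []byte, now time.Time) ([]string, error) {
	var st tufStatus
	if err := json.Unmarshal(statusJSON, &st); err != nil {
		return nil, fmt.Errorf("parse remote status: %w", err)
	}
	var stale []string
	for name, f := range st.Metadata {
		exp, err := time.Parse(time.RFC822, f.Expiration)
		if err != nil {
			return nil, fmt.Errorf("%s: bad expiration %q: %w", name, f.Expiration, err)
		}
		if !exp.After(now) {
			stale = append(stale, name)
		}
	}
	sort.Strings(stale)
	return stale, nil
}

func main() {
	js, ok := ExtractRemoteStatus(sampleLog)
	if !ok {
		fmt.Println("no remote status block found")
		return
	}
	// Constructed reference time: the log itself does not record when the job ran.
	now := time.Date(2022, time.November, 5, 0, 0, 0, 0, time.UTC)
	stale, err := StaleMetadata([]byte(js), now)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("expired as of %s: %v\n", now.Format(time.RFC822), stale)
}
```

Run it as-is and it reports timestamp.json as already expired on the constructed date; move the reference time past 10 Nov 22 and snapshot.json joins it. A stale timestamp or snapshot means the client must obtain fresh metadata from the mirror before it can verify anything, so a failure at that refresh step is worth examining separately from the artifact being signed.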

Metadata

Assignees

No one assigned

Labels

area:container (Issue with the generic container generator)
area:generic (Issue with the generic generator)
area:go (Issue related to the Go ecosystem)
type:bug (Something isn't working)