Generating ephemeral keys...
Retrieving signed certificate...
Note that there may be personally identifiable information associated with this signed artifact.
This may include the email address associated with the account with which you authenticate.
This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later.
2024/07/04 13:12:30 error signing scorecard json results: error signing payload: getting key from Fulcio: verifying SCT: updating local metadata and targets: error updating to TUF remote mirror: invalid key
remote status:{
"mirror": "https://sigstore-tuf-root.storage.googleapis.com/",
"metadata": {
"root.json": {
"version": 9,
"len": 6766,
"expiration": "12 Sep 24 06:53 UTC",
"error": ""
},
"snapshot.json": {
"version": 147,
"len": 2302,
"expiration": "23 Jul 24 16:06 UTC",
"error": ""
},
"targets.json": {
"version": 9,
"len": 5478,
"expiration": "12 Sep 24 06:13 UTC",
"error": ""
},
"timestamp.json": {
"version": 199,
"len": 723,
"expiration": "09 Jul 24 16:06 UTC",
"error": ""
}
}
}
ANALYSIS
It appears that this issue is occurring on the step that is uploading the results to the Step Security API. This will be disabled.
ISSUE
The newly added Step Security Harden Runner jobs jobs are failing when attempting to sign/upload artifacts:
ANALYSIS
It appears that this issue is occurring on the step that is uploading the results to the Step Security API. This will be disabled.