Fail to install tools because of the error of Cosign

[suzuki-shunsuke]

aqua info

aqua v2.25.0

Overview

aqua uses Cosign v1.

https://aquaproj.github.io/docs/reference/security/cosign-slsa/#verify-packages-with-cosign

Recently, Sigstore has published a new TUF trust root.

https://sigstore.slack.com/archives/C01DGF0G8U9/p1710871645742299

https://blog.sigstore.dev/tuf-root-update/

A new TUF trust root doesn't support Cosign v1 but aqua is still using Cosign v1, so aqua fails to install tools which enable Cosign verification. Due to the issue, aqua-installer can't install aqua.

To solve the issue, we have two options.

• Disable Cosign verification until we upgrade Cosign to v2
  • https://github.com/aquaproj/aqua/pull/2758
  • https://github.com/aquaproj/aqua-installer/pull/605
  • https://github.com/aquaproj/circleci-orb-aqua/pull/537
  • https://aquaproj.github.io/docs/reference/security/cosign-slsa/#how-to-disable-cosign-and-slsa
• Upgrade Cosign to v2 https://github.com/aquaproj/aqua/issues/1665
  • https://github.com/aquaproj/aqua/pull/2757

How to reproduce

Run aqua-installer or aqua update-aqua.

Debug output

$ 

Expected behaviour

aqua and aqua-installer can install tools.

Actual behaviour

It fails to instal tools.

https://github.com/aquaproj/aqua-registry/actions/runs/8355302244/job/22870132650

time="2024-03-20T07:35:36Z" level=info msg="Verification by Cosign failed temporarily, retring" aqua_version=2.25.0 env=linux/amd64 exe_name=aqua-registry package_name=aquaproj/registry-tool package_version=v0.2.3 program=aqua registry=standard retry_count=1 wait_time=459ms
Error: verifying blob [/tmp/091089404]: getting Fulcio roots: initializing tuf: unable to initialize client, local cache may be corrupt: invalid key
main.go:62: error during command execution: verifying blob [/tmp/091089404]: getting Fulcio roots: initializing tuf: unable to initialize client, local cache may be corrupt: invalid key

Note

No response

[suzuki-shunsuke]

About aqua-installer, we solve this issue by disabling cosign verification temporarily.

• https://github.com/aquaproj/aqua-installer/pull/605
• https://github.com/aquaproj/aqua-installer/releases/tag/v2.3.1

[suzuki-shunsuke]

What to do when you face the issue

• Upgrade aqua to v2.2.0 or newer
  • aqua v2.22.0 supports disabling Cosign and SLSA verification
• Update aqua-installer to v2.3.1 v2.3.2 or newer
• Update circleci-orb-aqua to 0.3.4 or newer
• Disable Cosign verification until we upgrade Cosign to v2
  • https://aquaproj.github.io/docs/reference/security/cosign-slsa/#how-to-disable-cosign-and-slsa
  • aqua-installer (GitHub Action) v2.3.2 disables Cosign verification, so you don't have to disable it yourself

export AQUA_DISABLE_COSIGN=true
export AQUA_DISABLE_SLSA=true

GitHub Actions Workflows

env:
  AQUA_DISABLE_COSIGN: "true"
  AQUA_DISABLE_SLSA: "true"

[suzuki-shunsuke]

We're working on upgrading Cosign to v2, but it is being blocked by https://github.com/slsa-framework/slsa-github-generator/issues/3350 . We're waiting for a new release of slsa-github-generator.

[suzuki-shunsuke]

v2.25.1 is out 🎉 https://github.com/aquaproj/aqua/releases/tag/v2.25.1

[suzuki-shunsuke]

Announced.

• https://github.com/orgs/aquaproj/discussions/2768
• https://twitter.com/aquaclivm/status/1771011230125498394