search

aquaproj / aqua

Declarative CLI Version manager written in Go. Support Lazy Install, Registry, and continuous update with Renovate. CLI version is switched seamlessly
https://aquaproj.github.io
757 stars 32 forks source link

Failed to slsa-verifier when executed `aqua update-aqua` #2892

Closed ponkio-o closed 1 month ago

ponkio-o commented 1 month ago

aqua info

$ aqua info
{
  "version": "2.24.0",
  "commit_hash": "4df269e479ac3364a3430ce77d52572cf01648e5",
  "os": "darwin",
  "arch": "arm64",
  "pwd": "/Users/(USER)",
  "root_dir": "/Users/(USER)/.local/share/aquaproj-aqua",
  "env": {
    "AQUA_GLOBAL_CONFIG": ":/Users/(USER)/.config/aquaproj-aqua/aqua.yaml:/Users/(USER)/.config/aquaproj-aqua/aqua.yaml"
  },
  "config_files": []
}

Overview

When I ran the “aqua update-aqua” failed to slsa-verifer.

How to reproduce

Executed command and output

$ aqua update-aqua
INFO[0000] download and unarchive the package            aqua_version=2.24.0 env=darwin/arm64 new_version=v2.28.0 package_name=aquaproj/aqua package_version=v2.28.0 program=aqua registry=
INFO[0001] verify a package with slsa-verifier           aqua_version=2.24.0 env=darwin/arm64 new_version=v2.28.0 package_name=aquaproj/aqua package_version=v2.28.0 program=aqua registry=
Verifying artifact /var/folders/h8/by3h5l0x2wgfkypz9n784z9r0000gq/T/817949895: FAILED: error searching rekor entries: no matching rekor entries

FAILED: SLSA verification failed: error searching rekor entries: no matching rekor entries
INFO[0017] Verification by slsa-verifier failed temporarily, retring  aqua_version=2.24.0 env=darwin/arm64 new_version=v2.28.0 package_name=aquaproj/aqua package_version=v2.28.0 program=aqua registry= retry_count=1 wait_time=297ms
Verifying artifact /var/folders/h8/by3h5l0x2wgfkypz9n784z9r0000gq/T/817949895: FAILED: error searching rekor entries: no matching rekor entries

FAILED: SLSA verification failed: error searching rekor entries: no matching rekor entries
INFO[0018] Verification by slsa-verifier failed temporarily, retring  aqua_version=2.24.0 env=darwin/arm64 new_version=v2.28.0 package_name=aquaproj/aqua package_version=v2.28.0 program=aqua registry= retry_count=2 wait_time=277ms
Verifying artifact /var/folders/h8/by3h5l0x2wgfkypz9n784z9r0000gq/T/817949895: FAILED: error searching rekor entries: no matching rekor entries

FAILED: SLSA verification failed: error searching rekor entries: no matching rekor entries
INFO[0018] Verification by slsa-verifier failed temporarily, retring  aqua_version=2.24.0 env=darwin/arm64 new_version=v2.28.0 package_name=aquaproj/aqua package_version=v2.28.0 program=aqua registry= retry_count=3 wait_time=741ms
Verifying artifact /var/folders/h8/by3h5l0x2wgfkypz9n784z9r0000gq/T/817949895: FAILED: error searching rekor entries: no matching rekor entries

FAILED: SLSA verification failed: error searching rekor entries: no matching rekor entries
INFO[0020] Verification by slsa-verifier failed temporarily, retring  aqua_version=2.24.0 env=darwin/arm64 new_version=v2.28.0 package_name=aquaproj/aqua package_version=v2.28.0 program=aqua registry= retry_count=4 wait_time=242ms
Verifying artifact /var/folders/h8/by3h5l0x2wgfkypz9n784z9r0000gq/T/817949895: FAILED: error searching rekor entries: no matching rekor entries

FAILED: SLSA verification failed: error searching rekor entries: no matching rekor entries
FATA[0020] aqua failed                                   aqua_version=2.24.0 env=darwin/arm64 error="download aqua: verify a package with slsa-verifier: verify with slsa-verifier" new_version=v2.28.0 program=aqua

Debug output

$ AQUA_LOG_LEVEL=debug aqua update-aqua 
DEBU[0000] match the version_constraint                  aqua_version=2.24.0 env=darwin/arm64 new_version=v2.28.0 package_semver=v2.28.0 package_version=v2.28.0 program=aqua version_constraint="semver(\">= 2.17.0\")"
DEBU[0000] installing the package                        aqua_version=2.24.0 env=darwin/arm64 new_version=v2.28.0 package_name=aquaproj/aqua package_version=v2.28.0 program=aqua registry=
DEBU[0000] check if the package is already installed     aqua_version=2.24.0 env=darwin/arm64 new_version=v2.28.0 package_name=aquaproj/aqua package_version=v2.28.0 program=aqua registry=
INFO[0000] download and unarchive the package            aqua_version=2.24.0 env=darwin/arm64 new_version=v2.28.0 package_name=aquaproj/aqua package_version=v2.28.0 program=aqua registry=
INFO[0001] verify a package with slsa-verifier           aqua_version=2.24.0 env=darwin/arm64 new_version=v2.28.0 package_name=aquaproj/aqua package_version=v2.28.0 program=aqua registry=
DEBU[0001] no version_constraint                         aqua_version=2.24.0 env=darwin/arm64 new_version=v2.28.0 package_name=aquaproj/aqua package_version=v2.28.0 program=aqua registry=
DEBU[0001] installing the package                        aqua_version=2.24.0 env=darwin/arm64 new_version=v2.28.0 package_name=slsa-framework/slsa-verifier package_version=v2.4.1 program=aqua registry=
DEBU[0001] check if the package is already installed     aqua_version=2.24.0 env=darwin/arm64 new_version=v2.28.0 package_name=slsa-framework/slsa-verifier package_version=v2.4.1 program=aqua registry=
DEBU[0001] check the permission                          aqua_version=2.24.0 env=darwin/arm64 file_name=slsa-verifier new_version=v2.28.0 package_name=slsa-framework/slsa-verifier package_version=v2.4.1 program=aqua registry=
Verifying artifact /var/folders/h8/by3h5l0x2wgfkypz9n784z9r0000gq/T/913593922: FAILED: error searching rekor entries: no matching rekor entries

FAILED: SLSA verification failed: error searching rekor entries: no matching rekor entries
INFO[0014] Verification by slsa-verifier failed temporarily, retring  aqua_version=2.24.0 env=darwin/arm64 new_version=v2.28.0 package_name=aquaproj/aqua package_version=v2.28.0 program=aqua registry= retry_count=1 wait_time=368ms
Verifying artifact /var/folders/h8/by3h5l0x2wgfkypz9n784z9r0000gq/T/913593922: FAILED: error searching rekor entries: no matching rekor entries

FAILED: SLSA verification failed: error searching rekor entries: no matching rekor entries
INFO[0015] Verification by slsa-verifier failed temporarily, retring  aqua_version=2.24.0 env=darwin/arm64 new_version=v2.28.0 package_name=aquaproj/aqua package_version=v2.28.0 program=aqua registry= retry_count=2 wait_time=417ms
Verifying artifact /var/folders/h8/by3h5l0x2wgfkypz9n784z9r0000gq/T/913593922: FAILED: error searching rekor entries: no matching rekor entries

FAILED: SLSA verification failed: error searching rekor entries: no matching rekor entries
INFO[0016] Verification by slsa-verifier failed temporarily, retring  aqua_version=2.24.0 env=darwin/arm64 new_version=v2.28.0 package_name=aquaproj/aqua package_version=v2.28.0 program=aqua registry= retry_count=3 wait_time=750ms
Verifying artifact /var/folders/h8/by3h5l0x2wgfkypz9n784z9r0000gq/T/913593922: FAILED: error searching rekor entries: no matching rekor entries

FAILED: SLSA verification failed: error searching rekor entries: no matching rekor entries
INFO[0017] Verification by slsa-verifier failed temporarily, retring  aqua_version=2.24.0 env=darwin/arm64 new_version=v2.28.0 package_name=aquaproj/aqua package_version=v2.28.0 program=aqua registry= retry_count=4 wait_time=594ms
Verifying artifact /var/folders/h8/by3h5l0x2wgfkypz9n784z9r0000gq/T/913593922: FAILED: error searching rekor entries: no matching rekor entries

FAILED: SLSA verification failed: error searching rekor entries: no matching rekor entries
FATA[0018] aqua failed                                   aqua_version=2.24.0 env=darwin/arm64 error="download aqua: verify a package with slsa-verifier: verify with slsa-verifier" new_version=v2.28.0 program=aqua

Expected behaviour

Successful completion of the update.

Actual behaviour

Error occur when performing update.

Note

No response

ponkio-o commented 1 month ago

And suzuki-shunsuke/tfmct is same behavior.

$ tfcmt
INFO[0000] download and unarchive the package            aqua_version=2.24.0 env=darwin/arm64 exe_name=tfcmt package_name=suzuki-shunsuke/tfcmt package_version=v4.9.1 program=aqua registry=standard
INFO[0000] verify a package with slsa-verifier           aqua_version=2.24.0 env=darwin/arm64 exe_name=tfcmt package_name=suzuki-shunsuke/tfcmt package_version=v4.9.1 program=aqua registry=standard
Verifying artifact /var/folders/h8/by3h5l0x2wgfkypz9n784z9r0000gq/T/291919139: FAILED: error searching rekor entries: no matching rekor entries

FAILED: SLSA verification failed: error searching rekor entries: no matching rekor entries
INFO[0005] Verification by slsa-verifier failed temporarily, retring  aqua_version=2.24.0 env=darwin/arm64 exe_name=tfcmt package_name=suzuki-shunsuke/tfcmt package_version=v4.9.1 program=aqua registry=standard retry_count=1 wait_time=882ms
Verifying artifact /var/folders/h8/by3h5l0x2wgfkypz9n784z9r0000gq/T/291919139: FAILED: error searching rekor entries: no matching rekor entries

FAILED: SLSA verification failed: error searching rekor entries: no matching rekor entries
INFO[0011] Verification by slsa-verifier failed temporarily, retring  aqua_version=2.24.0 env=darwin/arm64 exe_name=tfcmt package_name=suzuki-shunsuke/tfcmt package_version=v4.9.1 program=aqua registry=standard retry_count=2 wait_time=410ms
Verifying artifact /var/folders/h8/by3h5l0x2wgfkypz9n784z9r0000gq/T/291919139: FAILED: error searching rekor entries: no matching rekor entries

FAILED: SLSA verification failed: error searching rekor entries: no matching rekor entries
INFO[0012] Verification by slsa-verifier failed temporarily, retring  aqua_version=2.24.0 env=darwin/arm64 exe_name=tfcmt package_name=suzuki-shunsuke/tfcmt package_version=v4.9.1 program=aqua registry=standard retry_count=3 wait_time=355ms
Verifying artifact /var/folders/h8/by3h5l0x2wgfkypz9n784z9r0000gq/T/291919139: FAILED: error searching rekor entries: no matching rekor entries

FAILED: SLSA verification failed: error searching rekor entries: no matching rekor entries
INFO[0013] Verification by slsa-verifier failed temporarily, retring  aqua_version=2.24.0 env=darwin/arm64 exe_name=tfcmt package_name=suzuki-shunsuke/tfcmt package_version=v4.9.1 program=aqua registry=standard retry_count=4 wait_time=156ms
Verifying artifact /var/folders/h8/by3h5l0x2wgfkypz9n784z9r0000gq/T/291919139: FAILED: error searching rekor entries: no matching rekor entries

FAILED: SLSA verification failed: error searching rekor entries: no matching rekor entries
FATA[0014] aqua failed                                   aqua_version=2.24.0 env=darwin/arm64 error="install the package: verify a package with slsa-verifier: verify with slsa-verifier" exe_name=tfcmt package_name=suzuki-shunsuke/tfcmt package_version=v4.9.1 program=aqua
suzuki-shunsuke commented 1 month ago

This is a known issue. You use aqua v2.24.0, which is too old.

aqua update-aqua doesn't work with aqua v2.24.0, so how about installing the latest aqua by aqua-installer? https://aquaproj.github.io/docs/products/aqua-installer#shell-script

ponkio-o commented 1 month ago

Oh sorry, I forgot that there was an announcement... (I reacted +1 this discussion 😂

ponkio-o commented 1 month ago

This issue resolved and close.