jenkinsci / in-toto-plugin

A Jenkins plugin to track steps and create in-toto link metadata
https://plugins.jenkins.io/in-toto/
MIT License

Not able to read keys from Jenkins slave workspace #35

Open SaiJyothiGudibandi opened 1 year ago

SaiJyothiGudibandi commented 1 year ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.263.4
OS: Linux - 3.10.0-862.14.4.el7.x86_64
---
ace-editor:1.1 analysis-model-api:10.5.4 ansicolor:1.0.0 ant:1.11 antisamy-markup-formatter:2.1 apache-httpcomponents-client-4-api:4.5.13-1.0 artifactory:3.13.0 authentication-tokens:1.4 basic-branch-build-strategies:1.3.2 bitbucket-approve:1.0.3 bitbucket-build-status-notifier:1.4.2 bitbucket-oauth:0.10 bitbucket-pullrequest-builder:1.5.0 bitbucket-push-and-pull-request:2.7.2 blackduck-detect:2.1.1 blueocean:1.24.8 blueocean-autofavorite:1.2.4 blueocean-bitbucket-pipeline:1.24.8 blueocean-commons:1.24.8 blueocean-config:1.24.8 blueocean-core-js:1.24.8 blueocean-dashboard:1.24.8 blueocean-display-url:2.4.1 blueocean-events:1.24.8 blueocean-git-pipeline:1.24.8 blueocean-github-pipeline:1.24.8 blueocean-i18n:1.24.8 blueocean-jira:1.24.8 blueocean-jwt:1.24.8 blueocean-personalization:1.24.8 blueocean-pipeline-api-impl:1.24.8 blueocean-pipeline-editor:1.24.8 blueocean-pipeline-scm-api:1.24.8 blueocean-rest:1.24.8 blueocean-rest-impl:1.24.8 blueocean-web:1.24.8 bootstrap4-api:4.6.0-3 bootstrap5-api:5.1.1-1 bouncycastle-api:2.23 branch-api:2.6.2 build-name-setter:2.1.0 build-timeout:1.20 caffeine-api:2.9.2-29.v717aac953ff3 checks-api:1.7.2 cloudbees-bitbucket-branch-source:2.9.10 cloudbees-folder:6.16 clover:4.12.1 cobertura:1.16 code-coverage-api:1.4.0 command-launcher:1.6 config-file-provider:3.8.0 credentials:2.6.1 credentials-binding:1.27 cvs:2.19 dashboard-view:2.16 data-tables-api:1.11.3-1 description-setter:1.10 display-url-api:2.3.5 docker-build-step:2.8 docker-commons:1.17 docker-java-api:3.1.5.2 docker-plugin:1.2.3 docker-workflow:1.26 dtkit-api:3.0.0 durable-task:1.37 echarts-api:5.2.1-2 email-ext:2.83 embeddable-build-status:2.0.3 envinject:2.3.0 envinject-api:1.7 extended-choice-parameter:0.82 extensible-choice-parameter:1.8.0 external-monitor-job:1.7 favorite:2.3.2 folder-auth:1.3 folder-properties:1.2.1 font-awesome-api:5.15.4-1 forensics-api:1.3.0
gcp-secrets-manager-credentials-provider:0.2.6 generic-webhook-trigger:1.75 ghprb:1.42.2 git:4.8.2 git-client:3.9.0 git-server:1.9 github:1.34.0 github-api:1.123 github-branch-source:2.9.9 github-checks:1.0.13 github-oauth:0.33 github-organization-folder:1.6 github-pr-coverage-status:2.1.1 github-pullrequest:0.3.0 global-build-stats:1.5 google-chat-notification:1.4 google-compute-engine:4.3.11 google-hangouts-chat-notifier:1.0 google-kubernetes-engine:0.8.6 google-metadata-plugin:0.3.1 google-oauth-plugin:1.0.6 google-storage-plugin:1.5.4 gradle:1.37.1 greenballs:1.15.1 h2-api:1.4.199 handlebars:3.0.8 handy-uri-templates-2-api:2.1.8-1.0 hashicorp-vault-plugin:3.8.0 htmlpublisher:1.25 http_request:1.10 icon-shim:2.0.3 in-toto:0.3.1 ivy:2.1 jackson2-api:2.12.4 jacoco:3.2.0 javadoc:1.6 jaxb:2.3.0.1 jdk-tool:1.5 jenkins-design-language:1.24.8 jenkins-jira-issue-updater:1.18 jira:3.3 jira-steps:1.6.0 jjwt-api:0.11.2-9.c8b45b8bb173 job-dsl:1.77 job-import-plugin:3.4 jobConfigHistory:2.28.1 jobrevision:0.6 join:1.21 jquery:1.12.4-1 jquery-detached:1.2.1 jquery3-api:3.6.0-2 jsch:0.1.55.2 junit:1.52 kubernetes:1.30.1 kubernetes-client-api:5.4.1 kubernetes-credentials:0.9.0 ldap:1.26 lockable-resources:2.11 locks-and-latches:0.6 log-parser:2.1 mailer:1.34 mapdb-api:1.0.9.0 matrix-auth:2.6.8 matrix-project:1.18 maven-plugin:3.8 mercurial:2.15 metrics:4.0.2.8 momentjs:1.1.1 monitoring:1.88.0 multibranch-build-strategy-extension:1.0.10 multibranch-scan-webhook-trigger:1.0.9 multiple-scms:0.6 nodejs:1.4.0 oauth-credentials:0.4 okhttp-api:3.14.9 pam-auth:1.6 percentage-du-node-column:0.1.0 pipeline-build-step:2.15 pipeline-github:2.7 pipeline-github-lib:1.0 pipeline-githubnotify-step:1.0.5 pipeline-graph-analysis:1.11 pipeline-input-step:2.12 pipeline-maven:3.10.0 pipeline-milestone-step:1.3.2 pipeline-model-api:1.9.1 pipeline-model-declarative-agent:1.1.1 pipeline-model-definition:1.9.1 pipeline-model-extensions:1.9.1 pipeline-rest-api:2.19 pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.9.1 pipeline-stage-view:2.19 pipeline-utility-steps:2.8.0 plain-credentials:1.7 plugin-util-api:2.5.0 popper-api:1.16.1-2 popper2-api:2.10.2-1 postbuild-task:1.9 pubsub-light:1.13 python:1.3 qualys-cs:1.6.2.5 resource-disposer:0.16 role-strategy:3.2.0 run-condition:1.5 scm-api:2.6.5 scm-filter-branch-pr:0.5.1 script-security:1.78 shared-objects:0.44 simple-build-for-pipeline:0.2 slack:2.48 snakeyaml-api:1.29.1 sonar:2.13.1 sonarqube-generic-coverage:1.0 sse-gateway:1.24 ssh-agent:1.22 ssh-credentials:1.18.1 ssh-slaves:1.31.5 stashNotifier:1.20 structs:1.23 subversion:2.14.4 synopsys-coverity:2.4.1 timestamper:1.13 token-macro:2.13 trilead-api:1.0.13 variant:1.4 violation-comments-to-stash:1.127 violations:0.7.11 warnings-ng:9.5.2 webhook-step:1.4 windows-slaves:1.8 workflow-aggregator:2.6 workflow-api:2.46 workflow-basic-steps:2.24 workflow-cps:2.93 workflow-cps-global-lib:2.19 workflow-durable-task-step:2.39 workflow-job:2.41 workflow-multibranch:2.24 workflow-scm-step:2.13 workflow-step-api:2.24 workflow-support:3.8 ws-cleanup:0.39 xml-job-to-job-dsl:0.1.13 xunit:2.3.9
```

What Operating System are you using (both controller, and any agents involved in the problem)?

```text
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
```

Reproduction steps

  1. Using a slave to run the pipeline.
  2. In one of the steps I am using the code below:

     ```groovy
     // Path of the signing key inside the agent workspace
     def keyPathTest = "${WORKSPACE}/resources/keys/cosign"
     sh("chmod 777 ${WORKSPACE}/resources/keys/cosign")
     sh("cat ${WORKSPACE}/resources/keys/cosign")
     // Wrap the step so the plugin records in-toto link metadata for it
     in_toto_wrap(['stepName': 'Test', 'keyPath': keyPathTest, 'transport': '']) {
         echo "## At parallel 3"
         sh("ls -al")
     }
     ```

  3. The problem is that I am able to see the cosign key and print it, but I get the error `This signing keypath (/tmp/workspace/helm-helloworld_feature-rekor-sg/resources/keys/cosign) does not exist!`.
  4. I tried using a Jenkins credential; same problem with that also.

Note: When I run this code on the master directly, it's able to find the provided key path.

Expected Results

The key should be found in the slave workspace, and the build should proceed with the next step of creating link metadata.

Actual Results

ERROR: Key path or credentialId not found.

Anything else?

No response
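As an added example (not from this issue or from the in-toto plugin project), the report's pipeline with a diagnostic check in front of the wrapped step. `fileExists` and `pwd()` execute on the node running the pipeline body, so the check tells you whether the key is actually visible on that node, and at which absolute path, without printing the key material into the build log. The agent label `linux-agent` and the `checkout scm` step are assumptions; the `in_toto_wrap` parameters are the ones used in the report.

```groovy
// Added example, not part of the issue or the plugin. Runs the body on an
// agent (assumed label 'linux-agent'), resolves the key path as that agent
// sees it, and verifies the file is present there before wrapping the step.
node('linux-agent') {
    // Assumes the job is defined from SCM and the keys directory is in the repo
    checkout scm

    // pwd() is the workspace as seen by this agent and is already absolute
    String keyPath = "${pwd()}/resources/keys/cosign"

    // fileExists runs on the agent, so it answers the question this report
    // raises: is the key visible where the pipeline body executes? Only the
    // path and node name are logged; the key contents never reach the log.
    if (!fileExists(keyPath)) {
        error "Signing key not visible on node ${env.NODE_NAME}: ${keyPath}"
    }
    echo "Signing key located on ${env.NODE_NAME} at ${keyPath}"

    // Same parameters as in the report, with the agent-resolved absolute path
    in_toto_wrap(['stepName': 'Test', 'keyPath': keyPath, 'transport': '']) {
        sh 'ls -al'
    }
}
```

If `fileExists` reports the key present but `in_toto_wrap` still fails with the "does not exist" message, the path is being checked somewhere other than the node that ran `fileExists`, which is the distinction worth including in the stack trace requested below.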

SaiJyothiGudibandi commented 1 year ago

@lakshya8066 Can you please look into this.

adityasaky commented 1 year ago

Hi @SaiJyothiGudibandi, thanks for opening this issue. Are you running into this error specifically? https://github.com/jenkinsci/in-toto-plugin/blob/master/src/main/java/io/jenkins/plugins/intotorecorder/InTotoWrapper.java#L434-L435

I want to confirm it's indeed that and not a key type mismatch. Can you share the stack trace?

SaiJyothiGudibandi commented 1 year ago

@adityasaky Thanks for the response.

I am running the pipeline on a slave. I tried with both a key path and a credential (secret file type).

For the key path I am getting the below error.

adityasaky commented 1 year ago

Hmm, as an initial step, can you try passing in the absolute path to the key?