jetstack / jetstack-secure

Open source components of Jetstack Secure
https://www.jetstack.io/jetstack-secure/
Apache License 2.0

CI: "Generate provenance" fails #545

Open hawksight opened 4 days ago

hawksight commented 4 days ago

The following step in the workflow always seems to fail for quite a while: https://github.com/jetstack/jetstack-secure/blob/master/.github/workflows/release-master.yml#L95-L100

We don't see it because it only runs on the master branch. Given no one has noticed or reported it, I take it it is not a huge issue. But perhaps we should check why it is failing and look to fix it?

maelvls commented 3 days ago

Hey, thanks for raising this. I hadn't noticed the failing builds on master.

For anyone looking at this, the error seems (ex: this build) to be related to the cosign.pub that is pulled from the slsa-provenance-action:

    INFO: Downloading slsa-provenance_0.7.2_linux_amd64.tar.gz.sig from https://github.com/philips-labs/slsa-provenance-action/releases/download/v0.7.2/slsa-provenance_0.7.2_linux_amd64.tar.gz.sig…
    INFO: Downloading cosign.pub from https://github.com/philips-labs/slsa-provenance-action/releases/download/v0.7.2/cosign.pub…
    INFO: Verifying signature…
    Error: signature not found in transparency log
    main.go:74: error during command execution: signature not found in transparency log
    Error: Process completed with exit code 1.

This same issue was seen in https://github.com/philips-labs/slsa-provenance-action/issues/161. Our Makefile does use COSIGN_EXPERIMENTAL=1 (see Makefile), but I can't see why the GitHub Actions workflow would also get this env var set...

The suggested fix is to disable COSIGN_EXPERIMENTAL:

     - name: Generate provenance
       uses: philips-labs/SLSA-Provenance-Action@v0.9.0
       with:
         command: generate
         subcommand: files
         arguments: --artifact-path mock
+      env:
+        COSIGN_EXPERIMENTAL: 0
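Review bot: the snippet pins `philips-labs/SLSA-Provenance-Action@v0.9.0` and passes `--artifact-path mock`, which looks copied from the linked upstream issue rather than from this repository's step (the failing build above downloads the v0.7.2 release assets); when applying it to release-master.yml, add only the `env:` block and keep the workflow's existing action version and artifact path. Note also that `COSIGN_EXPERIMENTAL: 0` makes the error go away by skipping the transparency-log lookup when the downloaded tarball's signature is verified, so the check falls back to verification against cosign.pub alone, which is weaker than the log-backed check; it is worth revisiting once the upstream release signatures are present in the log.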