mayaCostantini
commented
11 months ago Hi @VikramPunnam, thanks! Could you please provide the command you ran and a full stack trace of the error?
Open VikramPunnam opened 11 months ago
mayaCostantini
commented
11 months ago Hi @VikramPunnam, thanks! Could you please provide the command you ran and a full stack trace of the error?
VikramPunnam
commented
11 months ago Here it is the full trace,
(base) [ec2-user@mum1bado1q04 sigstore]$ cosign sign --fulcio-url https://dev-fulcio.crisil.com --oidc-issuer https://qa-keycloak.crisil.local/realms/sigstore --oidc-client-id='sigstore' --oidc-client-secret-file='secret' --rekor-url https://dev-rekor.crisil.com qa-harbor.crisil.local/eks/alpine:1.27.4 Generating ephemeral keys... Retrieving signed certificate...
The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
This may include the email address associated with the account with which you authenticate your contractual Agreement.
This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above. Are you sure you would like to continue? [y/N] y error opening browser: exec: "xdg-open": executable file not found in $PATH Go to the following link in a browser:
https://qa-keycloak.crisil.local/realms/sigstore/protocol/openid-connect/auth?access_type=online&client_id=sigstore&code_challenge=57CUh0toaK-qYF9fKkMLFyxvQmem6btGM7O-wTZMud0&code_challenge_method=S256&nonce=2WyZsTEYtSGwVvWkrSowp0mQbrd&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&scope=openid+email&state=2WyZsS42vXuL29I1AQ0YiM18q8QEnter verification code: 84436eec-df9d-46c8-84c0-e8fd82207a43.a6e62f89-c5da-4ef3-a7ad-5e320944d296.c495c10d-393a-41d1-b58e-6759f95828ed
Error: signing [qa-harbor.crisil.local/eks/alpine:1.27.4]: getting signer: getting key from Fulcio: retrieving cert: oauth2: "invalid_grant" "Code not valid" main.go:74: error during command execution: signing [qa-harbor.crisil.local/eks/alpine:1.27.4]: getting signer: getting key from Fulcio: retrieving cert: oauth2: "invalid_grant" "Code not valid"
config.json: config.json: |- { "OIDCIssuers": { "https://qa-keycloak.crisil.local/realms/sigstore": { "ClientID": "sigstore", "IssuerURL": "https://qa-keycloak.crisil.local/realms/sigstore", "Type": "email" } } }
mayaCostantini
commented
11 months ago I think this might either be an issue with your Keycloak realm/client config or with the verification code itself (it might have already been used or timed out). Could you also provide your Keycloak config?
VikramPunnam
commented
11 months ago yes,
The issue is with the keycloak config. The client token is valid only once.
I have tried with new client token. but getting different issue.
(base) [ec2-user@mum1bado1q04 sigstore]$ cosign sign --fulcio-url https://dev-fulcio.crisil.com --oidc-issuer https://qa-keycloak.crisil.local/realms/sigstore --oidc-client-id='sigstore' --oidc-client-secret-file='secret' --rekor-url https://dev-rekor.crisil.com qa-harbor.crisil.local/eks/alpine:1.27.4 Generating ephemeral keys... Retrieving signed certificate...
The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
This may include the email address associated with the account with which you authenticate your contractual Agreement.
This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above. Are you sure you would like to continue? [y/N] y error opening browser: exec: "xdg-open": executable file not found in $PATH Go to the following link in a browser:
https://qa-keycloak.crisil.local/realms/sigstore/protocol/openid-connect/auth?access_type=online&client_id=sigstore&code_challenge=Vz8lPv-yNvvso6ywxkWGe2CAi5ti2d0pDn9qRR93gpw&code_challenge_method=S256&nonce=2WynijkoKIqBNgNZWUySGyX0roN&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&scope=openid+email&state=2WynimbguQpw7UpUbAu6MGDno6MEnter verification code: 0a448d9d-a6df-43ac-8f0f-02355e56e925.00966ac9-1387-497a-a59a-81a0caea411d.c495c10d-393a-41d1-b58e-6759f95828ed
Error: signing [qa-harbor.crisil.local/eks/alpine:1.27.4]: getting signer: getting key from Fulcio: retrieving cert: POST https://dev-fulcio.crisil.com/api/v1/signingCert returned 500 Internal Server Error: "{\"code\":13, \"message\":\"Error entering certificate in CTL\", \"details\":[]}" main.go:74: error during command execution: signing [qa-harbor.crisil.local/eks/alpine:1.27.4]: getting signer: getting key from Fulcio: retrieving cert: POST https://dev-fulcio.crisil.com/api/v1/signingCert returned 500 Internal Server Error: "{\"code\":13, \"message\":\"Error entering certificate in CTL\", \"details\":[]}"
mayaCostantini
commented
11 months ago Error entering certificate in CTL could be caused by different issues with Fulcio's CTL, you might want to check the CTL server logs directly, a more precise stack trace should be visible there.
Hi @mayaCostantini , the guide which you wrote is very helpful for local sigstore setup.
I have configured the keycloak and fulcio as mentioned, but Im getting the below error.
main.go:74: error during command execution: signing [qa-harbor.crisil.local/eks/alpine:1.27.4]: getting signer: getting key from Fulcio: retrieving cert: oauth2: "invalid_grant" "Code not valid"
If you have any idea,
Could you please help on this?