mayaCostantini / sigstore-keycloak-setup

A guide for setting up Sigstore with Keycloak as an identity provider
GNU General Public License v3.0
4 stars 0 forks source link

issue while signing (sigstore-keycloak-setup) #2

Open VikramPunnam opened 1 year ago

VikramPunnam commented 1 year ago

Hi @mayaCostantini , the guide which you wrote is very helpful for local sigstore setup.

I have configured the keycloak and fulcio as mentioned, but Im getting the below error.

main.go:74: error during command execution: signing [qa-harbor.crisil.local/eks/alpine:1.27.4]: getting signer: getting key from Fulcio: retrieving cert: oauth2: "invalid_grant" "Code not valid"

If you have any idea,

Could you please help on this?

mayaCostantini commented 1 year ago

Hi @VikramPunnam, thanks! Could you please provide the command you ran and a full stack trace of the error?

VikramPunnam commented 1 year ago

Here it is the full trace,

(base) [ec2-user@mum1bado1q04 sigstore]$ cosign sign --fulcio-url https://dev-fulcio.crisil.com --oidc-issuer https://qa-keycloak.crisil.local/realms/sigstore --oidc-client-id='sigstore' --oidc-client-secret-file='secret' --rekor-url https://dev-rekor.crisil.com qa-harbor.crisil.local/eks/alpine:1.27.4 Generating ephemeral keys... Retrieving signed certificate...

    The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
    Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
    This may include the email address associated with the account with which you authenticate your contractual Agreement.
    This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above. Are you sure you would like to continue? [y/N] y error opening browser: exec: "xdg-open": executable file not found in $PATH Go to the following link in a browser:

     https://qa-keycloak.crisil.local/realms/sigstore/protocol/openid-connect/auth?access_type=online&client_id=sigstore&code_challenge=57CUh0toaK-qYF9fKkMLFyxvQmem6btGM7O-wTZMud0&code_challenge_method=S256&nonce=2WyZsTEYtSGwVvWkrSowp0mQbrd&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&scope=openid+email&state=2WyZsS42vXuL29I1AQ0YiM18q8Q

Enter verification code: 84436eec-df9d-46c8-84c0-e8fd82207a43.a6e62f89-c5da-4ef3-a7ad-5e320944d296.c495c10d-393a-41d1-b58e-6759f95828ed

Error: signing [qa-harbor.crisil.local/eks/alpine:1.27.4]: getting signer: getting key from Fulcio: retrieving cert: oauth2: "invalid_grant" "Code not valid" main.go:74: error during command execution: signing [qa-harbor.crisil.local/eks/alpine:1.27.4]: getting signer: getting key from Fulcio: retrieving cert: oauth2: "invalid_grant" "Code not valid"

config.json: config.json: |- { "OIDCIssuers": { "https://qa-keycloak.crisil.local/realms/sigstore": { "ClientID": "sigstore", "IssuerURL": "https://qa-keycloak.crisil.local/realms/sigstore", "Type": "email" } } }

mayaCostantini commented 1 year ago

I think this might either be an issue with your Keycloak realm/client config or with the verification code itself (it might have already been used or timed out). Could you also provide your Keycloak config?

VikramPunnam commented 1 year ago

yes,

The issue is with the keycloak config. The client token is valid only once.

I have tried with new client token. but getting different issue.

(base) [ec2-user@mum1bado1q04 sigstore]$ cosign sign --fulcio-url https://dev-fulcio.crisil.com --oidc-issuer https://qa-keycloak.crisil.local/realms/sigstore --oidc-client-id='sigstore' --oidc-client-secret-file='secret' --rekor-url https://dev-rekor.crisil.com qa-harbor.crisil.local/eks/alpine:1.27.4 Generating ephemeral keys... Retrieving signed certificate...

    The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
    Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
    This may include the email address associated with the account with which you authenticate your contractual Agreement.
    This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above. Are you sure you would like to continue? [y/N] y error opening browser: exec: "xdg-open": executable file not found in $PATH Go to the following link in a browser:

     https://qa-keycloak.crisil.local/realms/sigstore/protocol/openid-connect/auth?access_type=online&client_id=sigstore&code_challenge=Vz8lPv-yNvvso6ywxkWGe2CAi5ti2d0pDn9qRR93gpw&code_challenge_method=S256&nonce=2WynijkoKIqBNgNZWUySGyX0roN&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&scope=openid+email&state=2WynimbguQpw7UpUbAu6MGDno6M

Enter verification code: 0a448d9d-a6df-43ac-8f0f-02355e56e925.00966ac9-1387-497a-a59a-81a0caea411d.c495c10d-393a-41d1-b58e-6759f95828ed

Error: signing [qa-harbor.crisil.local/eks/alpine:1.27.4]: getting signer: getting key from Fulcio: retrieving cert: POST https://dev-fulcio.crisil.com/api/v1/signingCert returned 500 Internal Server Error: "{\"code\":13, \"message\":\"Error entering certificate in CTL\", \"details\":[]}" main.go:74: error during command execution: signing [qa-harbor.crisil.local/eks/alpine:1.27.4]: getting signer: getting key from Fulcio: retrieving cert: POST https://dev-fulcio.crisil.com/api/v1/signingCert returned 500 Internal Server Error: "{\"code\":13, \"message\":\"Error entering certificate in CTL\", \"details\":[]}"

mayaCostantini commented 1 year ago

Error entering certificate in CTL could be caused by different issues with Fulcio's CTL, you might want to check the CTL server logs directly, a more precise stack trace should be visible there.