ossf / scorecard-action

Official GitHub Action for OpenSSF Scorecard.
Apache License 2.0

Scorecard workflow is failing: error signing scorecard json results #997

Closed miguelnietoa closed 2 years ago

miguelnietoa commented 2 years ago

Description

Hi there! 👋🏻

I don't know why my Scorecard workflow failed. See https://github.com/kommitters/editorjs-tooltip/actions/runs/3333046579/jobs/5514733112

2022/10/26 22:50:17 error signing scorecard json results: error signing payload: getting key from Fulcio: verifying SCT: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key
remote status:{
    "mirror": "https://sigstore-tuf-root.storage.googleapis.com/",
    "metadata": {
        "root.json": {
            "version": 5,
            "len": 6388,
            "expiration": "18 Apr 23 18:13 UTC",
            "error": ""
        },
        "snapshot.json": {
            "version": 53,
            "len": 1973,
            "expiration": "10 Nov 22 21:10 UTC",
            "error": ""
        },
        "targets.json": {
            "version": 5,
            "len": 4188,
            "expiration": "18 Apr 23 18:13 UTC",
            "error": ""
        },
        "timestamp.json": {
            "version": 53,
            "len": 719,
            "expiration": "03 Nov 22 21:10 UTC",
            "error": ""
        }
    }
}

Searching a little bit, I found that the issue https://github.com/systemd/systemd/pull/25054#issuecomment-1282671974 had the same problem.

Any idea on how to solve it?

spencerschrock commented 2 years ago

This error looks like it's coming from inside https://github.com/sigstore/cosign and https://github.com/sigstore/sigstore. I notice your workflow is using an older version of scorecard-action (v2.0.2) https://github.com/kommitters/editorjs-tooltip/blob/f9239e0ae59d4d222598da8a359d33ffeb370b9e/.github/workflows/scorecards.yml#L29-L30

sigstore/cosign had some breaking changes between the version we used in 2.0.2 and the version currently used in 2.0.6. Can you try updating your scorecard action to our latest release (tag v2.0.6, commit SHA 99c53751e09b9529366343771cc321ec74e9bd3d) and see if the issue persists?

asraa commented 2 years ago

Hey, this is a known issue, and requires a bump of sigstore/sigstore (pulled through sigstore/cosign). sigstore/cosign v1.13.1 has the fix.

EDIT: see below, v1.13.0+

asraa commented 2 years ago

Related: https://github.com/sigstore/cosign/issues/2390 https://github.com/slsa-framework/slsa-github-generator/issues/1163

for more context: https://github.com/slsa-framework/slsa-github-generator/issues/1163#issuecomment-1293340081

miguelnietoa commented 2 years ago

Thanks a lot for your answers, guys! @spencerschrock @asraa

I got a question: If sigstore/cosign v1.13.1 has the fix, then shouldn't a new version of scorecard-action (v2.0.7) be released? Since scorecard-action v2.0.6 has sigstore/cosign v1.13.0 instead of v1.13.1.

asraa commented 2 years ago

I think so:

FWIW we had a similar problem in slsa-github-generators. We are working to add some stability to detect these changes by being able to test against Sigstore's staging and pre-prod environments. @spencerschrock @azeemsgoogle please get in touch if you need to do this as well, we can synch on steps.

asraa commented 2 years ago

Correction, @spencerschrock got me :)

cosign v1.13.0 had the fix too.

naveensrinivasan commented 2 years ago

Going to close this. Please reopen if it is an issue. Thanks

echeran commented 7 months ago

Our project's repo was using v2 for the last several months, at least, but for some reason, this issue only started occurring yesterday (example). The good news is updating to the latest version, v2.3.1, worked.

(Note: I first tried using a less recent version, v2.1.3, which still comes after v2.0.6, but that didn't work in my testing.)

spencerschrock commented 7 months ago

> Our project's repo was using v2 for the last several months, at least, but for some reason, this issue only started occurring yesterday (example). The good news is updating to the latest version, v2.3.1, worked.

This was due to a change Sigstore made: https://blog.sigstore.dev/tuf-root-update/ Only v2.3.1 uses a new enough version of cosign.
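
As an added example, not part of this thread or of the scorecard-action project: a small Python audit that scans a workflow file for `ossf/scorecard-action@<ref>` steps and reports refs that are release tags below v2.3.1 (the minimum named in the comment above), floating refs such as `v2` or a branch name that may resolve to an old release, and SHA pins like the v2.0.6 commit quoted earlier in the thread, whose version is only known from the trailing comment. The sample workflow text is constructed for the example; the v2.3.1 threshold and the 99c53751... SHA are the only values taken from the discussion.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Oldest scorecard-action release that ships a cosign new enough for the
# rotated Sigstore TUF root, per spencerschrock's comment in this thread.
MIN_VERSION = (2, 3, 1)

# Constructed sample workflow (not a real repository's file). It mixes the
# pinning styles seen in the thread so each code path below is exercised.
SAMPLE_WORKFLOW = """\
name: Scorecard analysis
on:
  schedule:
    - cron: '30 1 * * 6'
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run analysis (old release tag)
        uses: ossf/scorecard-action@v2.0.2
      - name: Run analysis (floating major tag)
        uses: ossf/scorecard-action@v2
      - name: Run analysis (SHA pin of v2.0.6, from the thread)
        uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
      - name: Run analysis (current release)
        uses: ossf/scorecard-action@v2.3.1
"""

# Match only the scorecard action; optional trailing "# vX.Y.Z" comment.
# [ \t]* rather than \s* so a match never swallows a preceding newline.
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*ossf/scorecard-action@(\S+)(?:[ \t]*#[ \t]*(\S+))?",
    re.MULTILINE,
)
SEMVER_RE = re.compile(r"^v(\d+)\.(\d+)\.(\d+)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class Finding(NamedTuple):
    line: int      # 1-based line in the workflow text
    ref: str       # whatever followed '@'
    status: str    # "ok", "outdated" or "check"
    detail: str


def parse_version(ref: Optional[str]) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a vX.Y.Z tag, else None."""
    m = SEMVER_RE.match(ref or "")
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def check_ref(ref: str, comment: Optional[str]) -> Tuple[str, str]:
    """Classify one ref against MIN_VERSION."""
    ver = parse_version(ref)
    if ver is not None:
        if ver >= MIN_VERSION:
            return "ok", f"release tag {ref} is >= v2.3.1"
        return "outdated", f"release tag {ref} is below v2.3.1; upgrade"
    if SHA_RE.match(ref):
        # A SHA pin is the stronger supply-chain control, but the version is
        # only hinted by the comment, which nothing verifies. Treat a hint
        # below the minimum as outdated and anything else as "go confirm".
        hinted = parse_version(comment)
        if hinted is not None and hinted < MIN_VERSION:
            return "outdated", f"SHA pin commented as {comment}, below v2.3.1; repin"
        return "check", "SHA pin; confirm the commit is the tag for a release >= v2.3.1"
    # Branch names and major aliases like 'v2' move; they may lag the fix.
    return "check", f"floating ref {ref!r}; confirm it resolves to >= v2.3.1 or pin a release"


def audit_workflow(text: str) -> List[Finding]:
    """Scan workflow text and return one Finding per scorecard-action step."""
    findings = []
    for m in USES_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        status, detail = check_ref(m.group(1), m.group(2))
        findings.append(Finding(line, m.group(1), status, detail))
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:>3} {f.status:<8} {f.detail}")
```

Point the script at a repository's `.github/workflows/*.yml` instead of `SAMPLE_WORKFLOW` to audit real pins; a "check" result on a SHA is not a failure, it just means the reviewer has to confirm the commit against the release tag, which the comment alone cannot prove.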

aremmell commented 7 months ago

I am experiencing this as of last week-ish. I tried reverting my .github/workflows/scorecard.yml to the one you get when you add Scorecard to your repository just now. No dice:

error signing scorecard json results: error signing payload: getting key from Fulcio: verifying SCT: updating local metadata and targets: error updating to TUF remote mirror: invalid key

Since I don't know what Fulcio or SCT are, I am in the dark. I am unaware of any signing key that I am managing.

spencerschrock commented 7 months ago

Please see above and upgrade scorecard-action to v2.3.1. If you need an example workflow, see the Scorecard repo:

https://github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml

We're working on getting the starter workflow fixed.