sigstore / cosign-gatekeeper-provider

🔮 ✈️ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures
Apache License 2.0

`cosign` v1.13.1 and fix the `creating root cert pool` / `one of verifier or root certs is required` errors #26

Closed mathieu-benoit closed 1 year ago

mathieu-benoit commented 1 year ago

Signed-off-by: Mathieu Benoit <mathieu-benoit@hotmail.fr>

Bump cosign from v1.3.1 to v1.13.1.

Fixing the errors:

verify signature for: devopps/alpine:signed
2023/02/07 00:34:19 http: panic serving 10.0.3.172:34976: creating root cert pool: retrieving trusted root; local cache may be corrupt: initializing root client: tuf: failed to decode root.json: encoding/hex: invalid byte: U+002D '-'
goroutine 9 [running]:
net/http.(*conn).serve.func1()
    /usr/local/go/src/net/http/server.go:1801 +0xb9
panic({0x1b9fa40, 0xc000257c20})
    /usr/local/go/src/runtime/panic.go:1047 +0x266
github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots.initRoots()
    /go/pkg/mod/github.com/sigstore/cosign@v1.3.1/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go:67 +0x235
github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots.Get.func1()
    /go/pkg/mod/github.com/sigstore/cosign@v1.3.1/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go:45 +0x17
sync.(*Once).doSlow(0xc0003ac138, 0x18)
    /usr/local/go/src/sync/once.go:68 +0xd2
sync.(*Once).Do(...)
    /usr/local/go/src/sync/once.go:59
github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots.Get()
    /go/pkg/mod/github.com/sigstore/cosign@v1.3.1/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go:44 +0x31
github.com/sigstore/cosign/cmd/cosign/cli/fulcio.GetRoots(...)
    /go/pkg/mod/github.com/sigstore/cosign@v1.3.1/cmd/cosign/cli/fulcio/fulcio.go:197
main.validate({0x218ee50, 0xc000562000}, 0xc000560300)
    /go/src/github.com/developer-guy/cosign-gatekeeper-provider/provider.go:72 +0x408
net/http.HandlerFunc.ServeHTTP(0x7fabe0ff4aa0, {0x218ee50, 0xc000562000}, 0xc000562000)
    /usr/local/go/src/net/http/server.go:2046 +0x2f
net/http.(*ServeMux).ServeHTTP(0x0, {0x218ee50, 0xc000562000}, 0xc000560300)
    /usr/local/go/src/net/http/server.go:2424 +0x149
net/http.serverHandler.ServeHTTP({0x2182d08}, {0x218ee50, 0xc000562000}, 0xc000560300)
    /usr/local/go/src/net/http/server.go:2878 +0x43b
net/http.(*conn).serve(0xc00041c3c0, {0x2199b40, 0xc000651980})
    /usr/local/go/src/net/http/server.go:1929 +0xb08
created by net/http.(*Server).Serve
    /usr/local/go/src/net/http/server.go:3033 +0x4e8
verify signature for: devopps/alpine:signed
one of verifier or root certs is required

I'm still getting this message with my own public signed image:

verify signature for: devopps/alpine:signed
no matching signatures:
no certificate found on signature

But that's the same message when I run this command `COSIGN_EXPERIMENTAL=1 cosign verify devopps/alpine:signed`:

Error: no matching signatures:
no certificate found on signature
main.go:62: error during command execution: no matching signatures:
no certificate found on signature

But at least we are making progress with this PR.

mathieu-benoit commented 1 year ago

I'm able to build this container image locally and test it in my Kubernetes cluster, no problem.

Plus, one of the Build / test checks in the CI is green/successful.

Where I NEED HELP is in understanding and fixing the second Build / test check and the Test / test check in CI... not sure what I should do. Anyone here to help? Thanks!

For Build / test:

github.com/rogpeppe/go-internal/fmtsort loaded from github.com/rogpeppe/go-internal@v1.8.0,
    but go 1.16 would select v1.8.1

To upgrade to the versions selected by go 1.16:
    go mod tidy -go=1.16 && go mod tidy -go=1.17
If reproducibility with go 1.16 is not needed:
    go mod tidy -compat=1.17

For Test / test:

Error: ../../../go/pkg/mod/github.com/theupdateframework/go-tuf@v0.5.2-0.20220930112810-3890c1e7ace4/internal/roles/roles.go:27:20: undefined: strings.Cut
note: module requires Go 1.18
# golang.org/x/exp/constraints
Error: ../../../go/pkg/mod/golang.org/x/exp@v0.0.0-20220823124025-807a23277127/constraints/constraints.go:13:2: syntax error: unexpected ~, expecting method or interface name
Error: ../../../go/pkg/mod/golang.org/x/exp@v0.0.0-20220823124025-807a23277127/constraints/constraints.go:20:2: syntax error: unexpected ~, expecting method or interface name
Error: ../../../go/pkg/mod/golang.org/x/exp@v0.0.0-20220823124025-807a23277127/constraints/constraints.go:27:9: syntax error: unexpected |, expecting semicolon or newline or }
Error: ../../../go/pkg/mod/golang.org/x/exp@v0.0.0-20220823124025-807a23277127/constraints/constraints.go:34:2: syntax error: unexpected ~, expecting method or interface name
Error: ../../../go/pkg/mod/golang.org/x/exp@v0.0.0-20220823124025-807a23277127/constraints/constraints.go:41:2: syntax error: unexpected ~, expecting method or interface name
Error: ../../../go/pkg/mod/golang.org/x/exp@v0.0.0-20220823124025-807a23277127/constraints/constraints.go:49:10: syntax error: unexpected |, expecting semicolon or newline or }
note: module requires Go 1.18
# sigs.k8s.io/release-utils/version
Error: ../../../go/pkg/mod/sigs.k8s.io/release-utils@v0.7.3/version/version.go:122:25: bi.Settings undefined (type *debug.BuildInfo has no field or method Settings)
note: module requires Go 1.18
Error: running "go test ./... -race" failed with exit code 2
Error: The process '/opt/hostedtoolcache/mage-action/1.14.0/x64/mage' failed with exit code 2

mathieu-benoit commented 1 year ago

Thanks @Dentrax.

I think we should prioritize merging https://github.com/sigstore/cosign-gatekeeper-provider/pull/24 first to make it pass.

I agree with you.

mathieu-benoit commented 1 year ago

Woot! Woot! All checks have passed with #24.

I will soon work on the changes requested.

Dentrax commented 1 year ago

Good news! Looking forward to your changes. I will be sneaking around the merge button.

mathieu-benoit commented 1 year ago

We should be good to go, thanks for your review @Dentrax!