sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

Release 1.11.1 attest command with keyless fails #2240

Closed ybelMekk closed 2 years ago

ybelMekk commented 2 years ago

Description: When running the cosign attest command with keyless, cosign outputs an error that's not present when running cosign locally.

cosign attest --identity-token eyJhbGciOiJSUzI1NiIsImtpZ... --predicate salsa.provenance --type slsaprovenance  ttl.sh/test-keyless:1h

Error output:

Error: signing ttl.sh/test-keyless:1h: getting signer: getting key from Fulcio: verifying SCT: unmarshal: unexpected end of JSON input
main.go:46: error during command execution: signing ttl.sh/test-keyless:1h: getting signer: getting key from Fulcio: verifying SCT: unmarshal: unexpected end of JSON input

If I clone and compile cosign locally with

make cosign

the same command with the same identity-token runs smoothly.

cosign attest --identity-token eyJhbGciOiJSUzI1NiIsImtpZ... --predicate salsa.provenance --type slsaprovenance ttl.sh/test-keyless:1h
Generating ephemeral keys...
Retrieving signed certificate...

    Note that there may be personally identifiable information associated with this signed artifact.
    This may include the email address associated with the account with which you authenticate.
    This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later.

Successfully verified SCT...
Using payload from: salsa.provenance
using ephemeral certificate:

tlog entry created with index: 3452932

Worth mentioning is that I use a Google service account and workload identity pool.

I wonder why?

UPDATE 1:

I can confirm that it works with cosign version 1.9.0

UPDATE 2:

I can confirm that it works with cosign version 1.10.1

Version 1.11.1

ybelMekk commented 2 years ago

Seems like I got it to work with 1.11.1 for some reason, closing this.