haydentherapper
commented
1 month ago @ilia-medvedev-codefresh Sorry about that! We had assumed that all claims would be present in the token, otherwise we configure a default value based on what was present in the original provider code. We didn't see any comments about any claims being optional.
To confirm, are there any other claims that are not always set?
@javanlacerda Can you take a look at this? I think it would be sufficient to add scm_repo_url: "" to default-template-values in the config, and then the extension is simply skipped over when rendering.
We should also document the new requirement that all claims be present, or else a default value needs to be set. Can you also take a look at the error message, I don't think the JSON printing works well for logging - maybe just output as a string?
ilia-medvedev-codefresh
javanlacerda
Description
After the migration of OIDC providers to the new configuration in https://github.com/sigstore/fulcio/pull/1743/files signing from Codefresh is failing when scm_repo_url is not provided.
This is the error received from Cosign -
Error: signing [ilmedcodefresh/cosign-build-test@sha256:9a14f704ed630d8a73246acf9085e68c9971636fe88f459f408dbaa4669bcad8]: getting signer: getting key from Fulcio: retrieving cert: POST https://fulcio.sigstore.dev/api/v1/signingCert returned 400 Bad Request: "{\"code\":3,\"message\":\"value <scm_repo_url> not present in either claims or defaults. {\\n\\t\\\"ExtensionName\\\": \\\"SourceRepositoryURI\\\",\\n\\t\\\"Issuer\\\": \\\"https://oidc.codefresh.io\\\"\\n}\",\"details\":[]}"Repository urls are not always present in the pipeline context in Codefresh - for example when a build is executed manually and not triggered from git.
When I added the Codefresh OIDC provider initially it was taken to consideration, but with the new configuration it seems like all claims are mandatory.