sigstore / gitsign

Keyless Git signing using Sigstore

gitsign fails with "There was an error processing the identity token" #515

Closed ScottGarman closed 4 months ago

ScottGarman commented 4 months ago

I'm trying to get gitsign working for the first time and keep running into the following error:

error getting signer: POST https://fulcio.sigstore.dev/api/v1/signingCert returned 400 Bad Request: "{\"code\":3, \"message\":\"There was an error processing the identity token\", \"details\":[]}"
failed to get identity: POST https://fulcio.sigstore.dev/api/v1/signingCert returned 400 Bad Request: "{\"code\":3, \"message\":\"There was an error processing the identity token\", \"details\":[]}"
error: gpg failed to sign the data:
Error: failed to get identity: POST https://fulcio.sigstore.dev/api/v1/signingCert returned 400 Bad Request: "{\"code\":3, \"message\":\"There was an error processing the identity token\", \"details\":[]}"

Details:

To eliminate any factors related to my OS environment, I set up a fresh virtual machine with Ubuntu 24.04, and installed gitsign v0.10.2. My ~/.gitconfig consists only of the bare minimum, my user.name and user.email.

I've enabled gitsign support locally in my repo clone with:

git config --local commit.gpgsign true
git config --local tag.gpgsign true
git config --local gpg.x509.program gitsign
git config --local gpg.format x509

If I then try to create a new commit, the oauth2.sigstore.dev web site is opened, and I select "Log in with GitHub". I see the dialog to authorize sigstore for my GitHub account. I approve this, and then I see the "sigstore authentication successful!" page.

But my git commit fails due to gitsign failing with the errors I posted at the start of this report. I've left out the URL that precedes those errors since I'm not sure whether it includes auth tokens or not, or how long the auth tokens are valid for. Let me know if that's relevant information.

I do not see many references to this error online. What are some issues that could cause my identity token to be invalid? Is there anything I can do to provide more relevant information?

Thank you.

ScottGarman commented 4 months ago

One additional thing I've tried is running gitsign initialize to populate my ~/.sigstore/ directory. That doesn't seem to make any difference.

ScottGarman commented 4 months ago

Well, I figured out the cause of this. You can close this ticket, but this is an interesting tidbit that I hope a future person might find. I created a second, test GitHub account and was able to use gitsign with the same environment. So I knew it had to do with my GitHub account somehow, and likely something related to my username or email.

Back when I created my GitHub account, it was in fashion to post my public profile email address as "username at domain dot com" to avoid spammers. This was what the problem was. Once I set this to my actual email address, things started working with the original account. Kinda blows me away...
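
Added example (not part of the thread, and not gitsign or Fulcio code): a local check of the claims inside an OIDC identity token, illustrating the cause found in the last comment, where the profile email was not a real address. It assumes the token carries the standard OIDC `email` and `email_verified` claims; the regex is a simple stand-in rather than Fulcio's validator, and the sample tokens are constructed.

```python
import base64
import json
import re

# Deliberately simple shape check; an assumption, not Fulcio's actual validator.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_claims(id_token: str) -> dict:
    """Return the JWT payload as a dict. The signature is NOT verified."""
    parts = id_token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def identity_problems(claims: dict) -> list[str]:
    """List reasons the email identity in these claims looks unusable."""
    problems = []
    email = claims.get("email")
    if not isinstance(email, str) or not email:
        problems.append("no email claim")
    elif not EMAIL_RE.match(email):
        problems.append(f"email claim is not an address: {email!r}")
    # Some issuers send the flag as a boolean, others as the string "true".
    if claims.get("email_verified") not in (True, "true"):
        problems.append("email_verified is not true")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


if __name__ == "__main__":
    # Constructed sample claims, not captured from a real login.
    for email in ("username at domain dot com", "username@domain.com"):
        token = make_sample_token({"email": email, "email_verified": True})
        print(email, "->", identity_problems(decode_claims(token)) or "ok")
```

Decoding happens entirely on the local machine, so a live token never has to be pasted into a web-based decoder or a public issue.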