tirumerla
commented
2 months ago Started seeing the same just now.
Closed jkreileder closed 2 months ago
tirumerla
commented
2 months ago Started seeing the same just now.
brad-getpassport
commented
2 months ago +1 Seeing this across all our builds in the last 2 hours... this is holding up our release candidate...
Generating ephemeral keys...
Retrieving signed certificate...
creating signer: getting signer: getting key from Fulcio: getting CTFE public keys: updating local metadata and targets: error updating to TUF remote mirror: invalid key
remote status:{
"mirror": "https://tuf-repo-cdn.sigstore.dev/",
"metadata": {
"root.json": {
"version": 9,
"len": 6766,
"expiration": "12 Sep 24 06:53 UTC",
"error": ""
},
"snapshot.json": {
"version": 132,
"len": 2302,
"expiration": "09 Apr 24 16:16 UTC",
"error": ""
},
"targets.json": {
"version": 9,
"len": 5478,
"expiration": "12 Sep 24 06:13 UTC",
"error": ""
},
"timestamp.json": {
"version": 169,
"len": 723,
"expiration": "26 Mar 24 16:16 UTC",
"error": ""
}
}
}
Error: Process completed with exit code 1.
jenstroeger
commented
2 months ago ‼️ @ianlewis @laurentsimon please advise! This is breaking all our build pipelines, and talking with folks their pipelines are also dead in the water ‼️
haydentherapper
commented
2 months ago @laurentsimon @ianlewis You just need to bump Cosign to at least v2.2.0, latest is v2.2.3.
I'd also recommend checking your renovate settings, I would have expected this bump to get picked up automatically.
behnazh-w
commented
2 months ago @haydentherapper Cosign in SLSA Verifier needs to be updated to the latest version as well.
suzuki-shunsuke
commented
2 months ago haydentherapper Cosign in SLSA Verifier needs to be updated to the latest version as well.
According to the announcement, v2.2.0 should support a new TUF Trust root, so I don't think we need to update Cosign in SLSA Verifier.
suzuki-shunsuke
commented
2 months ago I see. The latest slsa-github-generato v1.9.0 uses the old slsa-verifier which uses the old cosign v2.0.2
The main branch uses the latest slsa-verifier v2.4.1.
So we need to release a new version of slsa-github-generator, then the issue would be solved.
suzuki-shunsuke
commented
2 months ago @laurentsimon @ianlewis I'm sorry to bother you, but could you release a new version of slsa-github-generator to solve this issue? https://github.com/slsa-framework/slsa-github-generator/issues/3350#issuecomment-2008731217
laurentsimon
commented
2 months ago Hi, yes let's do that. I think we need to revert a few breaking PRs we made recently in the slsa-github-generator. slsa-verifier should be ready to be released. @ramonpetgrave64 could you send PRs to temporarily revert the few breaking PRs we made recently?
laurentsimon
commented
2 months ago Note: slsa-verifier's latest version uses cosign 2.2.0 https://github.com/slsa-framework/slsa-verifier/blob/v2.4.1/go.mod so need not be updated.
sgammon
commented
2 months ago I see this is closed, but v1.9.0 is marked as the latest release... in the release notes update, it says:
error updating to TUF remote mirror: invalid This will occur only when generating provenance with all builders and generators. Affected versions: all versions up and including v1.9.0
Can this bug be reopened until a release occurs? Or is there a way to work around this, or can we use the generator at main?
cc / @laurentsimon @ianlewis
laurentsimon
commented
2 months ago Generator at main won't pass verification. We need to cut the release. @kpk47 is working on it
sgammon
commented
2 months ago Thank you @laurentsimon for being so responsive on this issue; I understand the commit auto-closed the bug. It's helpful to have something to follow. Good luck and thank you for your hard work securing software supply chains.
jkreileder
commented
2 months ago Works again for me with the un-finalized v1.10.0 pre-release.
laurentsimon
commented
2 months ago Release is available v1.10.0 https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.10.0
ddworken
commented
2 months ago I upgraded to v1.10.0 and that fixed generation of new provenance files, but I'm wondering: Is there a way to make old versions of slsa-verifier still work? From what I can tell, this change appears to make all old provenances unverifiable which seems like a significant problem.
behnazh-w
commented
2 months ago @ddworken The latest version of slsa-verifier is still is able to verify old provenances. Why do you need to use an old version of slsa-verifier?
@haydentherapper @bobcallaway Probably unrelated to this issue but what is the Sigstore/Cosign solution for revoked root keys and in general how does Sigstore provide backward compatibility with old versions of certificates, and therefore verifying existing legitimate provenances that were signed with revoked keys?
ddworken
commented
2 months ago The issue is that the old version of slsa-verifier isn't able to verify releases that were formerly valid. My project uses SLSA for releases and secure updates. I have daily tests running on Github Actions and it went from passing to failing in line with this bug:
You can see the test failure here. I also confirmed that this appears to apply to the main slsa-verifier binary, so this can easily be reproduced:
# From inside of the slsa-verifier git repo
# Check out the old version of slsa-verifier
git checkout v1.3.2
# Download a file and an old attestation
wget https://github.com/ddworken/hishtory/releases/download/v0.277/hishtory-linux-amd64
wget https://github.com/ddworken/hishtory/releases/download/v0.277/hishtory-linux-amd64.intoto.jsonl
# Run slsa-verifier
go run ./cli/slsa-verifier -artifact-path hishtory-linux-amd64 -provenance hishtory-linux-amd64.intoto.jsonl -source github.com/ddworken/hishtoryThis fails with the output:
So it seems to me that slsa-verifier is now failing to verify attestations that used to pass. It is true that the latest version of slsa-verifier is able to verify old attestations, but this doesn't seem to help anyone who is stuck with an old version of slsa-verifier.
Why do you need to use an old version of slsa-verifier?
This is because my project embeds slsa-verifier in order to provide secure updates. So when slsa-verifier suddenly breaks in this way, it means that any clients with the old version of slsa-verifier become effectively stranded since they cannot upgrade to new versions.
haydentherapper
commented
2 months ago Probably unrelated to this issue but what is the Sigstore/Cosign solution for revoked root keys and in general how does Sigstore provide backward compatibility with old versions of certificates, and therefore verifying existing legitimate provenances that were signed with revoked keys?
@behnazh-w Supporting validity windows was the motivation behind the design of the trust root spec. For each root of trust, a validity time period is specified. If a compromise were to occur, rather than revoking the root material entirely and assuming we can determine the window when compromise occurred, the root material would simply be specified as valid only up to the compromise.
All Sigstore clients (eg sigstore-python, js, etc) but Cosign support ingesting the roots of trust in this format currently. Cosign will be updated to read it soon.
laurentsimon
commented
2 months ago So it seems to me that slsa-verifier is now failing to verify attestations that used to pass. It is true that the latest version of slsa-verifier is able to verify old attestations, but this doesn't seem to help anyone who is stuck with an old version of slsa-verifier.
You're correct. The TUF root updates need an update of slsa-verifier to v2.4.1. We could backport the fixes, but it would still require you to update your slsa-verifier version.
ddworken
commented
2 months ago So it seems to me that slsa-verifier is now failing to verify attestations that used to pass. It is true that the latest version of slsa-verifier is able to verify old attestations, but this doesn't seem to help anyone who is stuck with an old version of slsa-verifier.
You're correct. The TUF root updates need an update of slsa-verifier to v2.4.1. We could backport the fixes, but it would still require you to update your slsa-verifier version.
Got it, thanks for confirming! I'm wondering: Is this class of breakage something you expect to continue to need to happen with slsa-verifier? If so, it seems like this may be an important caveat to document (maybe under the "Known Isssues" heading) since having a previously working verifier continue to work seems like a reasonable expectation.
laurentsimon
commented
2 months ago We don't expect this to happen. @haydentherapper can comment on the specifics of cosign.
haydentherapper
commented
2 months ago Breaking changes are not something that is going to happen frequently and if they do, there will be a significant period of time to have clients migrate over.
The "Generate builder" and "Run sigstore/cosign-installer" steps have started failing for my workflows. This used to work fine, not sure if it is just an intermittent error or something more fundamental:
Here's a build that worked 18 hours ago but is failing now (i.e. without any code changes): https://github.com/jkreileder/cf-ips-to-hcloud-fw/actions/runs/8339143012 (corresponding workflow)
Generate buildererror:Run sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06error: