slsa-github-generator: [bug] Creating and signing provenance fails because retrieving signed certificate fails.

Describe the bug

Creating signed provenance fails with

##[debug]/usr/bin/bash --noprofile --norc -e -o pipefail /home/runner/work/_temp/12f3ed8f-b71f-4b24-816e-9adc5a6a9d03.sh
Retrieving signed certificate...

        Note that there may be personally identifiable information associated with this signed artifact.
        This may include the email address associated with the account with which you authenticate.
        This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later.
validating log entry: unable to fetch Rekor public keys from TUF repository, and not trusting the Rekor API for fetching public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key
remote status:{
	"mirror": "sigstore-tuf-root",
	"metadata": {
		"root.json": {
			"version": 5,
			"len": 6388,
			"expiration": "18 Apr 23 18:13 UTC",
			"error": ""
		},
		"snapshot.json": {
			"version": 53,
			"len": 1973,
			"expiration": "10 Nov 22 21:10 UTC",
			"error": ""
		},
		"targets.json": {
			"version": 5,
			"len": 4188,
			"expiration": "18 Apr 23 18:13 UTC",
			"error": ""
		},
		"timestamp.json": {
			"version": 53,
			"len": 719,
			"expiration": "03 Nov 22 21:10 UTC",
			"error": ""
		}
	}
}
Error: Process completed with exit code 1.
##[debug]Finishing: Create and sign provenance

To Reproduce

This happens in a private repository, based on this job:

  provenance:
    needs: build
    # The generator should be referenced with a semantic version.
    # The build will fail if we reference it using the commit sha.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
    with:
      base64-subjects: ${{ needs.build.outputs.artifacts-sha256 }}
    permissions:
      actions: read # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write # To add assets to a release.

Expected behavior

Finish successfully.

Screenshots

Additional context

I’m going to be honest: I’m trying to convince people in my org to integrate SLSA into the CI and build processes, but it’s getting harder when the actions break with different issues every other week.

I just updated to v1.2.1 and hope that’ll work.

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 33 (19 by maintainers)

Most upvoted comments

Referencing v1.2.1 results in:

For this, see the above thread, but adding the compile-builder: true option under with: inputs will workaround.

@gal-legit 1.2.2 is a pre-release and not intended to be used until it’s been fully released. We should probably clarify a bit in the docs but pre-releases are needed for our release process and aren’t “beta” releases or anything. They are not-fully baked or tested.

In this context returning the exit code to let the caller control the failure would be helpful: https://github.com/slsa-framework/slsa-github-generator/issues/1177

@FrimIdan I verified that the https://github.com/slsa-framework/slsa-github-generator/pull/864 fixes the issue by updating cosign in the workflow. It should be fixed in the next workflow release.

@jenstroeger Yeah, I’ll probably just go ahead and document it (#1166). It was really only meant for our pre-submit tests because this kind of issue with Rekor is never supposed to happen but here we are…