Chalk may appear to hang while silently downloading cosign #27

Closed
ee7 opened this issue Oct 3, 2023 · 4 comments
Labels
enhancement New feature or request P2 Priority 2 (lower is higher)

Comments


ee7 commented Oct 3, 2023

Example

For a given binary foo, run:

chalk insert foo

with Chalk version 175f32f.

Expected behavior

Should never appear to hang; should print a status message if some potentially slow operation is happening.

Observed behavior

May appear to hang when cosign is not found. The cosign binary is 98 MiB (for x86_64 Linux), so there can be significant delay on slower connections, or for transient network issues.

No information is printed, so a user may perform a keyboard interrupt.

Possible solution

Write to stderr, something like:

cosign not found in PATH, or at '/tmp/cosign'
Downloading cosign... success

Bonus: print download progress.

Other details

When there is no network connectivity, chalk does not appear to hang. It successfully adds the chalk mark, but warns:

warn:  When collecting chalk-time artifact data, plugin implementation metsys threw an exception it didn't
       handle (artifact = /path/to/foo.

viega commented Oct 3, 2023

Good idea for the interim. I was really hoping to not be dependent on the cosign tool. We're not using it to do anything too crazy, and I did start on some of the necessary work (the key generation), but also need to implement secret box on top of OpenSSL 3, which we really haven't found time to do.


ee7 commented Oct 3, 2023

I'm ignorant of exactly what Chalk is doing with cosign. Can it use minisign instead? My understanding was that it's supported by sigstore.


viega commented Oct 3, 2023

Cool, we'll check it out.

@MyNameIsMeerkat

This has been initially addressed in PR #49 by fixing an issue that caused cosign to be downloaded way more often than intended + additional user messaging.

Support for minisign has been prototyped in a dev branch alongside the abstraction of signing primitives in general, but in doing so a lot of larger signature strategy questions were raised that need further discussion before allocating dev cycles.

More to come on this in future, but for the time being the changes in #49 will hopefully improve the user experience for those making use of the signing features.
