Scorecard workflow is failing: error signing scorecard json results #997
Comments
This error looks like it's coming from inside https://github.com/sigstore/cosign and https://github.com/sigstore/sigstore. I notice your workflow is using an older version of scorecard-action (v2.0.2)
Hey this is a known issue, and requires a bump of sigstore/sigstore (pulled through sigstore/cosign). Sigstore/cosign v1.13.1 has the fix. EDIT: see below, v1.13.0+
Related: sigstore/cosign#2390 for more context: slsa-framework/slsa-github-generator#1163 (comment)
Thanks a lot for your answers, guys! @spencerschrock @asraa I got a question:
I think so: FWIW we had a similar problem in slsa-github-generators. We are working to add some stability to detect these changes by being able to test against Sigstore's staging and pre-prod environments. @spencerschrock @azeemsgoogle please get in touch if you need to do this as well, we can sync on steps.
Correction, @spencerschrock got me :) cosign v1.13.0 had the fix too.
Going to close this. Please reopen if it is an issue. Thanks.
Use cosign 99c53751e09b9529366343771cc321ec74e9bd3d See ossf/scorecard-action#997 (comment)
Also see: ossf/scorecard-action#997 Signed-off-by: scbizu <scbizu@gmail.com>
error: "getting signer: getting key from Fulcio: verifying SCT: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key"
sigstore/cosign-installer@f3c664d #v2.6.0
- this is actually v3.3.0 it seems, not v2.6.0
- also uses default cosign-release: 'v1.11.1', but 'v1.11.0' was fine too
- need at least cosign-release: 'v1.13.0' to avoid docker failure - see ossf/scorecard-action#997
- main branch uses cosign-release: 'v1.13.1' as of v2.8.1
Our project's repo was using (Note: I first tried using a less recent version
This was due to a change Sigstore made: https://blog.sigstore.dev/tuf-root-update/
I am experiencing this as of last week-ish. I tried reverting my .github/workflows/scorecard.yml to the one you get when you add Scorecard to your repository just now. No dice:
Since I don't know what Fulcio or SCT are, I am in the dark. I am unaware of any signing key that I am managing.
Please see above and upgrade scorecard-action to v2.3.1. If you need an example workflow, see the Scorecard repo: https://github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml We're working on getting the starter workflow fixed.
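The two pins this thread singles out are the cosign-installer `cosign-release` (needs v1.13.0 or later after the Sigstore TUF root update) and the `ossf/scorecard-action` tag (maintainers recommend v2.3.1). The script below is an added example, not code from this thread or from the scorecard-action or cosign projects: it scans a workflow file for those two pins and reports any that are older than the versions named above. It assumes the pins sit on their own lines in the usual `uses:` / `with:` layout and that tags are plain `vX.Y.Z` strings; the two sample workflow fragments are constructed for the demonstration and are not any real repository's file.

```shell
#!/bin/sh
# Added example; not code from this issue thread or from the scorecard-action
# or cosign projects. Audits a GitHub Actions workflow file for the two pins
# the thread identifies behind the "tuf: invalid key" signing failure:
#   - a cosign-installer `cosign-release:` below v1.13.0
#   - an `ossf/scorecard-action@<tag>` below v2.3.1 (version recommended above)
# Assumptions: pins appear on their own lines in the usual `uses:` / `with:`
# layout, and tags are plain "vX.Y.Z" version strings.

# version_lt A B: succeed (exit 0) when version A is lower than version B.
# The leading "v" is ignored and components are compared numerically, so
# v1.11.1 < v1.13.0 even though "11" sorts after "13" as text.
version_lt() {
    awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# audit_workflow FILE: print one line per outdated pin found in FILE and
# succeed only when nothing was flagged. A floating major tag such as "@v2"
# is flagged too, because it cannot be verified as carrying the fix.
audit_workflow() {
    findings=0
    for ver in $(sed -n "s/^[[:space:]]*cosign-release:[[:space:]]*['\"]\{0,1\}\(v[0-9][0-9.]*\).*/\1/p" "$1"); do
        if version_lt "$ver" v1.13.0; then
            echo "cosign-release $ver < v1.13.0"
            findings=$((findings + 1))
        fi
    done
    for ver in $(sed -n 's/.*uses:[[:space:]]*ossf\/scorecard-action@\(v[0-9][0-9.]*\).*/\1/p' "$1"); do
        if version_lt "$ver" v2.3.1; then
            echo "ossf/scorecard-action $ver < v2.3.1"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# audit_text TEXT: same as audit_workflow, for workflow YAML held in a string.
audit_text() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    if audit_workflow "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Constructed sample fragments (not any real repository's workflow): the first
# carries the two pins the thread reports as broken, the second the fixed ones.
OLD_WORKFLOW=$(cat <<'EOF'
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: sigstore/cosign-installer@f3c664d
        with:
          cosign-release: 'v1.11.1'
      - uses: ossf/scorecard-action@v2.0.2
EOF
)
FIXED_WORKFLOW=$(cat <<'EOF'
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: sigstore/cosign-installer@f3c664d
        with:
          cosign-release: 'v1.13.1'
      - uses: ossf/scorecard-action@v2.3.1
EOF
)

# Stand-alone run: report on both constructed samples.
echo "== OLD_WORKFLOW =="
audit_text "$OLD_WORKFLOW" || echo "-> update the pins listed above"
echo "== FIXED_WORKFLOW =="
audit_text "$FIXED_WORKFLOW" && echo "-> no outdated pins"
```

To check a real repository, call `audit_workflow .github/workflows/scorecard.yml` (or loop over `.github/workflows/*.yml`); a non-zero exit status makes it usable as a CI gate. Numeric comparison matters here because a textual sort would rank `v1.11.1` above `v1.13.0`.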
Looks like scorecard had a breaking change, updating it to a non breaking change: ossf/scorecard-action#997 [category:Actions]
updated cosign, as mentioned in following issue (ossf/scorecard-action#997 (comment)), since signing the build is not possible otherwise
…results The issue is addressed in the following discussion: ossf/scorecard-action#997
Updating `ossf/scorecard-action` to latest (v2.3.1) to resolve [failures](https://github.com/Azure/kubernetes-kms/actions/runs/8742259890/job/23990093097). xref: ossf/scorecard-action#997 Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
* Fixes k8gb-io#1566 * Attempt is based on info from ossf/scorecard-action#997 Signed-off-by: Yury Tsarev <yury@upbound.io>
* Fixes #1566 * Attempt is based on info from ossf/scorecard-action#997 Signed-off-by: Yury Tsarev <yury@upbound.io>
* gh-action: ossf/scorecard-action#997
* dockerfile: node 22
* gh-action: wrangler 3.56
* wrangler: upload source maps
* fly: mmap to read trie on disk
* node: rmv webpack for backend
* use mmap for node 22
* node: type assertions with type accessors
* node: use @aryaskov/mmap-io
* deno: v1.44.4
* node: fix container cwd
* gh-action: denoland/deployctl version
* deno: import_map mmap-io
* fly: webpack bundle target node 22
* fly: webpack externalize native module mmap
* node: rmv unused var from blocklists.js
* node: omit dev deps in docker
* fly: bundle node_modules instead of copying brings down image size down from 900+mb (400mb+ due to node_modules, mostly devDependencies) to 300mb+
* fly: do not omit-dev in setup (dep: webpack)
* fly: fix entrypoint
* gh-action: ghcr for node-alpine mk1
---------
Co-authored-by: ignoramous <ignoramous@users.noreply.github.com>
Co-authored-by: Murtaza Aliakbar <murtaza@live.in>
Description
Hi there! 👋🏻
I don't know why my Scorecard workflow failed. See https://github.com/kommitters/editorjs-tooltip/actions/runs/3333046579/jobs/5514733112
Searching a little bit, I found that the issue systemd/systemd#25054 (comment) had the same problem.
Any idea on how to solve it?