Scorecard workflow is failing: error signing scorecard json results #997

Closed
miguelnietoa opened this issue Oct 26, 2022 · 11 comments

Comments

@miguelnietoa

Description

Hi there! 👋🏻

I don't know why my Scorecard workflow failed. See https://github.com/kommitters/editorjs-tooltip/actions/runs/3333046579/jobs/5514733112

2022/10/26 22:50:17 error signing scorecard json results: error signing payload: getting key from Fulcio: verifying SCT: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key
remote status:{
	"mirror": "https://sigstore-tuf-root.storage.googleapis.com/",
	"metadata": {
		"root.json": {
			"version": 5,
			"len": 6388,
			"expiration": "18 Apr 23 18:13 UTC",
			"error": ""
		},
		"snapshot.json": {
			"version": 53,
			"len": 1973,
			"expiration": "10 Nov 22 21:10 UTC",
			"error": ""
		},
		"targets.json": {
			"version": 5,
			"len": 4188,
			"expiration": "18 Apr 23 18:13 UTC",
			"error": ""
		},
		"timestamp.json": {
			"version": 53,
			"len": 719,
			"expiration": "03 Nov 22 21:10 UTC",
			"error": ""
		}
	}
}

Searching a little bit, I found that the issue systemd/systemd#25054 (comment) had the same problem.

Any idea on how to solve it?

@miguelnietoa miguelnietoa changed the title Scorecard workflow is failing Scorecard workflow is failing: error signing scorecard json results Oct 26, 2022
@spencerschrock
Contributor

This error looks like it's coming from inside https://github.com/sigstore/cosign and https://github.com/sigstore/sigstore. I notice your workflow is using an older version of scorecard-action (v2.0.2):
https://github.com/kommitters/editorjs-tooltip/blob/f9239e0ae59d4d222598da8a359d33ffeb370b9e/.github/workflows/scorecards.yml#L29-L30

sigstore/cosign had some breaking changes between the version we used in 2.0.2 and the version currently used in 2.0.6. Can you try updating your scorecard action to our latest release (tag v2.0.6, commit SHA 99c53751e09b9529366343771cc321ec74e9bd3d) and see if the issue persists?

@asraa

asraa commented Oct 27, 2022

Hey this is a known issue, and requires a bump of sigstore/sigstore (pulled thru sigstore/cosign). Sigstore/cosign v1.13.1 has the fix.

EDIT: see below, v1.13.0+

@asraa

asraa commented Oct 27, 2022

Related: sigstore/cosign#2390
slsa-framework/slsa-github-generator#1163

for more context: slsa-framework/slsa-github-generator#1163 (comment)

@miguelnietoa
Author

Thanks a lot for your answers, guys! @spencerschrock @asraa

I got a question:
If sigstore/cosign v1.13.1 has the fix, then shouldn't a new version of scorecard-action (v2.0.7) be released?
Since scorecard-action v2.0.6 has sigstore/cosign v1.13.0 instead of v1.13.1.

@asraa

asraa commented Oct 27, 2022

I think so:

FWIW we had a similar problem in slsa-github-generators. We are working to add some stability to detect these changes by being able to test against Sigstore's staging and pre-prod environments. @spencerschrock @azeemsgoogle please get in touch if you need to do this as well, we can synch on steps.

@asraa

asraa commented Oct 27, 2022

Correction, @spencerschrock got me :)

cosign v1.13.0 had the fix too.

@naveensrinivasan
Member

Going to close this. Please reopen if it is an issue. Thanks

@spencerschrock spencerschrock pinned this issue Nov 4, 2022
gdha added a commit to gdha/pi4-graphite that referenced this issue Nov 6, 2022
Use cosign 99c53751e09b9529366343771cc321ec74e9bd3d
See ossf/scorecard-action#997 (comment)
scbizu added a commit to helm/chartmuseum that referenced this issue Nov 11, 2022
Also see: ossf/scorecard-action#997

Signed-off-by: scbizu <scbizu@gmail.com>
SamuAlfageme added a commit to cernbox/reva that referenced this issue Nov 15, 2022
gnadt added a commit to MIT-AI-Accelerator/MagNav.jl that referenced this issue Jan 4, 2023
error: "getting signer: getting key from Fulcio: verifying SCT: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key"

sigstore/cosign-installer@f3c664d #v2.6.0
- this is actually v3.3.0 it seems, not v2.6.0
- also uses default cosign-release: 'v1.11.1', but 'v1.11.0' was fine too

need at least cosign-release: 'v1.13.0' to avoid docker failure
- see ossf/scorecard-action#997
- main branch uses cosign-release: 'v1.13.1' as of v2.8.1
@raghavkaul raghavkaul unpinned this issue Mar 20, 2023
@echeran

echeran commented Mar 21, 2024

Our project's repo was using v2 for the last several months, at least, but for some reason, this issue only started occurring yesterday (example). The good news is updating to the latest version, v2.3.1, worked.

(Note: I first tried using a less recent version, v2.1.3, which still comes after v2.0.6, but that didn't work in my testing.)

@spencerschrock
Contributor

Our project's repo was using v2 for the last several months, at least, but for some reason, this issue only started occurring yesterday (example). The good news is updating to the latest version, v2.3.1, worked.

This was due to a change Sigstore made: https://blog.sigstore.dev/tuf-root-update/
Only v2.3.1 uses a new enough version of cosign

@aremmell

I am experiencing this as of last week-ish. I tried reverting my .github/workflows/scorecard.yml to the one you get when you add Scorecard to your repository just now. No dice:

error signing scorecard json results: error signing payload: getting key from Fulcio: verifying SCT: updating local metadata and targets: error updating to TUF remote mirror: invalid key

Since I don't know what Fulcio or SCT are, I am in the dark. I am unaware of any signing key that I am managing.

@spencerschrock
Contributor

Please see above and upgrade scorecard-action to v2.3.1. If you need an example workflow, see the Scorecard repo:

https://github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml

We're working on getting the starter workflow fixed
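As an added example (not part of this thread or the scorecard-action project), a small Python check that scans GitHub Actions workflow text for `ossf/scorecard-action` pins older than the v2.3.1 recommended above, so an outdated pin is caught before the signing step fails. The sample steps are constructed, and the "SHA pin with a trailing `# vX.Y.Z` comment" convention is assumed from the Scorecard example workflow.

```python
import re
from typing import List, Optional, Tuple

# Oldest scorecard-action release that ships a cosign able to follow the
# rotated Sigstore TUF root (the version recommended in this thread).
MIN_VERSION = "v2.3.1"

# Matches a step such as:
#   uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
USES_RE = re.compile(
    r"uses:\s*ossf/scorecard-action@(?P<ref>\S+)(?:[ \t]*#[ \t]*(?P<comment>\S+))?"
)
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: Optional[str]) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch) for a full 'vX.Y.Z' tag, else None."""
    m = SEMVER_RE.match(text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def check_pins(workflow_text: str, minimum: str = MIN_VERSION) -> List[Tuple[str, str]]:
    """Classify each scorecard-action pin as 'ok', 'outdated' or 'unknown'.

    SHA pins are judged by their trailing '# vX.Y.Z' comment (the upstream
    workflow's convention); a floating '@v2' or bare SHA is 'unknown'.
    """
    min_v = parse_version(minimum)
    findings = []
    for m in USES_RE.finditer(workflow_text):
        version = parse_version(m.group("ref")) or parse_version(m.group("comment"))
        if version is None:
            status = "unknown"  # cannot be resolved offline; review by hand
        else:
            status = "outdated" if version < min_v else "ok"
        findings.append((m.group("ref"), status))
    return findings


# Constructed sample steps (not taken from any repository on this page).
SAMPLE_WORKFLOW = """
      - uses: ossf/scorecard-action@v2.0.2
      - uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
      - uses: ossf/scorecard-action@v2
      - uses: ossf/scorecard-action@v2.3.1
"""

if __name__ == "__main__":
    for ref, status in check_pins(SAMPLE_WORKFLOW):
        print(f"{status:9}ossf/scorecard-action@{ref}")
```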

LicorneRose765 added a commit to Nephty/calculator-cucumber-2024 that referenced this issue Mar 25, 2024
alanbsmith pushed a commit to Workday/canvas-kit that referenced this issue Mar 25, 2024
Looks like scorecard had a breaking change, updating it to a non-breaking change: ossf/scorecard-action#997

[category:Actions]
Palaptin added a commit to Palaptin/pingus_kasm_docker_images that referenced this issue Mar 29, 2024
updated cosign, as mentioned in following issue (ossf/scorecard-action#997 (comment)), since signing the build is not possible otherwise
ignoramous added a commit to celzero/firestack that referenced this issue Mar 29, 2024
hussainmohd-a added a commit to celzero/rethink-app that referenced this issue Apr 1, 2024
nolexa added a commit to FortnoxAB/reactive-wizard that referenced this issue Apr 8, 2024
…results

The issue is addressed in the following discussion: ossf/scorecard-action#997
aramase added a commit to Azure/kubernetes-kms that referenced this issue Apr 19, 2024
Updating `ossf/scorecard-action` to latest (v2.3.1) to resolve
[failures](https://github.com/Azure/kubernetes-kms/actions/runs/8742259890/job/23990093097).

xref: ossf/scorecard-action#997

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
ignoramous added a commit to serverless-dns/serverless-dns that referenced this issue Jun 12, 2024
ytsarev added a commit to ytsarev/k8gb that referenced this issue Jun 30, 2024
* Fixes k8gb-io#1566
* Attempt is based on info from ossf/scorecard-action#997

Signed-off-by: Yury Tsarev <yury@upbound.io>
ytsarev added a commit to k8gb-io/k8gb that referenced this issue Jun 30, 2024
* Fixes #1566
* Attempt is based on info from ossf/scorecard-action#997

Signed-off-by: Yury Tsarev <yury@upbound.io>
annguyen0 added a commit to annguyen0/serverless-dns that referenced this issue Aug 3, 2024
* gh-action: ossf/scorecard-action#997

* dockerfile: node 22

* gh-action: wrangler 3.56

* wrangler: upload source maps

* fly: mmap to read trie on disk

* node: rmv webpack for backend

* use mmap for node 22

* node: type assertions with type accessors

* node: use @aryaskov/mmap-io

* deno: v1.44.4

* node: fix container cwd

* gh-action: denoland/deployctl version

* deno: import_map mmap-io

* fly: webpack bundle target node 22

* fly: webpack externalize native module mmap

* node: rmv unused var from blocklists.js

* node: omit dev deps in docker

* fly: bundle node_modules instead of copying

brings down image size down from 900+mb (400mb+ due to node_modules, mostly
devDependencies) to 300mb+

* fly: do not omit-dev in setup (dep: webpack)

* fly: fix entrypoint

* gh-action: ghcr for node-alpine mk1

---------

Co-authored-by: ignoramous <ignoramous@users.noreply.github.com>
Co-authored-by: Murtaza Aliakbar <murtaza@live.in>