
error updating to TUF remote mirror: tuf: invalid key #325

Closed
ianlewis opened this issue Oct 27, 2022 · 3 comments
Labels
type:bug Something isn't working

Comments

@ianlewis
Member

It seems that there is an error reading the TUF key when verifying signatures. This is occurring in v1.3.1 at least and is breaking the slsa-github-generator workflows at their latest version of v1.2.1 as well.

FAILED: SLSA verification failed: could not find a matching valid signature entry: got unexpected errors updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key

Not sure if this is a backwards incompatibility issue after a Rekor server upgrade or whether the TUF keys are just broken, but I assume it's the former?

/cc @asraa

Related slsa-framework/slsa-github-generator#1163

@asraa
Contributor

asraa commented Oct 27, 2022

Thank you! Repeating some wording from the generator issue but just for clarity here:

This is because the Sigstore TUF root (that distributes all the key material for sigstore) had an update to meet TUF compliance which meant a change in key formats. Old versions of the TUF client library (go-tuf) do not understand the new compliant key format.

We would be able to catch it if we can configure the generator and verifier against other TUF roots, and test other roots as well as catch the failure in pre-production at least (and hopefully staging): slsa-framework/slsa-github-generator#387
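To make the failure mode described above concrete, here is an added example (not code from slsa-verifier or go-tuf) that parses the `keys` section of a TUF root.json and reports which key entries a given client build cannot understand, instead of failing with a bare `tuf: invalid key`. The root fragment, the key material, and the per-client sets of supported key types are all constructed assumptions for illustration; they do not reproduce the actual Sigstore root contents or go-tuf's real support matrix.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// ErrInvalidKey mirrors the terse error surfaced in the issue.
var ErrInvalidKey = errors.New("tuf: invalid key")

// tufKey is the subset of a TUF root.json key entry needed here.
type tufKey struct {
	KeyType string `json:"keytype"`
	Scheme  string `json:"scheme"`
	KeyVal  struct {
		Public string `json:"public"`
	} `json:"keyval"`
}

type rootMetadata struct {
	Signed struct {
		Version int               `json:"version"`
		Keys    map[string]tufKey `json:"keys"`
	} `json:"signed"`
}

// Key types a client build can parse. These sets are hypothetical stand-ins for
// an "old" and an "updated" client; they are not go-tuf's actual support matrix.
var oldClient = map[string]bool{"ed25519": true}
var newClient = map[string]bool{"ed25519": true, "ecdsa-sha2-nistp256": true}

// sampleRoot is a constructed root.json fragment: one key in a format both
// clients know and one only the updated client knows. Key material is dummy.
const sampleRoot = `{
  "signed": {
    "version": 5,
    "keys": {
      "aaaa": {"keytype": "ed25519", "scheme": "ed25519", "keyval": {"public": "00"}},
      "bbbb": {"keytype": "ecdsa-sha2-nistp256", "scheme": "ecdsa-sha2-nistp256", "keyval": {"public": "04ff"}}
    }
  }
}`

// unsupportedRootKeys parses root metadata and returns the sorted IDs of keys
// whose keytype the client does not understand. If any exist, the returned error
// wraps ErrInvalidKey and names the root version and offending key IDs, so an
// operator can tell a client-version mismatch from genuinely corrupt metadata.
func unsupportedRootKeys(rootJSON []byte, supported map[string]bool) ([]string, error) {
	var root rootMetadata
	if err := json.Unmarshal(rootJSON, &root); err != nil {
		return nil, fmt.Errorf("parsing root metadata: %w", err)
	}
	var bad []string
	for id, k := range root.Signed.Keys {
		if !supported[k.KeyType] {
			bad = append(bad, id)
		}
	}
	sort.Strings(bad)
	if len(bad) > 0 {
		return bad, fmt.Errorf("%w: root v%d key(s) %v use a keytype this client cannot parse",
			ErrInvalidKey, root.Signed.Version, bad)
	}
	return nil, nil
}

func main() {
	clients := map[string]map[string]bool{"old client": oldClient, "updated client": newClient}
	for name, c := range clients {
		bad, err := unsupportedRootKeys([]byte(sampleRoot), c)
		fmt.Printf("%s: unsupported=%v err=%v\n", name, bad, err)
	}
}
```

Run as-is, the "old client" case reports key `bbbb` as unparseable while the "updated client" accepts the whole root; the point is that a client which checks key types up front can say which root version and which key it cannot handle, which is the diagnostic that was missing from the verifier output quoted in this issue.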

@ianlewis
Member Author

ianlewis commented Nov 25, 2022

Can we close this since we've released new versions of the verifier? Should we mark the old releases as unusable? We've gotten a lot of push-back about older releases of slsa-github-generator not being usable anymore so we've needed to mark them as clearly not usable (e.g. v1.2.1).

🚨⚠️ DO NOT USE THIS RELEASE. This version will no longer work and is not supported due to errors described in slsa-framework/slsa-github-generator#1163. Please upgrade to v1.2.2 or later. ⚠️🚨

@ianlewis ianlewis added the type:bug Something isn't working label Nov 25, 2022
@asraa
Contributor

asraa commented Jan 11, 2023

Closing, this is a known issue documented in https://github.com/slsa-framework/slsa-verifier#known-issues

@asraa asraa closed this as completed Jan 11, 2023