error updating to TUF remote mirror: tuf: invalid key

[ianlewis]

It seems that there is an error reading the TUF key when verifying signatures. This is occurring in v1.3.1 at least and is breaking the slsa-github-generator workflows at their latest version of v1.2.1 as well.

FAILED: SLSA verification failed: could not find a matching valid signature entry: got unexpected errors updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key

Not sure if this is a backwards incompatibility issue after a Rekor server upgrade or whether the TUF keys are just broken, but I assume it's the former?

/cc @asraa

Related slsa-framework/slsa-github-generator#1163

[asraa]

Thank you! Repeating some wording from the generator issue but just for clarity here:

This is because the Sigstore TUF root (that distributes all the key material for sigstore) had an update to meet TUF compliance which meant a change in key formats. Old versions of the TUF client library (go-tuf) do not understand the new compliant key format.

We would be able to catch it if we can configure the generator and verifier against other TUF roots, and test other roots as well as catch the failure in pre-production at least (and hopefully staging): slsa-framework/slsa-github-generator#387

[ianlewis]

Can we close this since we've released new versions of the verifier? Should we mark the old releases as unusable? We've gotten a lot of push-back about older releases of slsa-github-generator not being usable anymore so we've needed to mark them as clearly not usable (e.g. v1.2.1).

🚨⚠️ DO NOT USE THIS RELEASE. This version will no longer work and is not supported due to errors described in slsa-framework/slsa-github-generator#1163. Please upgrade to v1.2.2 or later. ⚠️🚨

[asraa]

Closing, this is a known issue documented in https://github.com/slsa-framework/slsa-verifier#known-issues