
fix: add compile-generator workaround for SLSA #3848

Merged 1 commit on Oct 28, 2022

Conversation

emmileaf
Contributor

Latest attempts to release Jib CLI v0.12.0 have been running into SLSA (added in #3722, #3726) issues similar to those described in slsa-framework/slsa-github-generator#1163 (comment).

We have bumped slsa-github-generator version to v1.2.1, and this PR adds the suggested compile-generator: true workaround.

@laurentsimon @ianlewis Would you be able to help provide any additional pointers or context on this issue?
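A workflow fragment showing where the workaround from this PR sits, added here as an illustration and not Jib's own release workflow: the job names, build command, artifact path and hash step are assumptions, while the reusable workflow path, its `base64-subjects`, `compile-generator` and `upload-assets` inputs and the permissions are the ones documented by slsa-github-generator.

```yaml
# Constructed example, not the Jib project's release workflow.
# Job names, the build command and the artifact path are assumptions.
name: release
on:
  push:
    tags: ['v*']

permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v3
      - name: Build the release artifact (placeholder command)
        run: ./gradlew :jib-cli:build
      - name: Record the subject hashes the provenance will attest to
        id: hash
        run: |
          # sha256sum output, base64-encoded so it fits in a workflow input
          echo "hashes=$(sha256sum jib-cli/build/distributions/*.zip | base64 -w0)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@v3
        with:
          name: jib-cli
          path: jib-cli/build/distributions/*.zip

  provenance:
    needs: [build]
    permissions:
      actions: read    # read the workflow run that built the subjects
      id-token: write  # obtain the OIDC token Sigstore uses to sign the provenance
      contents: write  # attach the provenance to the GitHub release
    # Pin the reusable workflow to a released tag, not a moving branch.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.1
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      # Temporary workaround from this PR: build the generator from source so it
      # runs a Sigstore client that understands the post-GA TUF root format.
      # Remove once a generator release ships the fix.
      compile-generator: true
      upload-assets: true
```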

@sonarqubecloud

Kudos, SonarCloud Quality Gate passed!

Bug: A, 0 Bugs
Vulnerability: A, 0 Vulnerabilities
Security Hotspot: A, 0 Security Hotspots
Code Smell: A, 0 Code Smells

No Coverage information
No Duplication information

@laurentsimon
Contributor

laurentsimon commented Oct 28, 2022

This was a temporary problem due to Sigstore going GA with non-backward-compatible changes. @asraa worked on the fixes and will have more context to comment, and a timeline for when you can remove the compile-generator: true option. Sorry for the inconvenience again, and thanks for letting us know about the problem.

@emmileaf
Contributor Author

> This was a temporary problem due to Sigstore going GA with non-backward-compatible changes. @asraa worked on the fixes and will have more context to comment, and a timeline for when you can remove the compile-generator: true option. Sorry for the inconvenience again, and thanks for letting us know about the problem.

Thank you, the context and timeline for removing the workaround would be helpful! Will merge this PR to try the release again, but feel free to add more comments to this thread and I will open an issue later to track its removal.

@asraa

asraa commented Oct 31, 2022

> Thank you, the context and timeline for removing the workaround would be helpful!

Adding in some context here!
The breakage was due to slsa-framework/slsa-github-generator#1163 (comment)

tl;dr: Context: Sigstore went GA last week and, as part of that, we updated the online TUF root where the root of trust is fetched to a TUF-compliant format. This broke old clients, and we have regressions in place with other TUF clients now to detect this. At some point that needed to happen, and we decided GA was the right time. The old TUF clients in older Sigstore versions do not understand the new format.

Timeline: We're currently releasing backports of slsa-verifier that include this fix, and should have slsa-github-generator updated with a new version in the next week. We're trying to figure out faster ways to work around these types of issues (slsa-framework/slsa-github-generator#1175) and add docs on known issues.

@emmileaf
Contributor Author

@asraa Thanks for the info! The workaround unblocked our latest release, but we'll keep an eye out to make the version update and remove it when no longer needed.
