
[22.05] cosign: 1.8.0 -> 1.12.0 #191885

Merged: 7 commits merged into NixOS:release-22.05 from LeSuisse:cosign-22.05-1.12.0 on Oct 12, 2022

Conversation

LeSuisse (Contributor, author)
Description of changes

Those upgrades include the fixes for CVE-2022-35929 and CVE-2022-36056.

The patches are too big/complex to be backported without troubles (see discussion in #187071).

https://github.com/sigstore/cosign/blob/ff18e6639526c2442d5cba25cc7522c649c03652/CHANGELOG.md

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.11 Release Notes (or backporting 22.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.
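An added check, not part of this PR or of the cosign project, for the "Tested basic functionality" step: parse the `cosign version` output of a built or deployed binary and confirm the reported version is at least 1.12.0, the release the PR description names as carrying the fixes for CVE-2022-35929 and CVE-2022-36056. The sample outputs are constructed, and the `GitVersion:` field name is assumed from the layout of cosign's version block, so adjust the pattern if your build prints something else. A version with a pre-release or dirty suffix is deliberately treated as not fixed, since a local build of the fixed tag need not contain the patches.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
)

// Version is a MAJOR.MINOR.PATCH triple plus any pre-release/build suffix
// that followed it (e.g. "-rc1" or "-dirty"); an empty Suffix means a
// plain tagged release.
type Version struct {
	Major, Minor, Patch int
	Suffix              string
}

// MinFixed is the first release this PR ships that carries the fixes for
// CVE-2022-35929 and CVE-2022-36056, per the PR description.
var MinFixed = Version{Major: 1, Minor: 12, Patch: 0}

// gitVersionRe matches the "GitVersion:" line of `cosign version`. The field
// name is assumed from cosign's version block; adjust if your build differs.
var gitVersionRe = regexp.MustCompile(`(?m)^GitVersion:\s*v?(\d+)\.(\d+)\.(\d+)([-+][0-9A-Za-z.+-]*)?`)

// ParseGitVersion pulls the version triple (and any suffix) out of the
// output of `cosign version`.
func ParseGitVersion(out string) (Version, error) {
	m := gitVersionRe.FindStringSubmatch(out)
	if m == nil {
		return Version{}, errors.New("no GitVersion line in cosign version output")
	}
	var v Version
	for i, field := range []*int{&v.Major, &v.Minor, &v.Patch} {
		n, err := strconv.Atoi(m[i+1])
		if err != nil {
			return Version{}, fmt.Errorf("bad version component %q: %w", m[i+1], err)
		}
		*field = n
	}
	v.Suffix = m[4] // "" when the tag had no suffix
	return v, nil
}

// Compare orders two versions by their numeric triple only (-1, 0 or 1).
func Compare(a, b Version) int {
	for _, d := range []int{a.Major - b.Major, a.Minor - b.Minor, a.Patch - b.Patch} {
		switch {
		case d < 0:
			return -1
		case d > 0:
			return 1
		}
	}
	return 0
}

// IsFixed reports whether the binary described by out is at or past MinFixed.
// Anything carrying a suffix (v1.12.0-rc1, v1.12.0-dirty) is conservatively
// reported as not fixed: a pre-release or local build of the fixed tag may
// not actually contain the relevant patches.
func IsFixed(out string) (bool, error) {
	v, err := ParseGitVersion(out)
	if err != nil {
		return false, err
	}
	if v.Suffix != "" {
		return false, nil
	}
	return Compare(v, MinFixed) >= 0, nil
}

// SampleOld is a constructed `cosign version` output for the pre-upgrade
// 1.8.0 build; it was not captured from a real binary.
const SampleOld = `cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v1.8.0
GitCommit:     0000000000000000000000000000000000000000
GitTreeState:  clean
GoVersion:     go1.17.13
Compiler:      gc
Platform:      linux/amd64
`

// SampleNew is a constructed output for the upgraded build.
const SampleNew = "GitVersion:    v1.12.0\nGitCommit:     1111111111111111111111111111111111111111\n"

func main() {
	for _, out := range []string{SampleOld, SampleNew} {
		ok, err := IsFixed(out)
		fmt.Printf("fixed=%v err=%v\n", ok, err)
	}
}
```

In practice you would feed the function the captured stdout of `./result/bin/cosign version` for each platform built, and fail the check when it returns false or an error.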

@LeSuisse LeSuisse added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Sep 19, 2022
@ofborg ofborg bot requested a review from 06kellyjac September 19, 2022 07:44
risicle (Contributor) commented Sep 19, 2022

Hmm, build fails for me on macOS 10.15, as it does in ofborg.

risicle (Contributor) commented Sep 19, 2022

Think we're not seeing this on master because of some fix contained in #185604 (0ec77e3 perhaps?). Nope.

LeSuisse (Contributor, author)
AFAIK it is related to the SDK version we have on 22.05: #168984 (comment)

LeSuisse (Contributor, author)
Not sure what to do here: maybe provide 1.8.0 with the patch proposed in #187071 for macOS with the knownVulnerabilities flag and provide 1.12.0 for everyone else?

risicle (Contributor) commented Sep 19, 2022

How critical is using go 1.18?

risicle (Contributor) commented Sep 19, 2022

Go 1.18 works on x86 darwin upstream because it uses the darwin.apple_sdk_11_0.callPackage trick, which isn't available on 22.05.

LeSuisse (Contributor, author)
How critical is using go 1.18?

The package cannot be built without it because it has dependencies requiring Go 1.18. Since they have bumped to Go 1.18 (sigstore/cosign#2059), the number of deps requiring it has increased, so trying to make it build with Go 1.17 will not be easy.

reckenrode (Contributor)
I opened #194145 to backport the 11.0 SDK changes to x86_64-darwin.

risicle (Contributor) commented Oct 9, 2022

@ofborg build cosign

LeSuisse and others added 7 commits October 9, 2022 16:40

Commit message:

`cosigned` is no longer part of the cosign repository; it has been moved
into the `sigstore/policy-controller` repository. A new package should probably
be created to replace it.

https://github.com/sigstore/cosign/releases/tag/v1.10.0

(cherry picked from commit 595932c)
(cherry picked from commit c7f4385)
(cherry picked from commit f535732)
LeSuisse (Contributor, author) commented Oct 9, 2022

I rebased the contribution to make it easier to test, since the change for darwin has been backported.

risicle (Contributor) commented Oct 10, 2022

@ofborg build cosign

@risicle risicle merged commit f313706 into NixOS:release-22.05 Oct 12, 2022
risicle (Contributor) commented Oct 12, 2022

Well done everyone, we got there.

@LeSuisse LeSuisse deleted the cosign-22.05-1.12.0 branch October 13, 2022 09:32
Labels: 1.severity: security (Issues which raise a security issue, or PRs that fix one); 10.rebuild-darwin: 1-10; 10.rebuild-darwin: 1; 10.rebuild-linux: 1-10; 10.rebuild-linux: 1; 11.by: package-maintainer (This PR was created by the maintainer of the package it changes)