Bump libgit2 image and disable cosign verification for CI #921

Merged
merged 2 commits into from
Sep 29, 2022


pjbgf
Member

@pjbgf pjbgf commented Sep 29, 2022

The libgit2 libraries are downloaded and verified before
some of the make targets are executed. This assures the
provenance of such files before using them and is very
important, especially for end users running such tests on
their machines.

Note that has been disabled specially due to recent issues
we experienced at CI which can be seen in:
#899

Paulo Gomes added 2 commits September 29, 2022 06:55
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
@pjbgf pjbgf added the area/ci CI related issues and pull requests label Sep 29, 2022
@pjbgf
Member Author

pjbgf commented Sep 29, 2022

When running the verification locally for the latest libgit2 image it is failing with:

+ COSIGN_EXPERIMENTAL=1
+ cosign verify-blob --cert /tmp/tmp.HOAXg9EIvk/checksums.txt.pem --signature /tmp/tmp.HOAXg9EIvk/checksums.txt.sig /tmp/tmp.HOAXg9EIvk/checksums.txt
Error: verifying blob [/tmp/tmp.HOAXg9EIvk/checksums.txt]: computed leaf hash did not match entry UUID
main.go:52: error during command execution: verifying blob [/tmp/tmp.HOAXg9EIvk/checksums.txt]: computed leaf hash did not match entry UUID

@stefanprodan
Member

@pjbgf are you using Cosign v1.12.1?

@pjbgf
Member Author

pjbgf commented Sep 29, 2022

@stefanprodan thanks for that, I deleted the cached cosign for IAC but forgot to do the same for SC, which meant I was using an earlier version. It is now working as expected. 👍

@pjbgf pjbgf merged commit 5ea4922 into fluxcd:main Sep 29, 2022
@pjbgf pjbgf deleted the bump-libgit2-image branch September 29, 2022 06:21
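
The failure in this thread came from a stale cached cosign binary rather than from a bad signature. The following is an added example, not code from this pull request or the project: it gates the `verify-blob` step on the cached binary's version so a stale cache fails with a clear message. The minimum version (taken from the v1.12.1 mentioned above), the function names, and the `GitVersion:` line parsed from `cosign version` output are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the project's script). MIN_COSIGN is an assumed floor,
# set to the version named in the thread.
MIN_COSIGN="${MIN_COSIGN:-1.12.1}"

# version_ge A B: succeeds when dotted version A >= B (a leading "v" is ignored).
version_ge() {
  local a="${1#v}" b="${2#v}"
  [ "$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n1)" = "$b" ]
}

# parse_cosign_version: reads `cosign version` output on stdin and prints the
# value of its "GitVersion:" line (assumed output format).
parse_cosign_version() {
  awk '$1 == "GitVersion:" { print $2; exit }'
}

# cached_cosign_ok BIN: succeeds only if BIN is executable and reports a
# version of at least MIN_COSIGN.
cached_cosign_ok() {
  local bin="$1" ver
  [ -x "$bin" ] || return 1
  ver="$("$bin" version 2>&1 | parse_cosign_version)"
  [ -n "$ver" ] && version_ge "$ver" "$MIN_COSIGN"
}

# verify_checksums BIN DIR: refuse to run with a stale binary (exit 2), verify
# the signature over checksums.txt (exit 3 on failure), then check the files
# present in DIR against the now-trusted checksums.
verify_checksums() {
  local bin="$1" dir="$2"
  if ! cached_cosign_ok "$bin"; then
    echo "cosign at $bin is missing or older than $MIN_COSIGN; refresh the cache" >&2
    return 2
  fi
  COSIGN_EXPERIMENTAL=1 "$bin" verify-blob \
    --cert "$dir/checksums.txt.pem" \
    --signature "$dir/checksums.txt.sig" \
    "$dir/checksums.txt" || return 3
  (cd "$dir" && sha256sum --check --ignore-missing checksums.txt)
}
```
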