-
Notifications
You must be signed in to change notification settings - Fork 71
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BUG TUF invalid key when running Scorecard Github Action #998
Comments
+1 |
Hi! Chiming in just to document: only cosign v1.13.0+ has the fix in, so any dependent code will fail on this error :| So the problem was not just random, but definitely related to latest versioning.
Interesting. I wonder if the check and block for private repos occurs after some signing logic... |
Described and fixed in #997 (release 2.0.6) |
See the fail in https://github.com/mui/material-ui/actions/runs/3366428356/jobs/5596551353 It's documented in ossf/scorecard-action#998 too.
Cosign 1.13 as it should have a fix for this according to ossf/scorecard-action#998 (comment)
fixes broken scorecard action ossf/scorecard-action#998
fixes broken scorecard action ossf/scorecard-action#998
fixes broken scorecard action ossf/scorecard-action#998
See the fail in https://github.com/mui/material-ui/actions/runs/3366428356/jobs/5596551353 It's documented in ossf/scorecard-action#998 too.
See the fail in https://github.com/mui/material-ui/actions/runs/3366428356/jobs/5596551353 It's documented in ossf/scorecard-action#998 too.
Looks like they fixed here - ossf/scorecard-action#998 updating to a newer verison should not be a problem, so bumping up the verison of cosign
) Looks like they fixed here - ossf/scorecard-action#998 updating to a newer verison should not be a problem, so bumping up the verison of cosign
Update scorecard-action to [fix](ossf/scorecard-action#998) [failure](https://github.com/trunk-io/configs/actions/runs/8424216101). Also adds dependabot file to hopefully catch this proactively going forward.
Summary: This upgrades pulls in a fix for github.com/ossf/scorecard-action/issues/998 which was causing the action to fail. Relevant Issues: N/A Type of change: /kind infra Test Plan: Scorecard runs should succeed again after this. Signed-off-by: Vihang Mehta <vihang@px.dev>
Description
Version: 2.0.3
The action crashes with the error
2022/10/28 13:59:29 error signing scorecard json results: error signing payload: getting key from Fulcio: verifying SCT: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key
I've tested in one repo to upgrade the scorecard-action to 2.0.6 and the error didn't happened anymore. Don't know if the error is just random or if it was really solved on the latest release.
It seems to be related to the error sigstore/cosign#2390.
Examples
dmlc/xgboost#8263 (comment)
https://github.com/cert-manager/cert-manager/actions/runs/3345975741
The text was updated successfully, but these errors were encountered: