Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

BUG TUF invalid key when running Scorecard Github Action #998

Closed
joycebrum opened this issue Oct 28, 2022 · 3 comments
Closed

BUG TUF invalid key when running Scorecard Github Action #998

joycebrum opened this issue Oct 28, 2022 · 3 comments

Comments

@joycebrum
Copy link
Contributor

joycebrum commented Oct 28, 2022

Description

Version: 2.0.3

The action crashes with the error 2022/10/28 13:59:29 error signing scorecard json results: error signing payload: getting key from Fulcio: verifying SCT: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key

I've tested in one repo to upgrade the scorecard-action to 2.0.6 and the error didn't happened anymore. Don't know if the error is just random or if it was really solved on the latest release.

It seems to be related to the error sigstore/cosign#2390.

Examples

dmlc/xgboost#8263 (comment)
https://github.com/cert-manager/cert-manager/actions/runs/3345975741

@faximan
Copy link

faximan commented Oct 31, 2022

+1
This went away when I changed to publish_results: false even though the comment says the value is ignored for private repos (seems like it isn't).

@asraa
Copy link

asraa commented Oct 31, 2022

Hi! Chiming in just to document: only cosign v1.13.0+ has the fix in, so any dependent code will fail on this error :|

So the problem was not just random, but definitely related to latest versioning.

This went away when I changed to publish_results: false even though the comment says the value is ignored for private repos (seems like it isn't).

Interesting. I wonder if the check and block for private repos occurs after some signing logic...

@joycebrum
Copy link
Contributor Author

Described and fixed in #997 (release 2.0.6)

Anguse added a commit to Anguse/docker-dev that referenced this issue Nov 8, 2022
Cosign 1.13 as it should have a fix for this according to ossf/scorecard-action#998 (comment)
adamvduke added a commit to Flank/flank that referenced this issue Nov 11, 2022
adamvduke added a commit to Flank/flank that referenced this issue Nov 11, 2022
adamvduke added a commit to Flank/flank that referenced this issue Nov 11, 2022
daniel-rabe pushed a commit to daniel-rabe/material-ui that referenced this issue Nov 29, 2022
feliperli pushed a commit to jesrodri/material-ui that referenced this issue Dec 6, 2022
nfacha added a commit to nfacha/PlaneAlert that referenced this issue Dec 15, 2022
AnishReddyRavula added a commit to ChameleonCloud/portal that referenced this issue Mar 22, 2024
Looks like they fixed here - ossf/scorecard-action#998

updating to a newer verison should not be a problem, so bumping up the verison of cosign
AnishReddyRavula added a commit to ChameleonCloud/portal that referenced this issue Mar 25, 2024
)

Looks like they fixed here - ossf/scorecard-action#998

updating to a newer verison should not be a problem, so bumping up the verison of cosign
TylerJang27 added a commit to trunk-io/configs that referenced this issue Mar 27, 2024
Update scorecard-action to
[fix](ossf/scorecard-action#998)
[failure](https://github.com/trunk-io/configs/actions/runs/8424216101).

Also adds dependabot file to hopefully catch this proactively going
forward.
vihangm added a commit to pixie-io/pixie that referenced this issue May 27, 2024
Summary: This upgrades pulls in a fix for
github.com/ossf/scorecard-action/issues/998 which was causing the action
to fail.

Relevant Issues: N/A

Type of change: /kind infra

Test Plan: Scorecard runs should succeed again after this.

Signed-off-by: Vihang Mehta <vihang@px.dev>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants