Troubleshooting Cosign Connection Issues with Private Rekor Server for Secure Log Storage

[DHEEMAN2912]

Select Topic Area

Question

Body

I have created a private Rekor server to store the logs generated by the code above when executed in my GitHub Actions pipeline. This process generates a tlog index, which is stored in my private Rekor server. Using a public Rekor server would store the tlog publicly, which my client does not want.

The main issue is that although my private Rekor server is up and running, the Cosign command is unable to reach it to store the logs. Could you please help identify why this issue is occurring? I need to fix this as soon as possible. Thank you!

Cosign version: 2.41

For spin rekor server i am using rekor office docker compose file. https://github.com/sigstore/rekor/blob/main/docker-compose.yml

Code:

• name: Sign Docker Image
  id: sign_docker_image
  run: |
  echo "${{ secrets.COSIGN_KEY }}" | tr -d '\r' > cosign.key
  chmod 600 cosign.key

      # Set the COSIGN_REKOR_SKIP_VERIFY variable to true to bypass SSL verification
      if COSIGN_REKOR_SKIP_VERIFY=true cosign sign \
        --key cosign.key \
        --rekor-url http://52.172.140.64:3000/ \
        ${{ secrets.IMAGE_NAME }}@${{ env.IMAGE_SHA }} --yes; then
        echo "Success: Image sign successful."
      else
        echo "Error: Image sign failed."
        exit 1
      fi
   env:
      COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
      COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSPHRASE }}
      COSIGN_REKOR_SKIP_VERIFY: true
  

Error Message:

Run echo "***

The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
This may include the email address associated with the account with which you authenticate your contractual Agreement.
This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
Error: signing [@sha256:fea9673bc309205942525a1f15be14cecfa264a71ad017cf66068140e732dfa1]: signing digest: Post "http://52.172.140.64:3000/api/v1/log/entries": POST http://52.172.140.64:3000/api/v1/log/entries giving up after 4 attempt(s): Post "http://52.172.140.64:3000/api/v1/log/entries": dial tcp 52.172.140.64:3000: i/o timeout
main.go:74: error during command execution: signing [@sha256:fea9673bc309205942525a1f15be14cecfa264a71ad017cf66068140e732dfa1]: signing digest: Post "http://52.172.140.64:3000/api/v1/log/entries": POST http://52.172.140.64:3000/api/v1/log/entries giving up after 4 attempt(s): Post "http://52.172.140.64:3000/api/v1/log/entries": dial tcp 52.172.140.64:3000: i/o timeout
Error: Image sign failed.
Error: Process completed with exit code 1.