Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

failure to get Fulcio root #2121

Closed
laurentsimon opened this issue Aug 3, 2022 · 5 comments
Closed

failure to get Fulcio root #2121

laurentsimon opened this issue Aug 3, 2022 · 5 comments
Labels
bug Something isn't working

Comments

@laurentsimon
Copy link

As part of the native SLSA builders for GitHub https://github.com/slsa-framework/slsa-github-generator, we use cosign API to verify binaries.
Recently users who user the builder to release their binaries have encountered problems:

goroutine 1 [running]:
github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots.Get.func1()
	github.com/sigstore/cosign@v1.7.2/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go:48 +0x57
sync.(*Once).doSlow(0xc000be3b30?, 0xc0008de700?)
	sync/once.go:68 +0xc2
sync.(*Once).Do(...)
	sync/once.go:59
github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots.Get()
	github.com/sigstore/cosign@v1.7.2/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go:[44](https://github.com/ossf/scorecard/runs/7638656220?check_suite_focus=true#step:4:45) +0x31
github.com/sigstore/cosign/cmd/cosign/cli/fulcio.GetRoots(...)
	github.com/sigstore/cosign@v1.7.2/cmd/cosign/cli/fulcio/fulcio.go:157

The builder version is v1.0.0 from 2 months ago, and uses cosign@1.7.2. We have a more recent builder version, but not all users update promptly.

Is there a way to fix this?

/cc @asraa @ianlewis
@laurentsimon laurentsimon added the bug Something isn't working label Aug 3, 2022
@dlorenc
Copy link
Member

dlorenc commented Aug 3, 2022

you'll need to update to at least cosign 1.9. This will be stable going forward though!

@asraa
Copy link
Contributor

asraa commented Aug 3, 2022

@cpanato and etc -- can we do patch version releases for important fixes like this? I can prep backport patches for the fix, but we don't have a policy on which versions of cosign that we intend to backport to (e.g. maybe the last 3)

@laurentsimon
Copy link
Author

laurentsimon commented Aug 3, 2022
edited
Loading

+1 on a defined policy. Having a LTS version should also be stated clearly. As a user, I want to use the LTS version to be sure I have these fixes backported; and I want to know for how long it will be supported

@laurentsimon laurentsimon mentioned this issue Aug 3, 2022
Closed
@dlorenc
Copy link
Member

dlorenc commented Aug 20, 2022

When we move the transparency log features out of experimental, there will be a defined stability policy.

https://github.com/sigstore/cosign#anything-under-the-cosign_experimental-environment-variable

@dlorenc
Copy link
Member

dlorenc commented Aug 20, 2022

We can do a point release if you want to backport the code, but the API won't break after experimental comes off.

@dlorenc dlorenc closed this as completed Aug 20, 2022
@asraa asraa mentioned this issue Sep 9, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dlorenc @asraa @laurentsimon