-
Notifications
You must be signed in to change notification settings - Fork 58
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ctfe public key default name breaks cosign #873
Comments
@federico-falconieri-form3 can you share your values file or the items unique to your deployment? |
Sure, however I cannot share the fulcio OIDC issuer configuration: trillian:
enabled: true
namespace:
create: true
mysql:
persistence:
enabled: true
ctlog:
enabled: true
namespace:
create: true
rekor:
enabled: true
namespace:
create: true
server:
ingress:
http:
enabled: false # I create the ingress manually elsewhere
attestation_storage:
enabled: false
fulcio:
enabled: true
namespace:
create: true
server:
args:
certificateAuthority: fileca
ingress:
http:
enabled: false # I create the ingress manually elsewhere
tuf:
enabled: true
namespace:
create: true
ingress:
enabled: false # I create the ingress manually elsewhere
copySecretJob:
enabled: true
tsa:
enabled: false |
@federico-falconieri-form3 if you want to add the following, it should solve the issues that you are facing tuf:
secrets:
fulcio:
path: fulcio_v1.crt.pem
rekor:
path: rekor.pub
ctlog:
path: ctfe.pub These will be the default values moving forward |
Can you share the tuf ...
"ctfe.pub": {
"length": 177,
"hashes": {
"sha256": "7fcb94a5d0ed541260473b990b99a6c39864c1fb16f3f3e594a5a3cebbfe138a",
"sha512": "4b20747d1afe2544238ad38cc0cc3010921b177d60ac743767e0ef675b915489bd01a36606c0ff83c06448622d7160f0d866c83d20f0c0f44653dcc3f9aa0bd4"
},
"custom": {
"sigstore": {
"status": "Active",
"uri": "https://ctfe.sigstore.dev/test",
"usage": "CTFE"
}
}
},
... So the |
@kommendorkapten One issue is I think this is lagging behind some of the updates to the expected Sigstore TUF metadata, it's not setting |
@haydentherapper ah, got it. I'm not very familiar with the scaffolding project and how the TUF repository is configured. |
Description
I am not sure if this is a bug or a documentation problem. I'm leaving this here as I imagine that anyone deploying these days probably has the same issue.
I deployed scaffold
0.6.36
, includingtuf
and got stuck with the following error with cosignv2.2.0
when performing signingI also noticed that I don't have
ctfe.pub
in my root targets... I havectlog_pubkey
.This is different from what I can find in all guides online to deploy sigstore, for instance https://blog.stephane-robert.info/post/devops-cosign-rekor-private/ (it's in french, sorry, scroll down to the
cosign -d initialize --root root.json --mirror https://tuf.robert.local
)Cosign does not seem to allow to override the filename, as it is hardcoded in https://github.com/sigstore/cosign/blob/878b6c766e17d59d5624c802a1e196e8e8d47f56/pkg/cosign/ctlog.go#L28.
In the end I was able to resolve this through the env variable
SIGSTORE_CT_LOG_PUBLIC_KEY_FILE
. But that is annoying because it requires to manually inspect the kubernetes secret to copy the public key...PS is there a way to fetch that public key like there is for rekor
api/v1/log/publicKey
?I do not understand currently if this is caused by configuration of
tuf
,ctlog
,fulcio
or thecopysecrets
jobsVersion
The text was updated successfully, but these errors were encountered: