error updating to TUF remote mirror: tuf: invalid key #325
It seems that there is an error reading the TUF key when verifying signatures. This is occurring in v1.3.1 at least and is breaking the slsa-github-generator workflows at their latest version of v1.2.1 as well.
Not sure if this is a backwards incompatibility issue after a Rekor server upgrade or whether the TUF keys are just broken, but I assume it's the former?
/cc @asraa
Related slsa-framework/slsa-github-generator#1163

Comments

Thank you! Repeating some wording from the generator issue but just for clarity here: This is because the Sigstore TUF root (that distributes all the key material for sigstore) had an update to meet TUF compliance, which meant a change in key formats. Old versions of the TUF client library (go-tuf) do not understand the new compliant key format. We would be able to catch it if we could configure the generator and verifier against other TUF roots, and test other roots as well as catch the failure in pre-production at least (and hopefully staging): slsa-framework/slsa-github-generator#387

Can we close this since we've released new versions of the verifier? Should we mark the old releases as unusable? We've gotten a lot of push-back about older releases of slsa-github-generator not being usable anymore, so we've needed to mark them as clearly not usable (e.g. v1.2.1). 🚨

Closing, this is a known issue documented in https://github.com/slsa-framework/slsa-verifier#known-issues
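Added example, not code from slsa-verifier, go-tuf or the Sigstore root: a small Go parser for the `keyval.public` field of a P-256 key entry as it appears under `signed.keys` in a TUF root.json. The thread does not say which encoding the Sigstore root used before and after the compliance change, so the two encodings modelled here (a hex-encoded uncompressed SEC1 point versus a PEM-encoded SubjectPublicKeyInfo), the `parseLegacyHexOnly` client, the `errInvalidKey` error and the freshly generated sample keys are all assumptions for illustration. What it shows is the failure mode in the thread: a client hard-wired to one encoding rejects a root whose keys moved to the other with an "invalid key" error, while a client that recognises both, and still fails closed on anything else, keeps verifying.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
)

// errInvalidKey stands in for the error class reported in the thread (assumed name).
var errInvalidKey = errors.New("tuf: invalid key")

// keyVal and tufKey mirror the shape of one entry under signed.keys in root.json.
type keyVal struct {
	Public string `json:"public"`
}

type tufKey struct {
	KeyType string `json:"keytype"`
	Scheme  string `json:"scheme"`
	KeyVal  keyVal `json:"keyval"`
}

const p256Type = "ecdsa-sha2-nistp256"

// parseLegacyHexOnly models a client that knows exactly one encoding (assumed
// here: hex of the uncompressed point) and rejects everything else.
func parseLegacyHexOnly(k tufKey) (*ecdsa.PublicKey, error) {
	if k.KeyType != p256Type {
		return nil, fmt.Errorf("%w: unsupported keytype %q", errInvalidKey, k.KeyType)
	}
	return hexPoint(k.KeyVal.Public)
}

// parseP256Public accepts either a PEM SubjectPublicKeyInfo or the hex point,
// reports which one it saw, and still fails closed on anything else.
func parseP256Public(k tufKey) (*ecdsa.PublicKey, string, error) {
	if k.KeyType != p256Type {
		return nil, "", fmt.Errorf("%w: unsupported keytype %q", errInvalidKey, k.KeyType)
	}
	if block, _ := pem.Decode([]byte(k.KeyVal.Public)); block != nil {
		pub, err := x509.ParsePKIXPublicKey(block.Bytes)
		if err != nil {
			return nil, "", fmt.Errorf("%w: %v", errInvalidKey, err)
		}
		ec, ok := pub.(*ecdsa.PublicKey)
		if !ok || ec.Curve != elliptic.P256() {
			return nil, "", fmt.Errorf("%w: PEM key is not P-256", errInvalidKey)
		}
		return ec, "pem", nil
	}
	ec, err := hexPoint(k.KeyVal.Public)
	if err != nil {
		return nil, "", err
	}
	return ec, "hex", nil
}

// hexPoint decodes hex("04"||X||Y) and checks that the point lies on P-256.
func hexPoint(s string) (*ecdsa.PublicKey, error) {
	raw, err := hex.DecodeString(s)
	if err != nil {
		return nil, fmt.Errorf("%w: public is neither PEM nor hex", errInvalidKey)
	}
	x, y := elliptic.Unmarshal(elliptic.P256(), raw) // nil x on bad length or off-curve point
	if x == nil {
		return nil, fmt.Errorf("%w: not an uncompressed P-256 point", errInvalidKey)
	}
	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, nil
}

// sampleKeys constructs three key entries for one freshly generated P-256 key:
// the same point as PEM, the same point as hex, and a malformed entry.
// Constructed test data, not Sigstore key material.
func sampleKeys() (pemKey, hexKey, badKey tufKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		panic(err)
	}
	pemKey = tufKey{KeyType: p256Type, Scheme: p256Type}
	pemKey.KeyVal.Public = string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
	hexKey = pemKey
	hexKey.KeyVal.Public = hex.EncodeToString(elliptic.Marshal(elliptic.P256(), priv.X, priv.Y))
	badKey = pemKey
	badKey.KeyVal.Public = "not a key"
	return pemKey, hexKey, badKey
}

func main() {
	pemKey, hexKey, badKey := sampleKeys()
	for _, c := range []struct{ name string; k tufKey }{{"pem", pemKey}, {"hex", hexKey}, {"bad", badKey}} {
		_, legacyErr := parseLegacyHexOnly(c.k)
		_, format, err := parseP256Public(c.k)
		fmt.Printf("%s: legacy client err=%v | tolerant client format=%q err=%v\n", c.name, legacyErr, format, err)
	}
}
```

Running it prints the legacy client rejecting the PEM entry while the tolerant client parses both encodings to the same point and rejects only the malformed one. Note that under the TUF specification a key's id is derived from the canonical JSON of the whole key object, so re-encoding the same public key also changes its keyid; a verifier that accepts both encodings must still match signatures by the keyid the root actually declares rather than by the underlying point.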