[bug] Installation failing with slsa-verifier 2.3.0 #1561

Open
anatoly-scherbakov opened this issue Sep 25, 2024 · 1 comment

@anatoly-scherbakov (Contributor)

Describe the bug
Using commands as per README.md leads to the following error:

$ ./slsa-verifier verify-artifact todos --provenance-path=todos.intoto.jsonl --source-uri=github.com/ianlewis/todos --source-tag=v0.8.0
Verifying artifact todos: FAILED: error retrieving Rekor public keys: updating local metadata and targets: error updating to TUF remote mirror: invalid key
remote status:{
        "mirror": "https://tuf-repo-cdn.sigstore.dev",
        "metadata": {
                "timestamp.json": {
                        "version": 224,
                        "len": 449,
                        "expiration": "01 Oct 24 13:26 UTC",
                        "error": ""
                }
        }
}

FAILED: SLSA verification failed: error retrieving Rekor public keys: updating local metadata and targets: error updating to TUF remote mirror: invalid key
remote status:{
        "mirror": "https://tuf-repo-cdn.sigstore.dev",
        "metadata": {
                "timestamp.json": {
                        "version": 224,
                        "len": 449,
                        "expiration": "01 Oct 24 13:26 UTC",
                        "error": ""
                }
        }
}

To Reproduce
Steps to reproduce the behavior:

Run the installation commands from README.md on Ubuntu AMD64.

Expected behavior
slsa-verifier should install the app.

Screenshots
Output provided above.

Additional context
Upgrading slsa-verifier to 2.6.0, and changing the checksum accordingly, fixes the issue.

@anatoly-scherbakov anatoly-scherbakov added bug Something isn't working triage This issue needs triage labels Sep 25, 2024
@ianlewis (Owner)

ianlewis commented Sep 28, 2024

Unfortunately, sigstore updates their TUF root certificates every year and this is reflected in older versions of slsa-verifier not being able to verify provenance.

It should work with slsa-verifier 2.6.0 and I'll update the documentation to use this version.

@ianlewis ianlewis added documentation Improvements or additions to documentation and removed triage This issue needs triage labels Sep 28, 2024
@ianlewis ianlewis added this to the v1.0.0 milestone Sep 28, 2024
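An added diagnostic example, not code from this issue or from the todos or slsa-verifier projects: it parses the failure output quoted above (assuming that exact format) and separates "the mirror's timestamp.json had already expired" from "invalid key", the case the comment above attributes to an old verifier build whose embedded TUF root keys can no longer verify the rotated metadata, and which upgrading fixes.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: the first FAILED line and the remote-status block
# exactly as quoted in the issue report above.
SAMPLE_OUTPUT = """\
Verifying artifact todos: FAILED: error retrieving Rekor public keys: updating local metadata and targets: error updating to TUF remote mirror: invalid key
remote status:{
        "mirror": "https://tuf-repo-cdn.sigstore.dev",
        "metadata": {
                "timestamp.json": {
                        "version": 224,
                        "len": 449,
                        "expiration": "01 Oct 24 13:26 UTC",
                        "error": ""
                }
        }
}
"""

# The status JSON starts right after "remote status:" and ends at the first
# closing brace that sits at column 0 (inner braces are indented).
STATUS_RE = re.compile(r"remote status:(\{.*?\n\})", re.S)

def parse_remote_status(output):
    """Return the remote-status dict the verifier prints on a TUF failure, or None."""
    m = STATUS_RE.search(output)
    return json.loads(m.group(1)) if m else None

def parse_expiration(text):
    """Parse the verifier's expiration format, e.g. '01 Oct 24 13:26 UTC', as UTC."""
    return datetime.strptime(text, "%d %b %y %H:%M %Z").replace(tzinfo=timezone.utc)

def classify_tuf_failure(output, now):
    """Classify a TUF failure given verifier output and the current UTC time.
    'ok': no TUF failure; 'metadata-expired': timestamp.json had expired at `now`;
    'invalid-key': metadata is current but this build's embedded root keys
    cannot verify it, i.e. the verifier is too old; 'other': anything else."""
    if "error updating to TUF remote mirror" not in output:
        return "ok"
    status = parse_remote_status(output) or {}
    exp = status.get("metadata", {}).get("timestamp.json", {}).get("expiration")
    if exp and parse_expiration(exp) < now:
        return "metadata-expired"
    if "invalid key" in output:
        return "invalid-key"
    return "other"
```

For the quoted output, run on the day of the report (25 Sep 2024) this yields "invalid-key", since the timestamp metadata was still a week from expiry; the same output checked after 1 Oct 2024 yields "metadata-expired" instead.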
anatoly-scherbakov added a commit to anatoly-scherbakov/todos that referenced this issue Oct 1, 2024
…n-readme

Update install instructions @ `README.md` closing ianlewis#1561