generate-key-pair fails on Azure Key Vault
Description
cosign generate-key-pair --kms "azurekms://URLHERE.vault.usgovcloudapi.net/cosignkey"
Error: failed to get public key: public key: public key: GET https://URLHERE.vault.usgovcloudapi.net/keys/cosignkey/
RESPONSE 404: 404 Not Found
ERROR CODE: KeyNotFound
{
"error": {
"code": "KeyNotFound",
"message": "A key with (name/id) cosignkey was not found in this key vault. If you recently deleted this key you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182"
}
}
main.go:74: error during command execution: failed to get public key: public key: public key: GET https://URLHERE.vault.usgovcloudapi.net/keys/cosignkey/
RESPONSE 404: 404 Not Found
ERROR CODE: KeyNotFound
{
"error": {
"code": "KeyNotFound",
"message": "A key with (name/id) cosignkey was not found in this key vault. If you recently deleted this key you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182"
}
}
Version
cosign version
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.
GitVersion: v2.1.1
GitCommit: baf97ccb4926ed09c8f204b537dc0ee77b60d043
GitTreeState: clean
BuildDate: 2023-06-27T06:57:11Z
GoVersion: go1.20.5
Compiler: gc
Platform: linux/amd64
The fix is in, but we haven't cut a new release of the library. We will be this week though.
This issue still persists in version 2.2.0.
cosign generate-key-pair --kms azurekms://<redacted>.vault.azure.net/cosign
Error: failed to get public key: public key: public key: GET https://<redacted>.vault.azure.net/keys/cosign/
--------------------------------------------------------------------------------
RESPONSE 404: 404 Not Found
ERROR CODE: KeyNotFound
--------------------------------------------------------------------------------
{
"error": {
"code": "KeyNotFound",
"message": "A key with (name/id) cosign was not found in this key vault. If you recently deleted this key you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182"
}
}
--------------------------------------------------------------------------------
main.go:74: error during command execution: failed to get public key: public key: public key: GET https://<redacted>.vault.azure.net/keys/cosign/
--------------------------------------------------------------------------------
RESPONSE 404: 404 Not Found
ERROR CODE: KeyNotFound
--------------------------------------------------------------------------------
{
"error": {
"code": "KeyNotFound",
"message": "A key with (name/id) cosign was not found in this key vault. If you recently deleted this key you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182"
}
}
--------------------------------------------------------------------------------
Version info:
GitVersion: 2.2.0
GitCommit: 546f1c5b91ef58d6b034a402d0211d980184a0e5
GitTreeState: "clean"
BuildDate: 2023-08-31T18:52:52Z
GoVersion: go1.21.0
Compiler: gc
Platform: linux/amd64
Are there any work-arounds for creating an integration with Azure Keyvault in the meanwhile?
I found the same issue. The workarounds for me are:
- Manually create an Azure Key Vault key named: cosign
- Run the cosign generate-key-pair --kms azurekms://.vault.azure.net/cosign command
@malancas Any ideas on this?
@haydentherapper I think I see the issue, taking a deeper look.
@haydentherapper I have a pull request with the fix ready for review when you have time: https://github.com/sigstore/sigstore/pull/1525
@malancas Approved and merged. I'll work on cutting a new release. Were you able to test Cosign with this change integrated?
@haydentherapper great, thanks. Yes, I was able to test the cosign generate-key-pair command with these changes integrated.
Awesome, thanks. I'm fixing a few open issues on Cosign, will cut 2.3.0 by EOW with the library update merged.