
`cosign verify-attestation` hangs indefinitely in GitHub Actions

Open AliSajid opened this issue 1 year ago • 18 comments

Description

I have a GitHub Action that builds and signs an image and pushes it to GHCR and DockerHub. I verify the signatures in the same action. The verification for the image happens instantly, but on the verify-attestation step for the SBOM it hangs until it times out after six hours. I can verify that the attestation is pushed to the container registries, and I can verify it locally on my Mac (M2) painlessly.

I'm using syft for SBOM generation and right now using a practically empty Dockerfile.

Version

cosign: v2.2.3
syft: v1.0.1

These are the logs from an example run. logs_21813240831.zip

The workflow is here: https://github.com/AliSajid/aaprop/blob/next/.github/workflows/build_container.yaml

AliSajid · Mar 18 '24 14:03
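As an added example (not the issue author's workflow or cosign's own code), this is how a verify step can be bounded so that a hang like the one described fails fast instead of running to the six-hour job limit. The image reference, repository name and identity pattern are placeholders.

```yaml
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: sigstore/cosign-installer@v3

      - name: Verify SBOM attestation (bounded)
        # Without an explicit limit a hung step runs to the GitHub Actions
        # default of 360 minutes, i.e. the six-hour timeout seen in this issue.
        timeout-minutes: 10
        env:
          # Placeholder image and digest, constructed for this example.
          IMAGE: ghcr.io/example-org/example-image@sha256:0000000000000000000000000000000000000000000000000000000000000000
        run: |
          # --type spdxjson matches an SBOM attested from syft's SPDX JSON output.
          # Identity and issuer pin the keyless signature to a specific workflow
          # (placeholder repository path).
          cosign verify-attestation \
            --type spdxjson \
            --certificate-identity-regexp 'https://github.com/example-org/example-repo/.github/workflows/.*' \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            "$IMAGE"
```

A step that exceeds the limit is cancelled and marked failed, so the hang surfaces in the run summary rather than silently consuming runner minutes.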

This sounds like a one-off GHA failure, is it still occurring?

haydentherapper · Mar 19 '24 20:03

This has been consistently occurring over the past ~3 days. Sometimes it succeeds, but with an inordinately long time. An example of a very long run before success is here.

I have one action run happening right now which is going through the same process.

AliSajid · Mar 19 '24 20:03

I can confirm the same behaviour in one of my actions.

ckotzbauer · May 09 '24 10:05

Without logs, I'm unable to reproduce this.

haydentherapper · May 09 '24 15:05

I'll create a repro build and share it here.

ckotzbauer · May 10 '24 07:05

I created a simple reproduction repository and the workflow hung on the first execution: https://github.com/ckotzbauer/verify-attestation-repro/actions/runs/9044178111/job/24852568726

Between lines 32 and 33/34 it took about 8 minutes.

ckotzbauer · May 11 '24 13:05