
feature request: update k8s-manifest-sigstore to the latest cosign version

Open bbigras opened this issue 1 year ago • 3 comments

Description

I'm trying to use kubectl-sigstore sign --no-tlog-upload offline, but I still get the "The sigstore service, hosted by sigstore" warning.

When I try kubectl-sigstore sign -f verify-image-slsa.yaml -k cosign.key --tarball no -o secret-signed.yaml --no-tlog-upload --rekor-url http://127.0.0.1:9988/ it still tries to connect to localhost:9988 even if I have --no-tlog-upload.

See https://sigstore.slack.com/archives/C01DGF0G8U9/p1723223631912019

bbigras avatar Aug 15 '24 15:08 bbigras

@bbigras Thank you for letting us know this. I will try updating the cosign version in k8s-manifest-sigstore.

hirokuni-kitahara avatar Aug 22 '24 07:08 hirokuni-kitahara

Hello @bbigras. Sorry for my late response. The cosign version has been updated to v2.4.1 with this PR, and it has already been merged into the main branch. I would appreciate it if you could check whether your problem is solved.

hirokuni-kitahara avatar Oct 11 '24 06:10 hirokuni-kitahara

With c4b3958232f29fffbe5f2b5a53a79b104f888bb7:

❯ kubectl-sigstore sign -f verify-image-slsa.yaml -k cosign.key --tarball no -o secret-signed.yaml --no-tlog-upload --rekor-url http://127.0.0.1:9988/
Enter password for private key:
Using payload from: /tmp/kubectl-sigstore-temp-dir2811359921/tmp-blob-file

	The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
	Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
	This may include the email address associated with the account with which you authenticate your contractual Agreement.
	This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
FATA[0021] error occurred during signing: failed to sign the specified content: failed to sign a blob file: cosign.SignBlobCmd() returned an error: Post "http://127.0.0.1:9988/api/v1/log/entries": POST http://127.0.0.1:9988/api/v1/log/entries giving up after 4 attempt(s): Post "http://127.0.0.1:9988/api/v1/log/entries": dial tcp 127.0.0.1:9988: connect: connection refused

When I tested the last time, I mentioned in Slack: "Also note that I didn't have to type y/n to accept/reject the warning." This is still the case.

bbigras avatar Oct 15 '24 07:10 bbigras