
[bug] verification error during build for Go builder

Open laurentsimon opened this issue 3 years ago • 3 comments

Scorecard build failed https://github.com/ossf/scorecard/runs/7638656220?check_suite_focus=true:

Fetching the builder with ref: refs/tags/v1.0.0
Builder version: v1.0.0
BUILDER_REPOSITORY: slsa-framework/slsa-github-generator
verifier hash computed is 60c91c9d5b9a059e37ac46da316f20c81da335b5d00e1f74d03dd50f819694bd
verifier hash verification has passed
panic: error getting targets

goroutine 1 [running]:
github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots.Get.func1()
	github.com/sigstore/[email protected]/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go:48 +0x57
sync.(*Once).doSlow(0xc000be3b30?, 0xc0008de700?)
	sync/once.go:68 +0xc2
sync.(*Once).Do(...)
	sync/once.go:59
github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots.Get()
	github.com/sigstore/[email protected]/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go:44 +0x31
github.com/sigstore/cosign/cmd/cosign/cli/fulcio.GetRoots(...)
	github.com/sigstore/[email protected]/cmd/cosign/cli/fulcio/fulcio.go:157
github.com/slsa-framework/slsa-verifier/pkg.FindSigningCertificate({0x221b510, 0xc000118000}, {0xc00012a500, 0x1, 0xf0f41934e555386?}, {{0xc000a260a0, 0x1c}, {0xc000a30000, 0x3848}, {0xc0005f2000, ...}}, ...)
	github.com/slsa-framework/slsa-verifier/pkg/provenance.go:326 +0x1d9
main.verify({0x221b510, 0xc000118000}, {0xc00061a000, 0x3908, 0x3909}, {0xc00064dfc0, 0x40}, {0x7ffcb3a72e5e, 0x2f}, {0x7ffcb3a72de1, ...}, ...)
	github.com/slsa-framework/slsa-verifier/main.go:50 +0x1a7
main.runVerify({0x7ffcb3a72e03?, 0x3106ff0?}, {0x7ffcb3a72e2c, 0x28}, {0x7ffcb3a72e5e, 0x2f}, {0x7ffcb3a72de1, 0x4}, 0xc0004d3f70?, 0x0)
	github.com/slsa-framework/slsa-verifier/main.go:166 +0x34a
main.main()
	github.com/slsa-framework/slsa-verifier/main.go:127 +0x3f6
Error: Process completed with exit code 6.

Looks like it's about verification.

@asraa do you know what this is?

laurentsimon avatar Aug 03 '22 02:08 laurentsimon

Let's also add some e2e tests for all previous released builders. Nothing expressive, just a simple build. This way we will be alerted before our users if sigstore breaks backward compatibility.

laurentsimon avatar Aug 03 '22 02:08 laurentsimon

@asraa do you know what this is?

Yeah, that's right -- it's because old versions of cosign just had a faulty TUF client that couldn't handle any updates to the server. We've had to update the TUF server going forward, and this causes old clients (below 1.9.0) to break.

I think the only thing possible is a patch release, either updating cosign's TUF client or potentially hard-coding the verification certificates, which is bad.

asraa avatar Aug 03 '22 13:08 asraa

Gotcha. Patch release is the best way I suppose? But that won't help clients who don't update. Scorecard repo, for some reason, is still using v1.0.0... I'm starting to wonder if dependabot knows about re-usable workflows or not...

laurentsimon avatar Aug 03 '22 13:08 laurentsimon

I think we probably have fixed this error but I think scorecards is failing with the TUF error in #1163. I think we are tracking that issue there so maybe we can close this issue?

ianlewis avatar Oct 31 '22 06:10 ianlewis

I think it's the same as well.

asraa avatar Oct 31 '22 19:10 asraa