slsa-github-generator

[bug] Certificates signed by unknown authority

Open asraa opened this issue 3 years ago • 2 comments

Describe the bug A clear and concise description of what the bug is. The verify job is failing with the following error:

$ go run . -artifact-path ~/Downloads/binary-linux-amd64 -provenance ~/Downloads/binary-linux-amd64.intoto.jsonl -source github.com/slsa-framework/example-package
got uuid x509: certificate signed by unknown authority
verification failed: could not find a matching valid signature entry

which may be related to the new endpoint. Investigating @laurentsimon


asraa, Aug 25 '22 14:08

Thanks @asraa! /cc'ing @bobcallaway in case he has some ideas / pointers

laurentsimon, Aug 25 '22 15:08

Figured it out.

I guess at some point (not sure why it wasn't caught before) intermediates became necessary. Adding the fix. I will put out a patch release for v1.0 - v1.3.

EDIT: only v1.0 is needed. related https://github.com/slsa-framework/slsa-verifier/issues/232

asraa, Aug 25 '22 15:08

This should be fixed in the patches linked above!

asraa, Oct 05 '22 14:10