
Fail to install tools because of the error of Cosign #2759

Closed
suzuki-shunsuke opened this issue Mar 20, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@suzuki-shunsuke
Member

suzuki-shunsuke commented Mar 20, 2024

aqua info

aqua v2.25.0

Overview

aqua uses Cosign v1.

https://aquaproj.github.io/docs/reference/security/cosign-slsa/#verify-packages-with-cosign

Recently, Sigstore has published a new TUF trust root.

https://sigstore.slack.com/archives/C01DGF0G8U9/p1710871645742299

https://blog.sigstore.dev/tuf-root-update/

A new TUF trust root doesn't support Cosign v1 but aqua is still using Cosign v1, so aqua fails to install tools which enable Cosign verification.
Due to the issue, aqua-installer can't install aqua.

To solve the issue, we have two options.

How to reproduce

Run aqua-installer or aqua update-aqua.

Debug output

$ 

Expected behaviour

aqua and aqua-installer can install tools.

Actual behaviour

It fails to install tools.

https://github.com/aquaproj/aqua-registry/actions/runs/8355302244/job/22870132650

time="2024-03-20T07:35:36Z" level=info msg="Verification by Cosign failed temporarily, retring" aqua_version=2.25.0 env=linux/amd64 exe_name=aqua-registry package_name=aquaproj/registry-tool package_version=v0.2.3 program=aqua registry=standard retry_count=1 wait_time=459ms
Error: verifying blob [/tmp/091089404]: getting Fulcio roots: initializing tuf: unable to initialize client, local cache may be corrupt: invalid key
main.go:62: error during command execution: verifying blob [/tmp/091089404]: getting Fulcio roots: initializing tuf: unable to initialize client, local cache may be corrupt: invalid key

Note

No response

@suzuki-shunsuke suzuki-shunsuke added the bug Something isn't working label Mar 20, 2024
@suzuki-shunsuke suzuki-shunsuke pinned this issue Mar 20, 2024
@suzuki-shunsuke suzuki-shunsuke moved this to In Progress in main Mar 20, 2024
@suzuki-shunsuke
Member Author

About aqua-installer, we solve this issue by disabling cosign verification temporarily.

@suzuki-shunsuke
Member Author

suzuki-shunsuke commented Mar 20, 2024

What to do when you face the issue

export AQUA_DISABLE_COSIGN=true
export AQUA_DISABLE_SLSA=true

GitHub Actions Workflows

env:
  AQUA_DISABLE_COSIGN: "true"
  AQUA_DISABLE_SLSA: "true"

@suzuki-shunsuke
Member Author

suzuki-shunsuke commented Mar 20, 2024

We're working on upgrading Cosign to v2, but it is being blocked by slsa-framework/slsa-github-generator#3350 .
We're waiting for a new release of slsa-github-generator.

@suzuki-shunsuke
Member Author

v2.25.1 is out 🎉
https://github.com/aquaproj/aqua/releases/tag/v2.25.1
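The workaround comment above exports `AQUA_DISABLE_COSIGN` and `AQUA_DISABLE_SLSA` unconditionally, and the comment after it notes that v2.25.1 removes the need for the bypass. The following POSIX shell snippet is an added example, not code from the aqua project or from this issue: it scopes the bypass to aqua versions older than v2.25.1 (the fix version stated in this thread), so signature verification returns automatically once the pinned aqua is upgraded, and it keeps verification enabled whenever the installed version cannot be parsed. It assumes that `aqua -v` prints a string containing a `MAJOR.MINOR.PATCH` version such as `aqua version 2.25.0 (...)`; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the aqua project or this issue): apply the
# AQUA_DISABLE_COSIGN / AQUA_DISABLE_SLSA bypass only while the installed
# aqua predates v2.25.1, the release this thread names as the fix.
# Assumption: `aqua -v` output contains a MAJOR.MINOR.PATCH version.

FIXED_IN="2.25.1"   # from this issue: v2.25.1 moved aqua to Cosign v2

# Extract "MAJOR MINOR PATCH" (space separated) from an arbitrary version
# string; prints nothing when no X.Y.Z triple is found.
parse_semver() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p' |
        head -n 1
}

# Return 0 when version $1 is strictly lower than version $2,
# 1 when it is equal or higher, 2 when either side is unparsable.
version_lt() {
    set -- $(parse_semver "$1") $(parse_semver "$2")
    [ $# -eq 6 ] || return 2
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0
    [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ]
}

# Decide whether the temporary bypass applies to the given `aqua -v` output.
# Prints "disable" (return 0) or "keep" (return 1). An unparsable version
# keeps verification on: never bypass signature checks on unknown state.
cosign_workaround_needed() {
    if version_lt "$1" "$FIXED_IN"; then
        echo disable
        return 0
    fi
    echo keep
    return 1
}

# Usage: source this file and call apply_workaround_if_needed before running
# aqua-installer or `aqua i`. It exports the bypass variables only when the
# installed aqua is older than the fix, and clears them otherwise.
apply_workaround_if_needed() {
    installed="$(aqua -v 2>/dev/null || echo unknown)"
    if cosign_workaround_needed "$installed" >/dev/null; then
        export AQUA_DISABLE_COSIGN=true
        export AQUA_DISABLE_SLSA=true
        echo "aqua '$installed' predates $FIXED_IN: Cosign/SLSA verification disabled temporarily"
    else
        unset AQUA_DISABLE_COSIGN AQUA_DISABLE_SLSA
        echo "aqua '$installed': Cosign/SLSA verification left enabled"
    fi
}
```

Keeping the decision in a versioned script rather than in a long-lived `env:` block means the bypass disappears from the job log as soon as `aqua_version` is bumped past v2.25.1, and the "unknown version keeps verification on" rule is the safe default when the binary is missing or its output changes.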


@github-project-automation github-project-automation bot moved this from In Progress to Done in main Mar 22, 2024
@suzuki-shunsuke suzuki-shunsuke unpinned this issue Mar 22, 2024
renovate bot referenced this issue in DelineaXPM/terraform-provider-dsv Jul 1, 2024

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout) | action | digest | `b4ffde6` -> `692973e` |
| [aquaproj/aqua-installer](https://togithub.com/aquaproj/aqua-installer) | action | minor | `v2.2.0` -> `v2.3.2` |

---

### Release Notes

<details>
<summary>aquaproj/aqua-installer (aquaproj/aqua-installer)</summary>

### [`v2.3.2`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.3.2)

[Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.3.1...v2.3.2)

[#607](https://togithub.com/aquaproj/aqua-installer/issues/607) export environment variable `AQUA_DISABLE_COSIGN` and `AQUA_DISABLE_SLSA`

[https://github.com/aquaproj/aqua/issues/2759](https://togithub.com/aquaproj/aqua/issues/2759)

To disable Cosign and slsa-verifier on subsequent steps.

### [`v2.3.1`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.3.1)

[Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.3.0...v2.3.1)

[#605](https://togithub.com/aquaproj/aqua-installer/issues/605) Disable Cosign and slsa-verifier

Until we finish upgrading Cosign to v2, we disable Cosign and slsa-verifier.

[https://github.com/aquaproj/aqua/issues/1665#issuecomment-2008588288](https://togithub.com/aquaproj/aqua/issues/1665#issuecomment-2008588288)

### [`v2.3.0`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.3.0)

[Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.2.0...v2.3.0)

[Issues](https://togithub.com/aquaproj/aqua-installer/issues?q=is%3Aissue+milestone%3Av2.3.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-installer/pulls?q=is%3Apr+milestone%3Av2.3.0) | aquaproj/aqua-installer@v2.2.0...v2.3.0

#### Features

[#580](https://togithub.com/aquaproj/aqua-installer/issues/580) Support disabling the verification with Cosign and SLSA Provenance

> [!CAUTION]
> This feature is for users who can't use Cosign and slsa-verifier.
> Most users can use them, so most users don't need this feature.
> aqua installs Cosign and slsa-verifier internally, so you don't need to install them yourself.
> If you can use Cosign and slsa-verifier, you should not disable them because they are important for security.

The bootstrap version is updated to [aqua v2.22.0](https://togithub.com/aquaproj/aqua/releases/tag/v2.22.0).
From this version, [aqua supports disabling the verification with Cosign and SLSA Provenance](https://aquaproj.github.io/docs/reference/security/cosign-slsa#disable-the-verification-with-cosign-and-slsa-provenance).

To disable the verification with Cosign and SLSA Provenance when you install aqua with aqua-installer, please set the environment variables `AQUA_DISABLE_COSIGN` and `AQUA_DISABLE_SLSA`.

```sh
export AQUA_DISABLE_COSIGN=true
export AQUA_DISABLE_SLSA=true
./aqua-installer
```

```yaml
- uses: aquaproj/aqua-installer@v2.3.0
  with:
    aqua_version: v2.22.0
  env:
    AQUA_DISABLE_COSIGN: "true"
    AQUA_DISABLE_SLSA: "true"
```

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekday" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---


---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/DelineaXPM/terraform-provider-dsv).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate bot referenced this issue in DelineaXPM/dsv-github-action Jul 18, 2024

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout) | action | digest | `b4ffde6` -> `692973e` |
| [aquaproj/aqua-installer](https://togithub.com/aquaproj/aqua-installer) | action | minor | `v2.0.2` -> `v2.3.2` |
| [docker/login-action](https://togithub.com/docker/login-action) | action | digest | `343f7c4` -> `0d4c9c5` |

---

### Release Notes

<details>
<summary>aquaproj/aqua-installer (aquaproj/aqua-installer)</summary>

### [`v2.2.0`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.2.0)

[Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.1.3...v2.2.0)

[Issues](https://togithub.com/aquaproj/aqua-installer/issues?q=is%3Aissue+milestone%3Av2.2.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-installer/pulls?q=is%3Apr+milestone%3Av2.2.0) | aquaproj/aqua-installer@v2.1.3...v2.2.0

##### Features

[#365](https://togithub.com/aquaproj/aqua-installer/issues/365) [#550](https://togithub.com/aquaproj/aqua-installer/issues/550) [#551](https://togithub.com/aquaproj/aqua-installer/issues/551) Output the guide to set the environment variable `PATH`

`aqua-installer` outputs the following guide.

```
===============================================================
[INFO] aqua is installed into /root/.local/share/aquaproj-aqua/bin/aqua
[INFO] Please add the path to the environment variable "PATH"
[INFO] export PATH=${AQUA_ROOT_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/aquaproj-aqua}/bin:$PATH
===============================================================
```

[#551](https://togithub.com/aquaproj/aqua-installer/issues/551) Use wget if curl isn't found

### [`v2.1.3`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.1.3)

[Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.1.2...v2.1.3)

[Issues](https://togithub.com/aquaproj/aqua-installer/issues?q=is%3Aissue+milestone%3Av2.1.3) | [Pull Requests](https://togithub.com/aquaproj/aqua-installer/pulls?q=is%3Apr+milestone%3Av2.1.3) | aquaproj/aqua-installer@v2.1.2...v2.1.3

[#545](https://togithub.com/aquaproj/aqua-installer/issues/545) Update the bootstrap version to v2.16.4

To support aqua v2.17.0 or later on Windows.

https://github.com/aquaproj/aqua/releases/tag/v2.16.1

> To upgrade aqua to v2.17.0 or later on Windows, you need to upgrade aqua to v2.16.1 or later first.

### [`v2.1.2`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.1.2)

[Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.1.1...v2.1.2)

[Issues](https://togithub.com/aquaproj/aqua-installer/issues?q=is%3Aissue+milestone%3Av2.1.2) | [Pull Requests](https://togithub.com/aquaproj/aqua-installer/pulls?q=is%3Apr+milestone%3Av2.1.2) | aquaproj/aqua-installer@v2.1.1...v2.1.2

##### Fixes

[#432](https://togithub.com/aquaproj/aqua-installer/issues/432) Fix typo
[#461](https://togithub.com/aquaproj/aqua-installer/issues/461) [#463](https://togithub.com/aquaproj/aqua-installer/issues/463) Fix a bug that the action doesn't work in a container

##### Fix a bug that the action doesn't work in a container

[#461](https://togithub.com/aquaproj/aqua-installer/issues/461) [#463](https://togithub.com/aquaproj/aqua-installer/issues/463)

GitHub Actions supports running a job in a container.

https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container

But in a container the variable `${{ github.action_path }}` is wrong, so the action can't access the script `aqua-installer`.
This is a known issue of GitHub Actions.

- [https://github.com/actions/runner/issues/2185](https://togithub.com/actions/runner/issues/2185)

To solve the issue, we copy the content of the script `aqua-installer` into the action itself, so the action doesn't have to access the script `aqua-installer`.

### [`v2.1.1`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.1.1)

[Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.1.0...v2.1.1)

[Issues](https://togithub.com/aquaproj/aqua-installer/issues?q=is%3Aissue+milestone%3Av2.1.1) | [Pull Requests](https://togithub.com/aquaproj/aqua-installer/pulls?q=is%3Apr+milestone%3Av2.1.1) | aquaproj/aqua-installer@v2.1.0...v2.1.1

##### Others

[#411](https://togithub.com/aquaproj/aqua-installer/issues/411) Update the bootstrapping aqua v1.26.2 to v2.2.3

This update enables verifying prerelease versions by Cosign and slsa-verifier.

ref. https://aquaproj.github.io/docs/reference/upgrade-guide/v2/change-semver

### [`v2.1.0`](https://togithub.com/aquaproj/aqua-installer/releases/tag/v2.1.0)

[Compare Source](https://togithub.com/aquaproj/aqua-installer/compare/v2.0.2...v2.1.0)

[Issues](https://togithub.com/aquaproj/aqua-installer/issues?q=is%3Aissue+milestone%3Av2.1.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-installer/pulls?q=is%3Apr+milestone%3Av2.1.0) | aquaproj/aqua-installer@v2.0.2...v2.1.0

#### Features

[#403](https://togithub.com/aquaproj/aqua-installer/issues/403) Add an input `policy_allow` to run `aqua policy allow`

aqua >= v2.3.0

If `policy_allow` is `true`, the `aqua policy allow` command is run.
If a Policy file path is set, `aqua policy allow "${{inputs.policy_allow}}"` is run.

##### See also

- [Tutorial](https://aquaproj.github.io/docs/guides/policy-as-code)
- [Reference](https://aquaproj.github.io/docs/reference/security/policy-as-code)
- [Reference - Git Repository root's policy file and policy commands](https://aquaproj.github.io/docs/reference/security/policy-as-code/git-policy)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekday" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---


---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/DelineaXPM/dsv-github-action).


---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Sheldon Hull <sheldonhull@users.noreply.github.com>