Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Scorecard: error signing scorecard results #1362

Open
NithyaThiraviaRaj opened this issue Apr 12, 2024 · 10 comments
Open

Scorecard: error signing scorecard results #1362

NithyaThiraviaRaj opened this issue Apr 12, 2024 · 10 comments

Comments

@NithyaThiraviaRaj
Copy link

NithyaThiraviaRaj commented Apr 12, 2024

I tried to integrate Open SSF Scorecard to my Organisation private repository but getting signing error

Steps to Replicate the issue:

  1. Created new GitHub action same as https://github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml
  2. Added GH_HOST = <myOrgRepo> in environment variable

Now while running the GitHub actions I'm getting following error

error signing scorecard json results: error signing payload: getting key from Fulcio: retrieving cert:
POST https://fulcio.sigstore.dev/api/v1/signingCert returned 400 Bad Request: "{"code":3, "message":"There was an error processing the identity token", "details":[]}"

ossf/scorecard-action - v2.3.1

@spencerschrock
Copy link
Member

GH_HOST is for self hosted GitHub enterprise servers. You shouldn't need it for private repos hosted on github.com.
I'm not sure if that's the specific problem here, but it may help to remove.

You should be able to see the JSON output from scorecard in the details, does it look like Scorecard ran successfully?

@NithyaThiraviaRaj
Copy link
Author

@spencerschrock Sorry my bad. Yes, it is an enterprise server so I need GH_HOST (without this scorecard was pointing to github.com rather than our org url ).
Yes, look likes scorecard ran successfully but at last I'm getting error as below

Using payload from: results.json
Generating ephemeral keys...
Retrieving signed certificate...
2024/04/12 13:46:54 error signing scorecard results: getting key from Fulcio: retrieving cert: POST https://fulcio.sigstore.dev/api/v1/signingCert returned 400 Bad Request: "{"code":3, "message":"There was an error processing the identity token", "details":[]}"
2024/04/12 13:46:54 retrying in 1s...
Using payload from: results.json
Generating ephemeral keys...
Retrieving signed certificate...
2024/04/12 13:46:55 error signing scorecard results: getting key from Fulcio: retrieving cert: POST https://fulcio.sigstore.dev/api/v1/signingCert returned 400 Bad Request: "{"code":3, "message":"There was an error processing the identity token", "details":[]}"
2024/04/12 13:46:55 retrying in 3s...
Using payload from: results.json
Generating ephemeral keys...
Retrieving signed certificate...
2024/04/12 13:46:58 error signing scorecard results: getting key from Fulcio: retrieving cert: POST https://fulcio.sigstore.dev/api/v1/signingCert returned 400 Bad Request: "{"code":3, "message":"There was an error processing the identity token", "details":[]}"
2024/04/12 13:46:58 retrying in 10s...
2024/04/12 13:47:08 error signing scorecard json results: error signing payload: getting key from Fulcio: retrieving cert: POST https://fulcio.sigstore.dev/api/v1/signingCert returned 400 Bad Request: "{"code":3, "message":"There was an error processing the identity token", "details":[]}"

@spencerschrock
Copy link
Member

I don't think Fulcio supports enterprise servers. sigstore/fulcio#1022 (comment)

You can always turn publish_results: false so the action succeeds, but you won't be able to publish scores to our API.

@NithyaThiraviaRaj
Copy link
Author

@spencerschrock , thanks for your input.
My GitHub action is successful if I set publish_results: false.

When you say I can't publish score, what that actually means ? am I not allowed to upload artifact or upload to code scanning ?
Could you please tell me how could I view my score ?

@spencerschrock
Copy link
Member

spencerschrock commented Apr 15, 2024

Sorry for any confusion. You can still upload the results an artifact or to the code scanning dashboard.

publish_results is our configuration flag which would send the results to our API for everyone to see at api.scorecard.dev, which is the only part that is unavailable to you with an enterprise server

@NithyaThiraviaRaj
Copy link
Author

When I try to upload artifact,
- name: "Upload artifact"
uses: actions/upload-artifact@5d5d22a # v4.3.1
with:
name: SARIF file
path: results.sarif
retention-days: 5

I'm getting below error

Error: @actions/artifact v2.0.0+, upload-artifact@v4+ and download-artifact@v4+ are not currently supported on GHES.

any alternative ?

@spencerschrock
Copy link
Member

Can you try an older version of upload-artifact?
Such as

uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20

For reference there was some discussion here about it

@NithyaThiraviaRaj
Copy link
Author

@spencerschrock , Thanks a lot for your input I could able to upload the artifact successfully using upload-artifact.

Next, when I tried to upload it to Code Scanning, I got an error saying
Error: An action could not be found at the URI 'https:///api/v3/repos/github-org/codeql-action/tarball/4355270be187e1b672a7a1c7c7bae5afdc1ab94a'

Please Note: I couldn't see Code scanning Option under Security tab in GitHub. I created a stackoverflow question for the same (https://stackoverflow.com/questions/78308703/github-code-scanning-section-not-available-under-security-tab-code-security). Is it because, it is disabled from the Organisation's Enterprise owners ? or not available for GHES ?

I believe that could be the reason why I'm encountering an error when attempting to upload to code scanning.

This is what I tried :
# Upload the results to GitHub's code scanning dashboard (optional).
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: "Upload to code-scanning"
uses: github/codeql-action@4355270 # v3.24.10
with:
sarif_file: results.sarif

@NithyaThiraviaRaj
Copy link
Author

@spencerschrock , is code scanning is not available for GHES or it need any additional subscription ?

@spencerschrock
Copy link
Member

I'm not 100% certain, as I've only used the GitHub hosted version. GitHub's documentation seems to say it's supported with an additional subscription / $$$.

GitHub Advanced Security is available for enterprise accounts on GitHub Enterprise Cloud and GitHub Enterprise Server

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants