
BUG TUF invalid key when running Scorecard Github Action #998

Closed
joycebrum opened this issue Oct 28, 2022 · 3 comments

Comments

@joycebrum
Contributor

joycebrum commented Oct 28, 2022

Description

Version: 2.0.3

The action crashes with the error 2022/10/28 13:59:29 error signing scorecard json results: error signing payload: getting key from Fulcio: verifying SCT: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key

I've tested in one repo to upgrade the scorecard-action to 2.0.6 and the error didn't happen anymore. Don't know if the error is just random or if it was really solved on the latest release.

It seems to be related to the error sigstore/cosign#2390.

Examples

dmlc/xgboost#8263 (comment)
https://github.com/cert-manager/cert-manager/actions/runs/3345975741

@faximan

faximan commented Oct 31, 2022

+1
This went away when I changed to publish_results: false even though the comment says the value is ignored for private repos (seems like it isn't).

@asraa

asraa commented Oct 31, 2022

Hi! Chiming in just to document: only cosign v1.13.0+ has the fix in, so any dependent code will fail on this error :|

So the problem was not just random, but definitely related to latest versioning.

This went away when I changed to publish_results: false even though the comment says the value is ignored for private repos (seems like it isn't).

Interesting. I wonder if the check and block for private repos occurs after some signing logic...

@joycebrum
Contributor Author

Described and fixed in #997 (release 2.0.6)

Anguse added a commit to Anguse/docker-dev that referenced this issue Nov 8, 2022
Cosign 1.13 as it should have a fix for this according to ossf/scorecard-action#998 (comment)
adamvduke added a commit to Flank/flank that referenced this issue Nov 11, 2022
adamvduke added a commit to Flank/flank that referenced this issue Nov 11, 2022
adamvduke added a commit to Flank/flank that referenced this issue Nov 11, 2022
daniel-rabe pushed a commit to daniel-rabe/material-ui that referenced this issue Nov 29, 2022
feliperli pushed a commit to jesrodri/material-ui that referenced this issue Dec 6, 2022
nfacha added a commit to nfacha/PlaneAlert that referenced this issue Dec 15, 2022
AnishReddyRavula added a commit to ChameleonCloud/portal that referenced this issue Mar 22, 2024
Looks like they fixed here - ossf/scorecard-action#998

updating to a newer version should not be a problem, so bumping up the version of cosign
AnishReddyRavula added a commit to ChameleonCloud/portal that referenced this issue Mar 25, 2024
Looks like they fixed here - ossf/scorecard-action#998

updating to a newer version should not be a problem, so bumping up the version of cosign
TylerJang27 added a commit to trunk-io/configs that referenced this issue Mar 27, 2024
Update scorecard-action to
[fix](ossf/scorecard-action#998)
[failure](https://github.com/trunk-io/configs/actions/runs/8424216101).

Also adds dependabot file to hopefully catch this proactively going
forward.
vihangm added a commit to pixie-io/pixie that referenced this issue May 27, 2024
Summary: This upgrade pulls in a fix for
github.com/ossf/scorecard-action/issues/998 which was causing the action
to fail.

Relevant Issues: N/A

Type of change: /kind infra

Test Plan: Scorecard runs should succeed again after this.

Signed-off-by: Vihang Mehta <[email protected]>