Upgrade Cosign to v2.0 #1665

suzuki-shunsuke · 2023-02-25T06:03:56Z

Lines 1 to 13 in d7d89dc

    
           package cosign 
        
           const Version = "v1.13.1" 
        
           func Checksums() map[string]string { 
        
           	return map[string]string{ 
        
           		"darwin/amd64":  "1d164b8b1fcfef1e1870d809edbb9862afd5995cab63687a440b84cca5680ecf", 
        
           		"darwin/arm64":  "02bef878916be048fd7dcf742105639f53706a59b5b03f4e4eaccc01d05bc7ab", 
        
           		"linux/amd64":   "a50651a67b42714d6f1a66eb6773bf214dacae321f04323c0885f6a433051f95", 
        
           		"linux/arm64":   "a7a79a52c7747e2c21554cad4600e6c7130c0429017dd258f9c558d957fa9090", 
        
           		"windows/amd64": "78a2774b68b995cc698944f6c235b1c93dcb6d57593a58a565ee7a56d64e4b85", 
        
           	} 
        
           }

suzuki-shunsuke · 2023-02-25T06:13:09Z

Breaking Changes

COSIGN_EXPERIMENTAL=1 is no longer required to have identity-based (“keyless”) signing and transparency.

Verification now requires identity flags, --certificate-identity and --certificate-oidc-issuer

verify-blob no longer searches for a certificate. You must provide one with either --certificate or --bundle.

suzuki-shunsuke · 2023-03-11T03:46:31Z

Either --certificate-identity or --certificate-identity-regexp must be set for keyless flows

--certificate-identity string

The identity expected in a valid Fulcio certificate.
Valid values include email address, DNS names, IP addresses, and URIs.

--certificate-identity-regexp string

A regular expression alternative to --certificate-identity.
Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. .

suzuki-shunsuke · 2023-03-11T03:50:48Z

https://zenn.dev/link/comments/9934cf1be71d89

suzuki-shunsuke · 2024-03-20T02:51:32Z

https://twitter.com/szkdash/status/1770279982088233427

https://sigstore.slack.com/archives/C01DGF0G8U9/p1710871645742299

Probably we have to handle this issue as soon as possible because a new TUF trust root for Sigstore has been published and it isn't compatible with Cosign v1.

https://blog.sigstore.dev/tuf-root-update/

v1.x will not work, though we are backporting support with an upcoming v1.13.3 release. We strongly encourage updating to Cosign v2 for the latest bug and security fixes

Workaround: Disable Cosign

https://aquaproj.github.io/docs/reference/security/cosign-slsa/#how-to-disable-cosign-and-slsa

As a workaround, you can disable Cosign verification.

suzuki-shunsuke · 2024-03-20T03:27:55Z

https://github.com/aquasecurity/trivy/blob/8ec3938e01a93855503e3400eae9831abbb5de4a/docs/getting-started/signature-verification.md?plain=1#L14

--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+'

https://github.com/goreleaser/goreleaser/blob/08851dce616615c966ece450631d3d0a822430cc/www/docs/install.md?plain=1#L297

--certificate-identity 'https://github.com/goreleaser/goreleaser/.github/workflows/release.yml@refs/tags/__VERSION__'

--certificate-oidc-issuer

--certificate-oidc-issuer 'https://token.actions.githubusercontent.com'

https://github.com/goreleaser/goreleaser/blob/08851dce616615c966ece450631d3d0a822430cc/www/docs/install.md?plain=1#L299-L300

--cert 'https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.pem' \
--signature 'https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.sig' \

aquaproj/aqua#1665 (comment)

suzuki-shunsuke · 2024-03-20T04:29:07Z

fix: upgrade Cosign to v2 #2757

suzuki-shunsuke · 2024-03-20T05:42:40Z

suzuki-shunsuke · 2024-03-20T06:08:27Z

[bug] "Generate builder" and "Run sigstore/cosign-installer" steps failing with error updating to TUF remote mirror: invalid key slsa-framework/slsa-github-generator#3350

suzuki-shunsuke · 2024-03-21T21:30:01Z

suzuki-shunsuke · 2024-03-21T22:45:34Z

Release aqua v2.25.1
- To install some packages such as tfcmt, aqua-registry >= v4.155.0 is required
Release aqua-registry v4.155.0
- To install some packages such as tfcmt, aqua >= v2.25.1 is required
Release aqua-installer v3.0.0
- TODO upgrade bootstrap version to v2.25.1
- Please upgrade aqua to v2.25.1 or later
Re-enable Cosign and slsa-verifier and release new versions

suzuki-shunsuke · 2024-03-22T00:06:54Z

v2.25.1 is out 🎉
https://github.com/aquaproj/aqua/releases/tag/v2.25.1

suzuki-shunsuke added the enhancement New feature or request label Feb 25, 2023

suzuki-shunsuke pinned this issue Mar 8, 2023

suzuki-shunsuke mentioned this issue Mar 9, 2023

Update Cosign to v2.0 #1712

Draft

suzuki-shunsuke added security cosign labels Mar 9, 2023

suzuki-shunsuke unpinned this issue Jul 25, 2023

suzuki-shunsuke pinned this issue Mar 20, 2024

suzuki-shunsuke mentioned this issue Mar 20, 2024

fix(yaml): Fix spaces before comments #2756

Merged

suzuki-shunsuke added a commit to suzuki-shunsuke/go-release-workflow that referenced this issue Mar 20, 2024

chore: disable cosign and slsa

2bb1b20

aquaproj/aqua#1665 (comment)

suzuki-shunsuke mentioned this issue Mar 20, 2024

chore: disable cosign and slsa suzuki-shunsuke/go-release-workflow#69

Closed

suzuki-shunsuke changed the title ~~Update Cosign to v2.0~~ Upgrade Cosign to v2.0 Mar 20, 2024

suzuki-shunsuke mentioned this issue Mar 20, 2024

fix: upgrade Cosign to v2 #2757

Merged

This was referenced Mar 20, 2024

feat: add zaghaghi/openapi-tui aquaproj/aqua-registry#21079

Merged

chore: disable cosign and slsa aquaproj/aqua-registry#21080

Merged

Fail to install tools because of the error of Cosign #2759

Closed

suzuki-shunsuke unpinned this issue Mar 20, 2024

suzuki-shunsuke mentioned this issue Mar 21, 2024

fix: upgrade Cosign to v2 aquaproj/aqua-registry#21122

Merged

suzuki-shunsuke closed this as completed Mar 22, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Upgrade Cosign to v2.0 #1665

Upgrade Cosign to v2.0 #1665

suzuki-shunsuke commented Feb 25, 2023

suzuki-shunsuke commented Feb 25, 2023

suzuki-shunsuke commented Mar 11, 2023 •

edited

suzuki-shunsuke commented Mar 11, 2023

suzuki-shunsuke commented Mar 20, 2024 •

edited

suzuki-shunsuke commented Mar 20, 2024

suzuki-shunsuke commented Mar 20, 2024

suzuki-shunsuke commented Mar 20, 2024 •

edited

suzuki-shunsuke commented Mar 20, 2024

suzuki-shunsuke commented Mar 21, 2024

suzuki-shunsuke commented Mar 21, 2024

suzuki-shunsuke commented Mar 22, 2024

Upgrade Cosign to v2.0 #1665

Upgrade Cosign to v2.0 #1665

Comments

suzuki-shunsuke commented Feb 25, 2023

suzuki-shunsuke commented Feb 25, 2023

Breaking Changes

suzuki-shunsuke commented Mar 11, 2023 • edited

--certificate-identity string

--certificate-identity-regexp string

suzuki-shunsuke commented Mar 11, 2023

suzuki-shunsuke commented Mar 20, 2024 • edited

Workaround: Disable Cosign

suzuki-shunsuke commented Mar 20, 2024

suzuki-shunsuke commented Mar 20, 2024

suzuki-shunsuke commented Mar 20, 2024 • edited

suzuki-shunsuke commented Mar 20, 2024

suzuki-shunsuke commented Mar 21, 2024

suzuki-shunsuke commented Mar 21, 2024

suzuki-shunsuke commented Mar 22, 2024

suzuki-shunsuke commented Mar 11, 2023 •

edited

suzuki-shunsuke commented Mar 20, 2024 •

edited

suzuki-shunsuke commented Mar 20, 2024 •

edited