feature request: update k8s-manifest-sigstore to the latest cosign version #138

Open
bbigras opened this issue Aug 15, 2024 · 3 comments
Labels: enhancement (New feature or request)

bbigras commented Aug 15, 2024

Description

I'm trying to use kubectl-sigstore sign --no-tlog-upload offline, but I still get the "The sigstore service, hosted by sigstore" warning.

When I try kubectl-sigstore sign -f verify-image-slsa.yaml -k cosign.key --tarball no -o secret-signed.yaml --no-tlog-upload --rekor-url http://127.0.0.1:9988/ it still tries to connect to localhost:9988 even if I have --no-tlog-upload.

See https://sigstore.slack.com/archives/C01DGF0G8U9/p1723223631912019

bbigras added the enhancement (New feature or request) label Aug 15, 2024

@hirokuni-kitahara (Member)

@bbigras Thank you for letting us know this.
I will try updating the cosign version in k8s-manifest-sigstore.

@hirokuni-kitahara (Member)

Hello @bbigras. Sorry for my late response.
The cosign version has been updated to v2.4.1 with this PR and it is already merged to the main branch.
I would appreciate it if you could check whether your problem is solved.

bbigras (Author) commented Oct 15, 2024

with c4b3958

❯ kubectl-sigstore sign -f verify-image-slsa.yaml -k cosign.key --tarball no -o secret-signed.yaml --no-tlog-upload --rekor-url http://127.0.0.1:9988/
Enter password for private key:
Using payload from: /tmp/kubectl-sigstore-temp-dir2811359921/tmp-blob-file

	The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
	Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
	This may include the email address associated with the account with which you authenticate your contractual Agreement.
	This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
FATA[0021] error occurred during signing: failed to sign the specified content: failed to sign a blob file: cosign.SignBlobCmd() returned an error: Post "http://127.0.0.1:9988/api/v1/log/entries": POST http://127.0.0.1:9988/api/v1/log/entries giving up after 4 attempt(s): Post "http://127.0.0.1:9988/api/v1/log/entries": dial tcp 127.0.0.1:9988: connect: connection refused

When I tested the last time, I mentioned in Slack: "Also note that I didn't have to type y/n to accept/reject the warning.". This is still the case.
