[Question] Error while using cosign lib #2477

Closed
kameshsampath opened this issue Nov 22, 2022 · 7 comments
Labels
dependencies Pull requests that update a dependency file no-issue-activity question Further information is requested

Comments

@kameshsampath

Question
I am trying to use cosign lib as part of my code to sign https://github.com/kameshsampath/drone-cosign-plugin/blob/874813bcb93a122ebfce444f8184ddf1d0337ece/plugin/plugin_test.go#L91-L92. When I try to run my test case to see if the mechanics work, I see the following error:

# k8s.io/client-go/applyconfigurations/meta/v1
../../../../go/pkg/mod/k8s.io/[email protected]/applyconfigurations/meta/v1/unstructured.go:64:38: cannot use doc (variable of type *"github.com/googleapis/gnostic/openapiv2".Document) as type *"github.com/google/gnostic/openapiv2".Document in argument to proto.NewOpenAPIData

I am not sure why there is a mismatch of the dependency lib and what's causing it.

While I am debugging it, I thought I'd get some ideas on what I am doing wrong.

@kameshsampath kameshsampath added the question Further information is requested label Nov 22, 2022
@kameshsampath kameshsampath changed the title [Question] Using cosign lib [Question] Error while using cosign lib Nov 22, 2022
@kameshsampath
Author

kameshsampath commented Nov 22, 2022

Here is my analysis and the fix that I did to overcome the issue:

I have a dependency on github.com/ko-build/ko v0.12.0 that brings in the dependency k8s.io/apimachinery v0.25.4 (https://github.com/ko-build/ko/blob/main/go.mod#L22), which brings in an indirect dependency on k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 that was using github.com/google/gnostic/openapiv2 instead of github.com/googleapis/gnostic/openapiv2.

This happened when I was using github.com/sigstore/cosign v1.13.1 and github.com/google/ko v0.12.0 together, as cosign uses k8s.io/apimachinery v0.24.4 and ko used k8s.io/apimachinery v0.25.4.

Please let me know if my debug/analysis is wrong.

CC: @mattmoor @imjasonh
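
Added example, not part of the thread or of cosign: a small Go check that reads `go mod graph` output and reports modules requested at more than one version, which is the kind of skew the comment above diagnoses. Go builds with the highest version requested, so a dependency that expected the older one is compiled against the newer one. The graph is a constructed sample; `example.com/plugin` and `example.com/shared` are hypothetical names.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample in `go mod graph` format ("requirer dependency@version").
// example.com/plugin and example.com/shared are hypothetical; the other
// module versions are the ones quoted in the comment above.
const sampleGraph = `example.com/plugin github.com/sigstore/cosign@v1.13.1
example.com/plugin github.com/google/ko@v0.12.0
github.com/sigstore/cosign@v1.13.1 k8s.io/apimachinery@v0.24.4
github.com/google/ko@v0.12.0 k8s.io/apimachinery@v0.25.4
github.com/sigstore/cosign@v1.13.1 example.com/shared@v1.0.0
github.com/google/ko@v0.12.0 example.com/shared@v1.0.0
`

// VersionSkew maps each module requested at more than one version to
// version -> list of the modules that ask for that version (input order).
func VersionSkew(graph string) map[string]map[string][]string {
	requested := map[string]map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(graph))
	for sc.Scan() {
		edge := strings.Fields(sc.Text())
		if len(edge) != 2 || !strings.Contains(edge[1], "@") {
			continue // not a "requirer dependency@version" edge
		}
		mod, ver, _ := strings.Cut(edge[1], "@")
		if requested[mod] == nil {
			requested[mod] = map[string][]string{}
		}
		requested[mod][ver] = append(requested[mod][ver], edge[0])
	}
	for mod, versions := range requested {
		if len(versions) < 2 {
			delete(requested, mod) // every requirer agrees on one version
		}
	}
	return requested
}

func main() {
	for mod, versions := range VersionSkew(sampleGraph) {
		fmt.Println(mod, versions)
	}
}
```

On a real project, pass the output of `go mod graph` to `VersionSkew` instead of the sample.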

@imjasonh
Member

This should be resolved by bumping cosign's k8s.io dependencies to 0.25.4.

There's work underway to redesign cosign's and sigstore's Go APIs so they're a bit less crufty than relying on sign.SignCmd, which should also have the result of dropping the K8s dependencies and solving this Once And For All™️.

@znewman01 znewman01 added oci Integration between Sigstore and OCI registries/images dependencies Pull requests that update a dependency file and removed oci Integration between Sigstore and OCI registries/images labels Nov 22, 2022
@eumel8

eumel8 commented Jan 3, 2023

@imjasonh
Any updates or workarounds here? I updated to 0.25.4 and got another error:

vendor/github.com/sigstore/cosign/v2/pkg/cosign/verify.go:1052:10: cannot use tsaverification.VerifyTimestampResponse(ts.SignedRFC3161Timestamp, bytes.NewReader(tsBytes), tsaCerts) (value of type *timestamp.Timestamp) as type error in assignment:
        *timestamp.Timestamp does not implement error (missing Error method)
vendor/github.com/sigstore/cosign/v2/pkg/cosign/verify.go:1052:103: cannot use tsaCerts (variable of type *x509.CertPool) as type verification.VerifyOpts in argument to tsaverification.VerifyTimestampResponse

@asraa
Contributor

asraa commented Jan 4, 2023

What version of cosign are you using? You may need to update somewhere.

@eumel8

eumel8 commented Jan 5, 2023

It was more of a downgrade. In this constellation it was working:

go 1.19

require (
	github.com/golang/glog v1.0.0
	github.com/google/go-containerregistry v0.12.1
	github.com/sigstore/cosign/v2 v2.0.0-rc.0
	github.com/sigstore/sigstore v1.5.0
	k8s.io/api v0.26.0
	k8s.io/apimachinery v0.26.0
)

require (
	github.com/sigstore/cosign v1.13.1 // indirect
	github.com/sigstore/rekor v1.0.1 // indirect
)

ref: https://github.com/eumel8/cosignwebhook/blob/cosign/go.mod

@github-actions

github-actions bot commented Mar 7, 2023

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions

This issue was closed because it has been stalled for 5 days with no activity.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Mar 13, 2023