Attestation part disappeared from Tekton entries in rekor.sigstore.dev #883

Closed
afrittoli opened this issue Jun 21, 2022 · 2 comments
Labels
bug Something isn't working

afrittoli commented Jun 21, 2022

Description

Starting with Tekton release v0.29.0 we sign Tekton releases through Tekton Chains / cosign and push attestations to the OCI registry as well as to rekor.sigstore.dev.

I noticed today, when doing a new Tekton release (v0.37.0), that Rekor didn't return any entry when searching by the Tekton controller image sha. I went back to check older releases to understand when the problem started, and now there is no result for any of the Tekton releases.

Since the Rekor UUID is documented in the Tekton release notes, I could fetch the artifacts, but the attestation part is empty.
For instance, for Tekton v0.29.0:

$ rekor-cli get --uuid 8ba5dcc45b9fad4d879a8b6815cdaa85fdee1d9fc24cf8811f103d537c602908 --format json | jq .
{
  "Attestation": "",
  "AttestationType": "",
  "Body": {
    "IntotoObj": {
      "content": {
        "hash": {
          "algorithm": "sha256",
          "value": "58b7b733136e3e86c0918efc0befb2df895c1cca4c88c06b1f755b7b283afb28"
        }
      },
      "publicKey": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFbkxOdzNSWXg5eFFqWGJVRXc4dm9uWDNVNCt0QgprUG5KcSt6dDM4NlNDb0cwZXdJSDVNQjgrR2pJREdBclVVTFNEZmpmTTMxRWFlLzcxa2F2QVVJME9BPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg=="
    }
  },
  "LogIndex": 780992,
  "IntegratedTime": 1634644561,
  "UUID": "8ba5dcc45b9fad4d879a8b6815cdaa85fdee1d9fc24cf8811f103d537c602908",
  "LogID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
}

Version

I discovered the issue with rekor-cli version v0.8.1. I tried earlier versions back to v0.4.0 and there was no difference.

@afrittoli

Retested against v0.8.2, the attestation is back 🎉

$ rekor-cli get --uuid 8ba5dcc45b9fad4d879a8b6815cdaa85fdee1d9fc24cf8811f103d537c602908 --format json | jq .
{
  "Attestation": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG (...)",
  "AttestationType": "",
  "Body": {
    "IntotoObj": {
      "content": {
        "hash": {
          "algorithm": "sha256",
          "value": "58b7b733136e3e86c0918efc0befb2df895c1cca4c88c06b1f755b7b283afb28"
        }
      },
      "publicKey": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFbkxOdzNSWXg5eFFqWGJVRXc4dm9uWDNVNCt0QgprUG5KcSt6dDM4NlNDb0cwZXdJSDVNQjgrR2pJREdBclVVTFNEZmpmTTMxRWFlLzcxa2F2QVVJME9BPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg=="
    }
  },
  "LogIndex": 780992,
  "IntegratedTime": 1634644561,
  "UUID": "8ba5dcc45b9fad4d879a8b6815cdaa85fdee1d9fc24cf8811f103d537c602908",
  "LogID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
}

The attestation type is not there, I'm not sure if it was ever there though?

afrittoli commented Jun 23, 2022

I checked for the latest Tekton nightly build today, and search by sha is back, which is great :)

$ rekor-cli search --sha sha256:56884c214e5cc606d500c1dde0192a16b5dfad320c25ae3b7fb0f41dc1899263
Found matching entries (listed by UUID):
362f8ecba72f4326776d843aa28db811d1badb3a98db39abea142861d4ff8ff402e3008c167364d0
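
A fail-closed check for the symptom reported in this thread, as an added example that is not part of the issue or of the Rekor or Tekton projects: it takes `rekor-cli get --format json` output, rejects an empty `Attestation`, and confirms the decoded statement names the expected image digest. It assumes `Attestation` is base64 as in the output above and that the payload is an in-toto Statement with `subject[].digest.sha256`; the sample entries and the `check_entry` name are constructed for illustration.

```python
import base64
import binascii
import json

# Constructed sample input shaped like the `rekor-cli get --format json` output
# in this thread; the statement, image name and digest are made up.
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "example.test/controller", "digest": {"sha256": "ab" * 32}}],
}
SAMPLE_OK = json.dumps({
    "Attestation": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "AttestationType": "",
    "UUID": "0" * 64,
})
SAMPLE_EMPTY = json.dumps({"Attestation": "", "AttestationType": "", "UUID": "0" * 64})


def check_entry(entry_json: str, expected_sha256: str) -> str:
    """Return 'ok' or a reason string; anything but 'ok' should fail the pipeline."""
    entry = json.loads(entry_json)
    att = entry.get("Attestation") or ""
    if not att:
        return "missing-attestation"  # the symptom reported in this issue
    try:
        # Assumption: the field is base64, as in the output shown in the thread.
        statement = json.loads(base64.b64decode(att, validate=True))
    except (binascii.Error, ValueError):
        return "undecodable-attestation"
    if not isinstance(statement, dict):
        return "undecodable-attestation"
    # Collect every sha256 digest listed under the statement's subjects.
    digests = {
        s.get("digest", {}).get("sha256")
        for s in (statement.get("subject") or [])
        if isinstance(s, dict)
    }
    return "ok" if expected_sha256.lower() in digests else "subject-mismatch"


if __name__ == "__main__":
    import sys
    # usage: rekor-cli get --uuid <UUID> --format json | python check.py <sha256>
    result = check_entry(sys.stdin.read(), sys.argv[1])
    print(result)
    sys.exit(0 if result == "ok" else 1)
```

The check only covers attestation presence and subject digest; signature and inclusion-proof verification of the entry still has to happen separately.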
