Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upload cosign transparency log and verify signatures before release #5724

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Upload cosign transparency log and verify signatures before release #5724

wants to merge 2 commits into from
+5 −5

Conversation

juanluisvaladas
Copy link
Contributor

@juanluisvaladas juanluisvaladas commented Apr 4, 2025
edited
Loading

Description

It was reported to us that cosign verify-blob fails with:

cosign verify-blob \
  --key https://github.com/k0sproject/k0s/releases/download/v1.32.2%2Bk0s.0/cosign.pub \
  --signature https://github.com/k0sproject/k0s/releases/download/v1.32.2%2Bk0s.0/k0s-v1.32.2+k0s.0-amd64.sig \
  k0s-v1.32.2+k0s.0-amd64
Error: signature not found in transparency log
main.go:74: error during command execution: signature not found in transparency log

The ultimate root cause for this is that we don't upload the transparency log, so the verification process can only be done by adding the flag --insecure-ignore-tlog.

This commit does 2 things:
1- Set --tlog-upload=trueso that the transparency log can be verified
2- Remove the flag --payload from the documentation. This flags was probably removed at some point and now is invalid.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

How Has This Been Tested?

  • Manual test
  • Auto test added

Checklist

  • My code follows the style guidelines of this project
  • My commit messages are signed-off
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
  • I have checked my code and corrected any misspellings

makhov
makhov previously approved these changes Apr 4, 2025
View reviewed changes
Copy link
Contributor

@makhov makhov left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a question to make sure, that there is no typo

@juanluisvaladas
Upload cosign transparency log
a01579d 
Without this, cosign verify-blob fails with requires the flag
--insecure-ignore-tlog in order to verify the binary.

Signed-off-by: Juan-Luis de Sousa-Valadas Castaño <[email protected]>
@juanluisvaladas juanluisvaladas added bug Something isn't working area/ci github_actions Pull requests that update GitHub Actions code labels Apr 4, 2025
@juanluisvaladas
Copy link
Contributor Author

I verified the fake release and this fixes the issue:

➜  Downloads cosign  verify-blob  --key cosign.pub  --signature k0s-vFAKEvaladas5-amd64.exe.sig k0s-vFAKEvaladas5-amd64.exe
Verified OK

https://github.com/k0sproject/k0s/actions/runs/14267310886/job/39992711970

@juanluisvaladas juanluisvaladas marked this pull request as ready for review April 4, 2025 14:45
@juanluisvaladas juanluisvaladas requested review from a team as code owners April 4, 2025 14:45
@juanluisvaladas juanluisvaladas requested review from kke and jnummelin April 4, 2025 14:45
@juanluisvaladas juanluisvaladas added backport/release-1.29 PR that needs to be backported/cherrypicked to the release-1.29 branch backport/release-1.30 PR that needs to be backported/cherrypicked to the release-1.30 branch backport/release-1.31 PR that needs to be backported/cherrypicked to the release-1.31 branch backport/release-1.32 PR that needs to be backported/cherrypicked to release-1.32 branch labels Apr 4, 2025
@juanluisvaladas
Fix documentation for cosign verify blob
ff63799 
Signed-off-by: Juan-Luis de Sousa-Valadas Castaño <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@makhov makhov makhov left review comments

@kke kke Awaiting requested review from kke kke is a code owner automatically assigned from k0sproject/k0s-maintainers

@jnummelin jnummelin Awaiting requested review from jnummelin jnummelin is a code owner automatically assigned from k0sproject/k0s-maintainers

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
area/ci backport/release-1.29 PR that needs to be backported/cherrypicked to the release-1.29 branch backport/release-1.30 PR that needs to be backported/cherrypicked to the release-1.30 branch backport/release-1.31 PR that needs to be backported/cherrypicked to the release-1.31 branch backport/release-1.32 PR that needs to be backported/cherrypicked to release-1.32 branch bug Something isn't working github_actions Pull requests that update GitHub Actions code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@juanluisvaladas @makhov