Publish cosign signatures to Sigstore public-good Rekor #81
Labels
No labels
area:auth
area:ci
area:db
area:infra
area:native
area:pwa
area:service
epic
feature
foundation
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
james/carol#81
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
First successful release build (after #79, #76, #16 all landed) produces a signed image, but the verification command from the release notes fails:
That message comes from cosign querying Sigstore's public-good Rekor transparency log and finding no entry matching the signature's public key + image digest. Most likely the sign step in our workflow isn't actually uploading to Rekor — cosign 2.5.x changed the default for
--tlog-uploadon keyed signing, and we're relying on the (now-different) default.Decision
Publish to Rekor explicitly. The verification command stays the default-shape (
cosign verify --key ... <image>@<digest>); we just need to make sure the sign step actually uploads the entry that verify is going to look for.This gives us:
Trade-off: a public log entry per release reveals the existence and timing of every release to anyone watching
https://rekor.sigstore.dev. For an open-source project that is acceptable (everything is public anyway). The runtime dependency on Sigstore's public infrastructure is a real one; ifrekor.sigstore.devis down during a release, the sign step fails the release. The mitigation if that becomes painful is self-hosting Rekor — explicitly out of scope (see "Out of scope" below).Scope
--tlog-upload=trueexplicitly tocosign signandcosign attestin.forgejo/workflows/release.yml. Today's defaults may already do this in some cosign versions, but the explicit flag survives future default flips and documents intent.--insecure-ignore-tlog, no--rekor-urloverride). Default verify is what self-hosters will type.docs/ci.md"Release pipeline → Verifying a published image" with a one-paragraph note explaining that signatures are published to Sigstore's public Rekor and what that means for the trust chain (timestamping + reproducibility check).Acceptance criteria
v0.0.1-rc.2or similar) produces an image whose signature shows up in Rekor —cosign tree forge.wynning.tech/james/carol@<digest>reports both the signature and the SLSA attestation, each with a Rekor entry.Verified OKon bothcosign verifyandcosign verify-attestation.docs/ci.mdand ADR-0014 reflect the explicit Rekor dependency.Out of scope
--tlog-upload=false/--insecure-ignore-tlog) — considered and rejected in favor of the timestamping property.Part of epic #2. Follow-up from #16.
cosign verify fails against Rekor: opt out of the transparency logto Publish cosign signatures to Sigstore public-good Rekorcosign.pubURL must be anonymously fetchable; clarify "verified offline" Rekor behaviour #83Root-cause correction for future readers:
The user-visible
Error: no matching signatures: no known key found for this signature in databasechased here was not caused by the missing--tlog-upload=trueflag — it was caused by repo visibility. The repo was private at debug time, and cosign's HTTP client does an anonymous GET on--key <URL>without carrying a Forgejo session, so the URL returned a login page (HTML) instead of the PEM. The error message is what cosign emits when it can't load any usable key.The fix made in #82 (
--tlog-upload=trueon sign and attest) is still a real improvement — release signatures are now genuinely uploaded to Sigstore's public-good Rekor (confirmedlogIndex: 1854384861on the rc.2 sign step), and verify reportsExistence of the claims in the transparency log was verified offlineagainst the embeddedSignedEntryTimestampbundle. So this issue's outcome was correct, just for a different reason than the symptom.The missing prerequisite (cosign.pub URL must be anonymously fetchable) and a troubleshooting entry for the misleading error message are documented in #83 / PR #84.