fix(release): publish cosign sigs to Sigstore Rekor (#81) #82
No reviewers
Labels
No labels
area:auth
area:ci
area:db
area:infra
area:native
area:pwa
area:service
epic
feature
foundation
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
james/carol!82
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "81-cosign-no-rekor"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Closes #81.
(Branch is misnamed
81-cosign-no-rekor— that was the original direction before the trade-off was reconsidered. The fix is the opposite: publish to Rekor explicitly.)What happened
First successful release build (after #79, #76, #16 all landed) produces a signed image, but the verification command from the release notes fails:
That message is Rekor returning "no entry matches the signature's public key + image digest". cosign 2.5.x changed the default for
--tlog-uploadon keyed signing, so our sign step stopped publishing to Sigstore's public-good Rekor — but the verify step (which still consults Rekor by default) can't find the entry it expects.Fix
Explicitly
--tlog-upload=trueon bothcosign signandcosign attest. This:--insecure-ignore-tlog, no--rekor-urloverride). A self-hoster's verify command is plaincosign verify --key ... <image>@<digest>— what they'd type by reflex.rekor.sigstore.dev. If Rekor is unreachable during a tag push, the sign step fails and the release doesn't publish; that's the intentional fail-closed behaviour, documented.Files
.forgejo/workflows/release.ymlcosign sign --tlog-upload=true,cosign attest --tlog-upload=true, with a comment explaining the default-flip and why we're being explicitdocs/ci.mdcosign tree, and the failure mode if Rekor is downdocs/adr/0014-release-pipeline.mdAcceptance criteria
--tlog-upload=trueon sign and attest, with intent-explaining comments.docs/ci.mdandADR-0014document the explicit Rekor dependency.v0.0.1-rc.2) produces an image whose signature is in Rekor —cosign tree forge.wynning.tech/james/carol@<digest>reports the entry; verify command from release notes succeeds withVerified OK. (CI to confirm.)Out of scope
cosign 2.5.x changed the default for --tlog-upload on keyed signing, so the workflow's sign step stopped uploading to Sigstore's public-good Rekor transparency log. The verify command (which still queries Rekor by default) then fails with "no known key found for this signature in database" because the entry isn't there. Be explicit on both sign and attest: --tlog-upload=true. This: - Keeps verify commands at the canonical default shape (no --insecure-ignore-tlog), so what self-hosters paste from the release notes is plain `cosign verify --key ...`. - Gives every release a public, append-only Rekor entry — useful forensically if the key is ever compromised. - Takes a runtime dep on rekor.sigstore.dev; sign fails if Rekor is unreachable. Documented in ADR-0014 + docs/ci.md. Old releases signed before this fix can't be re-verified without re-signing (the legitimate Rekor entry never existed). Forward-only. Closes #81. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>cosign.pubURL must be anonymously fetchable; clarify "verified offline" Rekor behaviour #83Post-merge note: this PR did upload sigs to Rekor as designed (
logIndex: 1854384861on the rc.2 sign step), but the user-visible "no known key found" verify error it was meant to fix turned out to have a different root cause — the repo was private at debug time, and cosign's anonymous GET on thecosign.pubURL was getting a Forgejo login page instead of the PEM. Once the repo was made public, verify succeeded withExistence of the claims in the transparency log was verified offline, which is the intended fast path against the embeddedSignedEntryTimestampbundle.The
--tlog-upload=truechange is still a real improvement (we are genuinely uploading to Rekor now, and a future verifier without the embedded-bundle fast path can still find the entry). The missing prerequisite + troubleshooting are documented in #83 / PR #84.