ci: correct image input to sign command #4488

Merged
merged 1 commit into from
Jan 11, 2025

@erikgb erikgb commented Jan 11, 2025

Closes

What changed?

Another fix to #4483. This tries to supply the full image digest to the cosign commands. Extract from the last attempt to sign the image on the main branch:

```
Generating ephemeral keys...
Retrieving signed certificate...
Successfully verified SCT...
WARNING: Image reference sha256:d611992eaadc602663757af08eba581126d6f518184fe66ec45198aba84cf7dd uses a tag, not a digest, to identify the image to sign.
    This can lead you to sign a different image than the intended one. Please use a
    digest (example.com/ubuntu@sha256:abc123...) rather than tag
    (example.com/ubuntu:latest) for the input to cosign. The ability to refer to
    images by tag will be removed in a future release.

Error: signing [sha256:d611992eaadc602663757af08eba581126d6f518184fe66ec45198aba84cf7dd]: accessing entity: GET https://index.docker.io/v2/library/sha256/manifests/d611992eaadc602663757af08eba581126d6f518184fe66ec45198aba84cf7dd: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/sha256 Type:repository]]
main.go:74: error during command execution: signing [sha256:d611992eaadc602663757af08eba581126d6f518184fe66ec45198aba84cf7dd]: accessing entity: GET https://index.docker.io/v2/library/sha256/manifests/d611992eaadc602663757af08eba581126d6f518184fe66ec45198aba84cf7dd: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/sha256 Type:repository]]
```

So it seems like the job is trying to sign a simple DockerHub image tag - with a digest format. 🤠

Also adding an additional echo command - to see if the docker action can provide this information.

Why was this change made?

Try to make image signing work.

How was this change implemented?

How did you validate the change?

Release notes

Documentation Changes

@erikgb erikgb force-pushed the sign-correct-image branch from c80fe4a to 6918801 Compare January 11, 2025 08:42
@erikgb erikgb marked this pull request as ready for review January 11, 2025 08:49
@erikgb erikgb requested a review from casibbald January 11, 2025 08:50
@erikgb erikgb force-pushed the sign-correct-image branch from 6918801 to 5255b47 Compare January 11, 2025 08:52
@erikgb erikgb enabled auto-merge (rebase) January 11, 2025 08:53
@erikgb erikgb requested a review from tenstad January 11, 2025 08:56
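Why the log in the description ends in a request to `index.docker.io/v2/library/sha256/manifests/...`, as an added example that is not part of this PR, the workflow, or cosign: a bare `sha256:<hex>` string has no `@`, so Docker-style reference defaulting (simplified here) reads `sha256` as a Docker Hub repository and the hex as its tag. The function names and the `ghcr.io/example/app` repository are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; function names and ghcr.io/example/app are constructed.
PAGE_DIGEST=sha256:d611992eaadc602663757af08eba581126d6f518184fe66ec45198aba84cf7dd

# Succeeds only for repo@sha256:<64 hex>, the form the cosign warning asks for.
is_digest_ref() {
  printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# Prints the manifest URL a registry client would request for REF,
# using simplified Docker Hub defaulting rules.
manifest_url() {
  ref=$1
  case $ref in
    *@*) name=${ref%@*}; id=${ref##*@} ;;        # repo@digest
    *)
      last=${ref##*:}
      if [ "$last" != "$ref" ] && [ "${last#*/}" = "$last" ]; then
        name=${ref%:*}; id=$last                  # text after last ':' is a tag
      else
        name=$ref; id=latest                      # no tag given
      fi ;;
  esac
  first=${name%%/*}
  case $name in
    */*)
      case $first in
        *.*|*:*|localhost) host=$first; repo=${name#*/} ;;
        *) host=index.docker.io; repo=$name ;;
      esac ;;
    *) host=index.docker.io; repo=library/$name ;;  # bare name: Docker Hub library
  esac
  printf 'https://%s/v2/%s/manifests/%s\n' "$host" "$repo" "$id"
}

# Joins REPO and DIGEST, refusing anything that is not a full digest reference.
digest_ref() {
  ref="$1@$2"
  is_digest_ref "$ref" || { echo "not a digest reference: $ref" >&2; return 1; }
  printf '%s\n' "$ref"
}

manifest_url "$PAGE_DIGEST"                          # the URL seen in the failed job
manifest_url "$(digest_ref ghcr.io/example/app "$PAGE_DIGEST")"
```

Running a check like `is_digest_ref` on the value before it reaches the signing step makes the job fail early with a clear message instead of an `UNAUTHORIZED` response from an unrelated registry.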
@tenstad tenstad left a comment

Not 100% sure this works, we'll have to see :D LGTM!

@erikgb erikgb merged commit 2756b57 into weaveworks:main Jan 11, 2025
18 checks passed
This was referenced Jan 15, 2025
This was referenced Feb 4, 2025