Fail to install tools because of the error of Cosign #2759
Labels
bug
Something isn't working
Comments
About aqua-installer, we solve this issue by disabling cosign verification temporarily.
What to do when you face the issue
export AQUA_DISABLE_COSIGN=true
export AQUA_DISABLE_SLSA=true
GitHub Actions Workflows
env:
  AQUA_DISABLE_COSIGN: "true"
  AQUA_DISABLE_SLSA: "true"
We're working on upgrading Cosign to v2, but it is being blocked by slsa-framework/slsa-github-generator#3350.
This was referenced Mar 20, 2024
v2.25.1 is out 🎉
aqua info
aqua v2.25.0
Overview
aqua uses Cosign v1.
https://aquaproj.github.io/docs/reference/security/cosign-slsa/#verify-packages-with-cosign
Recently, Sigstore has published a new TUF trust root.
https://sigstore.slack.com/archives/C01DGF0G8U9/p1710871645742299
https://blog.sigstore.dev/tuf-root-update/
A new TUF trust root doesn't support Cosign v1 but aqua is still using Cosign v1, so aqua fails to install tools which enable Cosign verification.
Due to the issue, aqua-installer can't install aqua.
To solve the issue, we have two options.
How to reproduce
Run aqua-installer or aqua update-aqua.
Debug output
Expected behaviour
aqua and aqua-installer can install tools.
Actual behaviour
It fails to install tools.
https://github.com/aquaproj/aqua-registry/actions/runs/8355302244/job/22870132650
Note
No response