Skip to content

ci: correct image input to sign command#4488

Merged
erikgb merged 1 commit intoweaveworks:mainfrom
erikgb:sign-correct-image
Jan 11, 2025
Merged

ci: correct image input to sign command#4488
erikgb merged 1 commit intoweaveworks:mainfrom
erikgb:sign-correct-image

Conversation

@erikgb
Copy link
Copy Markdown
Contributor

@erikgb erikgb commented Jan 11, 2025
edited
Loading

Closes

What changed?

Another fix to #4483. This tries to supply the full image digest to the cosign commands. Extract from the last attempt to sign the image on the main branch:

Generating ephemeral keys...
Retrieving signed certificate...
Successfully verified SCT...
WARNING: Image reference sha256:d611992eaadc602663757af08eba581126d6f518184fe66ec45198aba84cf7dd uses a tag, not a digest, to identify the image to sign.
    This can lead you to sign a different image than the intended one. Please use a
    digest (example.com/ubuntu@sha256:abc123...) rather than tag
    (example.com/ubuntu:latest) for the input to cosign. The ability to refer to
    images by tag will be removed in a future release.

Error: signing [sha256:d611992eaadc60266[37](https://github.com/weaveworks/weave-gitops/actions/runs/12722807382/job/35467266713#step:9:38)57af08eba581126d6f518184fe66ec45198aba84cf7dd]: accessing entity: GET https://index.docker.io/v2/library/sha256/manifests/d611992eaadc602663757af08eba581126d6f518184fe66ec45198aba84cf7dd: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/sha256 Type:repository]]
main.go:74: error during command execution: signing [sha256:d611992eaadc602663757af08eba581126d6f518184fe66ec45198aba84cf7dd]: accessing entity: GET https://index.docker.io/v2/library/sha256/manifests/d611992eaadc602663757af08eba581126d6f518184fe66ec45198aba84cf7dd: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/sha256 Type:repository]]

So it seems like the job is trying to sign a simple DockerHub image tag - with a digest format. 🤠

Also adding an additional echo command - to see if the docker action can provide this information.

Why was this change made?

Try to make image signing work.

How was this change implemented?

How did you validate the change?

Release notes

Documentation Changes

@erikgb erikgb force-pushed the sign-correct-image branch from c80fe4a to 6918801 Compare January 11, 2025 08:42
@erikgb erikgb marked this pull request as ready for review January 11, 2025 08:49
@erikgb erikgb requested a review from casibbald January 11, 2025 08:50
@erikgb erikgb force-pushed the sign-correct-image branch from 6918801 to 5255b47 Compare January 11, 2025 08:52
@erikgb erikgb enabled auto-merge (rebase) January 11, 2025 08:53
@erikgb erikgb requested a review from tenstad January 11, 2025 08:56
tenstad
tenstad approved these changes Jan 11, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@tenstad tenstad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not 100% sure this works, we'll have to see :D LGTM!

@erikgb erikgb merged commit 2756b57 into weaveworks:main Jan 11, 2025
This was referenced Jan 15, 2025
Closed
Closed
This was referenced Jan 26, 2025
Closed
Closed
Closed
This was referenced Feb 4, 2025
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tenstad tenstad tenstad approved these changes

@casibbald casibbald Awaiting requested review from casibbald

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@erikgb @tenstad