Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 4.0.0 to 4.1.1.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@faadad0...cad07c2)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
My memory is a bit vague, but I remember that it was due to some subcommands of the CLI binary not yet being compatible with the new formats. So it is very likely that this got fixed in the meantime. Have you managed to verify the signature as well?
I did not, but I had to sign in with my account and it was complaining like this: Should it be working? I did assume there was some extra in CI's parameters that I don't have access to, pointing to the correct "account/identity"
a5aa4af to f6ab882
So the issue with the upgrade was that there now seems to be a delay between the time that the signature is published to the registry and the time it is actually exposed. Since we were verifying it immediately after publishing it, the signature could not be found. The new version of cosign uses a new format to bundle the signature, so that's probably why the issue appeared now. In any case, introducing a 30-second delay between signing and verifying the signature addresses the issue. I've done so in this PR and will merge it.
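An alternative to a fixed sleep for the sign-then-verify race described in the comment above, added here as an example (not code from this PR or from cosign-installer): a bounded retry that fails closed if verification never succeeds. The function name `verify_with_retry` and the `IMAGE_REF`, `CERT_IDENTITY` and `OIDC_ISSUER` variables are hypothetical placeholders.

```shell
#!/usr/bin/env bash
# Added example: bounded retry around signature verification.
# A retry cannot tell "signature not visible yet" from "signature invalid",
# so the loop is capped and the step fails if no attempt succeeds.

# verify_with_retry MAX_ATTEMPTS DELAY_SECONDS CMD [ARGS...]
# Runs CMD until it exits 0 or MAX_ATTEMPTS is reached.
# Returns 0 on the first success, 1 if every attempt failed.
verify_with_retry() {
  local max_attempts=$1
  local delay=$2
  local attempt=1
  shift 2
  while :; do
    if "$@"; then
      echo "verified on attempt ${attempt}" >&2
      return 0
    fi
    if [ "$attempt" -ge "$max_attempts" ]; then
      echo "verification failed after ${attempt} attempts" >&2
      return 1
    fi
    echo "attempt ${attempt} failed; retrying in ${delay}s" >&2
    sleep "$delay"
    attempt=$((attempt + 1))
  done
}

# Usage in a CI step (placeholders, set by the workflow):
#   verify_with_retry 6 10 cosign verify \
#     --certificate-identity "$CERT_IDENTITY" \
#     --certificate-oidc-issuer "$OIDC_ISSUER" \
#     "$IMAGE_REF"
```

With 6 attempts and a 10-second delay the step waits at most 50 seconds, and returns as soon as the signature becomes visible.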
f6ab882 to 0c5acfc
Bumps sigstore/cosign-installer from 4.0.0 to 4.1.1.
Release notes
Sourced from sigstore/cosign-installer's releases.
Commits
- cad07c2 chore: update default cosign-release to v3.0.5 (#223)
- ba7bc0a fix: add retry to curl downloads for transient network failures (#210)
- 5a292e1 Bump cosign to 3.0.5 (#220)
- 351ea76 Bump actions/checkout from 6.0.1 to 6.0.2 (#217)
- c17565f test with go 1.26 too (#221)
- a6fdd19 Bump actions/setup-go from 6.1.0 to 6.3.0 (#218)
- 430b6a7 docs: fix registry from gcr.io to ghcr.io (#213)
- 4d14d7f feat: update to v3.0.3 (#212)
- f148005 fix: use env vars for template expansions; show curl errors (#207)
- c3f2d79 Bump actions/checkout from 6.0.0 to 6.0.1 (#208)