fix: upgrade Cosign to v2 #2757

Merged
suzuki-shunsuke merged 10 commits into main from fix-upgrade-cosign-to-v2
Mar 21, 2024
suzuki-shunsuke commented Mar 20, 2024

suzuki-shunsuke added this to the v2.25.1 milestone Mar 20, 2024
suzuki-shunsuke commented Mar 20, 2024

Release failed.

https://github.com/aquaproj/aqua/actions/runs/8353771292/job/22866035480?pr=2757

GoReleaser ran cosign sign-blob.

aqua/.goreleaser.yml

Lines 28 to 44 in 74a0c86

signs:
  - cmd: cosign
    artifacts: checksum
    signature: ${artifact}.sig
    certificate: ${artifact}.pem
    output: true
    env:
      - COSIGN_EXPERIMENTAL=1
    args:
      - sign-blob
      - --output-signature
      - ${signature}
      - --output-certificate
      - ${certificate}
      - --oidc-provider
      - github
      - ${artifact}

The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
	Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
	This may include the email address associated with the account with which you authenticate your contractual Agreement.
	This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
Are you sure you would like to continue? [y/N] Error: signing dist/aqua_2.25.1-1_checksums.txt: upload to tlog: user declined the prompt
main.go:74: error during command execution: signing dist/aqua_2.25.1-1_checksums.txt: upload to tlog: user declined the prompt
  ⨯ release failed after 1m58s               error=sign: cosign failed: exit status 1: Using payload from: dist/aqua_2.25.1-1_checksums.txt
Generating ephemeral keys...
Retrieving signed certificate...
Successfully verified SCT...

	The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
	Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
	This may include the email address associated with the account with which you authenticate your contractual Agreement.
	This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
Are you sure you would like to continue? [y/N] Error: signing dist/aqua_2.25.1-1_checksums.txt: upload to tlog: user declined the prompt
main.go:74: error during command execution: signing dist/aqua_2.25.1-1_checksums.txt: upload to tlog: user declined the prompt

Error: Process completed with exit code 1.
cosign sign-blob --help
    -y, --yes=false:
	skip confirmation prompts for non-destructive operations
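
An added example, not part of this PR or the aqua repository: a preflight lint that flags a GoReleaser `signs` entry running `cosign sign-blob` without `--yes`/`-y`, the condition behind the "user declined the prompt" failure in the log above. The function names, file names and sample configs are constructed for illustration, and the parser assumes block-style YAML with normal indentation.

```shell
#!/bin/sh
# Added example: lint GoReleaser `signs` entries before a release runs.
# Assumes block-style YAML with normal indentation (no flow sequences).
check_cosign_noninteractive() {
  awk -v q="'" '
    function flush() {
      if (in_entry && cmd ~ /(^|\/)cosign$/ && blob && !yes) {
        printf "line %d: cosign sign-blob without --yes/-y\n", start
        bad = 1
      }
      in_entry = 0; cmd = ""; blob = 0; yes = 0
    }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    { match($0, /^ */); indent = RLENGTH }
    indent == 0 && $0 !~ /^-/ {              # top-level key: enter or leave signs
      flush(); in_signs = ($0 ~ /^signs:/); entry_indent = -1; next
    }
    !in_signs { next }
    /^ *- / && (entry_indent < 0 || indent == entry_indent) {
      flush(); in_entry = 1; start = NR; entry_indent = indent
    }
    {                                        # reduce "- value  # comment" to value
      line = $0
      sub(/^ *(- +)?/, "", line); sub(/[ \t]+#.*$/, "", line)
      gsub("[\"" q "]", "", line)
      if (line ~ /^cmd:/) { sub(/^cmd:[ \t]*/, "", line); cmd = line }
      else if (line == "sign-blob") blob = 1
      else if (line == "--yes" || line == "-y" || line == "--yes=true") yes = 1
    }
    END { flush(); exit bad + 0 }
  ' "$1"
}

# Constructed samples, abridged from the signs block quoted above:
# one without --yes and one with it (hypothetical file names).
write_samples() {
  head='signs:\n  - cmd: cosign\n    artifacts: checksum\n    args:\n      - sign-blob\n'
  printf "$head"'      - ${artifact}\n' > "$1/prompting.yml"
  printf "$head"'      - "--yes" # skip the tlog prompt\n      - ${artifact}\n' > "$1/fixed.yml"
}

# Demo: lint both samples and report which one would stall a CI job.
d=$(mktemp -d) && write_samples "$d"
for f in prompting fixed; do
  check_cosign_noninteractive "$d/$f.yml" && echo "$f.yml: ok" || echo "$f.yml: would block in CI"
done
rm -rf "$d"
```

Run against a real `.goreleaser.yml` as a step before the release job, so a missing flag fails in seconds instead of at the signing stage.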

suzuki-shunsuke merged commit 37a5a2a into main Mar 21, 2024
suzuki-shunsuke deleted the fix-upgrade-cosign-to-v2 branch March 21, 2024 21:26
jdx pushed a commit to jdx/mise that referenced this pull request Sep 22, 2025
`cosign.experimental` was removed in
aquaproj/aqua#2757. No registries are using it.
The implementation for experimental in
#6332 is never used, so I believe it's
fine to remove it.