Upload cosign transparency log and verify signatures before release#5724

Merged
juanluisvaladas merged 2 commits into
k0sproject:mainfrom
juanluisvaladas:fix-cosign
Apr 7, 2025

Conversation

@juanluisvaladas juanluisvaladas commented Apr 4, 2025

Description

It was reported to us that cosign verify-blob fails with:

cosign verify-blob \
  --key https://github.com/k0sproject/k0s/releases/download/v1.32.2%2Bk0s.0/cosign.pub \
  --signature https://github.com/k0sproject/k0s/releases/download/v1.32.2%2Bk0s.0/k0s-v1.32.2+k0s.0-amd64.sig \
  k0s-v1.32.2+k0s.0-amd64
Error: signature not found in transparency log
main.go:74: error during command execution: signature not found in transparency log

The ultimate root cause for this is that we don't upload the transparency log, so the verification process can only be done by adding the flag --insecure-ignore-tlog.

This commit does 2 things:
1- Set --tlog-upload=true so that the transparency log can be verified
2- Remove the flag --payload from the documentation. This flag was probably removed at some point and is now invalid.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

How Has This Been Tested?

  • Manual test
  • Auto test added

Checklist

  • My code follows the style guidelines of this project
  • My commit messages are signed-off
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
  • I have checked my code and corrected any misspellings
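The verification described in the PR, as an added example that is not code from the k0s project or from this PR: a POSIX shell wrapper that fetches a release's cosign.pub, signature and binary using the asset layout of the verify-blob command quoted above, runs cosign verify-blob with the transparency log required (no --insecure-ignore-tlog), and distinguishes the "signature not found in transparency log" failure from other errors. It assumes cosign and curl on PATH; the function names (k0s_release_url, k0s_binary_name, classify_cosign_result, k0s_verify_release) and the K0S_VERSION/K0S_ARCH environment variables are the example's own.

```shell
#!/bin/sh
# Added example, not part of the k0s project or this PR. Verifies a k0s release
# binary with cosign while insisting on the Rekor transparency-log entry (no
# --insecure-ignore-tlog), and tells a missing log entry apart from other
# failures. Assumes cosign and curl on PATH and the release-asset layout used in
# the PR's own verify-blob command. Function names are the example's own.
set -eu

# Release-asset URL. The "+" in the tag (v1.32.2+k0s.0) is percent-encoded as
# %2B in the URL path, as in the command quoted in the PR description.
k0s_release_url() {
  encoded=$(printf '%s' "$1" | sed 's/+/%2B/g')
  printf 'https://github.com/k0sproject/k0s/releases/download/v%s/%s\n' \
    "$encoded" "$2"
}

# Binary name for a version and architecture (k0s-v<version>-<arch>).
k0s_binary_name() {
  printf 'k0s-v%s-%s\n' "$1" "$2"
}

# Classify a cosign verify-blob outcome from its exit code and stderr text.
# Prints: ok | no-tlog-entry | failed. The "signature not found in transparency
# log" wording is the one shown in the PR; any other failure is reported as-is.
classify_cosign_result() {
  if [ "$1" -eq 0 ]; then
    echo ok
  elif printf '%s' "$2" | grep -q 'signature not found in transparency log'; then
    echo no-tlog-entry
  else
    echo failed
  fi
}

# Fetch key, signature and binary for a release, then verify. Returns non-zero
# unless both the signature and its transparency-log entry check out.
k0s_verify_release() {
  version=$1; arch=$2
  binary=$(k0s_binary_name "$version" "$arch")
  for asset in cosign.pub "$binary.sig" "$binary"; do
    curl -fsSL -o "$asset" "$(k0s_release_url "$version" "$asset")"
  done
  errfile=$(mktemp)
  if cosign verify-blob --key cosign.pub --signature "$binary.sig" "$binary" 2>"$errfile"; then
    code=0
  else
    code=$?
  fi
  result=$(classify_cosign_result "$code" "$(cat "$errfile")")
  rm -f "$errfile"
  case $result in
    ok)
      echo "verified: $binary (signature and transparency-log entry)" ;;
    no-tlog-entry)
      echo "no transparency-log entry for $binary; releases signed before" \
           "--tlog-upload=true cannot be verified without --insecure-ignore-tlog," \
           "which gives up the log's tamper-evidence" >&2
      return 1 ;;
    *)
      echo "cosign verify-blob failed (exit $code) for $binary" >&2
      return 1 ;;
  esac
}

# Stand-alone use: K0S_VERSION=1.32.2+k0s.0 K0S_ARCH=amd64 sh verify-k0s.sh
if [ -n "${K0S_VERSION:-}" ]; then
  k0s_verify_release "$K0S_VERSION" "${K0S_ARCH:-amd64}"
fi
```

The classification step is kept separate from the cosign call so the two outcomes that matter operationally are visible: a release signed after this PR should report "ok", while one signed before it reports "no-tlog-entry", which is a reason to wait for a re-signed build rather than to pass --insecure-ignore-tlog.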

makhov previously approved these changes Apr 4, 2025

@makhov makhov left a comment

Just a question to make sure that there is no typo

Comment thread on docs/verifying-signs.md (outdated):
Without this, cosign verify-blob fails with requires the flag
--insecure-ignore-tlog in order to verify the binary.

Signed-off-by: Juan-Luis de Sousa-Valadas Castaño <jvaladas@mirantis.com>
@juanluisvaladas juanluisvaladas added bug Something isn't working area/ci github_actions Pull requests that update GitHub Actions code labels Apr 4, 2025
@juanluisvaladas (author)

I verified the fake release and this fixes the issue:

➜  Downloads cosign  verify-blob  --key cosign.pub  --signature k0s-vFAKEvaladas5-amd64.exe.sig k0s-vFAKEvaladas5-amd64.exe
Verified OK

https://github.com/k0sproject/k0s/actions/runs/14267310886/job/39992711970

@juanluisvaladas juanluisvaladas marked this pull request as ready for review April 4, 2025 14:45
@juanluisvaladas juanluisvaladas requested review from a team as code owners April 4, 2025 14:45
@juanluisvaladas juanluisvaladas requested review from jnummelin and kke April 4, 2025 14:45
@juanluisvaladas juanluisvaladas added backport/release-1.29 PR that needs to be backported/cherrypicked to the release-1.29 branch backport/release-1.30 PR that needs to be backported/cherrypicked to the release-1.30 branch backport/release-1.31 PR that needs to be backported/cherrypicked to the release-1.31 branch backport/release-1.32 PR that needs to be backported/cherrypicked to release-1.32 branch labels Apr 4, 2025
Signed-off-by: Juan-Luis de Sousa-Valadas Castaño <jvaladas@mirantis.com>
@juanluisvaladas juanluisvaladas merged commit d15207b into k0sproject:main Apr 7, 2025
k0s-bot commented Apr 7, 2025

Successfully created backport PR for release-1.29:

k0s-bot commented Apr 7, 2025

Successfully created backport PR for release-1.30:

k0s-bot commented Apr 7, 2025

Successfully created backport PR for release-1.31:

k0s-bot commented Apr 7, 2025

Successfully created backport PR for release-1.32:

takumin added a commit to takumin/aqua-registry that referenced this pull request Apr 28, 2025
suzuki-shunsuke pushed a commit to aquaproj/aqua-registry that referenced this pull request Apr 30, 2025
* feat(k0sproject/k0s): scaffold k0sproject/k0s

* fix(k0sproject/k0s): pass cmdx t

* fix(k0sproject/k0s): support cosign transparency log

Transparency logs are now uploaded upstream.

see also:
k0sproject/k0s#5724
k0sproject/k0s@a01579d