
zarf/0.67.0-r0: cve remediation #75221

Closed

octo-sts[bot] wants to merge 1 commit into main from cve-zarf-0.67.0-r0-2ff7cb511ef4e3f1bcb19e07da229457


Conversation

octo-sts bot (Contributor) commented Dec 8, 2025

zarf/0.67.0-r0: fix GHSA-f83f-xpx7-ffpw

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/zarf.advisories.yaml


"Breadcrumbs" for this automated service

octo-sts bot (Contributor, Author) commented Dec 8, 2025

🛑 Build Failed: Compilation

undefined: cryptoutils.ValidatePubKey

Build Details

Category      | Details
Build System  | go
Failure Point | go build command during go/build step

Root Cause Analysis 🔍

The code is trying to use the function cryptoutils.ValidatePubKey which is not defined or accessible in the current context. This appears to be caused by a missing import, an API change in a dependency, or a version incompatibility issue. The error occurs in multiple locations within the github.com/sigstore/cosign/v3/pkg/cosign/keys.go file at lines 143, 152, 163, 168, and 173, indicating that the ValidatePubKey function from the cryptoutils package is not available.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: go.mod

  • dependency_update (go.mod dependencies section)
    Original:
Current sigstore/cosign version (likely v3.x)

Replacement:

github.com/sigstore/cosign/v2 v2.2.4

Content:

Update sigstore/cosign dependency to a compatible version

File: Melange YAML pipeline

  • go_mod_replacement (Melange YAML pipeline, after the existing go mod edit command for the archiver replacement)
    Original:
go mod edit -replace=github.com/mholt/archiver/v3=github.com/anchore/archiver/v3@v3.5.2
go get

Replacement:

go mod edit -replace=github.com/mholt/archiver/v3=github.com/anchore/archiver/v3@v3.5.2
go mod edit -replace=github.com/sigstore/cosign/v3=github.com/sigstore/cosign/v2@v2.2.4
go get

Content:

Add go mod edit command to replace cosign with compatible version

Analysis

No similar past fixes were provided, so I cannot identify specific patterns from historical solutions. However, based on the error "undefined: cryptoutils.ValidatePubKey" occurring in github.com/sigstore/cosign/v3/pkg/cosign/keys.go, this appears to be a dependency version compatibility issue. The error suggests that the cryptoutils package API has changed or the function has been moved/renamed in a newer version of the sigstore dependencies.


Explanation

The error indicates that the cryptoutils.ValidatePubKey function is not available in the current version of the sigstore/cosign dependency. This is likely due to API changes between major versions of cosign. The existing Melange YAML already shows a pattern of using go mod edit to replace problematic dependencies (as seen with the archiver replacement). By downgrading from cosign/v3 to cosign/v2 v2.2.4, we align with a more stable API that likely still contains the ValidatePubKey function. The fulcio dependency bump to v1.8.3 should remain compatible with cosign v2.2.4. This approach follows the established pattern in the build file of using specific dependency replacements to resolve compatibility issues.


Alternative Approaches

  • Update the zarf source code to use the new cosign v3 API if cryptoutils.ValidatePubKey has been replaced with a different function
  • Pin to a specific cosign v3 version that still contains the ValidatePubKey function
  • Use a different sigstore client library version that maintains API compatibility
  • Fork and maintain a compatibility layer for the missing function

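A caveat on the suggested go mod edit -replace line, added here as editorial commentary rather than as part of the bot's comment or of zarf: Go's module reference requires that a replacement module's own go.mod declare the same module path as the module it replaces. github.com/sigstore/cosign/v2@v2.2.4 declares itself as .../cosign/v2, so it cannot stand in for .../cosign/v3 and go will reject the directive at load time; the archiver replacement in the same pipeline can only work because the replacement fork keeps the original module path. The following Go program is an added example (not code from the PR, from wolfi-dev or from zarf) that lints the replace directives in a go.mod for exactly that mismatch. The sample go.mod, the Replace type and the functions majorOfPath, parseReplaces, checkReplace and lintGoMod are this example's own constructions.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// sampleGoMod is a constructed go.mod fragment in the shape the suggestion
// above would produce; it is not zarf's real go.mod.
const sampleGoMod = `module example.com/zarf

replace github.com/mholt/archiver/v3 => github.com/anchore/archiver/v3 v3.5.2

replace (
	github.com/sigstore/cosign/v3 => github.com/sigstore/cosign/v2 v2.2.4
)
`

// Replace is one "old => new version" directive.
type Replace struct {
	Old, New, Version string
}

var pathMajor = regexp.MustCompile(`/v([2-9][0-9]*)$`)

// majorOfPath returns the major version a module path commits to ("v2",
// "v3", ...) from its suffix, or "v0/v1" for an unsuffixed path.
func majorOfPath(path string) string {
	if m := pathMajor.FindStringSubmatch(path); m != nil {
		return "v" + m[1]
	}
	return "v0/v1"
}

// parseReplaces extracts replace directives in single-line and block form.
func parseReplaces(goMod string) []Replace {
	var out []Replace
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "replace (" || (inBlock && line == ")") {
			inBlock = line == "replace (" // enter or leave a replace block
			continue
		}
		if !inBlock && !strings.HasPrefix(line, "replace ") {
			continue
		}
		f := strings.Fields(strings.TrimPrefix(line, "replace "))
		arrow := -1 // expect: old [oldversion] => new [newversion]
		for i, tok := range f {
			if tok == "=>" {
				arrow = i
			}
		}
		if arrow < 1 || arrow+1 >= len(f) {
			continue
		}
		r := Replace{Old: f[0], New: f[arrow+1]}
		if arrow+2 < len(f) {
			r.Version = f[arrow+2]
		}
		out = append(out, r)
	}
	return out
}

// checkReplace reports why Go would refuse a directive: the replacement
// module's go.mod must declare the same module path as the path being
// replaced, so the major-version suffix has to agree. A different repository
// works only if it keeps that path, as a fork can.
func checkReplace(r Replace) error {
	if strings.HasPrefix(r.New, "./") || strings.HasPrefix(r.New, "../") {
		return nil // local directory: its go.mod is checked on disk, not here
	}
	if r.Version == "" {
		return fmt.Errorf("%s => %s: a module-path replacement requires a version", r.Old, r.New)
	}
	if want, got := majorOfPath(r.Old), majorOfPath(r.New); want != got {
		return fmt.Errorf("%s => %s %s: replacement is major %s but %s is major %s, "+
			"so its go.mod cannot declare that path and go will refuse it",
			r.Old, r.New, r.Version, got, r.Old, want)
	}
	return nil
}

// lintGoMod runs checkReplace over every directive and collects the failures.
func lintGoMod(goMod string) []error {
	var errs []error
	for _, r := range parseReplaces(goMod) {
		if err := checkReplace(r); err != nil {
			errs = append(errs, err)
		}
	}
	return errs
}

func main() {
	for _, err := range lintGoMod(sampleGoMod) {
		fmt.Println("reject:", err)
	}
}
```

Run against the constructed go.mod, the archiver directive passes and the cosign directive is reported. Even if Go accepted the path swap, the source still imports github.com/sigstore/cosign/v3/... and would need editing, which is the first of the bot's alternative approaches; the check above only catches the directive that cannot load at all.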

octo-sts bot added the ai/skip-comment label (Stop AI from commenting on PR) on Dec 8, 2025
jamie-albert self-requested a review on December 15, 2025 at 16:18
OddBloke self-assigned this on Dec 15, 2025
OddBloke (Member)

jamie-albert (Member) commented

advisory merged
