Tags: digital-signature, cosign-api

Cosign giving error signing ECR images. Keyless signing with github repo certificate using git_ref


I am getting the below error when signing images using cosign. It used to work, but it seems it is not working anymore. I use keyless mode to sign these images, and from the error it looks like the private/public key used by Fulcio is failing to be used now.

getting signer: getting key from Fulcio: getting CTFE public keys: updating local metadata and targets: error updating to TUF remote mirror: invalid key
remote status:{
    "mirror": "https://sigstore-tuf-root.storage.googleapis.com",
    "metadata": {
        "root.json": {
            "version": 9,
            "len": 6766,
            "expiration": "12 Sep 24 06:53 UTC",
            "error": ""
        },
        "snapshot.json": {
            "version": 132,
            "len": 2302,
            "expiration": "09 Apr 24 16:16 UTC",
            "error": ""
        },
        "targets.json": {
            "version": 9,
            "len": 5478,
            "expiration": "12 Sep 24 06:13 UTC",
            "error": ""
        },
        "timestamp.json": {
            "version": 169,
            "len": 723,
            "expiration": "26 Mar 24 16:16 UTC",
            "error": ""
        }
    }
}
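The "remote status" block that cosign prints alongside the error carries an expiration time for each cached TUF role, which is the first thing to check before refreshing the local trust root. The script below is an added example, not code from the question or from the cosign project: it parses that block (embedded here as constructed sample text copied from the output above), reports which roles have expired relative to a reference time, and returns a simple triage verdict. The verdict strings are a heuristic of this example; the only cosign command it refers to is `cosign initialize`, which refreshes the local TUF metadata from the mirror.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the "remote status" block as cosign printed it in the error above.
STATUS_TEXT = """remote status:{
    "mirror": "https://sigstore-tuf-root.storage.googleapis.com",
    "metadata": {
        "root.json":      {"version": 9,   "len": 6766, "expiration": "12 Sep 24 06:53 UTC", "error": ""},
        "snapshot.json":  {"version": 132, "len": 2302, "expiration": "09 Apr 24 16:16 UTC", "error": ""},
        "targets.json":   {"version": 9,   "len": 5478, "expiration": "12 Sep 24 06:13 UTC", "error": ""},
        "timestamp.json": {"version": 169, "len": 723,  "expiration": "26 Mar 24 16:16 UTC", "error": ""}
    }
}"""

# Layout of the expiration field in the status dump (day, abbreviated month, two-digit year, HH:MM UTC).
EXPIRY_FORMAT = "%d %b %y %H:%M UTC"


def parse_status(text):
    """Extract and decode the JSON object that follows 'remote status:' in cosign's output."""
    start = text.index("{", text.index("remote status:"))
    return json.loads(text[start:])


def parse_expiration(value):
    """Turn cosign's expiration string into a timezone-aware UTC datetime."""
    return datetime.strptime(value, EXPIRY_FORMAT).replace(tzinfo=timezone.utc)


def expired_roles(status, now):
    """Return the TUF roles whose cached metadata is expired at time `now` (sorted by name)."""
    return sorted(
        role for role, meta in status["metadata"].items()
        if parse_expiration(meta["expiration"]) <= now
    )


def diagnose(text, now_iso):
    """Triage a status dump at the ISO-8601 instant `now_iso`, e.g. '2024-04-15T00:00:00+00:00'."""
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    status = parse_status(text)
    expired = expired_roles(status, now)
    # Per-role errors reported by cosign itself (all empty in the question's dump).
    errors = {role: meta["error"] for role, meta in status["metadata"].items() if meta["error"]}
    if "root.json" in expired:
        # Heuristic of this example: an expired root cannot verify anything newer.
        verdict = "root expired: re-establish trust with `cosign initialize`"
    elif expired:
        # Timestamp/snapshot expire first by design; the client must fetch fresh copies.
        verdict = "stale cache: refresh timestamp/snapshot from the mirror (`cosign initialize`)"
    else:
        verdict = "metadata current: look at network, mirror reachability or the cosign version"
    return {"mirror": status["mirror"], "expired": expired, "errors": errors, "verdict": verdict}


if __name__ == "__main__":
    # The question's build ran after timestamp.json expired; simulate a run in mid-April 2024.
    print(json.dumps(diagnose(STATUS_TEXT, "2024-04-15T00:00:00+00:00"), indent=2))
```

Run against the dump above with an April 2024 reference time, the script flags `timestamp.json` and `snapshot.json` as expired while `root.json` and `targets.json` are still valid, so the cache needs a refresh rather than a new root; whether the refresh then succeeds also depends on running a cosign release that understands the mirror's current metadata, which is what the install step in the answer below ensures.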

Solution

  • It's always best to refer to the Cosign GH page; I usually refer to this one: https://github.com/sigstore/cosign-installer

    You may also find the sample workflow there.

    jobs:
      example:
        runs-on: ubuntu-latest
    
        permissions: {}
    
        name: Install Cosign
        steps:
          - name: Install Cosign
            uses: sigstore/[email protected]
          - name: Check install!
            run: cosign version