I'm using Cosign v1.13.6 now and running `cosign verify --key <key> <image url>`, and I get this error when verifying. I found some reviews mentioning that upgrading to the latest version will fix it, but I tried and it didn't work for me; when using Cosign v2.4.1 the error becomes a request for 10.root.json.
Error: no matching signatures:
unable to verify bundle: retrieving rekor public key: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download 8.root.json: Get "https://tuf-repo-cdn.sigstore.dev/8.root.json": EOF
remote status:{
"mirror": "https://tuf-repo-cdn.sigstore.dev",/
"metadata": {}
}
main.go:62: error during command execution: no matching signatures:
unable to verify bundle: retrieving rekor public key: updating local metadata and targets: error updating to TUF remote mirror: tuf: failed to download 8.root.json: Get "https://tuf-repo-cdn.sigstore.dev/8.root.json": EOF
remote status:{
"mirror": "https://tuf-repo-cdn.sigstore.dev",/
"metadata": {}
}
I think there might be some network isolation in my code environment. Is there any flag or env to set so I can bypass this by providing this root.json file from the local side?
I know there is `--insecure-ignore-tlog`, but I don't want to skip this validation.
Thanks!
Does the latest version of Cosign work? Under the hood, the TUF client will attempt to fetch up to one past the latest root, so you might see a 404 error if you're monitoring network logs, but cosign initialize should work.
If you're updating to Cosign v2 from v1, by default, signing events will be recorded to a transparency log if you're using a key or a code signing certificate. If the signing event is not in the log, `--insecure-ignore-tlog` is needed, or the signature needs to be regenerated, or the entry needs to be uploaded to the transparency log separately (via https://docs.sigstore.dev/logging/cli/ for example).
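Added example (not part of the thread and not Cosign's own code): a small Python model of the root walk described in the reply above, showing why a final 404 is the normal end of the walk while the `EOF` in the report means the request never completed. The starting version 7, the published set and the function names are constructed assumptions; signature verification of each root is omitted.

```python
# Added example: models only the version walk of a TUF root update.
# A real client also verifies each new root's signatures; omitted here.

class NotFound(Exception):
    """The mirror answered that this root version does not exist (HTTP 404)."""

class TransportError(Exception):
    """No usable answer arrived: EOF, connection reset, proxy block, timeout."""

def walk_root_chain(trusted_version, fetch, max_updates=32):
    """Request (N+1).root.json repeatedly, starting from trusted version N."""
    version, requested = trusted_version, []
    for _ in range(max_updates):
        name = f"{version + 1}.root.json"
        requested.append(name)
        try:
            fetch(name)
        except NotFound:
            # Expected end of the chain: one request past the latest root.
            return {"status": "up-to-date", "version": version,
                    "requested": requested}
        except TransportError as exc:
            # The chain could not be walked; the trusted root did not advance.
            return {"status": "blocked", "version": version,
                    "requested": requested, "failed_on": name, "error": str(exc)}
        version += 1
    return {"status": "limit-reached", "version": version, "requested": requested}

# Constructed mirrors (hypothetical data, not the real repository contents).
PUBLISHED = {"8.root.json", "9.root.json"}

def reachable_mirror(name):
    if name not in PUBLISHED:
        raise NotFound(name)
    return b"{}"

def isolated_mirror(name):
    raise TransportError("EOF")  # same symptom as in the report above

def diagnose(trusted_version, fetch):
    result = walk_root_chain(trusted_version, fetch)
    if result["status"] == "blocked":
        return f"network problem fetching {result['failed_on']}: {result['error']}"
    if result["status"] == "up-to-date":
        return f"root {result['version']} is current; final 404 was expected"
    return "update limit reached before the end of the root chain"

if __name__ == "__main__":
    print(diagnose(7, reachable_mirror))
    print(diagnose(7, isolated_mirror))
```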