use panic-free logic #17

Closed

Dentrax commented Jun 13, 2022

Signed-off-by: Furkan [email protected]

Related issue: #16 (This is not a fix PR)

Bump cosign to use panic free fulcio during getting root certs: sigstore/cosign#1965

PTAL @developer-guy

Summary

Ticket Link

Fixes

Release Note

* Bump cosign to v1.9.1
* Use panic-free logic
* Get root certs during initialization

Signed-off-by: Furkan <[email protected]>

Dentrax commented Jun 17, 2022

No idea why pipeline throws the following error:

verifying github.com/docker/[email protected]+incompatible: checksum mismatch
	downloaded: h1:l9EaZDICImO1ngI+uTifW+ZYvvz7fKISBAKpg+MbWbY=
	go.sum:     h1:u9vuu6qqG7nN9a735Noed0ahoUm30iipVRlhgh72N0M=


mathieu-benoit commented Feb 5, 2023

Getting this error indeed:
k apply -f policy/examples/error.yaml:

Error from server (Forbidden): error when creating "policy/examples/error.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [cosign-gatekeeper-provider] invalid response: {"errors": null, "responses": null, "status_code": 500, "system_error": "failed to send external data request: Post \"http://cosign-gatekeeper-provider.cosign-gatekeeper-provider:8090/validate\": EOF"}

k logs pod/cosign-gatekeeper-provider-585fdcbb74-64w22 -n cosign-gatekeeper-provider:

starting server...
verify signature for: devopps/alpine:notsigned
2023/02/05 21:22:50 http: panic serving 10.84.1.8:49576: creating root cert pool: retrieving trusted root; local cache may be corrupt: initializing root client: tuf: failed to decode root.json: encoding/hex: invalid byte: U+002D '-'
goroutine 19 [running]:
net/http.(*conn).serve.func1()
        /usr/local/go/src/net/http/server.go:1801 +0xb9
panic({0x1b9fa40, 0xc000cd6120})
        /usr/local/go/src/runtime/panic.go:1047 +0x266
github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots.initRoots()
        /go/pkg/mod/github.com/sigstore/[email protected]/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go:67 +0x235
github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots.Get.func1()
        /go/pkg/mod/github.com/sigstore/[email protected]/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go:45 +0x17
sync.(*Once).doSlow(0xc0005e0420, 0x18)
        /usr/local/go/src/sync/once.go:68 +0xd2
sync.(*Once).Do(...)
        /usr/local/go/src/sync/once.go:59
github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots.Get()
        /go/pkg/mod/github.com/sigstore/[email protected]/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go:44 +0x31
github.com/sigstore/cosign/cmd/cosign/cli/fulcio.GetRoots(...)
        /go/pkg/mod/github.com/sigstore/[email protected]/cmd/cosign/cli/fulcio/fulcio.go:197
main.validate({0x218ee50, 0xc00063a2a0}, 0xc0000d2700)
        /go/src/github.com/developer-guy/cosign-gatekeeper-provider/provider.go:72 +0x408
net/http.HandlerFunc.ServeHTTP(0x7f06a1473d18, {0x218ee50, 0xc00063a2a0}, 0xc00063a2a0)
        /usr/local/go/src/net/http/server.go:2046 +0x2f
net/http.(*ServeMux).ServeHTTP(0x0, {0x218ee50, 0xc00063a2a0}, 0xc0000d2700)
        /usr/local/go/src/net/http/server.go:2424 +0x149
net/http.serverHandler.ServeHTTP({0x2182d08}, {0x218ee50, 0xc00063a2a0}, 0xc0000d2700)
        /usr/local/go/src/net/http/server.go:2878 +0x43b
net/http.(*conn).serve(0xc0002a2140, {0x2199b40, 0xc00068b8f0})
        /usr/local/go/src/net/http/server.go:1929 +0xb08
created by net/http.(*Server).Serve
        /usr/local/go/src/net/http/server.go:3033 +0x4e8

Out of curiosity @Dentrax @developer-guy, any update on this PR?
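
Added example (not from this thread or from the provider's code): the trace above shows the root-cert fetch panicking inside the `/validate` handler, which the caller sees as `EOF`. This sketch fetches the roots once at initialization and carries the failure as an error value; `rootLoader`, `newValidateHandler`, `probe`, both loaders and the JSON body shape are hypothetical.

```go
package main

import (
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// rootLoader is a hypothetical stand-in for whatever builds the Fulcio root pool.
type rootLoader func() (*x509.CertPool, error)

// brokenLoader is a constructed failure mirroring the corrupt-cache error in the log above.
func brokenLoader() (*x509.CertPool, error) { return nil, errors.New("tuf: failed to decode root.json") }

// emptyLoader is a constructed success case (an empty pool, no real roots).
func emptyLoader() (*x509.CertPool, error) { return x509.NewCertPool(), nil }

// newValidateHandler fetches roots once, at initialization, and keeps the error as a value.
func newValidateHandler(load rootLoader) (http.Handler, error) {
	roots, err := load()
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if err != nil {
			// Fail closed with an explicit reason; the caller gets a body, not an EOF.
			w.WriteHeader(http.StatusInternalServerError)
			json.NewEncoder(w).Encode(map[string]string{"error": "root certs unavailable: " + err.Error()})
			return
		}
		_ = roots // signature verification against roots would happen here
		json.NewEncoder(w).Encode(map[string]string{"error": ""})
	})
	return h, err
}

// probe sends one constructed request to the handler and returns status and body.
func probe(h http.Handler) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/validate", nil))
	return rec.Code, rec.Body.String()
}

func main() {
	h, err := newValidateHandler(brokenLoader)
	fmt.Println("startup error:", err) // a real server could refuse to start here
	fmt.Println(probe(h))
}
```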


Dentrax commented Feb 9, 2023

> any update on this PR?

I almost forgot this one. 🙈 So no updates. Do you want to take it over? Let's merge yours #26. Have dropped some reviews.

Dentrax closed this Feb 9, 2023