
error during command execution: signing ***: reading key: invalid pem block #4020

Open
DHEEMAN2912 opened this issue Jan 24, 2025 · 0 comments
Labels
question Further information is requested

Comments

@DHEEMAN2912

Hi, I am trying to sign an SBOM using cosign. This is the YAML file; see my code below:

code:

```yaml
parameters:
  - name: sbomFilePath
    type: string
  - name: cosignPassword
    type: string
  - name: cosignKey
    type: string

steps:
  # Install Cosign
  - script: |
      echo "Installing Cosign..."
      curl -sSL -o /usr/local/bin/cosign https://github.com/sigstore/cosign/releases/download/v2.3.0/cosign-linux-amd64
      chmod +x /usr/local/bin/cosign
      cosign version || { echo "Error: Cosign installation failed."; exit 1; }
    displayName: 'Install Cosign'

  # Sign SBOM
  - script: |
      echo "Signing SBOM using Cosign..."

      # Create a temporary directory for the key
      TEMP_DIR=$(mktemp -d)
      KEY_FILE="$TEMP_DIR/cosign.key"

      # Write the key content to the file with proper PEM formatting
      echo "-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----" > "$KEY_FILE"
      echo "$COSIGN_KEY" | sed 's/\n/\n/g' >> "$KEY_FILE"
      echo "-----END ENCRYPTED COSIGN PRIVATE KEY-----" >> "$KEY_FILE"
      chmod 600 "$KEY_FILE"

      # Sign the SBOM
      cosign sign-blob \
        --key "$KEY_FILE" \
        --yes \
        "${{ parameters.sbomFilePath }}" || {
        echo "Error: Cosign signing failed.";
        rm -rf "$TEMP_DIR";
        exit 1;
      }

      # Clean up
      rm -rf "$TEMP_DIR"
      echo "SBOM signing completed successfully."
    displayName: 'Sign SBOM'
    env:
      COSIGN_PASSWORD: ${{ parameters.cosignPassword }}
      COSIGN_KEY: ${{ parameters.cosignKey }}
```

When executing the above code I get the error below:

```text
Starting: Sign SBOM
==============================================================================
Task         : Command line
Description  : Run a command line script using Bash on Linux and macOS and cmd.exe on Windows
Version      : 2.246.1
Author       : Microsoft Corporation
Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/command-line
==============================================================================
Generating script***
========================== Starting Command Output ===========================
/usr/bin/bash --noprofile --norc /home/vsts/work/_temp/833b27c9-7cde-1-99bb-db670aa129bash
Signing SBOM using Cosign***
Using payload from: ***
Error: signing : reading key: invalid pem block
maingo:7***: error during command execution: signing : reading key: invalid pem block
Error: Cosign signing failed

##[error]Bash exited with code '1'***
Finishing: Sign SBOM
```

The private cosign key I am using to sign the SBOM:

```text
-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----
eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjo2NTUzNiwiciI6
OCwicCI6MX0sInNhbHQiOiJ4WU1lWWpIVHgwVG5vVWlkWTEzZHZjc0U5ZHpuakNE
WiswdERRdFNjMHBNPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
Iiwibm9uY2UiOiJDT2ZwVldXTnNrOVVXU2p3a3dRUU5vemtrRXlhZjF6cSJ9LCJj
aXBoZXJ0ZXh0Ijoidk9LUDFxNzhLUHltUTFTbEgrOXV0cmR3d1VpV2hLVWp5TW55
Rk5HVTRSNUVYYVgwNGNKc1M1RG8vb1JWTXlJbVRpV3BMY2J1WFo4blZQZTc0OFdD
WUdLODR3cXRYd1dyS1pERjlBZHNSaGZuYUhRNHhaK1pqckp5RWtsT1hPdWdrb09E
bjFzRk1CbmNYWbk5qN3c9PSJ9
-----END ENCRYPTED SIGSTORE PRIVATE KEY-----
```

Don't worry, I have changed the key.

I am trying to fetch the cosign key from Azure Key Vault.

azure-pipeline.yaml code:

```yaml
variables:
  - group: KeyVaultVariables

pool:
  vmImage: 'ubuntu-latest'

resources:
  repositories:
    - repository: Reusable_pipelines
      type: git
      name: Reusable_pipelines/Reusable_pipelines
      ref: refs/heads/main

stages:
  - stage: DevSecOps_Pipeline_Stage
    jobs:
      - job: devSecOps_pipeline_job
        steps:
          - checkout: self # Checkout the current repository

          # Template references for pipeline steps
          - template: core-templates/Pipeline-Metadata.yaml@Reusable_pipelines

          - template: core-templates/Azure-keyvault-v1.yaml@Reusable_pipelines
            parameters:
              azureSubscription: '$(azureSubscription)'
              keyVaultName: '$(keyVaultName)'
              azureResourceGroup: '$(azureResourceGroup)'
              secretsFilter: '$(secretsFilter)'

          - template: core-templates/SBOM-generation-syft-V1.yaml@Reusable_pipelines
            parameters:
              syftUrl: '$(syftUrl)'

          - template: core-templates/Upload-SBOM-Dependency-Tracker-V1.yaml@Reusable_pipelines
            parameters:
              dtrackAPIKey: '$(dtrackAPIKey)'
              dtrackURI: '$(dtrackURI)'
              thresholdAction: '$(thresholdAction)'
              SbomFileName: '$(SbomFileName)'
              dtrackProjId: '$(dtrackProjId)'

          - template: core-templates/Sign-Sbom-Using-Cosign-v1.yaml@Reusable_pipelines
            parameters:
              sbomFilePath: '$(sbomFilePath)'
              cosignPassword: '$(cosignPassword)'
              cosignKey: '$(cosignKey)'
```

Could someone please help to solve this issue properly? What am I doing wrong here? Please help me, it is urgent.

Thanks in Advance.

@DHEEMAN2912 DHEEMAN2912 added the question Further information is requested label Jan 24, 2025
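The "Sign SBOM" step above writes a second set of `ENCRYPTED COSIGN PRIVATE KEY` headers around a value that, per the key shown in the issue, already carries `ENCRYPTED SIGSTORE PRIVATE KEY` headers, and its `sed 's/\n/\n/g'` replaces nothing (sed never sees a `\n` inside a line, and the replacement equals the pattern). cosign's key loader reports `invalid pem block` whenever Go's `pem.Decode` returns no block at all, which is why the message says nothing about what in the file is wrong. The script below is an added example, not code from the issue or from the cosign project: it materialises the key from the secret, validates the PEM block the way cosign's loader will and names the failing condition, and only then calls `cosign sign-blob`. It assumes the secret reaches the script in one of three shapes (a full PEM with real newlines, a full PEM flattened to one line with literal `\n` sequences, or just the base64 body); how Key Vault actually stored the value is not known from the issue. The function names, the `--check` flag and the sample key material are the example's own; the sample is constructed and is not a real key.

```bash
#!/usr/bin/env bash
# Added example, not code from the issue or from the cosign project.
# Materialise a cosign private key from a pipeline secret, validate the PEM
# block the way cosign's loader will, and only then call cosign sign-blob.
set -euo pipefail

# PEM types cosign's key loader accepts (pkg/cosign/keys.go). Any other type
# fails with "unsupported pem type"; no parsable block at all fails with
# "invalid pem block", which is the error in the issue.
COSIGN_PEM_TYPES='ENCRYPTED SIGSTORE PRIVATE KEY|ENCRYPTED COSIGN PRIVATE KEY'

# write_cosign_key SECRET_VALUE OUT_FILE
# Assumed secret shapes (an assumption, not known from the issue): a full PEM
# with real newlines, a full PEM flattened to one line with literal "\n"
# sequences, or the bare base64 body without any armour.
write_cosign_key() {
  local secret="$1" out="$2" body
  # Literal backslash-n pairs become newlines; CRs from Windows editors go away.
  body=$(printf '%s' "$secret" | sed 's/\\n/\n/g' | tr -d '\r')
  if ! printf '%s\n' "$body" | grep -q -- '-----BEGIN '; then
    # Bare body: add the armour once, never around an already-armoured key.
    body=$(printf -- '-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----\n%s\n-----END ENCRYPTED SIGSTORE PRIVATE KEY-----' "$body")
  fi
  # umask in a subshell: the file is created 0600, no chmod race afterwards.
  ( umask 077; printf '%s\n' "$body" > "$out" )
}

# check_cosign_key KEY_FILE
# Fails with a specific reason where cosign only says "invalid pem block".
# Deliberately strict: exactly one BEGIN/END pair, so a key wrapped in a
# second set of headers (as in the issue's script) is rejected outright.
check_cosign_key() {
  local f="$1" begins ends type body json
  begins=$(grep -c -- '^-----BEGIN ' "$f" || true)
  ends=$(grep -c -- '^-----END ' "$f" || true)
  if [ "$begins" != 1 ] || [ "$ends" != 1 ]; then
    echo "key: expected one BEGIN/END pair, found $begins BEGIN and $ends END lines" >&2
    return 1
  fi
  type=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$f")
  if ! printf '%s\n' "$type" | grep -Eqx -- "$COSIGN_PEM_TYPES"; then
    echo "key: unsupported PEM type '$type'" >&2
    return 1
  fi
  if ! grep -qx -- "-----END $type-----" "$f"; then
    echo "key: END line does not match BEGIN type '$type'" >&2
    return 1
  fi
  # The body must be base64 that decodes (a flattened or mangled secret fails
  # here) and must carry the fields of the sigstore encrypted-key JSON.
  body=$(sed -e '/^-----/d' "$f" | tr -d '\n')
  if ! json=$(printf '%s' "$body" | base64 -d 2>/dev/null); then
    echo "key: body is not valid base64 (newlines lost or characters changed?)" >&2
    return 1
  fi
  case "$json" in
    *'"kdf"'*'"cipher"'*'"ciphertext"'*) ;;
    *) echo "key: decoded body is not a sigstore encrypted key" >&2; return 1 ;;
  esac
}

# sign_sbom SBOM_PATH SECRET_VALUE
# Writes SBOM_PATH.sig and SBOM_PATH.bundle next to the SBOM. cosign reads
# COSIGN_PASSWORD from the environment, so it never appears on a command line.
sign_sbom() {
  local sbom="$1" secret="$2" tmp rc=0
  tmp=$(mktemp -d)
  write_cosign_key "$secret" "$tmp/cosign.key" \
    && check_cosign_key "$tmp/cosign.key" \
    && cosign sign-blob --key "$tmp/cosign.key" --yes \
         --output-signature "$sbom.sig" --bundle "$sbom.bundle" "$sbom" \
    || rc=$?
  rm -rf "$tmp"   # cleanup on every path, success or failure
  return "$rc"
}

# Constructed sample (not a real key): the JSON shape of the sigstore
# encrypted-key format, base64-encoded as `cosign generate-key-pair` writes
# it, then the same value in the two degraded shapes handled above.
SAMPLE_JSON='{"kdf":{"name":"scrypt","params":{"N":65536,"r":8,"p":1},"salt":"c2FsdA=="},"cipher":{"name":"nacl/secretbox","nonce":"bm9uY2U="},"ciphertext":"Y2lwaGVydGV4dA=="}'
SAMPLE_BODY=$(printf '%s' "$SAMPLE_JSON" | base64 | tr -d '\n')
SAMPLE_KEY_PEM=$(printf -- '-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----\n%s\n-----END ENCRYPTED SIGSTORE PRIVATE KEY-----' "$SAMPLE_BODY")
SAMPLE_KEY_FLAT=$(printf '%s' "$SAMPLE_KEY_PEM" | awk '{printf "%s%s", (NR > 1 ? "\\n" : ""), $0}')

if [ "${1:-}" = "--check" ]; then
  # Usage: ./sign-sbom.sh --check   (validates the sample key; needs no cosign)
  t=$(mktemp -d)
  write_cosign_key "$SAMPLE_KEY_FLAT" "$t/k" && check_cosign_key "$t/k" && echo "sample key OK"
  rm -rf "$t"
fi
```

In the pipeline, the "Sign SBOM" script body would reduce to `sign_sbom "${{ parameters.sbomFilePath }}" "$COSIGN_KEY"` with `COSIGN_PASSWORD` and `COSIGN_KEY` still supplied through `env:`. Run the script with `--check` on the agent first: if the sample passes but the real secret fails, the message from `check_cosign_key` says whether the armour, the PEM type or the base64 body is what arrived broken.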