Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

deps: bump go-tuf to main to avoid excessive logging #701

Merged
merged 1 commit into from
Sep 21, 2022
Merged

deps: bump go-tuf to main to avoid excessive logging #701

merged 1 commit into from
Sep 21, 2022

Conversation

asraa
Copy link
Contributor

@asraa asraa commented Sep 20, 2022

Signed-off-by: Asra Ali [email protected]

Summary

Release Note

Documentation

@asraa
Copy link
Contributor Author

asraa commented Sep 20, 2022

@bobcallaway @cpanato @haydentherapper @dlorenc
If this PR is merged we can update cosign to remove the tuf logging

@asraa
Copy link
Contributor Author

asraa commented Sep 20, 2022

wow, we are still on go 1.17 here. bumping that too

cpanato
cpanato reviewed Sep 20, 2022
View reviewed changes
go.mod Outdated Show resolved Hide resolved
@asraa
deps: bump go-tuf to main to avoid excessive logging
f13baec 
Signed-off-by: Asra Ali <[email protected]>

bump go

Signed-off-by: Asra Ali <[email protected]>

go 1.19

Signed-off-by: Asra Ali <[email protected]>

revert

Signed-off-by: Asra Ali <[email protected]>
@cpanato cpanato merged commit 959c4c6 into sigstore:main Sep 21, 2022
@asraa asraa mentioned this pull request Sep 21, 2022
Closed
@cpanato cpanato mentioned this pull request Sep 24, 2022
Closed
@stefanprodan
Copy link

Is this supposed to be included in cosign 1.12.1? I see no changes in the output after upgrading to 1.12.1:

$ COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/fluxcd/flux-manifests
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys
tuf: warning using deprecated ecdsa hex-encoded keys

Verification for ghcr.io/fluxcd/flux-manifests:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.

[{"critical":{"identity":{"docker-reference":"ghcr.io/fluxcd/flux-manifests"},"image":{"docker-manifest-digest":"sha256:691e76e2eeeaec2b215fe871899611da4a36daec6d1e68db427710369dd97224"},"type":"cosign container image signature"},"optional":{"1.3.6.1.4.1.57264.1.2":"workflow_dispatch","1.3.6.1.4.1.57264.1.3":"90f0d81532f6ea76c30974267956c7eaee5c1dea","1.3.6.1.4.1.57264.1.4":"release-manifests","1.3.6.1.4.1.57264.1.5":"fluxcd/flux2","1.3.6.1.4.1.57264.1.6":"refs/heads/main","Bundle":{"SignedEntryTimestamp":"MEUCIQDn4e++zyVQ+A30sVG/bT+I25r0s3HKe1Qc9sOYKZ1/NwIgE/uKz5RfSJUVhHJeZ2nWa/iu5mGeVAqHDJEQ2ihtXZM=","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJkYTlkNmUwNjUzMDBiMGE5MWZkZDFjNjA1YjJiZjhkYTU4MzkxNDkzNjQ3ODdjNDMyYWI5OWE0NzYwN2MxYzMxIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FWUNJUUMyUXVMTUR0dUtTV2xUTzVKTjkvd1E1NWUwNWhxZzduQ1JQL2VuK0xxaUV3SWhBSXpkWEpYTS9wVkpqYkkxVEV4VitoUDRDQmQ2bDU1YzBXZUw2ZVhMUTBrVCIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVUndla05EUVhreVowRjNTVUpCWjBsVlUwMUJMMm93Y21ReFUxa3hWblZZYWxNMmFHUmFXRzVoZGtwM2QwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcEpkMDlVUlhsTlZGVjNUVlJWTWxkb1kwNU5ha2wzVDFSRmVVMVVWWGhOVkZVeVYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVY2TlZkNVJXRkxNRGhoTTJKQ0sxWnFPVGsyVWpSblRUbDBMMFJyYkV4SllrODFSa1lLV0VsdVNFazFXVTAyUzBSeU0wUlVVSEYwYW14blprcG1iM2M0YVhCck5HWnpOR2hxZUd4QlFUSmhhMFV5ZGpoRVduRlBRMEZyZDNkblowcEpUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZ2YzBZekNucG5RM0ZvVkZkb2JtaFRPRzFJUjNWclVUUkVOVk13ZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDFwUldVUldVakJTUVZGSUwwSkdjM2RYV1ZwWVlVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVERKYWMyUllhR3BhUXpsdFlraFdOQXBOYVRoMVdqSnNNR0ZJVm1sTU0yUjJZMjEwYldKSE9UTmplVGw1V2xkNGJGbFlUbXhNVnpGb1ltMXNiVnBZVGpCamVUVTFZbGQ0UVdOdFZtMWplVGx2Q2xwWFJtdGplVGwwV1Zkc2RVMUVhMGREYVhOSFFWRlJRbWMzT0hkQlVVVkZTekpvTUdSSVFucFBhVGgyWkVjNWNscFhOSFZaVjA0d1lWYzVkV041Tlc0S1lWaFNiMlJYU2pGak1sWjVXVEk1ZFdSSFZuVmtRelZxWWpJd2QwaDNXVXRMZDFsQ1FrRkhSSFo2UVVKQloxRlNaREk1ZVdFeVduTmlNMlJtV2tkc2VncGpSMFl3V1RKbmQwNW5XVXRMZDFsQ1FrRkhSSFo2UVVKQmQxRnZUMVJDYlUxSFVUUk5WRlY2VFcxWk1scFhSVE5PYlUxNlRVUnJNMDVFU1RKT2Vtc3hDazV0VFROYVYwWnNXbFJXYWsxWFVteFpWRUZtUW1kdmNrSm5SVVZCV1U4dlRVRkZSVUpDUm5sYVYzaHNXVmhPYkV4WE1XaGliV3h0V2xoT01HTjZRV0VLUW1kdmNrSm5SVVZCV1U4dlRVRkZSa0pCZUcxaVNGWTBXVEpSZGxwdGVERmxSRWwzU0ZGWlMwdDNXVUpDUVVkRWRucEJRa0puVVZCamJWWnRZM2s1YndwYVYwWnJZM2s1ZEZsWGJIVk5TVWRLUW1kdmNrSm5SVVZCWkZvMVFXZFJRMEpJYzBWbFVVSXpRVWhWUVVOSFExTTRRMmhUTHpKb1JqQmtSbkpLTkZOakNsSlhZMWx5UWxrNWQzcHFVMkpsWVRoSloxa3lZak5KUVVGQlIwUk5hbWxxY25kQlFVSkJUVUZTYWtKRlFXbENaVmhXYW1WRk9DOUhRa1ZwWTNoSGRFUUtOWGx2Tms5Tk1uaEpLMkZOZG1oWWEzb3ZPVU5ZYVROa05uZEpaMkZSTDA1cmVuUmhhRmhXTjAxc2RXSjNZbEJWVWt4RWFEUXhOREpFV1ZOaWRUWTRNQXBhWVRGMVlTOTNkME5uV1VsTGIxcEplbW93UlVGM1RVUmhRVUYzV2xGSmQySk5TMHh2WjJ0V1oxUlpaMVpDT0hkWFdXaFpkbTU0Vm5CS1ZGZGFkRTluQ2xBM2IwYzBRVWN3YjFKc1NXZERTWEJwTTJweGRHUnNSbUpyVnpBcmFGZzFRV3BGUVd4aFkxTkZZbHBFYzJoV1JHVkxSQ3RuVld3dmExbzRkMjVWYTJVS2NrZ3lXazFGT0dwWk4wNVllbW95S3pWa2VsSlVSbFZGWjNoeVFuSlJlWFl2V2xsbUNpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyJ9fX19","integratedTime":1662994917,"logIndex":3472719,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"Issuer":"https://token.actions.githubusercontent.com","Subject":"https://github.com/fluxcd/flux2/.github/workflows/release-manifests.yml@refs/heads/main"}}]

@asraa
Copy link
Contributor Author

asraa commented Sep 26, 2022

Is this supposed to be included in cosign 1.12.1? I see no changes in the output after upgrading to 1.12.1:

It should be at main, unfortunately, the 1.12.1 cosign update didn't get the sigstore/sigstore bump here: sigstore/cosign#2271

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cpanato cpanato cpanato approved these changes

@dlorenc dlorenc dlorenc approved these changes

@haydentherapper haydentherapper haydentherapper left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@asraa @stefanprodan @dlorenc @cpanato @haydentherapper