cli/cli

Failed to verify the artifact: failed to fetch attestations for subject

DL6ER opened this issue · 5 comments

DL6ER commented

Describe the bug

We just added attestation building to our workflow to join the beta.

Steps to reproduce the behavior

  1. Added steps to build job as described in the docs (pi-hole/FTL@633b825)
  2. Job built fine and resulted in an attestation as expected: https://github.com/pi-hole/FTL/attestations/793098
  3. Downloading the binary and running gh attestation verify pihole-FTL-amd64 is expected to work, but we get:
     Failed to verify the artifact: failed to fetch attestations for subject: sha256:...
  4. Also tried downloading the JSON from the attestations page above and validating using this file, but the same error occurs.

Expected vs actual behavior

Expect attestation to be validated. The sha256sum of the built and downloaded binaries match:

67e7d2451a29ff3cd21c4a7c489ac4b1d43993f4a69bf9fbe989dda47f24685e  pihole-FTL-amd64

[Screenshot attached: Screenshot from 2024-05-05 15-21-58]

Logs

# gh attestation verify pihole-FTL-amd64 --owner pi-hole
Verifying attestations for the artifact found at file://pihole-FTL-amd64
Failed to verify the artifact: failed to fetch attestations for subject: sha256:67e7d2451a29ff3cd21c4a7c489ac4b1d43993f4a69bf9fbe989dda47f24685e
# gh attestation verify pihole-FTL-amd64 --repo pi-hole/FTL
Verifying attestations for the artifact found at file://pihole-FTL-amd64
Failed to verify the artifact: failed to fetch attestations for subject: sha256:67e7d2451a29ff3cd21c4a7c489ac4b1d43993f4a69bf9fbe989dda47f24685e
gh attestation verify pihole-FTL-amd64 --owner pi-hole --bundle ./pi-hole-FTL-attestation-793098.sigstore.json
Verifying attestations for the artifact found at file://pihole-FTL-amd64
Failed to verify the artifact: failed to fetch attestations for subject: sha256:67e7d2451a29ff3cd21c4a7c489ac4b1d43993f4a69bf9fbe989dda47f24685e

Files for reproduction

I believe this is due to an older version of gh being used. See below for my local attempt:

$ gh attestation verify pihole-FTL-amd64 --owner pi-hole --bundle ./pi-hole-FTL-attestation-793098.sigstore.json
Loaded digest sha256:67e7d2451a29ff3cd21c4a7c489ac4b1d43993f4a69bf9fbe989dda47f24685e for file://pihole-FTL-amd64
Loaded 1 attestation from pi-hole-FTL-attestation-793098.sigstore.json
✓ Verification succeeded!

sha256:67e7d2451a29ff3cd21c4a7c489ac4b1d43993f4a69bf9fbe989dda47f24685e was attested by:
REPO         PREDICATE_TYPE                  WORKFLOW
pi-hole/FTL  https://slsa.dev/provenance/v1  .github/workflows/build.yml@refs/heads/new/artifact_attestations
$ gh version
gh version 2.49.0 (2024-04-30)
https://github.com/cli/cli/releases/tag/v2.49.0
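The "failed to fetch attestations for subject" error above is raised before any signature is checked: gh first computes the artifact's sha256 digest and looks for an attestation whose in-toto subject carries that same digest. The script below is an added example (not code from gh or from the pi-hole project) that performs that binding step offline on a constructed Sigstore bundle, so a reporter can confirm the local binary's digest really appears as a subject in the downloaded .sigstore.json before suspecting the CLI. It also parses `gh version` output and compares it against 2.49.0, the version shown succeeding in this thread; treating 2.49.0 as the minimum is an assumption drawn from this report, not a documented requirement. The bundle contents, the artifact bytes and the signature placeholder are all constructed; the script does not verify signatures or certificates, which is the part gh does against the Sigstore trust root.

```python
import base64
import hashlib
import json
import re
from typing import Optional

# Constructed stand-in for the downloaded binary (not the real pihole-FTL-amd64).
ARTIFACT_BYTES = b"constructed stand-in for the pihole-FTL-amd64 binary\n"
ARTIFACT_DIGEST = hashlib.sha256(ARTIFACT_BYTES).hexdigest()

# Constructed in-toto statement and Sigstore bundle: only the fields needed to
# bind an attestation to its subject are present; the signature is a placeholder.
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pihole-FTL-amd64", "digest": {"sha256": ARTIFACT_DIGEST}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {},
}
SAMPLE_BUNDLE = {
    "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.2",
    "verificationMaterial": {},
    "dsseEnvelope": {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
        "signatures": [{"sig": "constructed-placeholder"}],
    },
}


def sha256_hex(data: bytes) -> str:
    """Digest of the artifact, as gh prints it after 'sha256:'."""
    return hashlib.sha256(data).hexdigest()


def decode_statement(bundle: dict) -> dict:
    """Unwrap the DSSE envelope and return the in-toto statement it carries."""
    env = bundle["dsseEnvelope"]
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    return json.loads(base64.b64decode(env["payload"]))


def find_subject(bundle: dict, digest_hex: str) -> Optional[dict]:
    """Return the subject entry whose sha256 matches digest_hex, or None.

    None corresponds to the situation where a verifier has nothing to fetch
    for this subject: the bundle simply does not attest this artifact.
    """
    stmt = decode_statement(bundle)
    for subj in stmt.get("subject", []):
        if subj.get("digest", {}).get("sha256", "").lower() == digest_hex.lower():
            return {"name": subj.get("name"), "predicateType": stmt.get("predicateType")}
    return None


def parse_gh_version(output: str) -> tuple:
    """Parse the first line of `gh version` output into a (major, minor, patch) tuple."""
    m = re.search(r"gh version (\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("could not find a gh version string")
    return tuple(int(x) for x in m.groups())


def gh_is_at_least(output: str, minimum: tuple = (2, 49, 0)) -> bool:
    """Assumption: 2.49.0 is taken as the minimum because it is the version shown working."""
    return parse_gh_version(output) >= minimum


if __name__ == "__main__":
    digest = sha256_hex(ARTIFACT_BYTES)
    match = find_subject(SAMPLE_BUNDLE, digest)
    print(f"sha256:{digest} attested: {match}")
    print("gh recent enough:", gh_is_at_least("gh version 2.49.0 (2024-04-30)"))
```

If find_subject returns None for a real bundle, the downloaded file and the attested build output differ (or the wrong bundle was downloaded), and no CLI upgrade will help; if it returns a match and gh still reports the fetch failure, the CLI version is the next thing to check, as this thread concludes.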

DL6ER commented

Good to know. I've been trying with github-cli@community on alpine which promised to be (more) recent. I'll soon retest with a more recent version...