sigstore/cosign

`cosign verify-attestation` hangs indefinitely in GitHub Actions

AliSajid opened this issue · 17 comments

Description

I have a GitHub Action that builds and signs an image and pushes it to GHCR and DockerHub. I verify the signatures in the same action. The verification for the image happens instantly, but on the Verify-Attestation for the SBOM it hangs until it times out in six hours. I can verify that the attestation is pushed to the container registries, and I can verify that locally on my Mac (M2) painlessly.

I'm using syft for SBOM generation and right now using a practically empty Dockerfile.

Version

cosign: v2.2.3
syft: v1.0.1

These are the logs from an example run.
logs_21813240831.zip

The workflow is here: https://github.com/AliSajid/aaprop/blob/next/.github/workflows/build_container.yaml
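An added example, not code from this issue or from the cosign project: a small POSIX shell wrapper that runs the same kind of keyless `cosign verify-attestation` call under a hard deadline, so a hang fails the job in minutes rather than consuming the runner's six-hour limit, and maps the exit status to something a CI step can act on. The image reference, workflow identity regexp and 300-second deadline are placeholders, and the wrapper assumes coreutils `timeout` is available (it is on the GitHub-hosted Linux runners). The `--type`, `--certificate-identity-regexp` and `--certificate-oidc-issuer` flags are real cosign v2 flags; nothing else about the failing run is assumed.

```shell
#!/bin/sh
# Added example (not from the issue or from cosign): bound a cosign
# verify-attestation call with a deadline so a hang fails fast.
# Requires coreutils `timeout`.

# verify_with_deadline SECONDS CMD [ARGS...]
# Exit status: 0 = command succeeded, 124 = deadline hit (timeout's own
# convention), anything else = the command's own failure (bad signature,
# registry or Rekor error, ...).
verify_with_deadline() {
  deadline="$1"; shift
  timeout "$deadline" "$@"
}

# Map an exit status to a short label for logs or a follow-up step.
classify_exit() {
  case "$1" in
    0)   echo verified ;;
    124) echo deadline ;;
    *)   echo failed ;;
  esac
}

# Placeholders (assumptions, not values from the issue): substitute your own
# image reference and the identity of the workflow that signed it.
IMAGE="ghcr.io/example/app:v1.0.0"
IDENTITY_RE='^https://github.com/example/app/\.github/workflows/build_container\.yaml@refs/'
ISSUER="https://token.actions.githubusercontent.com"

# Demo: keyless verification of an SPDX JSON SBOM attestation, pinned to the
# signing workflow's certificate identity, with a five-minute ceiling.
# Only runs when cosign is installed, so the script is safe to source elsewhere.
if command -v cosign >/dev/null 2>&1; then
  rc=0
  verify_with_deadline 300 cosign verify-attestation \
    --type spdxjson \
    --certificate-identity-regexp "$IDENTITY_RE" \
    --certificate-oidc-issuer "$ISSUER" \
    "$IMAGE" >/dev/null || rc=$?
  echo "result: $(classify_exit "$rc")"
fi
```

In a workflow the equivalent guard is `timeout-minutes:` on the verification step; the wrapper is useful when the same script is run outside Actions, and the distinct `deadline` label separates a hang (worth a retry or a bug report) from a genuine verification failure (never retry, fail the build).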

This sounds like a one-off GHA failure, is it still occurring?

This has been consistently occurring over the past ~3 days. Sometimes it succeeds, but with an inordinately long time. An example of a very long run before success is here.

I have one action run happening right now which is going through the same process.