`cosign verify-attestation` hangs indefinitely in GitHub Actions
AliSajid opened this issue · 17 comments
Description
I have a GitHub Action that builds and signs an image and pushes it to GHCR and DockerHub. I verify the signatures in the same action. The verification for the image happens instantly, but on the Verify-Attestation for the SBOM, it hangs until it times out in six hours. I can verify that the attestation is pushed to the container registries and I can verify that locally on my Mac (M2) painlessly.
I'm using syft for SBOM generation and right now using a practically empty Dockerfile.
Version
cosign: v2.2.3
syft: v1.0.1
These are the logs from an example run.
logs_21813240831.zip
The workflow is here: https://github.com/AliSajid/aaprop/blob/next/.github/workflows/build_container.yaml
This sounds like a one-off GHA failure, is it still occurring?