sigstore/k8s-manifest-sigstore

Keyless signing does not provide input prompt in device mode

Closed this issue · 2 comments

Description

I am trying to use the keyless signing flow for signing a YAML file, and the command exits without providing a prompt to input the code:

I am using a Windows / WSL2 environment and tried both Windows and Linux:

On Ubuntu:

❯ kubectl-sigstore sign -f ~/kyverno.yaml

INFO[0001] Using payload from: /tmp/kubectl-sigstore-temp-dir2575530188/tmp-blob-file
Generating ephemeral keys...
Retrieving signed certificate...
error opening browser: exec: "xdg-open": executable file not found in $PATH
Go to the following link in a browser:

         https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=HVOHq8qZZUA3gcaeJbmhaWt-UTuLUOI_g6zd_ASzr7c&code_challenge_method=S256&nonce=21Zmm4YNIusln2axEqbJC8Xnroo&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&scope=openid+email&state=21Zmm4hHlnSDYzg8uqvNFQUSJyd
Enter verification code:
FATA[0001] error occurred during signing: failed to sign the specified content: failed to sign a blob file: cosign.SignBlobCmd() returned an error: getting key from Fulcio: retrieving cert: oauth2: cannot fetch token: 400 Bad Request
Response: {"error":"invalid_request","error_description":"Required param: code."}

On Windows:

λ kubectl-sigstore sign -f C:\tmp\kyverno\kyverno.yaml
time="2021-11-27T18:11:19-08:00" level=info msg="Enter the verification code WNDB-WQTN in your browser at: https://oauth2.sigstore.dev/auth/device?user_code=WNDB-WQTN\nCode will be valid for 300 seconds\nUsing payload from: C:\\Users\\jim\\AppData\\Local\\Temp\\kubectl-sigstore-temp-dir635928500\\tmp-blob-file\nGenerating ephemeral keys...\nRetrieving signed certificate...\nNon-interactive mode detected, using device flow.\n"
time="2021-11-27T18:11:19-08:00" level=fatal msg="error occurred during signing: failed to sign the specified content: failed to sign a blob file: cosign.SignBlobCmd() returned an error: getting key from Fulcio: retrieving cert: error obtaining token: expired_token"
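The Windows log above shows the RFC 8628 device authorization grant in use ("Non-interactive mode detected, using device flow."): the client prints a user code, and is then expected to keep polling the token endpoint, sleeping between polls, until the user approves the request in a browser or the code expires. An `expired_token` response immediately after the code is printed is what the flow returns when the client stops waiting too early or the code's lifetime has already passed. The following is an added example, not kubectl-sigstore's or cosign's code, of such a polling loop in Go, exercised against a constructed in-process fake token endpoint built with `httptest`; the endpoint URL, device code and token values are placeholders, and the `client_id` value `sigstore` is taken from the authorization URL in the Ubuntu log.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// tokenResponse is the subset of the RFC 8628 token response this example reads.
type tokenResponse struct {
	AccessToken string `json:"access_token,omitempty"`
	IDToken     string `json:"id_token,omitempty"`
	Error       string `json:"error,omitempty"`
}

// Terminal outcomes surfaced to the caller.
var (
	ErrExpired = errors.New("device code expired before the user approved it")
	ErrDenied  = errors.New("user denied the authorization request")
)

// pollDeviceToken polls tokenURL with the device code until the server returns
// a token, a terminal error, or the code's lifetime (expiresIn) has elapsed.
// Assumed parameters: interval and expiresIn come from the device authorization
// response in a real flow; here the caller supplies them.
func pollDeviceToken(client *http.Client, tokenURL, deviceCode string, interval, expiresIn time.Duration) (*tokenResponse, error) {
	deadline := time.Now().Add(expiresIn)
	for time.Now().Before(deadline) {
		form := url.Values{
			"grant_type":  {"urn:ietf:params:oauth:grant-type:device_code"},
			"device_code": {deviceCode},
			"client_id":   {"sigstore"}, // value as seen in the issue's auth URL
		}
		resp, err := client.PostForm(tokenURL, form)
		if err != nil {
			return nil, err
		}
		var tr tokenResponse
		decodeErr := json.NewDecoder(resp.Body).Decode(&tr)
		resp.Body.Close()
		if decodeErr != nil {
			return nil, decodeErr
		}
		switch tr.Error {
		case "":
			return &tr, nil // approved: token issued
		case "authorization_pending":
			// The user has not finished in the browser yet; wait and retry.
		case "slow_down":
			interval += 5 * time.Second // RFC 8628 section 3.5: back off by 5s
		case "expired_token":
			return nil, ErrExpired
		case "access_denied":
			return nil, ErrDenied
		default:
			return nil, fmt.Errorf("token endpoint error: %s", tr.Error)
		}
		time.Sleep(interval)
	}
	return nil, ErrExpired
}

// newFakeTokenServer is a constructed stand-in for the token endpoint: it answers
// authorization_pending for the first pendingPolls requests and then either
// returns finalError (if non-empty) or a placeholder token.
func newFakeTokenServer(pendingPolls int, finalError string) *httptest.Server {
	calls := 0
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		calls++
		if calls <= pendingPolls {
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(tokenResponse{Error: "authorization_pending"})
			return
		}
		if finalError != "" {
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(tokenResponse{Error: finalError})
			return
		}
		json.NewEncoder(w).Encode(tokenResponse{AccessToken: "constructed-access-token", IDToken: "constructed-id-token"})
	}))
}

// RunExample drives the poller against the fake server and returns the ID token.
func RunExample(pendingPolls int, finalError string) (string, error) {
	srv := newFakeTokenServer(pendingPolls, finalError)
	defer srv.Close()
	tr, err := pollDeviceToken(srv.Client(), srv.URL, "constructed-device-code", 10*time.Millisecond, 2*time.Second)
	if err != nil {
		return "", err
	}
	return tr.IDToken, nil
}

func main() {
	idToken, err := RunExample(3, "")
	fmt.Println("approved after pending polls:", idToken, err)
	_, err = RunExample(0, "expired_token")
	fmt.Println("expired code:", err)
}
```

The point of the loop is that `authorization_pending` is not a failure: the client must stay alive and keep polling at the server-specified interval until the user has entered the code, which is exactly the waiting the failing CLI run never performs.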

Hi @JimBugwadia, thank you very much for reporting this issue!
I have confirmed it can be reproduced on my Windows PC. Let me check this in detail.

I could confirm that the fix in PR #55 worked on my WSL2 and I could correctly sign a sample file in a keyless signing mode.

I also confirmed that an error occurs when we use cosign signing on Windows in keyless & blob signing mode (I used MSYS2 on Windows). Let us handle this as another issue in cosign.