tektoncd/operator

what is Rekor UUID?

willzhang opened this issue · 2 comments

release page: https://github.com/tektoncd/operator/releases


root@ubuntu:~# cat test.sh 
RELEASE_FILE=https://storage.googleapis.com/tekton-releases/operator/previous/v0.69.1/release.yaml
REKOR_UUID=

# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.69.1@sha256:" + .digest.sha256')

# Download the release file
curl "$RELEASE_FILE" > release.yaml

# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
  printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done
root@ubuntu:~# 
root@ubuntu:~# 
root@ubuntu:~# bash test.sh 
Error: invalid argument "" for "--uuid" flag: ID len error, expected 80 (EntryID) or 64 (UUID) but got len 0 for ID 
Usage:
  rekor-cli get [flags]

Flags:
  -h, --help                 help for get
      --log-index logIndex   the index of the entry in the transparency log
      --uuid uuid            UUID of entry in transparency log (if known)

Global Flags:
      --config string      config file (default is $HOME/.rekor.yaml)
      --format format      Command output format (default default)
      --rekor_server url   Server address:port (default https://rekor.sigstore.dev)
      --retry uint         Number of times to retry HTTP requests (default 3)
      --store_tree_state   whether to store tree state in between invocations for additional verification (default true)
      --timeout format     HTTP timeout (default 30s)

invalid argument "" for "--uuid" flag: ID len error, expected 80 (EntryID) or 64 (UUID) but got len 0 for ID 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 26922  100 26922    0     0   198k      0 --:--:-- --:--:-- --:--:--  199k
root@ubuntu:~# 
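
The failure above is rekor-cli rejecting an empty `--uuid` before anything is fetched, so the attestation lookup never runs and the script falls through to the `curl` download. As an added example (not code from this issue or from the tektoncd release tooling), the Python below reproduces the two pieces of logic in test.sh offline: checking the Rekor identifier against the shape rekor-cli's error message describes (64 hex characters for a UUID, 80 for an EntryID) before any network call, and the jq/grep matching of attestation subjects against release.yaml. The attestation statement, image names, digests and release.yaml fragment are constructed sample data; the identifier regex is an assumption derived from the error text, not rekor-cli's own validation code.

```python
"""Offline replay of the release-verification script from the issue.

Added example, not part of tektoncd/operator or its release scripts. The
attestation and release.yaml below are constructed sample data so the
matching logic can be exercised without rekor-cli, jq or network access.
"""
import json
import re

# Assumption taken from rekor-cli's error text: an entry is addressed either by
# a 64-hex-char UUID or an 80-hex-char EntryID (tree id + UUID). An empty
# string fails this check, which is exactly the error shown in the issue.
_REKOR_ID = re.compile(r"^(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{80})$")


def validate_rekor_id(rekor_id: str) -> str:
    """Return the identifier unchanged if it looks like a Rekor UUID/EntryID, else raise."""
    rekor_id = rekor_id or ""
    if not _REKOR_ID.match(rekor_id):
        raise ValueError(
            f"expected 80 (EntryID) or 64 (UUID) hex chars but got len {len(rekor_id)}"
        )
    return rekor_id


def attestation_images(attestation_json: str, tag: str) -> list:
    """Build 'name:tag@sha256:digest' references from an in-toto statement's
    subjects, the same shape the issue's jq expression produces."""
    statement = json.loads(attestation_json)
    return [
        f"{subject['name']}:{tag}@sha256:{subject['digest']['sha256']}"
        for subject in statement["subject"]
    ]


def match_images(images: list, release_yaml: str) -> dict:
    """Report, per attested image, whether the exact reference appears in the
    release file (the equivalent of the script's grep -q loop)."""
    return {image: image in release_yaml for image in images}


def check_release(rekor_id: str, attestation_json: str, release_yaml: str, tag: str) -> dict:
    """Validate the identifier first, then match; mirrors the order of test.sh."""
    validate_rekor_id(rekor_id)
    return match_images(attestation_images(attestation_json, tag), release_yaml)


# ---- constructed sample data (not real digests or a real Rekor entry) ----
DIGEST_A = "0123456789abcdef" * 4   # 64 hex chars, constructed
DIGEST_B = "fedcba9876543210" * 4   # 64 hex chars, constructed

SAMPLE_ATTESTATION = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [
        {"name": "example.registry/tekton/operator", "digest": {"sha256": DIGEST_A}},
        {"name": "example.registry/tekton/webhook", "digest": {"sha256": DIGEST_B}},
    ],
})

# Only the operator image reference is present in this constructed release file.
SAMPLE_RELEASE_YAML = f"""
containers:
- name: operator
  image: example.registry/tekton/operator:v0.69.1@sha256:{DIGEST_A}
"""

SAMPLE_REKOR_ID = "ab" * 32          # constructed 64-hex-char UUID-shaped value


if __name__ == "__main__":
    # Empty identifier: same failure mode as the issue, caught before any lookup.
    try:
        check_release("", SAMPLE_ATTESTATION, SAMPLE_RELEASE_YAML, "v0.69.1")
    except ValueError as err:
        print(f"Error: {err}")
    for image, ok in check_release(SAMPLE_REKOR_ID, SAMPLE_ATTESTATION,
                                   SAMPLE_RELEASE_YAML, "v0.69.1").items():
        print(f"{image} ===> {'ok' if ok else 'no match'}")
```

In a real run the attestation string would be the `.Attestation` field of `rekor-cli get --uuid "$REKOR_UUID" --format json`, and the release file the downloaded release.yaml; the point of validating the identifier up front is that a missing UUID is a configuration gap in the release process, not a signing failure, and should stop the check before it reports "no match" for every image.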

This is coming from the "shared" create-draft-release task. In tektoncd/pipeline, it's a step between the release pipeline and that task to get that rekor uuid to check the images, … see point 12 of the release-cheat-sheet.md.

I guess we do not have this step in the release (and maybe not the pipeline configured to get the images handled by chains).