what is Rekor UUID?
willzhang opened this issue · 2 comments
willzhang commented
release page: https://github.com/tektoncd/operator/releases
root@ubuntu:~# cat test.sh
RELEASE_FILE=https://storage.googleapis.com/tekton-releases/operator/previous/v0.69.1/release.yaml
REKOR_UUID=
# Obtains the list of images with sha from the attestation
REKOR_ATTESTATION_IMAGES=$(rekor-cli get --uuid "$REKOR_UUID" --format json | jq -r .Attestation | jq -r '.subject[]|.name + ":v0.69.1@sha256:" + .digest.sha256')
# Download the release file
curl "$RELEASE_FILE" > release.yaml
# For each image in the attestation, match it to the release file
for image in $REKOR_ATTESTATION_IMAGES; do
printf $image; grep -q $image release.yaml && echo " ===> ok" || echo " ===> no match";
done
root@ubuntu:~#
root@ubuntu:~#
root@ubuntu:~# bash test.sh
Error: invalid argument "" for "--uuid" flag: ID len error, expected 80 (EntryID) or 64 (UUID) but got len 0 for ID
Usage:
rekor-cli get [flags]
Flags:
-h, --help help for get
--log-index logIndex the index of the entry in the transparency log
--uuid uuid UUID of entry in transparency log (if known)
Global Flags:
--config string config file (default is $HOME/.rekor.yaml)
--format format Command output format (default default)
--rekor_server url Server address:port (default https://rekor.sigstore.dev)
--retry uint Number of times to retry HTTP requests (default 3)
--store_tree_state whether to store tree state in between invocations for additional verification (default true)
--timeout format HTTP timeout (default 30s)
invalid argument "" for "--uuid" flag: ID len error, expected 80 (EntryID) or 64 (UUID) but got len 0 for ID
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 26922 100 26922 0 0 198k 0 --:--:-- --:--:-- --:--:-- 199k
root@ubuntu:~#
jkandasa commented
vdemeester commented
This is coming from the "shared" create-draft-release task. In tektoncd/pipeline, there is a step between the release pipeline and that task to get that rekor uuid to check the images, … see point 12 of the release-cheat-shee.md.
I guess we do not have this step in the release (and maybe not the pipeline configured to get the images handled by chains).
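An added example, not part of the thread or of Tekton's release tooling: a variant of the check script above that rejects an empty or malformed `REKOR_UUID` before calling `rekor-cli`, and fails closed when an image is missing or the attestation yields no images. The function names are hypothetical, and the hex-only test is an assumption layered on the 64/80 length rule quoted in the error output.

```shell
#!/usr/bin/env bash
# Added example (constructed): hardened variant of the release check script.

# Return 0 only for an ID with one of the two lengths rekor-cli accepts
# (64-char UUID or 80-char EntryID). Hex-only is an assumption made here.
valid_rekor_id() {
  case "$1" in
    ''|*[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 64 ] || [ "${#1}" -eq 80 ]
}

# Read image references on stdin, one per line, and match each one as a
# fixed string against the release file.
# Returns non-zero on any miss, and also when the list is empty.
match_images() {
  release_file=$1 seen=0 missing=0
  while IFS= read -r image; do
    [ -n "$image" ] || continue
    seen=$((seen + 1))
    if grep -qF -- "$image" "$release_file"; then
      printf '%s ===> ok\n' "$image"
    else
      printf '%s ===> no match\n' "$image"
      missing=$((missing + 1))
    fi
  done
  [ "$seen" -gt 0 ] && [ "$missing" -eq 0 ]
}

# Full check; needs network access, curl, rekor-cli and jq.
# Usage: verify_release "$REKOR_UUID" "$RELEASE_FILE" v0.69.1
verify_release() {
  rekor_uuid=$1 release_url=$2 version=$3
  valid_rekor_id "$rekor_uuid" || {
    echo "REKOR_UUID is empty or malformed (expected 64 or 80 hex characters)" >&2
    return 2
  }
  curl -fsSL "$release_url" -o release.yaml || return 3
  rekor-cli get --uuid "$rekor_uuid" --format json | jq -r .Attestation \
    | jq -r --arg v "$version" \
        '.subject[] | .name + ":" + $v + "@sha256:" + .digest.sha256' \
    | match_images release.yaml
}
```

Because `match_images` treats an empty list as a failure, a failed `rekor-cli` lookup cannot produce a silent pass the way the original loop does when it iterates over nothing.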