BUG .sigstore bundles are not being found by Signed-Releases check
#3913
Comments
|
I think the issue is just that there hasn't been a new release in a while. After that, the scorecard-action Docker image should be updated. |
|
@edgarrmondragon now that I look... 🤦 I'm so accustomed to 'release early, release often' (and so used to bumping the Scorecard workflow for CodeQL changes) I'd missed that 5 months have rolled by without a release. |
|
We've been working on a major release, and haven't released in a while as we work through some breaking changes. I can try to see how many breaking changes have slipped in, and if an interim release is possible. |
|
Cutting a Scorecard release may be challenging at this point before our v5 release within the month. Would it be sufficient for us to update Scorecard Action to use a newer version of scorecard (via a Go pseudo-version) |
Yeah, I guess most folks are using scorecard via ossf/scorecard-action. It'd at least work for me. |
|
The fix has now been included in both a |
Describe the bug
The Signed-Releases score is 0 even when
.sigstorebundles are present for the last 5 releases.Reproduction steps
Steps to reproduce the behavior:
.sigstorebundles)Expected behavior
Signed-Releases score should be 8 after 5 releases with
.sigstorebundles.Additional context
This was initially raised by @edgarrmondragon in #3771 and should have been fixed by #3772
I first noticed this with the at_python repo I maintain:
{ "name": "Signed-Releases", "score": 0, "reason": "0 out of 5 artifacts are signed or have provenance", "details": [ "Warn: release artifact v0.2.6 does not have provenance: https://api.github.com/repos/atsign-foundation/at_python/releases/143607745", "Warn: release artifact v0.2.6 not signed: https://api.github.com/repos/atsign-foundation/at_python/releases/143607745", "Warn: release artifact v0.2.5 does not have provenance: https://api.github.com/repos/atsign-foundation/at_python/releases/143063709", "Warn: release artifact v0.2.5 not signed: https://api.github.com/repos/atsign-foundation/at_python/releases/143063709", "Warn: release artifact v0.2.4 does not have provenance: https://api.github.com/repos/atsign-foundation/at_python/releases/142574958", "Warn: release artifact v0.2.4 not signed: https://api.github.com/repos/atsign-foundation/at_python/releases/142574958", "Warn: release artifact v0.2.3 does not have provenance: https://api.github.com/repos/atsign-foundation/at_python/releases/140371553", "Warn: release artifact v0.2.3 not signed: https://api.github.com/repos/atsign-foundation/at_python/releases/140371553", "Warn: release artifact v0.2.2 does not have provenance: https://api.github.com/repos/atsign-foundation/at_python/releases/138635865", "Warn: release artifact v0.2.2 not signed: https://api.github.com/repos/atsign-foundation/at_python/releases/138635865" ], "documentation": { "short": "Determines if the project cryptographically signs release artifacts.", "url": "https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#signed-releases" } }Here's the latest release assets using
gh release view --json assets -q .assets.[].namePrevious releases are the same aside from the semver bumps.
As @edgarrmondragon previously raised this I took a look at his citric and the same is happening there. The
.sigstorebundles are present, but the Signed-Releases score is 0.The text was updated successfully, but these errors were encountered: