cosign verify-attestation hangs indefinitely in GitHub Actions #3602

Open
AliSajid opened this issue Mar 18, 2024 · 6 comments
Labels
bug Something isn't working

Comments

@AliSajid

Description

I have a GitHub Action that builds and signs an image and pushes it to GHCR and DockerHub. I verify the signatures in the same action. The verification for the image happens instantly, but on the Verify-Attestation for the SBOM, it hangs until it times out in six hours. I can verify that the attestation is pushed to the container registries and I can verify that locally on my Mac (M2) painlessly.

I'm using syft for SBOM generation and right now using a practically empty Dockerfile.

Version

cosign: v2.2.3
syft: v1.0.1

These are the logs from an example run.
logs_21813240831.zip

The workflow is here: https://github.com/AliSajid/aaprop/blob/next/.github/workflows/build_container.yaml

@AliSajid added the bug label Mar 18, 2024
@haydentherapper
Contributor

This sounds like a one-off GHA failure, is it still occurring?

@AliSajid
Author

AliSajid commented Mar 19, 2024

This has been consistently occurring over the past ~3 days. Sometimes it succeeds, but after an inordinately long time. An example of a very long run before success is here.

I have one action run happening right now which is going through the same process.

@ckotzbauer
Contributor

I can confirm the same behaviour in one of my actions.

@haydentherapper
Contributor

Without logs, I'm unable to reproduce this.

@ckotzbauer
Contributor

I'll create a repro build and share it here.

@ckotzbauer
Contributor

ckotzbauer commented May 11, 2024

I created a simple reproduction repository and the workflow hung on the first execution: https://github.com/ckotzbauer/verify-attestation-repro/actions/runs/9044178111/job/24852568726

Between line 32 and 33/34 it took about 8 minutes.
