[bug] could not find a matching valid signature entry

[lukehinds]

I just tried out the 1.40 release, but unfortunately I still see the FAILED: SLSA verification failed: could not find a matching valid signature entry

For recreation / debug, it's a public repo:

https://github.com/lukehinds/slsa-test/actions/runs/3601462237/jobs/6067342275#step:2:543

I used the generic github configurator (note this is still provided 1.20)

It could well be that I am using a 1.40 release against the generic template of 1.20, so I have approached this as a greenfield / new user.

[ianlewis]

Hi @lukehinds,

It looks like your GHA run is for a commit that is using the v1.2.0 version of the Go builder: https://github.com/lukehinds/slsa-test/blob/73867e91c9ed6bbdefcd2f394e80c9fa3ee839ed/.github/workflows/go-ossf-slsa3-publish.yml#L32

The release notes for v1.2.0 notes that it doesn't work due to issues with the verifier and pre-GA Rekor (See: #942).

If you re-run the workflow using v1.4.0, I think it should work.

That said, we do need to update the starter workflows with the latest versions so that users don't get caught by this issue.

[ianlewis]

That said, we do need to update the starter workflows with the latest versions so that users don't get caught by this issue.

I created #1302 to remind us to do this.

[ianlewis]

@lukehinds I'm going to go ahead and close this but feel free to re-open if you think something still needs to be addressed.