BUG: rekor search

[laurentsimon]

I intermittently get errors when trying to verify attestation. I suspect it's a rekor problem?

calculated root:
[132 232 216 48 108 59 50 197 236 185 146 185 227 68 190 133 21 213 122 121 1 147 162 124 107 174 49 111 31 250 222 55]
 does not match expected root:
[23 93 206 14 188 138 123 76 20 90 197 85 245 154 233 32 233 26 65 69 91 221 43 184 6 252 85 24 60 92 168 117]: verifying inclusion proofverification failed: could not find a matching signature entry
exit status 2while verifying the same provenance

calculated root:
[128 119 111 49 254 53 189 249 195 141 0 27 246 84 213 157 191 22 221 250 116 235 9 254 122 25 214 232 229 215 253 244]
 does not match expected root:
[236 214 7 183 14 217 72 75 194 121 46 12 227 70 223 102 211 40 95 189 150 32 202 72 173 127 241 7 182 167 110 244]: verifying inclusion proofverification failed: could not find a matching signature entry
exit status 2

/cc @asraa

[asraa]

Hmmmm this error is coming from verifying the inclusion proof for the log entry.

I had seen it once before running go test but am having trouble reproducing it. Do you have an entry that can occassionally trigger it? Or is it any entry. (Currently running go test to see if any of those trigger)

I took a quick look over our entry log verification and didn't see anything, but I'm not sure what could be happening

[laurentsimon]

It happened a couple times with https://github.com/slsa-framework/example-package/releases/tag/v10.0.9
Since we have the bytes of the root, maybe that will help debug. It's odd that both expected and computed root differ for each run

[laurentsimon]

https://github.com/slsa-framework/slsa-verifier/runs/6560807030?check_suite_focus=true

=== CONT  Test_runVerify/versioned_tag_no_match_empty_tag_workflow_dispatch
    main_test.go:304:   (*errors.errorString)(
        - 	e"could not find a matching signature entry",
        + 	e"invalid semantic version",
          )
calculated root:
[30 131 14 243 243 54 125 231 215 158 208 211 131 4 60 95 139 108 199 236 237 180 145 72 133 89 113 77 115 86 90 5]
 does not match expected root:
[99 162 240 228 26 97 158 145 186 26 222 48 211 156 144 224 234 189 58 38 5 216 205 201 15 153 138 78 227 229 235 215]: verifying inclusion proof=== CONT  Test_runVerify/valid_main_branch_set
    main_test.go:304:   any(
        - 	e"could not find a matching signature entry",
          )
--- FAIL: Test_runVerify (0.00s)

[ianlewis]

@asraa @laurentsimon
Is this still an issue? Can we close?

[laurentsimon]

I think good to close. But let's wait for @asraa to ack and close.

[asraa]

Yes! Can close. The fixed issue on rekor is: sigstore/rekor#956