Update cosign to > v1.12.1 and sigstore to v1.4.2 #3188

Merged
merged 3 commits into from
Oct 4, 2022

Conversation

RTann (Contributor) commented Sep 23, 2022

Checklist

  • Investigated and inspected CI test results
  • [ ] Unit test and regression tests added
  • [ ] Evaluated and added CHANGELOG entry if required
  • [ ] Determined and documented upgrade steps
  • [ ] Documented user facing changes (create PR based on openshift/openshift-docs and merge into rhacs-docs)

Testing Performed

CI

@@ -444,17 +443,6 @@ replace (
// github.com/stackrox/helm-operator is a modified fork of github.com/operator-framework/helm-operator-plugins that
// we currently depend on.
github.com/operator-framework/helm-operator-plugins => github.com/stackrox/helm-operator v0.0.10-0.20220919093109-89f9785764c6
// github.com/sigstore/rekor is a transitive dep pulled in by cosign. The version pulled in by cosign is using
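Review bot: the header shows the replace block shrinking from 17 to 6 lines, but the visible context stops at the comment explaining why github.com/sigstore/rekor was overridden ("The version pulled in by cosign is using"), so the reason the override is safe to drop is not recorded anywhere a future reader will find it; state in the commit message or a go.mod comment which rekor and go-tuf versions cosign now resolves to, and back it with `go list -m github.com/theupdateframework/go-tuf` after `go mod tidy` rather than relying on the inline note alone.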
@RTann (Contributor, Author) Sep 23, 2022

Note: the newer versions of cosign and sigstore use go-tuf >= v0.5.0 which has the fix for GHSA-66x3-6cw3-v5gj

roxbot (Contributor) commented Sep 23, 2022

Images are ready for the commit at e80b371.

To use with deploy scripts, first export MAIN_IMAGE_TAG=3.72.x-218-ge80b371dfe.

RTann (Contributor, Author) commented Sep 23, 2022

/retest-required

RTann (Contributor, Author) commented Sep 23, 2022

Blocked by sigstore/cosign#2277

RTann (Contributor, Author) commented Sep 27, 2022

Update: sigstore/cosign#2277 has been resolved and will be released in v1.13.0, which I'd expect to be released sometime soon. I will wait until that is released before updating this PR and merging.

github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/shopspring/decimal v1.2.0 // indirect
github.com/sigstore/rekor v0.4.1-0.20220114213500-23f583409af3 // indirect
github.com/sigstore/rekor v0.12.1-0.20220915152154-4bb6f441c1b2 // indirect
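Review bot: github.com/sigstore/rekor moves from one pseudo-version (v0.4.1-0.20220114213500-23f583409af3) to another (v0.12.1-0.20220915152154-4bb6f441c1b2) rather than to a tagged release, and stays `// indirect`, so the pin is only as stable as cosign's own requirement; say in the commit message why an untagged commit is needed (the thread says cosign v1.13.0 is still awaited) and confirm with `go mod why -m github.com/sigstore/rekor` that nothing in this repository imports rekor directly before leaving it indirect.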
github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect
github.com/theupdateframework/go-tuf v0.3.0 // indirect
github.com/theupdateframework/go-tuf v0.5.1-0.20220920170306-f237d7ca5b42 // indirect
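Review bot: go-tuf goes from v0.3.0 to the pseudo-version v0.5.1-0.20220920170306-f237d7ca5b42, which is past the v0.5.0 floor the inline note gives for the GHSA-66x3-6cw3-v5gj fix, but as an `// indirect` requirement it is held there only by what cosign and sigstore require; if this repository calls go-tuf itself (the comment that follows says a version > v0.2.0 is already used explicitly), make it a direct requirement at or above that floor so a later `go mod tidy` cannot silently lower it, and record the advisory in the CHANGELOG, since that checklist item is still unchecked.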
@RTann (Contributor, Author)

We even use a version > v0.2.0 explicitly here.
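The inline note on the replace block states that the new cosign and sigstore pull in go-tuf >= v0.5.0, and the go.mod diff above shows the pinned pseudo-version. As an added example (not code from this PR or the stackrox project), the check below parses a constructed go.mod excerpt modelled on those diff lines and verifies that the go-tuf pin satisfies the v0.5.0 floor, handling pseudo-versions, an older tagged version, and a module that is absent altogether.

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed go.mod excerpt modelled on the lines in this PR's diff; it is not
// the stackrox project's real go.mod.
const sampleGoMod = `github.com/sigstore/rekor v0.12.1-0.20220915152154-4bb6f441c1b2 // indirect
github.com/theupdateframework/go-tuf v0.5.1-0.20220920170306-f237d7ca5b42 // indirect`

// requiredVersion returns the version goMod pins for modPath, or "" if absent.
func requiredVersion(goMod, modPath string) string {
	for _, line := range strings.Split(goMod, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && f[0] == modPath {
			return f[1]
		}
	}
	return ""
}

// versionLess reports whether module version a sorts before b, for "vX.Y.Z" and
// pseudo-versions "vX.Y.Z-0.yyyymmddhhmmss-hash" (pre-release sorts before release).
func versionLess(a, b string) bool {
	split := func(v string) (n [3]int, pre string) {
		core, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
		for i, s := range strings.SplitN(core, ".", 3) {
			n[i], _ = strconv.Atoi(s)
		}
		return n, pre
	}
	na, pa := split(a)
	nb, pb := split(b)
	for i := range na {
		if na[i] != nb[i] {
			return na[i] < nb[i]
		}
	}
	if pa == pb || pa == "" {
		return false // equal, or a is the release that b is a pre-release of
	}
	return pb == "" || pa < pb // b is the release, or both pre-release: lexical
}

// meetsMinimum returns the pinned version of modPath and whether it is >= min.
func meetsMinimum(goMod, modPath, min string) (string, bool) {
	v := requiredVersion(goMod, modPath)
	return v, v != "" && !versionLess(v, min)
}
```

The comparison covers the version shapes seen in this diff only; it ignores `+incompatible` suffixes and full semver pre-release precedence, for which golang.org/x/mod/semver is the right tool.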

@RTann changed the title from "Update cosign to v1.12.1 and sigstore to v1.4.2" to "Update cosign to > v1.12.1 and sigstore to v1.4.2" on Oct 4, 2022
RTann (Contributor, Author) commented Oct 4, 2022

I wanted to merge this asap so we can have the vuln fix asap. I imagine cosign v1.13.0 should come out before we cut a new release, so we will update to that before we cut the new release.

@RTann RTann merged commit 0e5037e into master Oct 4, 2022
@RTann RTann deleted the ross/update-cosign-sigstore branch October 4, 2022 22:54
@RTann RTann mentioned this pull request Oct 5, 2022