Signing images with cosign fails with KDF error

[ThomasVitale]

What happened

When using kpack to sign the built images with Cosign, the signing step fails if the key pair has been created with the Cosing CLI 2.2.0 (the latest version at the moment). It works when using the previous version of the CLI (2.1.1).

I can see there's an open Dependabot PR (#1318) to update the Cosign version to 2.2.0 (the latest one). I assume the defect would be fixed by updating the Cosign dependencies in that pull request.

Logs

This is the error log I get from the kpack build.

cosign sign: unable to sign image with /var/build-secrets/cosign/supply-chain-cosign-key-pair/cosign.key: getting signer: reading key: decrypt: encrypted: unexpected kdf parameters

Versions

I tried both using the latest kpack version (0.12.0) and the previous one (0.11.2). Same result.

[chenbh]

Root cause is that the keys generated by Cosign v2.2.0 has a higher default scrypt iteration count than what Cosign v2.1.1 supported.

The PR that did this is sigstore/cosign#3183, but the actual discussion occurred in sigstore/cosign#3128. Bit of a bummer that it wasn't called out in the release notes, but yeah a dependency bump will fix this issue.

[ThomasVitale]

@chenbh thanks for the information. I've been trying to find the root cause, but couldn't find anything in the release notes and related issues. Now I see why. It's unfortunate to have such a breaking change in a minor upgrade without info.

I can see the PR upgrading cosign in kpack is now green: #1318. Once it's merged, I guess we can close this issue.

[chenbh]

v0.12.1 released with the fix