
issue while signing (sigstore-keycloak-setup) #2

Open

VikramPunnam opened this issue Oct 19, 2023 · 5 comments

Comments

@VikramPunnam

Hi @mayaCostantini, the guide you wrote is very helpful for a local Sigstore setup.

I have configured Keycloak and Fulcio as mentioned, but I'm getting the error below.

main.go:74: error during command execution: signing [qa-harbor.crisil.local/eks/alpine:1.27.4]: getting signer: getting key from Fulcio: retrieving cert: oauth2: "invalid_grant" "Code not valid"

If you have any idea, could you please help with this?

@mayaCostantini
Owner

Hi @VikramPunnam, thanks!
Could you please provide the command you ran and a full stack trace of the error?

@VikramPunnam
Author

Here is the full trace:

(base) [ec2-user@mum1bado1q04 sigstore]$ cosign sign --fulcio-url https://dev-fulcio.crisil.com --oidc-issuer https://qa-keycloak.crisil.local/realms/sigstore --oidc-client-id='sigstore' --oidc-client-secret-file='secret' --rekor-url https://dev-rekor.crisil.com qa-harbor.crisil.local/eks/alpine:1.27.4
Generating ephemeral keys...
Retrieving signed certificate...

    The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
    Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
    This may include the email address associated with the account with which you authenticate your contractual Agreement.
    This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
Are you sure you would like to continue? [y/N] y
error opening browser: exec: "xdg-open": executable file not found in $PATH
Go to the following link in a browser:

     https://qa-keycloak.crisil.local/realms/sigstore/protocol/openid-connect/auth?access_type=online&client_id=sigstore&code_challenge=57CUh0toaK-qYF9fKkMLFyxvQmem6btGM7O-wTZMud0&code_challenge_method=S256&nonce=2WyZsTEYtSGwVvWkrSowp0mQbrd&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&scope=openid+email&state=2WyZsS42vXuL29I1AQ0YiM18q8Q

Enter verification code: 84436eec-df9d-46c8-84c0-e8fd82207a43.a6e62f89-c5da-4ef3-a7ad-5e320944d296.c495c10d-393a-41d1-b58e-6759f95828ed

Error: signing [qa-harbor.crisil.local/eks/alpine:1.27.4]: getting signer: getting key from Fulcio: retrieving cert: oauth2: "invalid_grant" "Code not valid"
main.go:74: error during command execution: signing [qa-harbor.crisil.local/eks/alpine:1.27.4]: getting signer: getting key from Fulcio: retrieving cert: oauth2: "invalid_grant" "Code not valid"

config.json:

  config.json: |-
    {
      "OIDCIssuers": {
        "https://qa-keycloak.crisil.local/realms/sigstore": {
          "ClientID": "sigstore",
          "IssuerURL": "https://qa-keycloak.crisil.local/realms/sigstore",
          "Type": "email"
        }
      }
    }
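The three strings that have to agree in this setup are the OIDCIssuers map key and IssuerURL in Fulcio's config.json, the `--oidc-issuer` passed to cosign, and the `issuer` value the realm publishes in its OIDC discovery document (which is what ends up in the `iss` claim of the token cosign sends to Fulcio). The check below is an added example, not Fulcio or cosign code; it assumes Fulcio looks the issuer entry up by that `iss` claim, and the discovery document it uses is a constructed stand-in for the realm's `.well-known/openid-configuration`, not data fetched from the real host. It also checks the two things the auth URL in the trace shows cosign asking for: `code_challenge_method=S256` and `scope=openid+email`.

```python
"""Cross-check a Fulcio OIDCIssuers entry against the cosign flags and the
issuer's OIDC discovery document.

Added example, not Fulcio or cosign code. DISCOVERY is a constructed stand-in
for what Keycloak would serve at <issuer>/.well-known/openid-configuration;
the field names are the standard OIDC Discovery ones, the values are assumed."""
import json

# The Fulcio config from the issue, as a plain JSON string.
FULCIO_CONFIG = json.loads("""
{
  "OIDCIssuers": {
    "https://qa-keycloak.crisil.local/realms/sigstore": {
      "ClientID": "sigstore",
      "IssuerURL": "https://qa-keycloak.crisil.local/realms/sigstore",
      "Type": "email"
    }
  }
}
""")

# Constructed discovery document (assumed values, not fetched from the real realm).
DISCOVERY = {
    "issuer": "https://qa-keycloak.crisil.local/realms/sigstore",
    "authorization_endpoint": "https://qa-keycloak.crisil.local/realms/sigstore/protocol/openid-connect/auth",
    "token_endpoint": "https://qa-keycloak.crisil.local/realms/sigstore/protocol/openid-connect/token",
    "response_types_supported": ["code", "none", "id_token", "token"],
    "code_challenge_methods_supported": ["plain", "S256"],
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["sub", "iss", "email", "email_verified"],
}


def check_issuer_setup(config, discovery, oidc_issuer, client_id):
    """Return a list of problems; an empty list means the three sides agree.

    Assumption: Fulcio selects the OIDCIssuers entry by the token's `iss`
    claim, so the map key, IssuerURL, the discovery `issuer` and cosign's
    --oidc-issuer must all be the identical string."""
    problems = []
    entry = config.get("OIDCIssuers", {}).get(oidc_issuer)
    if entry is None:
        problems.append(
            f"no OIDCIssuers entry keyed {oidc_issuer!r}; keys are compared "
            "byte-for-byte (scheme, host case and trailing slash all matter)")
        return problems
    if entry.get("IssuerURL") != oidc_issuer:
        problems.append(f"IssuerURL {entry.get('IssuerURL')!r} differs from the map key")
    if discovery.get("issuer") != oidc_issuer:
        problems.append(
            f"discovery issuer {discovery.get('issuer')!r} differs from "
            f"{oidc_issuer!r}; tokens will carry the discovery value in `iss`")
    if entry.get("ClientID") != client_id:
        problems.append(f"ClientID {entry.get('ClientID')!r} != --oidc-client-id {client_id!r}")
    # The auth URL in the trace uses code_challenge_method=S256 and response_type=code.
    if "S256" not in discovery.get("code_challenge_methods_supported", []):
        problems.append("issuer does not advertise S256 PKCE")
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("issuer does not advertise response_type=code")
    # Type=email means Fulcio will read the email claims; the realm must expose them.
    if entry.get("Type") == "email":
        for claim in ("email", "email_verified"):
            if claim not in discovery.get("claims_supported", []):
                problems.append(f"Type=email needs the {claim!r} claim")
    return problems


def check_page_config():
    """The issue's config and flags against the constructed discovery document."""
    return check_issuer_setup(FULCIO_CONFIG, DISCOVERY,
                              "https://qa-keycloak.crisil.local/realms/sigstore", "sigstore")


def check_trailing_slash():
    """Same realm, but --oidc-issuer given with a trailing slash: reported as a mismatch."""
    return check_issuer_setup(FULCIO_CONFIG, DISCOVERY,
                              "https://qa-keycloak.crisil.local/realms/sigstore/", "sigstore")


if __name__ == "__main__":
    for name, fn in (("as posted", check_page_config), ("trailing slash", check_trailing_slash)):
        print(name, "->", fn() or "ok")
```

Against the config as posted the check comes back clean, which is consistent with the thread moving on to the authorization code itself rather than the issuer mapping; the trailing-slash variant shows the kind of near-miss that produces an unknown-issuer failure instead.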

@mayaCostantini
Owner

I think this might either be an issue with your Keycloak realm/client config or with the verification code itself (it might have already been used or timed out). Could you also provide your Keycloak config?

@VikramPunnam
Author

Yes,

The issue is with the Keycloak config. The client token is valid only once.

I have tried with a new client token, but I'm getting a different issue.

(base) [ec2-user@mum1bado1q04 sigstore]$ cosign sign --fulcio-url https://dev-fulcio.crisil.com --oidc-issuer https://qa-keycloak.crisil.local/realms/sigstore --oidc-client-id='sigstore' --oidc-client-secret-file='secret' --rekor-url https://dev-rekor.crisil.com qa-harbor.crisil.local/eks/alpine:1.27.4
Generating ephemeral keys...
Retrieving signed certificate...

    The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
    Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
    This may include the email address associated with the account with which you authenticate your contractual Agreement.
    This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
Are you sure you would like to continue? [y/N] y
error opening browser: exec: "xdg-open": executable file not found in $PATH
Go to the following link in a browser:

     https://qa-keycloak.crisil.local/realms/sigstore/protocol/openid-connect/auth?access_type=online&client_id=sigstore&code_challenge=Vz8lPv-yNvvso6ywxkWGe2CAi5ti2d0pDn9qRR93gpw&code_challenge_method=S256&nonce=2WynijkoKIqBNgNZWUySGyX0roN&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&scope=openid+email&state=2WynimbguQpw7UpUbAu6MGDno6M

Enter verification code: 0a448d9d-a6df-43ac-8f0f-02355e56e925.00966ac9-1387-497a-a59a-81a0caea411d.c495c10d-393a-41d1-b58e-6759f95828ed

Error: signing [qa-harbor.crisil.local/eks/alpine:1.27.4]: getting signer: getting key from Fulcio: retrieving cert: POST https://dev-fulcio.crisil.com/api/v1/signingCert returned 500 Internal Server Error: "{"code":13, "message":"Error entering certificate in CTL", "details":[]}"
main.go:74: error during command execution: signing [qa-harbor.crisil.local/eks/alpine:1.27.4]: getting signer: getting key from Fulcio: retrieving cert: POST https://dev-fulcio.crisil.com/api/v1/signingCert returned 500 Internal Server Error: "{"code":13, "message":"Error entering certificate in CTL", "details":[]}"
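What cosign is doing when it prints the auth URL and asks for a verification code is a standard OAuth 2.0 authorization-code exchange with PKCE: the `code_challenge=...&code_challenge_method=S256` in the URL is the hash of a verifier cosign generated for that one run, and the pasted code is exchanged at the token endpoint together with that verifier. The model below is an added example, not Keycloak's or cosign's code. It is a toy authorization server that enforces the rules any compliant server enforces (RFC 6749 section 4.1.2 and RFC 7636): a code is bound to one client, one redirect URI and one PKCE challenge, expires after a lifetime, and is accepted exactly once. Each rule is one way of getting `invalid_grant` back, which is what the first error in this thread reports; the code lifetime is an assumed value, and which of these cases Keycloak labels "Code not valid" is not something the example establishes.

```python
"""Toy OAuth 2.0 authorization-code exchange with PKCE (S256), single-use codes
and a code lifetime. Added example; not Keycloak's or cosign's code."""
import base64
import hashlib
import os
import time
from dataclasses import dataclass

OOB = "urn:ietf:wg:oauth:2.0:oob"   # the redirect_uri in the auth URL from the trace
CODE_LIFETIME = 60.0                 # seconds; assumed value, not Keycloak's setting


class InvalidGrant(Exception):
    """Where a real token endpoint would answer HTTP 400 {"error": "invalid_grant"}."""


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def new_verifier() -> str:
    """A fresh PKCE code_verifier, as a client generates per run."""
    return b64url(os.urandom(32))


def s256(verifier: str) -> str:
    """PKCE S256: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


@dataclass
class IssuedCode:
    client_id: str
    code_challenge: str
    redirect_uri: str
    issued_at: float
    used: bool = False


class AuthServer:
    def __init__(self, now=time.time):
        self._now = now
        self._codes: dict[str, IssuedCode] = {}

    def authorize(self, client_id, code_challenge, redirect_uri) -> str:
        """What the /auth endpoint does after the user logs in: mint a code."""
        code = b64url(os.urandom(24))
        self._codes[code] = IssuedCode(client_id, code_challenge, redirect_uri, self._now())
        return code

    def token(self, code, client_id, code_verifier, redirect_uri) -> dict:
        """The /token endpoint. Raises InvalidGrant with the reason as the message."""
        rec = self._codes.get(code)
        if rec is None:
            raise InvalidGrant("unknown")
        if rec.used:
            raise InvalidGrant("used")         # single use: a code pasted twice fails here
        rec.used = True                         # burn the code before any further check
        if self._now() - rec.issued_at > CODE_LIFETIME:
            raise InvalidGrant("expired")
        if rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            raise InvalidGrant("client_or_redirect_mismatch")
        if s256(code_verifier) != rec.code_challenge:
            raise InvalidGrant("pkce_mismatch")  # code minted for another run's challenge
        return {"access_token": b64url(os.urandom(16)), "token_type": "Bearer"}


def exchange(server, code, verifier) -> str:
    """Client side of one cosign-style exchange; returns 'ok' or the failure reason."""
    try:
        server.token(code, "sigstore", verifier, OOB)
        return "ok"
    except InvalidGrant as e:
        return str(e)


def run_scenarios() -> dict:
    """Four exchanges against one server with a controllable clock."""
    clock = [1_000.0]
    srv = AuthServer(now=lambda: clock[0])
    out = {}

    # 1. One run: verifier generated, challenge sent, code pasted back once.
    v = new_verifier()
    code = srv.authorize("sigstore", s256(v), OOB)
    out["first_exchange"] = exchange(srv, code, v)

    # 2. The same code pasted again (a retried run after an error).
    out["replay"] = exchange(srv, code, v)

    # 3. Code minted for run A's challenge, pasted into run B with its own verifier.
    v_a = new_verifier()
    code_a = srv.authorize("sigstore", s256(v_a), OOB)
    out["wrong_run"] = exchange(srv, code_a, new_verifier())

    # 4. Code pasted after the lifetime has passed.
    v_late = new_verifier()
    code_late = srv.authorize("sigstore", s256(v_late), OOB)
    clock[0] += CODE_LIFETIME + 1
    out["expired"] = exchange(srv, code_late, v_late)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:15s} {result}")
```

The practical consequence for the thread: every cosign invocation prints a new auth URL with a new challenge, so a code must be obtained from the URL printed by the run that will consume it, pasted once, and pasted promptly; a code saved from an earlier run, or one already submitted to a run that failed for another reason, will be refused at the token endpoint regardless of how the realm is configured.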

@mayaCostantini
Owner

"Error entering certificate in CTL" could be caused by different issues with Fulcio's CTL; you might want to check the CTL server logs directly, where a more precise stack trace should be visible.
