Skip to content

Unable to verify signature from cosign v3.x #1923

@trexx

Description

@trexx

Using the example from here, https://fluxcd.io/flux/flux-gh-action/#push-and-sign-kubernetes-manifests-to-container-registries regarding keyless signing

It seems cosign has introduced and enabled some breaking changes in v3 which renders its signatures incompatible with the latest version of source-controller (1.7.2). The action by default will install the latest version and cause validation with source-controller to fail.

To get syncing working again, I have overridden the default and selected 2.6.1 to be installed which gets syncing back working again.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions