Reputation: 423
I am getting the error below when signing images using cosign. It used to work, but it seems not to be working anymore. I use keyless mode to sign these images, and from the error it looks like the private/public key used by Fulcio is failing to be used now.
getting signer: getting key from Fulcio: getting CTFE public keys: updating local metadata and targets: error updating to TUF remote mirror: invalid key
remote status:{
    "mirror": "https://sigstore-tuf-root.storage.googleapis.com",
    "metadata": {
        "root.json": {
            "version": 9,
            "len": 6766,
            "expiration": "12 Sep 24 06:53 UTC",
            "error": ""
        },
        "snapshot.json": {
            "version": 132,
            "len": 2302,
            "expiration": "09 Apr 24 16:16 UTC",
            "error": ""
        },
        "targets.json": {
            "version": 9,
            "len": 5478,
            "expiration": "12 Sep 24 06:13 UTC",
            "error": ""
        },
        "timestamp.json": {
            "version": 169,
            "len": 723,
            "expiration": "26 Mar 24 16:16 UTC",
            "error": ""
        }
    }
}
Upvotes: 3
Views: 1470
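A triage helper for the "remote status" block in the question above, added here as an example and not part of the original posts or of cosign: it parses each role's expiration (the `DD Mon YY HH:MM UTC` layout shown in the output) and reports whether any role on the mirror is expired or carries an error. The function names and the check time are assumptions, and the embedded JSON is the question's output abridged to the fields used.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the question's "remote status" block, abridged.
REMOTE_STATUS = '''{
  "mirror": "https://sigstore-tuf-root.storage.googleapis.com",
  "metadata": {
    "root.json": {"version": 9, "expiration": "12 Sep 24 06:53 UTC", "error": ""},
    "snapshot.json": {"version": 132, "expiration": "09 Apr 24 16:16 UTC", "error": ""},
    "targets.json": {"version": 9, "expiration": "12 Sep 24 06:13 UTC", "error": ""},
    "timestamp.json": {"version": 169, "expiration": "26 Mar 24 16:16 UTC", "error": ""}
  }
}'''

def parse_expiration(text):
    """Parse a 'DD Mon YY HH:MM UTC' timestamp into an aware datetime."""
    return datetime.strptime(text, "%d %b %y %H:%M UTC").replace(tzinfo=timezone.utc)

def triage(status_json, now):
    """Return (role, verdict) pairs: 'error: ...', 'expired' or 'ok (Nd left)'."""
    report = []
    for role, meta in sorted(json.loads(status_json)["metadata"].items()):
        expires = parse_expiration(meta["expiration"])
        if meta.get("error"):
            verdict = "error: " + meta["error"]
        elif expires <= now:
            verdict = "expired"
        else:
            verdict = f"ok ({(expires - now).days}d left)"
        report.append((role, verdict))
    return report

def remote_metadata_healthy(status_json, now):
    """True when no role on the mirror is expired or reports an error."""
    return all(v.startswith("ok") for _, v in triage(status_json, now))

if __name__ == "__main__":
    now = datetime(2024, 3, 20, tzinfo=timezone.utc)  # assumed check time
    for role, verdict in triage(REMOTE_STATUS, now):
        print(f"{role:15} {verdict}")
    if remote_metadata_healthy(REMOTE_STATUS, now):
        # Nothing expired remotely: check the cosign client version next,
        # which is the fix reported in the answers on this page.
        print("remote metadata unexpired; check the cosign version in use")
```

Pass `datetime.now(timezone.utc)` as `now` to check a freshly captured error message instead of the assumed date.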
Reputation: 2934
It's always best to refer to the Cosign GH page. I usually refer to this: https://github.com/sigstore/cosign-installer
You may also find the sample workflow there.
jobs:
  example:
    runs-on: ubuntu-latest
    permissions: {}
    name: Install Cosign
    steps:
      - name: Install Cosign
        uses: sigstore/[email protected]
      - name: Check install!
        run: cosign version
Upvotes: -1
Reputation: 61
I'm getting the same error too. You can fix it using the following cosign config:
uses: sigstore/[email protected]
with:
  cosign-release: 'v2.2.2' # optional
Upvotes: 5