
crane: Build provenances have been failing since v0.19.2 #1982

Open
IAreKyleW00t opened this issue Jul 18, 2024 · 6 comments
Labels
bug Something isn't working

Comments

@IAreKyleW00t

Describe the bug

Build provenances are not properly included with releases since v0.19.2

No certificate provided, trying Redis search index to find entries by subject digest
Verifying artifact go-containerregistry.tar.gz: FAILED: error searching rekor entries: no matching entries found

FAILED: SLSA verification failed: error searching rekor entries: no matching entries found

To Reproduce

https://github.com./google/go-containerregistry/actions/runs/9966916706/job/27539952152
https://github.com./google/go-containerregistry/actions/runs/9845572711/job/27181699181
https://github.com./google/go-containerregistry/actions/runs/9527779284/job/26264811699

Expected behavior

Proper build provenances to be included in the release so they can be used for validation.

Additional context

N/A


This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.

@IAreKyleW00t (Author)

This is still a problem.


This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.

@ocraviotto

This is still an issue.

I took a little time to check the latest failed workflow (goreleaser for v0.20.3) and I saw that the provenance job failed because it uses an old Action, slsa-framework/slsa-github-generator/.github/workflows/[email protected], that, as seen in the link, calls another ([email protected]) with a very old version of slsa-verifier (v1.3.2).

In quickly checking the GitHub Action repository, its README has:

error updating to TUF remote mirror: invalid

This will occur when generating provenance with all builders and generators.

Affected versions: all versions up and including v1.9.0

error updating to TUF remote mirror: invalid

This issue is tracked by issue #3350. You must update to v1.10.0 to fix this issue.

The error matches what's in this project's provenance job Action output:

Getting rekor entry error error verifying tlog entry: updating local metadata and targets: error updating to TUF remote mirror: invalid key

The issue was reported at the end of March 2024, a few weeks after the v0.19.1 release here, the last that included the attestation.

So it seems the fix to this issue and the problems with following installation instructions that include signature verification should be as simple as bumping the currently used action from v1.5.0 to v1.10.0.

BTW, I saw a dependabot attempt to update that Action to v2.0.0 that was closed: https://github.com./google/go-containerregistry/pull/1935/files
Perhaps that could work but it would require more attention to a few breaking changes that would seem to be relevant for this project.
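The comment above traces the failure to a workflow pinned to an old slsa-github-generator release and proposes bumping it past v1.10.0, the first version the quoted README names as fixed. A small check that scans a workflow file for such pins is shown here as an added example; it is not code from go-containerregistry or from slsa-github-generator, and the workflow text it scans is constructed for illustration rather than copied from the project's real goreleaser workflow.

```python
"""Flag slsa-framework/slsa-github-generator references in a GitHub Actions workflow
that are pinned to a semver tag older than the version the generator's README
names as fixed for "error updating to TUF remote mirror: invalid key" (v1.10.0).

Added example, not code from go-containerregistry. The sample workflow is constructed."""
import re

# First release without the TUF mirror failure, per the README quote in the issue.
MIN_FIXED = (1, 10, 0)

# Constructed sample workflow fragment (not the project's real goreleaser.yml).
SAMPLE_WORKFLOW = """\
jobs:
  provenance:
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
    with:
      base64-subjects: ${{ needs.goreleaser.outputs.hashes }}
  other:
    steps:
      - uses: actions/checkout@v4
      - uses: slsa-framework/slsa-github-generator/actions/generic/generate@v1.10.0
"""

USES_RE = re.compile(
    r"uses:\s*(?P<ref>slsa-framework/slsa-github-generator/[^@\s]+)@(?P<ver>\S+)"
)


def parse_version(tag):
    """Turn 'v1.5.0' into (1, 5, 0); return None for refs that are not semver tags
    (branch names, commit SHAs)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def find_outdated_pins(workflow_text, min_version=MIN_FIXED):
    """Return (line_no, ref, raw_tag) for every slsa-github-generator reference pinned
    to a semver tag older than min_version. Non-semver refs (e.g. a bare commit SHA)
    are reported too, with their raw tag, so a human can confirm which release they map to."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.search(line)
        if not m:
            continue
        ver = parse_version(m.group("ver"))
        if ver is None or ver < min_version:
            findings.append((line_no, m.group("ref"), m.group("ver")))
    return findings


if __name__ == "__main__":
    wanted = "v" + ".".join(map(str, MIN_FIXED))
    for line_no, ref, tag in find_outdated_pins(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}@{tag} is older than {wanted}")
```

Run against the sample, the v1.5.0 reusable-workflow pin on line 3 is reported and the v1.10.0 action on line 9 is not; pointing it at a real workflow file is a matter of reading the file into `find_outdated_pins`.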

@cwpearce

Confirming that this is still a problem:

  1. Followed instructions in https://github.com./google/go-containerregistry/blob/main/cmd/crane/README.md
  2. I see multiple.intoto.jsonl doesn't exist as an asset in the current release: https://github.com./google/go-containerregistry/releases/tag/v0.20.3
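The missing asset named above, multiple.intoto.jsonl, is the SLSA provenance that slsa-verifier uses to match a release artifact by its subject digest before it looks up the Rekor entry. The following added example shows what that subject matching involves; it is not code from go-containerregistry or slsa-verifier, the artifact bytes and provenance are constructed inline, and it deliberately stops short of the DSSE signature and Rekor checks that the real verifier performs.

```python
"""Match a release artifact against the subjects in a SLSA provenance file
(multiple.intoto.jsonl: one DSSE envelope per line, whose payload is a base64
in-toto Statement listing the artifacts it covers).

Added example, not code from go-containerregistry or slsa-verifier. It checks
only that the artifact's sha256 appears as a subject; it does NOT verify the
envelope signature or the Rekor log entry, which slsa-verifier does."""
import base64
import hashlib
import json

# Constructed sample artifact (no real release data).
ARTIFACT_NAME = "go-containerregistry.tar.gz"
ARTIFACT_BYTES = b"constructed tarball contents, not a real release"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_sample_provenance(name, data):
    """Build a one-line multiple.intoto.jsonl holding an unsigned DSSE envelope
    whose payload is an in-toto Statement naming `name` as its subject.
    Constructed for illustration; a builder would sign the envelope."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(data)}}],
        "predicate": {"buildType": "constructed-example"},
    }
    envelope = {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        "signatures": [],  # a real envelope carries the builder's signature here
    }
    return json.dumps(envelope) + "\n"


def subjects_from_jsonl(jsonl_text):
    """Yield (name, sha256) for every subject in every in-toto envelope of the file."""
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != "application/vnd.in-toto+json":
            continue
        statement = json.loads(base64.b64decode(envelope["payload"]))
        for subj in statement.get("subject", []):
            yield subj.get("name"), subj.get("digest", {}).get("sha256")


def artifact_covered(jsonl_text, name, data):
    """True iff some subject carries both this name and the exact sha256 of `data`."""
    want = sha256_hex(data)
    return any(n == name and d == want for n, d in subjects_from_jsonl(jsonl_text))


if __name__ == "__main__":
    prov = make_sample_provenance(ARTIFACT_NAME, ARTIFACT_BYTES)
    print("covered:", artifact_covered(prov, ARTIFACT_NAME, ARTIFACT_BYTES))
    print("tampered:", artifact_covered(prov, ARTIFACT_NAME, ARTIFACT_BYTES + b"x"))
```

Without the provenance asset there is nothing for `subjects_from_jsonl` to read, which is the same situation the verifier reports as "no matching entries found"; with it present, a single flipped byte in the tarball breaks the digest match.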

@Vyom-Yadav

+1 Still a problem, no intoto provenance.
