Please upgrade aqua, aqua-installer, and aqua-registry to solve the issue regarding a new TUF trust root for Sigstore

[suzuki-shunsuke]

This is an important announcement for aqua users, so please read and follow it.

Recently, aqua faced a trouble regarding a new TUF trust root for Sigstore.
Some people would face errors when they use aqua and aqua-installer.
To solve the issue, please follow the guide.

What should you do?

• Upgrade aqua, aqua-installer, aqua-registry, and circleci-orb-aqua
  • Upgrade aqua-installer to v3.0.0 or later
    • ⚠️ To do that, you have to upgrade aqua to v2.25.1 or later
  • Upgrade aqua to v2.25.1 or later
    • ⚠️ To install some packages which depend on Cosign such as suzuki-shunsuke/tfcmt, you have to upgrade aqua-registry to v4.155.0 or later
  • Upgrade aqua-registry to v4.155.0 or later
    • ⚠️ To install some packages which depend on Cosign such as suzuki-shunsuke/tfcmt, you have to upgrade aqua to v2.25.1 or later
  • Upgrade circleci-orb-aqua to 0.4.0 or later
    • ⚠️ To do that, you have to upgrade aqua to v2.25.1 or later
  • Update update-checksum-workflow to v1.0.0 or later
• After upgrading aqua to v2.25.1 or later, unset environment variables AQUA_DISABLE_COSIGN and AQUA_DISABLE_SLSA if you want to re-enable the verification with Cosign and slsa-verifier

The checksum of aqua-installer v3.0.0.

8299de6c19a8ff6b2cc6ac69669cf9e12a96cece385658310aea4f4646a5496d  aqua-installer

Background

In this section, we described the background of the announcement, but you don't necessarily have to read this.
Please read this if you're interested in.

• Fail to install tools because of the error of Cosign #2759

aqua uses Cosign and slsa-verifier to verify some packages.

Sigstore has published a new TUF trust root at 2024-03-20.

• https://sigstore.slack.com/archives/C01DGF0G8U9/p1710871645742299
• https://blog.sigstore.dev/tuf-root-update/

This broke aqua because aqua uses Cosign v1 and the new TUF trust root doesn't support Cosign v1.
aqua caused the following error.

time="2024-03-20T07:35:36Z" level=info msg="Verification by Cosign failed temporarily, retring" aqua_version=2.25.0 env=linux/amd64 exe_name=aqua-registry package_name=aquaproj/registry-tool package_version=v0.2.3 program=aqua registry=standard retry_count=1 wait_time=459ms
Error: verifying blob [/tmp/091089404]: getting Fulcio roots: initializing tuf: unable to initialize client, local cache may be corrupt: invalid key
main.go:62: error during command execution: verifying blob [/tmp/091089404]: getting Fulcio roots: initializing tuf: unable to initialize client, local cache may be corrupt: invalid key

And if you use an old aqua, aqua would cause the following error because an old aqua uses an old slsa-verifier.

FAILED: SLSA verification failed: error retrieving Rekor public keys: updating local metadata and targets: error updating to TUF remote mirror: invalid key
remote status:{
	"mirror": "https://tuf-repo-cdn.sigstore.dev",
	"metadata": {
		"root.json": {
			"version": 9,
			"len": 6766,
			"expiration": "12 Sep 24 06:53 UTC",
			"error": ""
		},
		"snapshot.json": {
			"version": 132,
			"len": 2302,
			"expiration": "09 Apr 24 16:16 UTC",
			"error": ""
		},
		"targets.json": {
			"version": 9,
			"len": 5478,
			"expiration": "12 Sep 24 06:13 UTC",
			"error": ""
		},
		"timestamp.json": {
			"version": 169,
			"len": 723,
			"expiration": "26 Mar 24 16:16 UTC",
			"error": ""
		}
	}
}
time="2024-03-22T00:07:54Z" level=fatal msg="aqua failed" aqua_version=2.16.4 env=linux/arm64 error="download aqua: verify a package with slsa-verifier: verify with slsa-verifier" new_version=v2.17.0 program=aqua

aqua-installer ran aqua update-aqua command to install aqua but the command caused the above error.
This means aqua-installer also got broken.

Furthermore, we uses the reusable workflow slsa-github-generator to release aqua but the workflow also got broken due to the update of TUF trust root.
So we couldn't release a new version to resolve the issue until slsa-github-generator was fixed.

How did we handle the issue?

We did two actions.

1. Disable the verification by Cosign and slsa-verifier
2. Upgrade Cosign to v2

We had to upgrade Cosign to v2 to solve the issue completely, but we couldn't do that soon, so we decided to disable the verification by Cosign and slsa-verifier first.
We released aqua-installer v2.3.1 and v2.3.2 and suggested to disable Cosign and slsa-verifier using environment variables X (twitter.

Same with aqua-installer, we released circleci-orb-aqua 0.3.4 to disable Cosign and slsa-verifier.

Fortunately, slsa-github-generator v1.10.0 was released and the issue of slsa-github-generator was solved.

• [bug] "Generate builder" and "Run sigstore/cosign-installer" steps failing with error updating to TUF remote mirror: invalid key slsa-framework/slsa-github-generator#3350

So we upgraded Cosign used in aqua to v2.2.3 and release aqua v2.25.1.

• fix: upgrade Cosign to v2 #2757

Furthermore, we released aqua-installer v3.0.0 to upgrade the bootstrap version of aqua in aqua-installer to v2.25.1 and re-enable the verification with Cosign and slsa-verifier.
This release re-enabled the verification with Cosign and slsa-verifier, so you have to upgrade aqua to v2.25.1 or later.

Same with aqua-installer, we released circleci-orb-aqua 0.4.0 to upgrade the bootstrap version of aqua to v2.25.1 and re-enable the verification with Cosign and slsa-verifier.

Some packages in the Standard Registry use Cosign but Cosign v2 requires additional options compared with Cosign v1, so we had to update those packages to support Cosign v2.

• fix: upgrade Cosign to v2 aqua-registry#21122
• https://github.com/aquaproj/aqua-registry/releases/tag/v4.155.0