Scorecard: error signing scorecard results #1362

Open
NithyaThiraviaRaj opened this issue Apr 12, 2024 · 10 comments
Comments


NithyaThiraviaRaj commented Apr 12, 2024

I tried to integrate OpenSSF Scorecard into my organisation's private repository, but I am getting a signing error.

Steps to replicate the issue:

  1. Created a new GitHub Action, the same as https://github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml
  2. Added GH_HOST = <myOrgRepo> as an environment variable

Now, while running the GitHub Action, I'm getting the following error:

error signing scorecard json results: error signing payload: getting key from Fulcio: retrieving cert:
POST https://fulcio.sigstore.dev/api/v1/signingCert returned 400 Bad Request: "{"code":3, "message":"There was an error processing the identity token", "details":[]}"

ossf/scorecard-action - v2.3.1

@spencerschrock (Contributor)

GH_HOST is for self-hosted GitHub Enterprise Servers. You shouldn't need it for private repos hosted on github.com.
I'm not sure if that's the specific problem here, but it may help to remove it.

You should be able to see the JSON output from scorecard in the details, does it look like Scorecard ran successfully?

@NithyaThiraviaRaj (Author)

@spencerschrock Sorry, my bad. Yes, it is an Enterprise Server, so I need GH_HOST (without it, Scorecard was pointing to github.com rather than our org URL).
Yes, it looks like Scorecard ran successfully, but at the end I'm getting the error below:

Using payload from: results.json
Generating ephemeral keys...
Retrieving signed certificate...
2024/04/12 13:46:54 error signing scorecard results: getting key from Fulcio: retrieving cert: POST https://fulcio.sigstore.dev/api/v1/signingCert returned 400 Bad Request: "{"code":3, "message":"There was an error processing the identity token", "details":[]}"
2024/04/12 13:46:54 retrying in 1s...
Using payload from: results.json
Generating ephemeral keys...
Retrieving signed certificate...
2024/04/12 13:46:55 error signing scorecard results: getting key from Fulcio: retrieving cert: POST https://fulcio.sigstore.dev/api/v1/signingCert returned 400 Bad Request: "{"code":3, "message":"There was an error processing the identity token", "details":[]}"
2024/04/12 13:46:55 retrying in 3s...
Using payload from: results.json
Generating ephemeral keys...
Retrieving signed certificate...
2024/04/12 13:46:58 error signing scorecard results: getting key from Fulcio: retrieving cert: POST https://fulcio.sigstore.dev/api/v1/signingCert returned 400 Bad Request: "{"code":3, "message":"There was an error processing the identity token", "details":[]}"
2024/04/12 13:46:58 retrying in 10s...
2024/04/12 13:47:08 error signing scorecard json results: error signing payload: getting key from Fulcio: retrieving cert: POST https://fulcio.sigstore.dev/api/v1/signingCert returned 400 Bad Request: "{"code":3, "message":"There was an error processing the identity token", "details":[]}"

@spencerschrock (Contributor)

I don't think Fulcio supports enterprise servers. sigstore/fulcio#1022 (comment)

You can always set publish_results: false so the action succeeds, but you won't be able to publish scores to our API.

@NithyaThiraviaRaj (Author)

@spencerschrock, thanks for your input.
My GitHub Action is successful if I set publish_results: false.

When you say I can't publish the score, what does that actually mean? Am I not allowed to upload an artifact or upload to code scanning?
Could you please tell me how I could view my score?

spencerschrock (Contributor) commented Apr 15, 2024

Sorry for any confusion. You can still upload the results as an artifact or to the code scanning dashboard.

publish_results is our configuration flag which would send the results to our API for everyone to see at api.scorecard.dev, which is the only part that is unavailable to you with an enterprise server.

@NithyaThiraviaRaj (Author)

When I try to upload an artifact with

```yaml
- name: "Upload artifact"
  uses: actions/upload-artifact@5d5d22a # v4.3.1
  with:
    name: SARIF file
    path: results.sarif
    retention-days: 5
```

I'm getting the error below:

Error: @actions/artifact v2.0.0+, upload-artifact@v4+ and download-artifact@v4+ are not currently supported on GHES.

Any alternative?

@spencerschrock (Contributor)

Can you try an older version of upload-artifact? Such as:

```yaml
uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
```

For reference, there was some discussion here about it.

@NithyaThiraviaRaj (Author)

@spencerschrock, thanks a lot for your input; I was able to upload the artifact successfully using upload-artifact.

Next, when I tried to upload it to Code Scanning, I got an error saying:
Error: An action could not be found at the URI 'https:///api/v3/repos/github-org/codeql-action/tarball/4355270be187e1b672a7a1c7c7bae5afdc1ab94a'

Please note: I couldn't see the Code scanning option under the Security tab in GitHub. I created a Stack Overflow question for the same (https://stackoverflow.com/questions/78308703/github-code-scanning-section-not-available-under-security-tab-code-security). Is it because it is disabled by the organisation's Enterprise owners, or is it not available for GHES?

I believe that could be the reason why I'm encountering an error when attempting to upload to code scanning.

This is what I tried:

```yaml
# Upload the results to GitHub's code scanning dashboard (optional).
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: "Upload to code-scanning"
  uses: github/codeql-action@4355270 # v3.24.10
  with:
    sarif_file: results.sarif
```

@NithyaThiraviaRaj (Author)

@spencerschrock, is code scanning not available for GHES, or does it need an additional subscription?

@spencerschrock (Contributor)

I'm not 100% certain, as I've only used the GitHub-hosted version. GitHub's documentation seems to say it's supported with an additional subscription / $$$:

GitHub Advanced Security is available for enterprise accounts on GitHub Enterprise Cloud and GitHub Enterprise Server
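Pulling the thread's conclusions together, the workflow below is an example assembled for this page; it is not the scorecard-action project's own template and not code posted by either participant. It keeps the two pins the thread established (upload-artifact v3.pre.node20 and the codeql-action commit that appears in the reported error URL), disables publish_results because public Fulcio does not accept a GHES identity token, and adds an optional diagnostic step that prints the issuer of the runner's OIDC token so you can see why Fulcio rejects it. Assumptions: github.example.com is a placeholder for your GHES hostname in GH_HOST; the tags used for actions/checkout and ossf/scorecard-action stand in for commit SHAs you should pin yourself; the diagnostic step needs curl and jq on the runner and requests audience=sigstore, the audience Sigstore clients ask for; the upload step uses the upload-sarif sub-action as the upstream scorecard-analysis.yml does.

```yaml
name: Scorecard supply-chain security (GHES variant)

on:
  schedule:
    - cron: '30 1 * * 6'
  push:
    branches: [ main ]

permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # required to upload SARIF to code scanning
      id-token: write          # only needed by the optional diagnostic step below
    steps:
      - name: "Checkout code"
        uses: actions/checkout@v4   # placeholder tag; pin to a commit SHA in production
        with:
          persist-credentials: false

      - name: "Inspect the OIDC token issuer (optional diagnostic)"
        # github.com issues Actions tokens from https://token.actions.githubusercontent.com,
        # which is the issuer public Fulcio trusts. A GHES instance issues tokens from its
        # own URL, so Fulcio answers 400 "error processing the identity token".
        # Assumes curl and jq are present on the runner.
        run: |
          set -euo pipefail
          # ACTIONS_ID_TOKEN_REQUEST_URL already carries a query string, hence '&audience='
          jwt=$(curl -sSf -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
                "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=sigstore" | jq -r '.value')
          payload=$(printf '%s' "$jwt" | cut -d. -f2 | tr '_-' '/+')
          # base64url payloads are unpadded; pad to a multiple of 4 before decoding
          while [ $(( ${#payload} % 4 )) -ne 0 ]; do payload="${payload}="; done
          printf '%s' "$payload" | base64 -d | jq '{iss, aud, sub}'

      - name: "Run analysis"
        uses: ossf/scorecard-action@v2.3.1   # version from the issue; pin to its commit SHA in production
        with:
          results_file: results.sarif
          results_format: sarif
          # api.scorecard.dev publishing needs a Fulcio-signed result, which GHES tokens cannot obtain
          publish_results: false
        env:
          GH_HOST: github.example.com   # placeholder GHES hostname (assumption)

      - name: "Upload artifact"
        # upload-artifact v4+ needs the newer artifact service that GHES does not provide
        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      - name: "Upload to code-scanning"
        # Only works when GitHub Advanced Security is licensed and enabled on the GHES instance
        uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
        with:
          sarif_file: results.sarif
```

Run it once with the diagnostic step enabled: if the printed iss is not https://token.actions.githubusercontent.com, the Fulcio 400 in this thread is expected and publish_results must stay false. Once confirmed, drop the diagnostic step and the id-token: write grant so the job holds no permission it does not use.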
