This repository was archived by the owner on Jul 22, 2024. It is now read-only.

jarsigner: VerificationException: Could not find public key for provided keyId #151

@tsmock

Description

The jarsigner task uses https://www.googleapis.com/oauth2/v3/certs to get provider certificate information.

Version
sigstore:0.4.0:jarsign

Additional Information

Stacktrace
[INFO] --- sigstore:0.4.0:jarsign (sigstore-jarsign) @ josm ---
[INFO] generating keypair using EC with secp256r1 parameters
Please open the following address in your browser:
  https://oauth2.sigstore.dev/auth/auth?client_id=sigstore&code_challenge=<code_challenge>&code_challenge_method=S256&redirect_uri=http://localhost:53394/Callback&response_type=code&scope=openid%20email
Attempting to open that address in the default browser now...
Nov 09, 2023 7:03:38 AM com.google.api.client.auth.openidconnect.IdTokenVerifier verify
SEVERE: id token signature verification failed. Please see docs for IdTokenVerifier for default settings and configuration options
com.google.api.client.auth.openidconnect.IdTokenVerifier$VerificationException: Could not find public key for provided keyId: <keyId>
	at com.google.api.client.auth.openidconnect.IdTokenVerifier.verifySignature(IdTokenVerifier.java:306)
	at com.google.api.client.auth.openidconnect.IdTokenVerifier.verify(IdTokenVerifier.java:243)
	at dev.sigstore.plugin.JarSign.getIDToken(JarSign.java:346)
	at dev.sigstore.plugin.JarSign.execute(JarSign.java:207)
	at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:126)
	at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2(MojoExecutor.java:328)
	at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute(MojoExecutor.java:316)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:212)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:174)
	at org.apache.maven.lifecycle.internal.MojoExecutor.access$000(MojoExecutor.java:75)
	at org.apache.maven.lifecycle.internal.MojoExecutor$1.run(MojoExecutor.java:162)
	at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute(DefaultMojosExecutionStrategy.java:39)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:159)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:105)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:73)
	at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:53)
	at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:118)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:261)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:173)
	at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:101)
	at org.apache.maven.cli.MavenCli.execute(MavenCli.java:906)
	at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:283)
	at org.apache.maven.cli.MavenCli.main(MavenCli.java:206)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
	at java.base/java.lang.reflect.Method.invoke(Method.java:580)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:283)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:226)
	at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:407)
	at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:348)

Looking at the code, it looks like it is using the default certificates from https://www.googleapis.com/oauth2/v3/certs for verification. I assume this is wrong, and that the IdTokenVerifier should be initialized using a builder.
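
One way to build the verifier with a builder, as the report proposes (an added example, not code from this repository or from the reporter): the verifier is pinned to the token's issuer and reads signing keys from that issuer's JWKS endpoint instead of the Google default. The issuer URL, the `/keys` JWKS path, the `sigstore` audience (taken from `client_id` in the log above) and the class and method names are assumptions; confirm `jwks_uri` in the issuer's OpenID discovery document before relying on it.

```java
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import com.google.api.client.json.gson.GsonFactory;

import java.io.IOException;
import java.util.Collections;

/** Hypothetical helper: verifies an ID token against the provider that issued it. */
public final class SigstoreIdTokenCheck {
    // Assumed values for the public Sigstore OIDC provider (not stated in the issue).
    static final String ISSUER = "https://oauth2.sigstore.dev/auth";
    static final String JWKS_URL = ISSUER + "/keys";
    // client_id from the authorization URL in the log; assumed to be the token's "aud".
    static final String CLIENT_ID = "sigstore";

    /** Default verifier: looks up the key id in Google's certificate set, so it fails here. */
    static IdTokenVerifier defaultVerifier() {
        return new IdTokenVerifier();
    }

    /** Verifier bound to one issuer, one audience and that issuer's own key set. */
    static IdTokenVerifier issuerBoundVerifier() {
        return new IdTokenVerifier.Builder()
            .setCertificatesLocation(JWKS_URL)                  // where the "kid" is resolved
            .setIssuer(ISSUER)                                  // reject tokens from any other issuer
            .setAudience(Collections.singletonList(CLIENT_ID))  // reject tokens minted for other clients
            .build();
    }

    /** Parses the compact JWT and returns it only if signature, iss, aud and expiry all check out. */
    static IdToken parseAndVerify(String rawIdToken) throws IOException {
        IdToken token = IdToken.parse(GsonFactory.getDefaultInstance(), rawIdToken);
        if (!issuerBoundVerifier().verify(token)) {
            throw new IOException("ID token rejected: signature, issuer, audience or expiry check failed");
        }
        return token;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: SigstoreIdTokenCheck <raw-id-token>");
            System.exit(2);
        }
        IdToken token = parseAndVerify(args[0]);
        System.out.println("verified token for subject " + token.getPayload().getSubject());
    }
}
```

Setting the issuer and audience together with the key location matters: a verifier that only swaps the key URL would still accept any token that provider signs, including ones minted for a different client.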

Labels: bug (Something isn't working)
