Started by user Mikaël Barbero
Running as Mikaël Barbero
[Pipeline] Start of Pipeline
[Pipeline] node
Still waiting to schedule task
‘basic-bgrml’ is offline
‘fmlw3-ubuntu1804’ is reserved for jobs with matching label expression
Agent basic-bgrml is provisioned from template basic
---
apiVersion: "v1"
kind: "Pod"
metadata:
  labels:
    jenkins: "slave"
    jenkins/label-digest: "61a7508ed1b04e9ada836fcd14d4d8ef5687c7dd"
    jenkins/label: "basic"
  name: "basic-bgrml"
  namespace: "cbi"
spec:
  containers:
  - env:
    - name: "JENKINS_SECRET"
      value: "********"
    - name: "JENKINS_TUNNEL"
      value: "jenkins-discovery.cbi.svc.cluster.local:50000"
    - name: "JENKINS_AGENT_NAME"
      value: "basic-bgrml"
    - name: "JENKINS_REMOTING_JAVA_OPTS"
      value: "-showversion -XshowSettings:vm -Xmx256m -Dorg.jenkinsci.remoting.engine.JnlpProtocol3.disabled=true\
        \ -Dorg.jenkinsci.plugins.gitclient.CliGitAPIImpl.useSETSID=true"
    - name: "JAVA_TOOL_OPTIONS"
      value: ""
    - name: "_JAVA_OPTIONS"
      value: ""
    - name: "OPENJ9_JAVA_OPTIONS"
      value: "-XX:+IgnoreUnrecognizedVMOptions -XX:+IdleTuningCompactOnIdle -XX:+IdleTuningGcOnIdle"
    - name: "JENKINS_NAME"
      value: "basic-bgrml"
    - name: "JENKINS_AGENT_WORKDIR"
      value: "/home/jenkins/agent"
    - name: "JENKINS_URL"
      value: "http://jenkins-ui.cbi.svc.cluster.local/cbi/"
    image: "docker.io/eclipsecbi/jiro-agent-basic:remoting-3160.vd76b_9ddd10cc"
    imagePullPolicy: "Always"
    name: "jnlp"
    resources:
      limits:
        cpu: "2000m"
        memory: "4096Mi"
      requests:
        cpu: "1000m"
        memory: "4096Mi"
    tty: true
    volumeMounts:
    - mountPath: "/home/jenkins/.gradle/daemon"
      name: "volume-6"
      readOnly: false
    - mountPath: "/home/jenkins/.gradle/caches"
      name: "volume-5"
      readOnly: false
    - mountPath: "/home/jenkins/.mavenrc"
      name: "m2-dir"
      readOnly: true
      subPath: ".mavenrc"
    - mountPath: "/home/jenkins/.m2/repository"
      name: "volume-3"
      readOnly: false
    - mountPath: "/home/jenkins/.m2/settings-security.xml"
      name: "m2-secret-dir"
      readOnly: true
      subPath: "settings-security.xml"
    - mountPath: "/home/jenkins/.gradle/gradle.properties"
      name: "gradle-secret-dir"
      readOnly: true
      subPath: "gradle.properties"
    - mountPath: "/home/jenkins/.gradle/workers"
      name: "volume-8"
      readOnly: false
    - mountPath: "/home/jenkins/.m2/toolchains.xml"
      name: "m2-dir"
      readOnly: true
      subPath: "toolchains.xml"
    - mountPath: "/opt/tools"
      name: "volume-0"
      readOnly: false
    - mountPath: "/home/jenkins"
      name: "volume-2"
      readOnly: false
    - mountPath: "/home/jenkins/.gradle/native"
      name: "volume-7"
      readOnly: false
    - mountPath: "/home/jenkins/.m2/wrapper"
      name: "volume-4"
      readOnly: false
    - mountPath: "/home/jenkins/.m2/settings.xml"
      name: "m2-secret-dir"
      readOnly: true
      subPath: "settings.xml"
    - mountPath: "/home/jenkins/.ssh"
      name: "volume-1"
      readOnly: false
      subPath: ""
    - mountPath: "/home/jenkins/.gradle/wrapper"
      name: "volume-9"
      readOnly: false
    - mountPath: "/home/jenkins/agent"
      name: "workspace-volume"
      readOnly: false
    workingDir: "/home/jenkins/agent"
  nodeSelector:
    kubernetes.io/os: "linux"
  restartPolicy: "Never"
  volumes:
  - name: "m2-secret-dir"
    secret:
      secretName: "m2-secret-dir"
  - emptyDir:
      medium: ""
    name: "volume-8"
  - emptyDir:
      medium: ""
    name: "volume-7"
  - emptyDir:
      medium: ""
    name: "volume-9"
  - emptyDir:
      medium: ""
    name: "workspace-volume"
  - emptyDir:
      medium: ""
    name: "volume-4"
  - emptyDir:
      medium: ""
    name: "volume-3"
  - emptyDir:
      medium: ""
    name: "volume-6"
  - emptyDir:
      medium: ""
    name: "volume-5"
  - name: "volume-0"
    persistentVolumeClaim:
      claimName: "tools-claim-jiro-cbi"
      readOnly: true
  - emptyDir:
      medium: ""
    name: "volume-2"
  - configMap:
      name: "m2-dir"
    name: "m2-dir"
  - configMap:
      name: "known-hosts"
    name: "volume-1"
  - name: "gradle-secret-dir"
    secret:
      secretName: "gradle-secret-dir"

Running on basic-bgrml in /home/jenkins/agent/workspace/sigstore-demo/demo-blog-sign-verify
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Prepare)
[Pipeline] sh
+ echo 'Hello World'
+ curl -sSL -o cosign https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
+ chmod u+x cosign
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Sign)
[Pipeline] withCredentials
Masking supported pattern matches of $_BOT__PASSWORD
[Pipeline] {
[Pipeline] sh
++ mktemp
+ IDP_DATA=/tmp/tmp.CTTfkZT2X1
++ mktemp
+ OID_TOKEN=/tmp/tmp.YLaeHTqqBZ
+ chmod 600 /tmp/tmp.CTTfkZT2X1 /tmp/tmp.YLaeHTqqBZ
+ trap 'rm -vf "${IDP_DATA}" "${OID_TOKEN}"' EXIT
+ cat
+ curl -sSL -X POST --url https://auth.eclipse.org/auth/realms/sigstore/protocol/openid-connect/token --header 'Content-Type: application/x-www-form-urlencoded' --data @/tmp/tmp.CTTfkZT2X1
+ jq -r .access_token
+ head -c -1
+ ./cosign sign-blob README -y --bundle README.bundle --oidc-issuer=https://auth.eclipse.org/auth/realms/sigstore --identity-token=/tmp/tmp.YLaeHTqqBZ
Using payload from: README
Generating ephemeral keys...
Retrieving signed certificate...
Successfully verified SCT...

	The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
	Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
	This may include the email address associated with the account with which you authenticate your contractual Agreement.
	This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
using ephemeral certificate:
tlog entry created with index: 59910298
Wrote bundle to file README.bundle
MEUCIQDB3soq4qrr557hmSBfGFofV4zoP7LolWHOFv+nuzNNCgIgP1wAZGF9XXJ+cS6Z57IIsaUzfge4knS12aSKkYM7e1k=
+ rm -vf /tmp/tmp.CTTfkZT2X1 /tmp/tmp.YLaeHTqqBZ
removed '/tmp/tmp.CTTfkZT2X1'
removed '/tmp/tmp.YLaeHTqqBZ'
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] sh
+ ./cosign verify-blob README --bundle README.bundle --certificate-oidc-issuer=https://auth.eclipse.org/auth/realms/sigstore --certificate-identity=cbi-dev@eclipse.org
Verified OK
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS