Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Failed to install rekor-cli latest version (1.3.2), broken dependencies #1771

Closed
Laiot opened this issue Oct 16, 2023 · 4 comments
Closed

Failed to install rekor-cli latest version (1.3.2), broken dependencies #1771

Laiot opened this issue Oct 16, 2023 · 4 comments
Labels
bug Something isn't working

Comments

@Laiot
Copy link

Laiot commented Oct 16, 2023

Description
Hello there, I've tried to install rekor v1.3.2 following the documentation, running:
go install -v github.com/sigstore/rekor/cmd/rekor-cli@latest

But I get the following errors:

go/pkg/mod/github.com/letsencrypt/boulder@v0.0.0-20221109233200-85aa52084eaf/core/objects.go:15:2: unrecognized import path "gopkg.in/square/go-jose.v2": reading https://gopkg.in/square/go-jose.v2?go-get=1: 502 Bad Gateway
	server response: Cannot obtain refs from GitHub: cannot talk to GitHub: Get https://github.com/square/go-jose.git/info/refs?service=git-upload-pack: write tcp 10.131.9.20:52252->140.82.121.4:443: write: broken pipe
go/pkg/mod/github.com/sigstore/rekor@v1.3.2/pkg/types/cose/v0.0.1/entry.go:37:2: reading github.com/veraison/go-cose/go.mod at revision v1.2.0: unknown revision v1.2.0

I've noticed that project go-jose has moved from square/go-jose to go-jose/go-jose.
I've also noticed that project go-cose latest version is v1.1.0
Trying to install rekor v1.3.1 works correctly.

Version
1.3.2
@Laiot Laiot added the bug Something isn't working label Oct 16, 2023
@haydentherapper
Copy link
Contributor

Hey, I'm not able to replicate this, so I believe this was a one-off failure. Please try to install again.

Thanks for pointing out the deprecated package.

@haydentherapper
Copy link
Contributor

It looks like the square package is pulled in through a dependency, so we aren't directly using it.

@lrascao
Copy link

lrascao commented Mar 6, 2024

also seeing this issue, rekor is directly importing go-cose 1.2.0 which has been retracted
veraison/go-cose#152

haydentherapper added a commit to haydentherapper/rekor that referenced this issue Mar 6, 2024
@haydentherapper
Bump go-cose to non-retracted version
fe601ef 
Ref: sigstore#1771

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
@haydentherapper haydentherapper mentioned this issue Mar 6, 2024
Merged
@haydentherapper
Copy link
Contributor

Thanks @lrascao, created #2030

haydentherapper added a commit that referenced this issue Mar 6, 2024
@haydentherapper
Bump go-cose to non-retracted version (#2030)
8e8efe8 
Ref: #1771

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@lrascao @haydentherapper @Laiot