Not able to read keys from Jenkins slave workspace #35

Open
SaiJyothiGudibandi opened this issue Oct 21, 2022 · 4 comments
Labels
bug Something isn't working


@SaiJyothiGudibandi

Jenkins and plugins versions report

Environment
Jenkins: 2.263.4
OS: Linux - 3.10.0-862.14.4.el7.x86_64
---
ace-editor:1.1
analysis-model-api:10.5.4
ansicolor:1.0.0
ant:1.11
antisamy-markup-formatter:2.1
apache-httpcomponents-client-4-api:4.5.13-1.0
artifactory:3.13.0
authentication-tokens:1.4
basic-branch-build-strategies:1.3.2
bitbucket-approve:1.0.3
bitbucket-build-status-notifier:1.4.2
bitbucket-oauth:0.10
bitbucket-pullrequest-builder:1.5.0
bitbucket-push-and-pull-request:2.7.2
blackduck-detect:2.1.1
blueocean:1.24.8
blueocean-autofavorite:1.2.4
blueocean-bitbucket-pipeline:1.24.8
blueocean-commons:1.24.8
blueocean-config:1.24.8
blueocean-core-js:1.24.8
blueocean-dashboard:1.24.8
blueocean-display-url:2.4.1
blueocean-events:1.24.8
blueocean-git-pipeline:1.24.8
blueocean-github-pipeline:1.24.8
blueocean-i18n:1.24.8
blueocean-jira:1.24.8
blueocean-jwt:1.24.8
blueocean-personalization:1.24.8
blueocean-pipeline-api-impl:1.24.8
blueocean-pipeline-editor:1.24.8
blueocean-pipeline-scm-api:1.24.8
blueocean-rest:1.24.8
blueocean-rest-impl:1.24.8
blueocean-web:1.24.8
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.1-1
bouncycastle-api:2.23
branch-api:2.6.2
build-name-setter:2.1.0
build-timeout:1.20
caffeine-api:2.9.2-29.v717aac953ff3
checks-api:1.7.2
cloudbees-bitbucket-branch-source:2.9.10
cloudbees-folder:6.16
clover:4.12.1
cobertura:1.16
code-coverage-api:1.4.0
command-launcher:1.6
config-file-provider:3.8.0
credentials:2.6.1
credentials-binding:1.27
cvs:2.19
dashboard-view:2.16
data-tables-api:1.11.3-1
description-setter:1.10
display-url-api:2.3.5
docker-build-step:2.8
docker-commons:1.17
docker-java-api:3.1.5.2
docker-plugin:1.2.3
docker-workflow:1.26
dtkit-api:3.0.0
durable-task:1.37
echarts-api:5.2.1-2
email-ext:2.83
embeddable-build-status:2.0.3
envinject:2.3.0
envinject-api:1.7
extended-choice-parameter:0.82
extensible-choice-parameter:1.8.0
external-monitor-job:1.7
favorite:2.3.2
folder-auth:1.3
folder-properties:1.2.1
font-awesome-api:5.15.4-1
forensics-api:1.3.0
gcp-secrets-manager-credentials-provider:0.2.6
generic-webhook-trigger:1.75
ghprb:1.42.2
git:4.8.2
git-client:3.9.0
git-server:1.9
github:1.34.0
github-api:1.123
github-branch-source:2.9.9
github-checks:1.0.13
github-oauth:0.33
github-organization-folder:1.6
github-pr-coverage-status:2.1.1
github-pullrequest:0.3.0
global-build-stats:1.5
google-chat-notification:1.4
google-compute-engine:4.3.11
google-hangouts-chat-notifier:1.0
google-kubernetes-engine:0.8.6
google-metadata-plugin:0.3.1
google-oauth-plugin:1.0.6
google-storage-plugin:1.5.4
gradle:1.37.1
greenballs:1.15.1
h2-api:1.4.199
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-1.0
hashicorp-vault-plugin:3.8.0
htmlpublisher:1.25
http_request:1.10
icon-shim:2.0.3
in-toto:0.3.1
ivy:2.1
jackson2-api:2.12.4
jacoco:3.2.0
javadoc:1.6
jaxb:2.3.0.1
jdk-tool:1.5
jenkins-design-language:1.24.8
jenkins-jira-issue-updater:1.18
jira:3.3
jira-steps:1.6.0
jjwt-api:0.11.2-9.c8b45b8bb173
job-dsl:1.77
job-import-plugin:3.4
jobConfigHistory:2.28.1
jobrevision:0.6
join:1.21
jquery:1.12.4-1
jquery-detached:1.2.1
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.52
kubernetes:1.30.1
kubernetes-client-api:5.4.1
kubernetes-credentials:0.9.0
ldap:1.26
lockable-resources:2.11
locks-and-latches:0.6
log-parser:2.1
mailer:1.34
mapdb-api:1.0.9.0
matrix-auth:2.6.8
matrix-project:1.18
maven-plugin:3.8
mercurial:2.15
metrics:4.0.2.8
momentjs:1.1.1
monitoring:1.88.0
multibranch-build-strategy-extension:1.0.10
multibranch-scan-webhook-trigger:1.0.9
multiple-scms:0.6
nodejs:1.4.0
oauth-credentials:0.4
okhttp-api:3.14.9
pam-auth:1.6
percentage-du-node-column:0.1.0
pipeline-build-step:2.15
pipeline-github:2.7
pipeline-github-lib:1.0
pipeline-githubnotify-step:1.0.5
pipeline-graph-analysis:1.11
pipeline-input-step:2.12
pipeline-maven:3.10.0
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.1
pipeline-model-declarative-agent:1.1.1
pipeline-model-definition:1.9.1
pipeline-model-extensions:1.9.1
pipeline-rest-api:2.19
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.9.1
pipeline-stage-view:2.19
pipeline-utility-steps:2.8.0
plain-credentials:1.7
plugin-util-api:2.5.0
popper-api:1.16.1-2
popper2-api:2.10.2-1
postbuild-task:1.9
pubsub-light:1.13
python:1.3
qualys-cs:1.6.2.5
resource-disposer:0.16
role-strategy:3.2.0
run-condition:1.5
scm-api:2.6.5
scm-filter-branch-pr:0.5.1
script-security:1.78
shared-objects:0.44
simple-build-for-pipeline:0.2
slack:2.48
snakeyaml-api:1.29.1
sonar:2.13.1
sonarqube-generic-coverage:1.0
sse-gateway:1.24
ssh-agent:1.22
ssh-credentials:1.18.1
ssh-slaves:1.31.5
stashNotifier:1.20
structs:1.23
subversion:2.14.4
synopsys-coverity:2.4.1
timestamper:1.13
token-macro:2.13
trilead-api:1.0.13
variant:1.4
violation-comments-to-stash:1.127
violations:0.7.11
warnings-ng:9.5.2
webhook-step:1.4
windows-slaves:1.8
workflow-aggregator:2.6
workflow-api:2.46
workflow-basic-steps:2.24
workflow-cps:2.93
workflow-cps-global-lib:2.19
workflow-durable-task-step:2.39
workflow-job:2.41
workflow-multibranch:2.24
workflow-scm-step:2.13
workflow-step-api:2.24
workflow-support:3.8
ws-cleanup:0.39
xml-job-to-job-dsl:0.1.13
xunit:2.3.9

What Operating System are you using (both controller, and any agents involved in the problem)?

NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

Reproduction steps

  1. Using a slave to run the pipeline.
  2. In one of the steps I am using the code below:
    def keyPathTest = "${WORKSPACE}/resources/keys/cosign"
    sh("chmod 777 ${WORKSPACE}/resources/keys/cosign")
    sh("cat ${WORKSPACE}/resources/keys/cosign")
    in_toto_wrap(['stepName': 'Test', 'keyPath': keyPathTest, 'transport': '']) {
        echo "## At parallel 3"
        sh("ls -al")
    }
  3. The problem is, I am able to see the cosign key and able to print it, but I am getting a "This signing keypath (/tmp/workspace/helm-helloworld_feature-rekor-sg/resources/keys/cosign) does not exist!" error.
  4. I tried using a Jenkins credential; same problem with that also.

Note: When I run this code on master directly, it's able to find the provided key path.

Expected Results

The key should be found in the slave workspace, and the step should proceed to the next step of creating the link metadata.

Actual Results

ERROR: Key path or credentialId not found.

Anything else?

No response

@SaiJyothiGudibandi SaiJyothiGudibandi added the bug Something isn't working label Oct 21, 2022
@SaiJyothiGudibandi
Author

@lakshya8066 Can you please look into this.

@adityasaky
Collaborator

adityasaky commented Nov 7, 2022

Hi @SaiJyothiGudibandi, thanks for opening this issue. Are you running into this error specifically? https://github.com/jenkinsci/in-toto-plugin/blob/master/src/main/java/io/jenkins/plugins/intotorecorder/InTotoWrapper.java#L434-L435

I want to confirm it's indeed that and not a key type mismatch. Can you share the stack trace?

@SaiJyothiGudibandi
Author

@adityasaky Thanks for the response.

I am running the pipeline on a slave.
I tried with both the key path and a credential (secret file type).

For the key path I am getting the error below.

    + pwd
    /tmp/tools/gcp-jenkins/workspace/test-sg/gtso-cicd-helm-helloworld
    [Pipeline] sh
    + ls -al resources/keys/
    total 4
    drwxr-xr-x 2 root root 20 Nov 7 21:23 .
    drwxr-xr-x 3 root root 323 Nov 7 21:23 ..
    -rw-r--r-- 1 root root 2459 Nov 7 21:23 cosign
    [Pipeline] wrap
    [in-toto] wrapping step
    [in-toto] using step name: Test
    [in-toto] transport:
    [in-toto] CredentialId not found, but the keyPath is resources/keys/cosign
    [in-toto] Dumping metadata...
    [Pipeline] {
    [Pipeline] sh
    + echo testing
    testing
    [Pipeline] }
    [Pipeline] // wrap
    [Pipeline] }
    [Pipeline] // dir
    [Pipeline] }
    [Pipeline] // withCredentials
    [Pipeline] }
    [Pipeline] // script
    [Pipeline] }
    [Pipeline] // stage
    [Pipeline] }
    [Pipeline] // node
    [Pipeline] End of Pipeline
    java.lang.RuntimeException: This signing keypath (resources/keys/cosign) does not exist!
    at io.jenkins.plugins.intotorecorder.InTotoWrapper$PostWrap.loadKey(InTotoWrapper.java:434)
    at io.jenkins.plugins.intotorecorder.InTotoWrapper$PostWrap.tearDown(InTotoWrapper.java:389)
    at org.jenkinsci.plugins.workflow.steps.CoreWrapperStep$Callback.finished(CoreWrapperStep.java:192)
    at org.jenkinsci.plugins.workflow.steps.CoreWrapperStep$Execution2$Callback2.finished(CoreWrapperStep.java:146)
    at org.jenkinsci.plugins.workflow.steps.GeneralNonBlockingStepExecution$TailCall.lambda$onSuccess$0(GeneralNonBlockingStepExecution.java:140)
    at org.jenkinsci.plugins.workflow.steps.GeneralNonBlockingStepExecution.lambda$run$0(GeneralNonBlockingStepExecution.java:77)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)
    Finished: FAILURE

@adityasaky
Collaborator

Hmm, as an initial step, can you try passing in the absolute path to the key?
