Hello,
it happens quite often to me when using Sigstore-related tooling to get TUF failures like:
# sigstore sign <file>
[10:47:50] ERROR Failed to refresh TUF metadata. errors.py:42
Please check any Sigstore instance related arguments and consider reporting the issue at <https://github.com/sigstore/sigstore-python/issues/new>.
# model_signing sign <file>
Signing failed with error: Failed to refresh TUF metadata
The reason is that the TUF repository is blocking access from my IP:
# curl https://tuf-repo-cdn.sigstore.dev
<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>403 Forbidden</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Forbidden</h1>
<h2>Your client does not have permission to get URL <code>/</code> from this server.</h2>
<h2></h2>
</body></html>
I'm using a freshly spawned Hetzner VPS, but it also happened from home using a VPN a bunch of times, and on other servers.
I'm hitting the endpoint at 34.117.62.14 from ip 46.62.151.237.
I can work around it by passing the trusted_root manually, but I wonder how many automated jobs or CI pipelines risk failing due to this? I do understand DoS and bot mitigation requirements, but at the same time the CDN is to be consumed by machines.
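A pre-flight check for CI jobs that run into this, added here as an illustration; it is not code from the issue, from sigstore-python or from model_signing. It probes the TUF CDN the way the tooling would, distinguishes a 403 from the CDN (IP or bot blocking, as in the report) from a plain network failure, and maps the outcome to the command a job should run, falling back to a pinned trusted root when the refresh cannot succeed. The CDN URL is the one from the issue; the `/root.json` probe path, the `--trusted-root` flag on `sigstore sign` and the `trusted_root.json` file name are assumptions, and the local stub server is a constructed stand-in for the CDN so the script runs offline.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TUF_CDN = "https://tuf-repo-cdn.sigstore.dev"  # URL quoted in the issue
PROBE_PATH = "/root.json"  # assumed location of the TUF root metadata


def probe_tuf_cdn(base_url=TUF_CDN, path=PROBE_PATH, timeout=5.0):
    """Fetch TUF metadata and classify the result.

    Returns 'ok', 'forbidden' (HTTP 403, i.e. the CDN refuses this egress IP),
    'http_error' (any other non-2xx status) or 'unreachable' (DNS/TCP/TLS failure).
    """
    req = urllib.request.Request(
        base_url + path, headers={"User-Agent": "tuf-preflight/0 (assumed)"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "ok" if 200 <= resp.status < 300 else "http_error"
    except urllib.error.HTTPError as exc:  # must precede URLError (subclass)
        return "forbidden" if exc.code == 403 else "http_error"
    except (urllib.error.URLError, OSError):
        return "unreachable"


def plan_signing_command(status, target, trusted_root="trusted_root.json"):
    """Choose the sigstore invocation for a CI job given the probe outcome.

    When the CDN answers 403 the TUF refresh inside the client will fail, so a
    pinned trusted root is passed instead of relying on the refresh. The
    --trusted-root flag and the file name are assumptions of this example.
    """
    if status == "ok":
        return ["sigstore", "sign", target]
    # forbidden / http_error / unreachable: do not depend on the CDN at all
    return ["sigstore", "sign", "--trusted-root", trusted_root, target]


class _StubCdnHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the CDN; `status` is set per server instance."""

    status = 403

    def do_GET(self):
        if self.status == 403:
            # Mimics the Forbidden page shown in the issue (constructed text).
            body = b"<html><body><h1>Error: Forbidden</h1></body></html>"
        else:
            body = b'{"signed": {"_type": "root"}, "signatures": []}'
        self.send_response(self.status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_stub_cdn(status=403):
    """Start a local stub CDN on an ephemeral port; returns (server, base_url)."""
    handler = type("Handler", (_StubCdnHandler,), {"status": status})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    srv, url = start_stub_cdn(403)
    try:
        status = probe_tuf_cdn(url)
        print("probe:", status)
        print("run:", " ".join(plan_signing_command(status, "model.bin")))
    finally:
        srv.shutdown()
```

In a real pipeline the probe would target `TUF_CDN` itself and the pinned `trusted_root.json` would be fetched once from a host the CDN does accept and committed or cached alongside the job; rotating that pinned file is then the job owner's responsibility, since it no longer follows the TUF repository automatically.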