WARNING: Fetching initial root from URL without providing its checksum is deprecated and will be disallowed in a future Cosign release. Please provide the initial root checksum via the --root-checksum argument.
Root status: 
 {
	"local": "/tekton/home/.sigstore/root",
	"remote": "http://tuf.tsf-tas.svc.cluster.local",
	"metadata": {
		"root.json": {
			"version": 1,
			"len": 4128,
			"expiration": "21 Apr 27 23:50 UTC",
			"error": ""
		},
		"snapshot.json": {
			"version": 1,
			"len": 994,
			"expiration": "21 Apr 27 23:50 UTC",
			"error": ""
		},
		"targets.json": {
			"version": 1,
			"len": 2071,
			"expiration": "21 Apr 27 23:50 UTC",
			"error": ""
		},
		"timestamp.json": {
			"version": 1,
			"len": 995,
			"expiration": "21 Apr 27 23:50 UTC",
			"error": ""
		}
	},
	"targets": [
		"rekor.pub",
		"fulcio_v1.crt.pem",
		"trusted_root.json",
		"ctfe.pub"
	]
}
+ SNAPSHOT_PATH=/var/workdir/release/7731cc58-d65d-4fc6-a106-569ab7733f6d/snapshot_spec.json
++ jq '.components |length' /var/workdir/release/7731cc58-d65d-4fc6-a106-569ab7733f6d/snapshot_spec.json
+ COMPONENTS_LENGTH=1
+ source memory-throttle.sh
+ log_memory_throttle_status 80
Memory throttle: enabled with 80% threshold, current usage: 7Mi/2Gi (0%)
+ RUNNING_JOBS='\j'
+ BURST_SIZE=5
+ STABILIZATION_DELAY=2
+ to_sign=()
+ declare -a to_sign
+ (( COMPONENTS_INDEX=0 ))
+ (( COMPONENTS_INDEX<COMPONENTS_LENGTH ))
++ jq -r '.components[0].name' /var/workdir/release/7731cc58-d65d-4fc6-a106-569ab7733f6d/snapshot_spec.json
+ COMPONENT_NAME=tsf-demo-comp
Processing component tsf-demo-comp
+ echo 'Processing component tsf-demo-comp'
++ jq -c '.components[0]' /var/workdir/release/7731cc58-d65d-4fc6-a106-569ab7733f6d/snapshot_spec.json
+ COMPONENT='{"containerImage":"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33","name":"tsf-demo-comp","source":{"git":{"revision":"26921b1a57fa8893530850a12dc857ca56019b8d","url":"https://github.com/rhads-tsf-qe/testrepo"}},"version":"","repository":"quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp","metadata":{"env_variables":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","container=oci"],"labels":[{"name":"architecture","value":"x86_64"},{"name":"build-date","value":"2026-04-23T00:05:44Z"},{"name":"com.redhat.component","value":"ubi8-container"},{"name":"com.redhat.license_terms","value":"https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI"},{"name":"cpe","value":"cpe:/a:redhat:enterprise_linux:8::appstream"},{"name":"description","value":"The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly."},{"name":"distribution-scope","value":"public"},{"name":"io.buildah.version","value":"1.42.2"},{"name":"io.k8s.description","value":"The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly."},{"name":"io.k8s.display-name","value":"Red Hat Universal Base Image 8"},{"name":"io.openshift.expose-services","value":""},{"name":"io.openshift.tags","value":"base rhel8"},{"name":"maintainer","value":"Red Hat, Inc."},{"name":"name","value":"ubi8/ubi"},{"name":"org.opencontainers.image.created","value":"2026-04-23T00:05:44Z"},{"name":"org.opencontainers.image.revision","value":"26921b1a57fa8893530850a12dc857ca56019b8d"},{"name":"org.opencontainers.image.source","value":"https://github.com/rhads-tsf-qe/testrepo"},{"name":"release","value":"1776748720"},{"name":"summary","value":"Provides the latest release of Red Hat Universal Base Image 8."},{"name":"url","value":"https://catalog.redhat.com/en/search?searchType=containers"},{"name":"vcs-ref","value":"26921b1a57fa8893530850a12dc857ca56019b8d"},{"name":"vcs-type","value":"git"},{"name":"vendor","value":"Red Hat, Inc."},{"name":"version","value":"8.10"}],"media_type":"application/vnd.docker.container.image.v1+json"},"tags":["latest","26921b1a57fa8893530850a12dc857ca56019b8d"],"repositories":[{"url":"quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp","tags":["latest","26921b1a57fa8893530850a12dc857ca56019b8d"]}]}'
++ jq -r '.components[0].containerImage' /var/workdir/release/7731cc58-d65d-4fc6-a106-569ab7733f6d/snapshot_spec.json
+ BUILD_CONTAINER_IMAGE=quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
+ DIGEST=sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
+ LIST=0
+ MANIFEST_DIGESTS=
++ jq -c '.components[0].imageDigests // []' /var/workdir/release/7731cc58-d65d-4fc6-a106-569ab7733f6d/snapshot_spec.json
+ IMAGE_DIGESTS='[]'
++ jq length
+ IMAGE_DIGESTS_LENGTH=0
+ '[' 0 -gt 0 ']'
++ skopeo inspect --raw docker://quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
+ IMAGE='{"schemaVersion":2,"mediaType":"application/vnd.docker.distribution.manifest.v2+json","config":{"mediaType":"application/vnd.docker.container.image.v1+json","size":7945,"digest":"sha256:dd2342874823aa122eaee4b1695c15b0257836fcc5635db0065b935e519587b6"},"layers":[{"mediaType":"application/vnd.docker.image.rootfs.diff.tar.gzip","size":77901084,"digest":"sha256:cbd336c39488baa6878157c806a17ae848097ab2cac12dcf1d07b7eba9d3f92c"},{"mediaType":"application/vnd.docker.image.rootfs.diff.tar.gzip","size":1028,"digest":"sha256:2c422962cdb5b5145492dd6a6326b4f9a619957b60c8864b7eff395fe4d23f43"}]}'
++ echo '{"schemaVersion":2,"mediaType":"application/vnd.docker.distribution.manifest.v2+json","config":{"mediaType":"application/vnd.docker.container.image.v1+json","size":7945,"digest":"sha256:dd2342874823aa122eaee4b1695c15b0257836fcc5635db0065b935e519587b6"},"layers":[{"mediaType":"application/vnd.docker.image.rootfs.diff.tar.gzip","size":77901084,"digest":"sha256:cbd336c39488baa6878157c806a17ae848097ab2cac12dcf1d07b7eba9d3f92c"},{"mediaType":"application/vnd.docker.image.rootfs.diff.tar.gzip","size":1028,"digest":"sha256:2c422962cdb5b5145492dd6a6326b4f9a619957b60c8864b7eff395fe4d23f43"}]}'
++ jq -r .mediaType
+ MEDIA_TYPE=application/vnd.docker.distribution.manifest.v2+json
+ '[' application/vnd.docker.distribution.manifest.v2+json = application/vnd.docker.distribution.manifest.list.v2+json ']'
+ '[' application/vnd.docker.distribution.manifest.v2+json = application/vnd.oci.image.index.v1+json ']'
+ '[' 0 -eq 1 ']'
++ jq '.repositories | length'
+ NUM_REPOSITORIES=1
+ (( i = 0 ))
+ (( i < NUM_REPOSITORIES ))
++ jq -c '.repositories[0]'
+ REPOSITORY_OBJECT='{"url":"quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp","tags":["latest","26921b1a57fa8893530850a12dc857ca56019b8d"]}'
++ jq -r .url
+ INTERNAL_CONTAINER_REF=quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp
++ jq -r '.tags[]? // empty'
+ REPO_TAGS='latest
26921b1a57fa8893530850a12dc857ca56019b8d'
+ '[' -z 'latest
26921b1a57fa8893530850a12dc857ca56019b8d' ']'
+ REGISTRY_REFERENCES=("${INTERNAL_CONTAINER_REF}")
+ '[' 0 -eq 1 ']'
+ for REGISTRY_REF in "${REGISTRY_REFERENCES[@]}"
+ for TAG in $REPO_TAGS
+ to_sign+=("${REGISTRY_REF}:${TAG}@${DIGEST}#${INTERNAL_CONTAINER_REF}")
+ for TAG in $REPO_TAGS
+ to_sign+=("${REGISTRY_REF}:${TAG}@${DIGEST}#${INTERNAL_CONTAINER_REF}")
+ (( i++  ))
+ (( i < NUM_REPOSITORIES ))
+ (( COMPONENTS_INDEX++  ))
+ (( COMPONENTS_INDEX<COMPONENTS_LENGTH ))
+ spawn_count=0
+ printf '%s\n' quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:latest@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33#quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:26921b1a57fa8893530850a12dc857ca56019b8d@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33#quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp
+ python3 -c '
import sys
from itertools import zip_longest

digest_groups = {}
# Make groups based on reference + digest to avoid signing same digest in parallel
for line in sys.stdin:
  x = line.strip()
  if not x:
    continue
  rest, internal_ref = x.split('\''#'\'', 1)
  rest, digest = rest.rsplit('\''@'\'', 1)
  public_ref, tag = rest.rsplit('\'':'\'', 1)
  digest_groups.setdefault(internal_ref + '\''@'\'' + digest, []).append(
    (internal_ref, public_ref, digest, tag)
  )

for to_yield in zip_longest(*digest_groups.values()):
  for entry in filter(None, to_yield):
    print('\'' '\''.join(entry))
  print('\''---'\'')  # group separator
'
+ SUCCESS=true
+ read -r ENTRY
+ '[' 'quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33 latest' = --- ']'
++ echo 'quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33 latest'
++ cut '-d ' -f1
+ INTERNAL_REF=quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp
++ echo 'quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33 latest'
++ cut '-d ' -f2
+ PUBLIC_REF=quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp
++ echo 'quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33 latest'
++ cut '-d ' -f3
+ DIGEST=sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
++ echo 'quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33 latest'
++ cut '-d ' -f4
+ TAG=latest
+ wait_for_memory 80
+ ((  0 >= 90  ))
+ spawn_count=1
+ ((  spawn_count % BURST_SIZE == 0  ))
+ read -r ENTRY
+ '[' --- = --- ']'
+ echo '... waiting for group to be signed ...'
... waiting for group to be signed ...
+ ((  1 > 0  ))
+ check_and_sign quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:latest quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
+ wait -n
+ local identity=quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:latest
+ local reference=quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp
+ local digest=sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
++ mktemp -d
+ DOCKER_CONFIG=/tmp/tmp.bVgspDvnh2
+ export DOCKER_CONFIG
+ select-oci-auth quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp
Using token for quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp
+ COSIGN_REKOR_ARGS=()
+ declare -a COSIGN_REKOR_ARGS
++ check_existing_signatures quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:latest quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33 sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
++ local identity=quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:latest
++ local reference=quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
++ local digest=sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
++ COSIGN_REKOR_ARGS=()
++ declare -a COSIGN_REKOR_ARGS
++ COSIGN_REKOR_ARGS+=("--rekor-url=$REKOR_URL")
++ COSIGN_REKOR_ARGS+=("--certificate-identity=${CERTIFICATE_IDENTITY}" "--certificate-oidc-issuer=https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j")
+++ run_cosign verify --rekor-url=http://rekor-server.tsf-tas.svc.cluster.local --certificate-identity=https://kubernetes.io/default-managed-tenant-r485s/serviceaccounts/release-pipeline --certificate-oidc-issuer=https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
+++ attempt=0
+++ backoff1=2
+++ backoff2=3
+++ '[' 0 -gt 3 ']'
+++ cosign verify --rekor-url=http://rekor-server.tsf-tas.svc.cluster.local --certificate-identity=https://kubernetes.io/default-managed-tenant-r485s/serviceaccounts/release-pipeline --certificate-oidc-issuer=https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
Error: no matching signatures: none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-tenant/serviceaccounts/build-pipeline-tsf-demo-comp] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
error during command execution: no matching signatures: none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-tenant/serviceaccounts/build-pipeline-tsf-demo-comp] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
+++ sleep 3
+++ old_backoff1=2
+++ backoff1=3
+++ backoff2=5
+++ attempt=1
+++ '[' 1 -gt 3 ']'
+++ cosign verify --rekor-url=http://rekor-server.tsf-tas.svc.cluster.local --certificate-identity=https://kubernetes.io/default-managed-tenant-r485s/serviceaccounts/release-pipeline --certificate-oidc-issuer=https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
Error: no matching signatures: none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-tenant/serviceaccounts/build-pipeline-tsf-demo-comp] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
error during command execution: no matching signatures: none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-tenant/serviceaccounts/build-pipeline-tsf-demo-comp] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
+++ sleep 5
+++ old_backoff1=3
+++ backoff1=5
+++ backoff2=8
+++ attempt=2
+++ '[' 2 -gt 3 ']'
+++ cosign verify --rekor-url=http://rekor-server.tsf-tas.svc.cluster.local --certificate-identity=https://kubernetes.io/default-managed-tenant-r485s/serviceaccounts/release-pipeline --certificate-oidc-issuer=https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
Error: no matching signatures: none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-tenant/serviceaccounts/build-pipeline-tsf-demo-comp] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
error during command execution: no matching signatures: none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-tenant/serviceaccounts/build-pipeline-tsf-demo-comp] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
+++ sleep 8
+++ old_backoff1=5
+++ backoff1=8
+++ backoff2=13
+++ attempt=3
+++ '[' 3 -gt 3 ']'
+++ cosign verify --rekor-url=http://rekor-server.tsf-tas.svc.cluster.local --certificate-identity=https://kubernetes.io/default-managed-tenant-r485s/serviceaccounts/release-pipeline --certificate-oidc-issuer=https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
Error: no matching signatures: none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-tenant/serviceaccounts/build-pipeline-tsf-demo-comp] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
error during command execution: no matching signatures: none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-tenant/serviceaccounts/build-pipeline-tsf-demo-comp] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
+++ sleep 13
+++ old_backoff1=8
+++ backoff1=13
+++ backoff2=21
+++ attempt=4
+++ '[' 4 -gt 3 ']'
+++ '[' 4 -gt 3 ']'
+++ echopid 'Max retries exceeded.'
++++ jobpid
+++++ cut '-d ' -f4
++++ pid=216
++++ echo 216
+++ pid=216
+++ echo '216: Max retries exceeded.'
+++ exit 1
++ verify_output='216: Max retries exceeded.'
+++ echo '216: Max retries exceeded.'
+++ jq -j '[.[]|select(.critical.image."docker-manifest-digest"| contains("sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33"))|select(.critical.identity."docker-reference" == "quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:latest")]|length'
parse error: Expected string key before ':' at line 1, column 4
++ found_signatures=
++ echo ''
+ found_signatures=
+ '[' -z '' ']'
+ found_signatures=0
+ echopid 'FOUND SIGNATURES for quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:latest sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33: 0'
++ jobpid
+++ cut '-d ' -f4
++ pid=222
++ echo 222
+ pid=222
+ echo '222: FOUND SIGNATURES for quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:latest sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33: 0'
222: FOUND SIGNATURES for quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:latest sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33: 0
+ COSIGN_REKOR_ARGS+=("-y" "--rekor-url=$REKOR_URL")
+ '[' 0 -eq 0 ']'
+ COSIGN_REKOR_ARGS+=("--identity-token" "$SIGSTORE_ID_TOKEN")
+ COSIGN_REKOR_ARGS+=("--fulcio-url" "$FULCIO_URL")
+ run_cosign -t 3m0s sign -y --rekor-url=http://rekor-server.tsf-tas.svc.cluster.local --identity-token /var/run/secrets/tokens/oidc-token --fulcio-url http://fulcio-server.tsf-tas.svc.cluster.local --sign-container-identity quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:latest quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
+ attempt=0
+ backoff1=2
+ backoff2=3
+ '[' 0 -gt 3 ']'
+ cosign -t 3m0s sign -y --rekor-url=http://rekor-server.tsf-tas.svc.cluster.local --identity-token /var/run/secrets/tokens/oidc-token --fulcio-url http://fulcio-server.tsf-tas.svc.cluster.local --sign-container-identity quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:latest quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
Generating ephemeral keys...
Retrieving signed certificate...
Successfully verified SCT...

	The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
	Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
	This may include the email address associated with the account with which you authenticate your contractual Agreement.
	This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
tlog entry created with index: 34
Pushing signature to: quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp
+ break
+ '[' 0 -gt 3 ']'
+ ((  0 > 0  ))
+ spawn_count=0
+ continue
+ read -r ENTRY
+ '[' 'quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33 26921b1a57fa8893530850a12dc857ca56019b8d' = --- ']'
++ echo 'quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33 26921b1a57fa8893530850a12dc857ca56019b8d'
++ cut '-d ' -f1
+ INTERNAL_REF=quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp
++ echo 'quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33 26921b1a57fa8893530850a12dc857ca56019b8d'
++ cut '-d ' -f2
+ PUBLIC_REF=quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp
++ echo 'quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33 26921b1a57fa8893530850a12dc857ca56019b8d'
++ cut '-d ' -f3
+ DIGEST=sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
++ echo 'quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33 26921b1a57fa8893530850a12dc857ca56019b8d'
++ cut '-d ' -f4
+ TAG=26921b1a57fa8893530850a12dc857ca56019b8d
+ wait_for_memory 80
+ ((  0 >= 90  ))
+ spawn_count=1
+ ((  spawn_count % BURST_SIZE == 0  ))
+ read -r ENTRY
+ '[' --- = --- ']'
+ echo '... waiting for group to be signed ...'
... waiting for group to be signed ...
+ ((  1 > 0  ))
+ wait -n
+ check_and_sign quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:26921b1a57fa8893530850a12dc857ca56019b8d quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
+ local identity=quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:26921b1a57fa8893530850a12dc857ca56019b8d
+ local reference=quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp
+ local digest=sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
++ mktemp -d
+ DOCKER_CONFIG=/tmp/tmp.Mv6lohE8yv
+ export DOCKER_CONFIG
+ select-oci-auth quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp
Using token for quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp
+ COSIGN_REKOR_ARGS=()
+ declare -a COSIGN_REKOR_ARGS
++ check_existing_signatures quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:26921b1a57fa8893530850a12dc857ca56019b8d quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33 sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
++ local identity=quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:26921b1a57fa8893530850a12dc857ca56019b8d
++ local reference=quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
++ local digest=sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
++ COSIGN_REKOR_ARGS=()
++ declare -a COSIGN_REKOR_ARGS
++ COSIGN_REKOR_ARGS+=("--rekor-url=$REKOR_URL")
++ COSIGN_REKOR_ARGS+=("--certificate-identity=${CERTIFICATE_IDENTITY}" "--certificate-oidc-issuer=https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j")
+++ run_cosign verify --rekor-url=http://rekor-server.tsf-tas.svc.cluster.local --certificate-identity=https://kubernetes.io/default-managed-tenant-r485s/serviceaccounts/release-pipeline --certificate-oidc-issuer=https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
+++ attempt=0
+++ backoff1=2
+++ backoff2=3
+++ '[' 0 -gt 3 ']'
+++ cosign verify --rekor-url=http://rekor-server.tsf-tas.svc.cluster.local --certificate-identity=https://kubernetes.io/default-managed-tenant-r485s/serviceaccounts/release-pipeline --certificate-oidc-issuer=https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
Error: no matching signatures: none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-tenant/serviceaccounts/build-pipeline-tsf-demo-comp] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-managed-tenant-r485s/serviceaccounts/release-pipeline] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
error during command execution: no matching signatures: none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-tenant/serviceaccounts/build-pipeline-tsf-demo-comp] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-managed-tenant-r485s/serviceaccounts/release-pipeline] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
+++ sleep 3
+++ old_backoff1=2
+++ backoff1=3
+++ backoff2=5
+++ attempt=1
+++ '[' 1 -gt 3 ']'
+++ cosign verify --rekor-url=http://rekor-server.tsf-tas.svc.cluster.local --certificate-identity=https://kubernetes.io/default-managed-tenant-r485s/serviceaccounts/release-pipeline --certificate-oidc-issuer=https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
Error: no matching signatures: none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-tenant/serviceaccounts/build-pipeline-tsf-demo-comp] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-managed-tenant-r485s/serviceaccounts/release-pipeline] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
error during command execution: no matching signatures: none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-tenant/serviceaccounts/build-pipeline-tsf-demo-comp] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-managed-tenant-r485s/serviceaccounts/release-pipeline] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
+++ sleep 5
+++ old_backoff1=3
+++ backoff1=5
+++ backoff2=8
+++ attempt=2
+++ '[' 2 -gt 3 ']'
+++ cosign verify --rekor-url=http://rekor-server.tsf-tas.svc.cluster.local --certificate-identity=https://kubernetes.io/default-managed-tenant-r485s/serviceaccounts/release-pipeline --certificate-oidc-issuer=https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
Error: no matching signatures: none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-tenant/serviceaccounts/build-pipeline-tsf-demo-comp] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-managed-tenant-r485s/serviceaccounts/release-pipeline] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
error during command execution: no matching signatures: none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-tenant/serviceaccounts/build-pipeline-tsf-demo-comp] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-managed-tenant-r485s/serviceaccounts/release-pipeline] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
+++ sleep 8
+++ old_backoff1=5
+++ backoff1=8
+++ backoff2=13
+++ attempt=3
+++ '[' 3 -gt 3 ']'
+++ cosign verify --rekor-url=http://rekor-server.tsf-tas.svc.cluster.local --certificate-identity=https://kubernetes.io/default-managed-tenant-r485s/serviceaccounts/release-pipeline --certificate-oidc-issuer=https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
Error: no matching signatures: none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-tenant/serviceaccounts/build-pipeline-tsf-demo-comp] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-managed-tenant-r485s/serviceaccounts/release-pipeline] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
error during command execution: no matching signatures: none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-tenant/serviceaccounts/build-pipeline-tsf-demo-comp] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/default-managed-tenant-r485s/serviceaccounts/release-pipeline] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
 none of the expected identities matched what was in the certificate, got subjects [https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller] with issuer https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j
+++ sleep 13
+++ old_backoff1=8
+++ backoff1=13
+++ backoff2=21
+++ attempt=4
+++ '[' 4 -gt 3 ']'
+++ '[' 4 -gt 3 ']'
+++ echopid 'Max retries exceeded.'
++++ jobpid
+++++ cut '-d ' -f4
++++ pid=369
++++ echo 369
+++ pid=369
+++ echo '369: Max retries exceeded.'
+++ exit 1
++ verify_output='369: Max retries exceeded.'
+++ echo '369: Max retries exceeded.'
+++ jq -j '[.[]|select(.critical.image."docker-manifest-digest"| contains("sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33"))|select(.critical.identity."docker-reference" == "quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:26921b1a57fa8893530850a12dc857ca56019b8d")]|length'
parse error: Expected string key before ':' at line 1, column 4
++ found_signatures=
++ echo ''
+ found_signatures=
+ '[' -z '' ']'
+ found_signatures=0
+ echopid 'FOUND SIGNATURES for quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:26921b1a57fa8893530850a12dc857ca56019b8d sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33: 0'
++ jobpid
+++ cut '-d ' -f4
++ pid=375
++ echo 375
+ pid=375
+ echo '375: FOUND SIGNATURES for quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:26921b1a57fa8893530850a12dc857ca56019b8d sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33: 0'
375: FOUND SIGNATURES for quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:26921b1a57fa8893530850a12dc857ca56019b8d sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33: 0
+ COSIGN_REKOR_ARGS+=("-y" "--rekor-url=$REKOR_URL")
+ '[' 0 -eq 0 ']'
+ COSIGN_REKOR_ARGS+=("--identity-token" "$SIGSTORE_ID_TOKEN")
+ COSIGN_REKOR_ARGS+=("--fulcio-url" "$FULCIO_URL")
+ run_cosign -t 3m0s sign -y --rekor-url=http://rekor-server.tsf-tas.svc.cluster.local --identity-token /var/run/secrets/tokens/oidc-token --fulcio-url http://fulcio-server.tsf-tas.svc.cluster.local --sign-container-identity quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:26921b1a57fa8893530850a12dc857ca56019b8d quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
+ attempt=0
+ backoff1=2
+ backoff2=3
+ '[' 0 -gt 3 ']'
+ cosign -t 3m0s sign -y --rekor-url=http://rekor-server.tsf-tas.svc.cluster.local --identity-token /var/run/secrets/tokens/oidc-token --fulcio-url http://fulcio-server.tsf-tas.svc.cluster.local --sign-container-identity quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp:26921b1a57fa8893530850a12dc857ca56019b8d quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp@sha256:2f2e3a334913c53558dcb800d0ae0f1e3fff3098e57ec3c72baf4d8271d0ba33
Generating ephemeral keys...
Retrieving signed certificate...
Successfully verified SCT...

	The sigstore service, hosted by sigstore a Series of LF Projects, LLC, is provided pursuant to the Hosted Project Tools Terms of Use, available at https://lfprojects.org/policies/hosted-project-tools-terms-of-use/.
	Note that if your submission includes personal data associated with this signed artifact, it will be part of an immutable record.
	This may include the email address associated with the account with which you authenticate your contractual Agreement.
	This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later, and is subject to the Immutable Record notice at https://lfprojects.org/policies/hosted-project-tools-immutable-records/.

By typing 'y', you attest that (1) you are not submitting the personal data of any other person; and (2) you understand and agree to the statement and the Agreement terms at the URLs listed above.
tlog entry created with index: 35
Pushing signature to: quay.io/rhtap_qe/default-managed-tenant-r485s/default-managed-tenant-r485s-3e5831/tsf-demo-comp
+ break
+ '[' 0 -gt 3 ']'
+ ((  0 > 0  ))
+ spawn_count=0
+ continue
+ read -r ENTRY
+ '[' true '!=' true ']'
+ echo done
done