
install.sh: silent failure when cosign reports non-semver version #578

@dimitris-m

Description

Problem

install.sh silently exits with code 1 and no error message when cosign is installed but reports a non-standard version string. This happens on systems where cosign was installed via a distro package manager (e.g. apt on Debian) rather than from the official GitHub releases.

Root cause

Lines 269-272 of install.sh parse the cosign version:

COSIGN_MAJOR_VERSION=$(cosign version | grep GitVersion | sed 's/GitVersion:[[:space:]]*v\{0,1\}//' | grep -oE '^[0-9]+')
if [[ "$COSIGN_MAJOR_VERSION" -lt 2 ]]; then
    echo "Warning: cosign version is less than 2.0.0, signature validation may fail."
fi

When cosign is built from source by a distro packager without setting -ldflags, it reports:

GitVersion:    devel

instead of e.g. GitVersion: v2.5.0. The pipeline then yields an empty COSIGN_MAJOR_VERSION, and the integer comparison [[ "" -lt 2 ]] fails. Because set -euo pipefail is active, the script exits immediately -- before any output is printed to the user.

How to reproduce

  1. Install cosign via apt on Debian trixie (arm64):

    sudo apt install cosign

    This installs cosign 2.5.0, but the binary reports GitVersion: devel.

  2. Run the install script:

    curl -fsSL https://raw.githubusercontent.com/opengrep/opengrep/main/install.sh | bash

    The script exits silently with code 1.

Suggested fix

Guard the version comparison so that an unparseable version does not crash the script. For example:

COSIGN_MAJOR_VERSION=$(cosign version | grep GitVersion | sed 's/GitVersion:[[:space:]]*v\{0,1\}//' | grep -oE '^[0-9]+' || true)
if [[ -z "$COSIGN_MAJOR_VERSION" ]]; then
    echo "Warning: could not determine cosign version. Signature validation may not work correctly."
elif [[ "$COSIGN_MAJOR_VERSION" -lt 2 ]]; then
    echo "Warning: cosign version is less than 2.0.0, signature validation may fail."
fi

Environment

  • Debian trixie (13), aarch64 (Raspberry Pi)
  • cosign 2.5.0 installed via apt (dpkg -l cosign shows 2.5.0-2+b4)
  • cosign version output: GitVersion: devel
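A stand-alone reproduction of the parsing failure and the guarded check discussed above, as an added example (not code from opengrep's install.sh or from the issue author). The `cosign version` outputs are constructed samples, so the script runs without cosign installed; the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the opengrep install.sh: parse the cosign
# major version from captured `cosign version` output so that a non-semver
# value such as "GitVersion:    devel" cannot abort a script running under
# `set -euo pipefail`.
set -euo pipefail

# Constructed samples of `cosign version` output (not captured from a real host).
RELEASE_OUTPUT=$(printf 'GitVersion:    v2.5.0\nGitCommit:     constructed0000\nGoVersion:     go1.22.3\n')
DEVEL_OUTPUT=$(printf 'GitVersion:    devel\nGitCommit:     unknown\nGoVersion:     go1.22.3\n')
LEGACY_OUTPUT=$(printf 'GitVersion:    v1.13.1\nGitCommit:     constructed0000\n')

# Exit status of the original, unguarded pipeline for the given output. The
# trailing grep returns 1 when no leading digits exist; under `set -e` a failing
# command substitution in an assignment ends the script before any message is printed.
unguarded_pipeline_status() {
    local status=0
    printf '%s\n' "$1" | grep GitVersion \
        | sed 's/GitVersion:[[:space:]]*v\{0,1\}//' \
        | grep -oE '^[0-9]+' >/dev/null || status=$?
    echo "$status"
}

# Guarded variant: prints the major version, or nothing when the version
# line is absent or not numeric, and always exits 0.
cosign_major_version() {
    printf '%s\n' "$1" | grep GitVersion \
        | sed 's/GitVersion:[[:space:]]*v\{0,1\}//' \
        | grep -oE '^[0-9]+' || true
}

# The check as install.sh could perform it: an empty result produces its own
# warning instead of an integer comparison against an empty string.
cosign_version_warning() {
    local major
    major=$(cosign_major_version "$1")
    if [ -z "$major" ]; then
        echo "Warning: could not determine cosign version. Signature validation may not work correctly."
    elif [ "$major" -lt 2 ]; then
        echo "Warning: cosign version is less than 2.0.0, signature validation may fail."
    else
        echo "cosign major version $major is supported."
    fi
}

for sample in "$RELEASE_OUTPUT" "$DEVEL_OUTPUT" "$LEGACY_OUTPUT"; do
    echo "unguarded pipeline exit status: $(unguarded_pipeline_status "$sample")"
    cosign_version_warning "$sample"
done
```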
