diff --git a/.github/workflows/generator_generic_slsa3.yml b/.github/workflows/generator_generic_slsa3.yml index d88394dd4f..441331f3ad 100644 --- a/.github/workflows/generator_generic_slsa3.yml +++ b/.github/workflows/generator_generic_slsa3.yml @@ -160,7 +160,7 @@ jobs: with: repository: "${{ needs.detect-env.outputs.repository }}" ref: "${{ needs.detect-env.outputs.ref }}" - go-version: "1.21" + go-version: "1.23.1" binary: "${{ env.BUILDER_BINARY }}" compile-builder: "${{ inputs.compile-generator }}" directory: "${{ env.BUILDER_DIR }}" diff --git a/CHANGELOG.md b/CHANGELOG.md index 6b9a7e3fef..9c321f14d9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - [Unreleased](#unreleased) + - [Unreleased: Sigstore Bundles for Generic Generator and Go Builder](#unreleased-sigstore-bundles-for-generic-generator-and-go-builder) - [Unreleased: Vars context recorded in provenance](#unreleased-vars-context-recorded-in-provenance) - [v2.0.0](#v200) - [v2.0.0: Breaking Change: upload-artifact and download-artifact](#v200-breaking-change-upload-artifact-and-download-artifact) @@ -106,6 +107,15 @@ duplication." ## Unreleased +### Unreleased: Sigstore Bundles for Generic Generator and Go Builder + +The workflows `generator_generic_slsa3.yml` and `builder_go_slsa3.yml` +have been updated to produce signed Sigstore Bundles, just like all the other builders +that use the BYOB framework. + +The workflow logs will now print a LogIndex, rather than a LogUUID. Both are equally searchanble on +https://search.sigstore.dev/. + ### Unreleased: Vars context recorded in provenance - **Updated**: GitHub `vars` context is now recorded in provenance for the generic and diff --git a/github/oidc.go b/github/oidc.go index be74e39543..330817dd75 100644 --- a/github/oidc.go +++ b/github/oidc.go 
@@ -39,6 +39,9 @@ const ( // OIDCToken represents the contents of a GitHub OIDC JWT token. type OIDCToken struct { + // Expiry is the expiration date of the token. + Expiry time.Time + // Issuer is the token issuer. Issuer string @@ -54,8 +57,8 @@ type OIDCToken struct { // ActorID is the unique ID of the actor who triggered the build. ActorID string `json:"actor_id"` - // Expiry is the expiration date of the token. - Expiry time.Time + // RawToken is the unparsed oidc token. + RawToken string // Audience is the audience for which the token was granted. Audience []string @@ -247,6 +250,8 @@ func (c *OIDCClient) Token(ctx context.Context, audience []string) (*OIDCToken, return nil, err } + token.RawToken = tokenPayload + return token, nil } diff --git a/go.mod b/go.mod index 41f8393202..6ac43db276 100644 --- a/go.mod +++ b/go.mod @@ -14,6 +14,7 @@ require ( github.com/sigstore/cosign/v2 v2.4.1 github.com/sigstore/rekor v1.3.6 github.com/sigstore/sigstore v1.8.10 + github.com/sigstore/sigstore-go v0.6.1 github.com/spf13/cobra v1.8.1 golang.org/x/oauth2 v0.23.0 gopkg.in/square/go-jose.v2 v2.6.0 @@ -120,6 +121,7 @@ require ( github.com/hashicorp/go-retryablehttp v0.7.7 // indirect github.com/hashicorp/hcl v1.0.1-vault-5 // indirect github.com/imdario/mergo v0.3.16 // indirect + github.com/in-toto/attestation v1.1.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect @@ -165,6 +167,7 @@ require ( github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect github.com/thales-e-security/pool v0.0.2 // indirect github.com/theupdateframework/go-tuf v0.7.0 // indirect + github.com/theupdateframework/go-tuf/v2 v2.0.1 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/tjfoc/gmsm v1.4.1 // indirect github.com/transparency-dev/merkle v0.0.2 // indirect 
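Review bot: The new `RawToken string` field stores the bearer OIDC token inside `OIDCToken` with no `json:"-"` tag, so any `json.Marshal`, `%+v` log line or error message that dumps the struct would now emit a live credential; the neighbouring `ActorID` field shows the struct is JSON-tagged. Suggest `RawToken string \`json:"-"\`` together with a doc comment that flags the sensitivity, e.g. `// RawToken is the unparsed oidc token; it is a bearer credential and must never be logged.`. Token's body starts outside the third hunk, so whether `tokenPayload` is the raw JWT string rather than the decoded claims cannot be confirmed from here.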
diff --git a/go.sum b/go.sum index c5e9f850e2..6001fd7d51 100644 --- a/go.sum +++ b/go.sum @@ -280,6 +280,8 @@ github.com/go-piv/piv-go v1.11.0 h1:5vAaCdRTFSIW4PeqMbnsDlUZ7odMYWnHBDGdmtU/Zhg= github.com/go-piv/piv-go v1.11.0/go.mod h1:NZ2zmjVkfFaL/CF8cVQ/pXdXtuj110zEKGdJM6fJZZM= github.com/go-rod/rod v0.116.2 h1:A5t2Ky2A+5eD/ZJQr1EfsQSe5rms5Xof/qj296e+ZqA= github.com/go-rod/rod v0.116.2/go.mod h1:H+CMO9SCNc2TJ2WfrG+pKhITz57uGNYU43qYHh438Mg= +github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y= +github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= @@ -386,6 +388,9 @@ github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= github.com/hashicorp/go-sockaddr v1.0.5 h1:dvk7TIXCZpmfOlM+9mlcrWmWjw/wlKT+VDq2wMvfPJU= github.com/hashicorp/go-sockaddr v1.0.5/go.mod h1:uoUUmtwU7n9Dv3O4SNLeFvg0SxQ3lyjsj6+CCykpaxI= +github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c= +github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k= +github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM= github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM= github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM= github.com/hashicorp/vault/api v1.14.0 h1:Ah3CFLixD5jmjusOgm8grfN9M0d+Y8fVR2SW0K6pJLU= 
@@ -537,6 +542,8 @@ github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbm github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU= github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= +github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= +github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI= github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE= github.com/sigstore/cosign/v2 v2.4.1 h1:b8UXEfJFks3hmTwyxrRNrn6racpmccUycBHxDMkEPvU= diff --git a/internal/builders/generic/attest.go b/internal/builders/generic/attest.go index d38ba2b4ff..4bb9bba1f4 100644 --- a/internal/builders/generic/attest.go +++ b/internal/builders/generic/attest.go @@ -23,9 +23,9 @@ import ( "os" "path" - intoto "github.com/in-toto/in-toto-golang/in_toto" "github.com/spf13/cobra" + intoto "github.com/in-toto/in-toto-golang/in_toto" "github.com/slsa-framework/slsa-github-generator/github" "github.com/slsa-framework/slsa-github-generator/internal/builders/common" "github.com/slsa-framework/slsa-github-generator/internal/utils" @@ -35,7 +35,7 @@ import ( // attestCmd returns the 'attest' command. func attestCmd(provider slsa.ClientProvider, check func(error), - signer signing.Signer, tlog signing.TransparencyLog, + signer signing.Signer, ) *cobra.Command { var attPath string var subjectsFilename string 
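Review bot: In the attest.go import hunk the `intoto` import is moved out of the third-party group next to `cobra` into the project-local `slsa-framework` group, which is unrelated to the signer change and, if the repo runs `goimports -local` or gci, will be moved back by the formatter. Keeping `intoto "github.com/in-toto/in-toto-golang/in_toto"` in its original position above `"github.com/spf13/cobra"` makes the file's diff a pure signature change. The second hunk drops the `tlog` parameter from attestCmd; its body runs past the hunk.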
@@ -44,7 +44,7 @@ func attestCmd(provider slsa.ClientProvider, check func(error), Use: "attest", Short: "Create a signed SLSA provenance attestation from a Github Action", Long: `Generate and sign SLSA provenance from a Github Action to form an attestation -and upload to a Rekor transparency log. This command assumes that it is being +and create a Sigstore Bundle. This command assumes that it is being run in the context of a Github Actions workflow.`, Run: func(_ *cobra.Command, _ []string) { @@ -114,9 +114,6 @@ run in the context of a Github Actions workflow.`, }) check(err) - _, err = tlog.Upload(ctx, att) - check(err) - attBytes = att.Bytes() } diff --git a/internal/builders/generic/attest_test.go b/internal/builders/generic/attest_test.go index dc7564eec1..6399ec0eff 100644 --- a/internal/builders/generic/attest_test.go +++ b/internal/builders/generic/attest_test.go @@ -249,7 +249,7 @@ func Test_attestCmd_default_single_artifact(t *testing.T) { t.Errorf("unexpected failure: %v", err) } defer os.Remove(fn) - c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{}) + c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}) c.SetOut(new(bytes.Buffer)) c.SetArgs([]string{ "--subjects-filename", fn, @@ -294,7 +294,7 @@ b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c artifact2`))) t.Errorf("unexpected failure: %v", err) } defer os.Remove(fn) - c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{}) + c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}) c.SetOut(new(bytes.Buffer)) c.SetArgs([]string{ "--subjects-filename", fn, 
@@ -337,7 +337,7 @@ func Test_attestCmd_custom_provenance_name(t *testing.T) { t.Errorf("unexpected failure: %v", err) } defer os.Remove(fn) - c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{}) + c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}) c.SetOut(new(bytes.Buffer)) c.SetArgs([]string{ "--subjects-filename", fn, @@ -393,7 +393,7 @@ func Test_attestCmd_invalid_extension(t *testing.T) { t.Errorf("unexpected failure: %v", err) } defer os.Remove(fn) - c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{}, &testutil.TestTransparencyLog{}) + c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{}) c.SetOut(new(bytes.Buffer)) c.SetArgs([]string{ "--subjects-filename", fn, @@ -447,7 +447,7 @@ func Test_attestCmd_invalid_path(t *testing.T) { t.Errorf("unexpected failure: %v", err) } defer os.Remove(fn) - c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{}, &testutil.TestTransparencyLog{}) + c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{}) c.SetOut(new(bytes.Buffer)) c.SetArgs([]string{ "--subjects-filename", fn, @@ -491,7 +491,7 @@ func Test_attestCmd_subdirectory_artifact(t *testing.T) { t.Errorf("unexpected failure: %v", err) } defer os.Remove(fn) - c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{}) + c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}) c.SetOut(new(bytes.Buffer)) c.SetArgs([]string{ "--subjects-filename", fn, diff --git a/internal/builders/generic/main.go b/internal/builders/generic/main.go index 06e4b1e7cc..329152f75c 100644 --- a/internal/builders/generic/main.go +++ b/internal/builders/generic/main.go 
@@ -36,7 +36,7 @@ For more information on SLSA, visit https://slsa.dev`, }, } c.AddCommand(versionCmd()) - c.AddCommand(attestCmd(nil, checkExit, sigstore.NewDefaultFulcio(), sigstore.NewDefaultRekor())) + c.AddCommand(attestCmd(nil, checkExit, sigstore.NewDefaultBundleSigner())) return c } diff --git a/internal/builders/go/main.go b/internal/builders/go/main.go index 0c5d3a4008..92e539270c 100644 --- a/internal/builders/go/main.go +++ b/internal/builders/go/main.go @@ -75,11 +75,11 @@ func runBuild(dry bool, configFile, evalEnvs string) error { return nil } -func runProvenanceGeneration(subject, digest, commands, envs, workingDir, rekor string) error { - r := sigstore.NewRekor(rekor) - s := sigstore.NewDefaultFulcio() +func runProvenanceGeneration(subject, digest, commands, envs, workingDir string) error { + s := sigstore.NewDefaultBundleSigner() + attBytes, err := pkg.GenerateProvenance(subject, digest, - commands, envs, workingDir, s, r, nil) + commands, envs, workingDir, s, nil) if err != nil { return err } @@ -118,7 +118,6 @@ func main() { provenanceCommand := provenanceCmd.String("command", "", "command used to compile the binary") provenanceEnv := provenanceCmd.String("env", "", "env variables used to compile the binary") provenanceWorkingDir := provenanceCmd.String("workingDir", "", "working directory used to issue compilation commands") - provenanceRekor := provenanceCmd.String("rekor", sigstore.DefaultRekorAddr, "rekor server to use for provenance") // Expect a sub-command. if len(os.Args) < 2 { @@ -145,7 +144,7 @@ func main() { } err := runProvenanceGeneration(*provenanceName, *provenanceDigest, - *provenanceCommand, *provenanceEnv, *provenanceWorkingDir, *provenanceRekor) + *provenanceCommand, *provenanceEnv, *provenanceWorkingDir) check(err) default: diff --git a/internal/builders/go/pkg/provenance.go b/internal/builders/go/pkg/provenance.go index 6791650592..787f7fbc93 100644 --- a/internal/builders/go/pkg/provenance.go 
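Review bot: Removing the `rekor` flag from provenanceCmd in the second go/main.go hunk is a breaking CLI change: an unknown `-rekor` argument makes flag parsing fail with a usage error, so any workflow or wrapper still passing it stops working rather than getting a deprecation. Consider keeping it for one release as an accepted but ignored option, e.g. `_ = provenanceCmd.String("rekor", "", "deprecated: ignored, the bundle signer uses the default Rekor instance")`, and say in the flag help that the log address is now fixed to `DefaultRekorAddr`. main() continues outside the hunk, and whether the builder workflow actually passes `-rekor` cannot be seen from here.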
+++ b/internal/builders/go/pkg/provenance.go @@ -65,7 +65,7 @@ func (b *goProvenanceBuild) BuildConfig(context.Context) (interface{}, error) { // attestation. // Spec: https://slsa.dev/provenance/v0.2 func GenerateProvenance(name, digest, command, envs, workingDir string, - s signing.Signer, r signing.TransparencyLog, provider slsa.ClientProvider, + s signing.Signer, provider slsa.ClientProvider, ) ([]byte, error) { gh, err := github.GetWorkflowContext() if err != nil { @@ -180,14 +180,5 @@ func GenerateProvenance(name, digest, command, envs, workingDir string, if err != nil { return nil, err } - - // Upload the signed attestation to rekor. - logEntry, err := r.Upload(ctx, att) - if err != nil { - return nil, err - } - - fmt.Printf("Uploaded signed attestation to rekor with UUID %s.\n", logEntry.UUID()) - return att.Bytes(), nil } diff --git a/internal/builders/go/pkg/provenance_test.go b/internal/builders/go/pkg/provenance_test.go index a6770ca07c..47d059e5b3 100644 --- a/internal/builders/go/pkg/provenance_test.go +++ b/internal/builders/go/pkg/provenance_test.go @@ -21,7 +21,7 @@ import ( "github.com/slsa-framework/slsa-github-generator/slsa" ) -func TestGenerateProvenance_withErr(t *testing.T) { +func TestGenerateProvenance(t *testing.T) { // Disable pre-submit detection. // TODO(github.com/slsa-framework/slsa-github-generator/issues/124): Remove t.Setenv("GITHUB_EVENT_NAME", "non_event") @@ -30,10 +30,13 @@ func TestGenerateProvenance_withErr(t *testing.T) { sha256 := "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2" _, err := GenerateProvenance( "foo", sha256, "", "", "/home/foo", - &testutil.TestSigner{}, &testutil.TransparencyLogWithErr{}, + &testutil.TestSigner{}, &slsa.NilClientProvider{}, ) - if want, got := testutil.ErrTransparencyLog, err; want != got { - t.Errorf("expected error, want: %v, got: %v", want, got) + + var want error + got := err + if want != got { + t.Errorf("unexpected error, want: %v, got: %v", want, got) } } 
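Review bot: The doc comment on GenerateProvenance (partly visible above the first provenance.go hunk, ending `// attestation.` / `// Spec: ...`) is not updated even though the returned bytes change shape: they are now whatever `s.Sign` produces, a JSON Sigstore Bundle carrying the DSSE envelope and the log entry, rather than a bare envelope that this function then uploads to Rekor. Consumers of the written provenance file need that stated; suggest adding `// The returned bytes are the attestation as produced by s.Sign; with the default signer this is a JSON-encoded Sigstore Bundle.`. With the `fmt.Printf` removed, check that `fmt` is still used elsewhere in the file, which cannot be seen from here. GenerateProvenance's body runs outside both hunks.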
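Review bot: In the second provenance_test.go hunk, `var want error` / `got := err` / `if want != got` is a roundabout spelling of `if err != nil`, and after the rename the test asserts only that no error is returned while discarding the bytes with `_`. Prefer `if err != nil { t.Errorf("unexpected error: %v", err) }` and either name the test for what it checks, e.g. `TestGenerateProvenance_noErr`, or keep the first return value and assert it is non-empty. TestGenerateProvenance starts outside the hunk.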
diff --git a/signing/sigstore/bundle.go b/signing/sigstore/bundle.go new file mode 100644 index 0000000000..d1f0e9b88c --- /dev/null +++ b/signing/sigstore/bundle.go 
@@ -0,0 +1,146 @@
+// Copyright 2022 SLSA Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package sigstore
+
+import (
+ "context"
+ "encoding/json"
+ "fmt"
+
+ intoto "github.com/in-toto/in-toto-golang/in_toto"
+ sigstoreBundle "github.com/sigstore/sigstore-go/pkg/bundle"
+ sigstoreRoot "github.com/sigstore/sigstore-go/pkg/root"
+ sigstoreSign "github.com/sigstore/sigstore-go/pkg/sign"
+ "github.com/slsa-framework/slsa-github-generator/github"
+ "github.com/slsa-framework/slsa-github-generator/signing"
+)
+
+// BundleSigner is used to produce Sigstore Bundles from provenance statements.
+type BundleSigner struct{}
+
+type sigstoreBundleAtt struct {
+ cert []byte
+ att []byte
+}
+
+// Cert returns the certificate used to sign the Bundle.
+func (s *sigstoreBundleAtt) Cert() []byte {
+ return s.cert
+}
+
+// attestation is a signed Sigstore Bundle.
+func (s *sigstoreBundleAtt) Bytes() []byte {
+ return s.att
+}
+
+// NewDefaultBundleSigner creates a new BundleSigner instance.
+func NewDefaultBundleSigner() *BundleSigner {
+ return &BundleSigner{}
+}
+
+// Sign signs the given provenance statement and returns the signed Sigstore Bundle.
+func (s *BundleSigner) Sign(ctx context.Context, statement *intoto.Statement) (signing.Attestation, error) {
+ // content to sign
+ statementBytes, err := json.Marshal(*statement)
+ if err != nil {
+ return nil, err
+ }
+ content := &sigstoreSign.DSSEData{
+ Data: statementBytes,
+ PayloadType: intoto.PayloadType,
+ }
+
+ // keypair for the certificate
+ keypair, err := sigstoreSign.NewEphemeralKeypair(nil)
+ if err != nil {
+ return nil, err
+ }
+
+ // get the oidc token.
+ oidcClient, err := github.NewOIDCClient()
+ if err != nil {
+ return nil, err
+ }
+ tokenStruct, err := oidcClient.Token(ctx, []string{"sigstore"})
+ if err != nil {
+ return nil, err
+ }
+ rawToken := tokenStruct.RawToken
+
+ // signing opts.
+ bundleOpts, err := getBundleOpts(ctx, &rawToken)
+ if err != nil {
+ return nil, err
+ }
+
+ // sign.
+ innerBundle, err := sigstoreSign.Bundle(content, keypair, *bundleOpts)
+ if err != nil {
+ return nil, err
+ }
+
+ // print the logIndex.
+ // Bundle will have already verified that the TLog entries are signed.
+ logIndex := innerBundle.GetVerificationMaterial().GetTlogEntries()[0].GetLogIndex()
+ fmt.Printf("Signed attestation is in rekor with Log Index %d.\n", logIndex)
+ fmt.Printf("You could use rekor-cli to view the log entry details:\n\n"+
+ " $ rekor-cli get --log-index %[1]d\n\n"+
+ "In addition to that, you could also use the Rekor Search UI:\n\n"+
+ " https://search.sigstore.dev/?logIndex=%[1]d", logIndex)
+
+ // marshall to json.
+ bundleWrapper := &sigstoreBundle.Bundle{
+ Bundle: innerBundle,
+ }
+ bundleBytes, err := bundleWrapper.MarshalJSON()
+ if err != nil {
+ return nil, err
+ }
+ bundleAtt := &sigstoreBundleAtt{
+ cert: innerBundle.GetVerificationMaterial().GetCertificate().GetRawBytes(),
+ att: bundleBytes,
+ }
+ return bundleAtt, nil
+}
+
+// getBundleOpts provides the opts for sigstoreSign.Bundle().
+func getBundleOpts(
+ ctx context.Context,
+ identityToken *string,
+) (*sigstoreSign.BundleOptions, error) {
+ bundleOpts := &sigstoreSign.BundleOptions{
+ Context: ctx,
+ }
+
+ trustedRoot, err := sigstoreRoot.FetchTrustedRoot()
+ if err != nil {
+ return nil, err
+ }
+ bundleOpts.TrustedRoot = trustedRoot
+
+ fulcioOpts := &sigstoreSign.FulcioOptions{
+ BaseURL: defaultFulcioAddr,
+ }
+ bundleOpts.CertificateProvider = sigstoreSign.NewFulcio(fulcioOpts)
+ bundleOpts.CertificateProviderOptions = &sigstoreSign.CertificateProviderOptions{
+ IDToken: *identityToken,
+ }
+
+ rekorOpts := &sigstoreSign.RekorOptions{
+ BaseURL: DefaultRekorAddr,
+ }
+ bundleOpts.TransparencyLogs = append(bundleOpts.TransparencyLogs, sigstoreSign.NewRekor(rekorOpts))
+ return bundleOpts, nil
+}
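Review bot: In Sign, `GetTlogEntries()[0]` indexes the verification material without checking its length, so a bundle that came back with no transparency-log entry would panic instead of failing closed; the comment above it only says the entries are verified, not that one exists. Return an error in that case so an attestation without an inclusion proof is never handed back to the caller, and add the missing trailing `\n` to the last `fmt.Printf` string (`"... https://search.sigstore.dev/?logIndex=%[1]d\n"`). Smaller points: the doc comment on `Bytes()` reads `// attestation is a signed Sigstore Bundle.` and should start with the method name, e.g. `// Bytes returns the JSON-encoded signed Sigstore Bundle.`; `getBundleOpts` takes `identityToken *string` and dereferences it unconditionally, so a plain `string` parameter is simpler and cannot be nil. The raw OIDC token is used only as `CertificateProviderOptions.IDToken` and is not printed, which is as it should be.
```go
	// print the logIndex.
	// Bundle will have already verified that the TLog entries are signed,
	// but fail closed if none were recorded at all.
	entries := innerBundle.GetVerificationMaterial().GetTlogEntries()
	if len(entries) == 0 {
		return nil, fmt.Errorf("signed bundle contains no transparency log entries")
	}
	logIndex := entries[0].GetLogIndex()
	// … unchanged: log-index hints printed to stdout, bundle marshalling, return …
```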