From eb95da14d22b4746f2da080572d8143a8584b66d Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Tue, 11 Feb 2025 12:18:07 -0500 Subject: [PATCH 1/3] add bundle support Signed-off-by: Ramon Petgrave --- .github/workflows/generator_generic_slsa3.yml | 2 +- CHANGELOG.md | 10 ++ github/oidc.go | 9 +- go.mod | 3 + go.sum | 7 + internal/builders/generic/attest.go | 9 +- internal/builders/generic/attest_test.go | 12 +- internal/builders/generic/main.go | 2 +- internal/builders/go/main.go | 11 +- internal/builders/go/pkg/provenance.go | 11 +- internal/builders/go/pkg/provenance_test.go | 11 +- signing/sigstore/bundle.go | 146 ++++++++++++++++++ 12 files changed, 197 insertions(+), 36 deletions(-) create mode 100644 signing/sigstore/bundle.go diff --git a/.github/workflows/generator_generic_slsa3.yml b/.github/workflows/generator_generic_slsa3.yml index d88394dd4f..441331f3ad 100644 --- a/.github/workflows/generator_generic_slsa3.yml +++ b/.github/workflows/generator_generic_slsa3.yml @@ -160,7 +160,7 @@ jobs: with: repository: "${{ needs.detect-env.outputs.repository }}" ref: "${{ needs.detect-env.outputs.ref }}" - go-version: "1.21" + go-version: "1.23.1" binary: "${{ env.BUILDER_BINARY }}" compile-builder: "${{ inputs.compile-generator }}" directory: "${{ env.BUILDER_DIR }}" diff --git a/CHANGELOG.md b/CHANGELOG.md index 6b9a7e3fef..9c321f14d9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - [Unreleased](#unreleased) + - [Unreleased: Sigstore Bundles for Generic Generator and Go Builder](#unreleased-sigstore-bundles-for-generic-generator-and-go-builder) - [Unreleased: Vars context recorded in provenance](#unreleased-vars-context-recorded-in-provenance) - [v2.0.0](#v200) - [v2.0.0: Breaking Change: upload-artifact and download-artifact](#v200-breaking-change-upload-artifact-and-download-artifact) 
@@ -106,6 +107,15 @@ duplication." ## Unreleased +### Unreleased: Sigstore Bundles for Generic Generator and Go Builder + +The workflows `generator_generic_slsa3.yml` and `builder_go_slsa3.yml` +have been updated to produce signed Sigstore Bundles, just like all the other builders +that use the BYOB framework. + +The workflow logs will now print a LogIndex, rather than a LogUUID. Both are equally searchanble on +https://search.sigstore.dev/. + ### Unreleased: Vars context recorded in provenance - **Updated**: GitHub `vars` context is now recorded in provenance for the generic and diff --git a/github/oidc.go b/github/oidc.go index be74e39543..330817dd75 100644 --- a/github/oidc.go +++ b/github/oidc.go @@ -39,6 +39,9 @@ const ( // OIDCToken represents the contents of a GitHub OIDC JWT token. type OIDCToken struct { + // Expiry is the expiration date of the token. + Expiry time.Time + // Issuer is the token issuer. Issuer string @@ -54,8 +57,8 @@ type OIDCToken struct { // ActorID is the unique ID of the actor who triggered the build. ActorID string `json:"actor_id"` - // Expiry is the expiration date of the token. - Expiry time.Time + // RawToken is the unparsed oidc token. + RawToken string // Audience is the audience for which the token was granted. Audience []string @@ -247,6 +250,8 @@ func (c *OIDCClient) Token(ctx context.Context, audience []string) (*OIDCToken, return nil, err } + token.RawToken = tokenPayload + return token, nil } diff --git a/go.mod b/go.mod index 41f8393202..6ac43db276 100644 --- a/go.mod +++ b/go.mod @@ -14,6 +14,7 @@ require ( github.com/sigstore/cosign/v2 v2.4.1 github.com/sigstore/rekor v1.3.6 github.com/sigstore/sigstore v1.8.10 + github.com/sigstore/sigstore-go v0.6.1 github.com/spf13/cobra v1.8.1 golang.org/x/oauth2 v0.23.0 gopkg.in/square/go-jose.v2 v2.6.0 
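Review bot: `RawToken` on `OIDCToken` now holds the unparsed token (per its own doc comment) — a bearer credential — but unlike the neighbouring fields it is exported with no `json` tag, so if the struct is ever marshaled or logged with `%+v` the token would be emitted alongside the claims; its only consumer in this series is `getBundleOpts`, which passes it as `IDToken`. Tag it so it is never serialized and say so in the comment: `// RawToken is the unparsed OIDC token (a bearer credential); it is never serialized.` followed by `RawToken string \`json:"-"\``. The rest of the struct and the body of `Token` lie outside the hunks.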
@@ -120,6 +121,7 @@ require ( github.com/hashicorp/go-retryablehttp v0.7.7 // indirect github.com/hashicorp/hcl v1.0.1-vault-5 // indirect github.com/imdario/mergo v0.3.16 // indirect + github.com/in-toto/attestation v1.1.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect @@ -165,6 +167,7 @@ require ( github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect github.com/thales-e-security/pool v0.0.2 // indirect github.com/theupdateframework/go-tuf v0.7.0 // indirect + github.com/theupdateframework/go-tuf/v2 v2.0.1 // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/tjfoc/gmsm v1.4.1 // indirect github.com/transparency-dev/merkle v0.0.2 // indirect diff --git a/go.sum b/go.sum index c5e9f850e2..6001fd7d51 100644 --- a/go.sum +++ b/go.sum @@ -280,6 +280,8 @@ github.com/go-piv/piv-go v1.11.0 h1:5vAaCdRTFSIW4PeqMbnsDlUZ7odMYWnHBDGdmtU/Zhg= github.com/go-piv/piv-go v1.11.0/go.mod h1:NZ2zmjVkfFaL/CF8cVQ/pXdXtuj110zEKGdJM6fJZZM= github.com/go-rod/rod v0.116.2 h1:A5t2Ky2A+5eD/ZJQr1EfsQSe5rms5Xof/qj296e+ZqA= github.com/go-rod/rod v0.116.2/go.mod h1:H+CMO9SCNc2TJ2WfrG+pKhITz57uGNYU43qYHh438Mg= +github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y= +github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= 
@@ -386,6 +388,9 @@ github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= github.com/hashicorp/go-sockaddr v1.0.5 h1:dvk7TIXCZpmfOlM+9mlcrWmWjw/wlKT+VDq2wMvfPJU= github.com/hashicorp/go-sockaddr v1.0.5/go.mod h1:uoUUmtwU7n9Dv3O4SNLeFvg0SxQ3lyjsj6+CCykpaxI= +github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c= +github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k= +github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM= github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM= github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM= github.com/hashicorp/vault/api v1.14.0 h1:Ah3CFLixD5jmjusOgm8grfN9M0d+Y8fVR2SW0K6pJLU= @@ -537,6 +542,8 @@ github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbm github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU= github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c= github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE= +github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= +github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI= github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE= github.com/sigstore/cosign/v2 v2.4.1 h1:b8UXEfJFks3hmTwyxrRNrn6racpmccUycBHxDMkEPvU= diff --git a/internal/builders/generic/attest.go b/internal/builders/generic/attest.go index d38ba2b4ff..4bb9bba1f4 100644 --- a/internal/builders/generic/attest.go +++ b/internal/builders/generic/attest.go 
@@ -23,9 +23,9 @@ import ( "os" "path" - intoto "github.com/in-toto/in-toto-golang/in_toto" "github.com/spf13/cobra" + intoto "github.com/in-toto/in-toto-golang/in_toto" "github.com/slsa-framework/slsa-github-generator/github" "github.com/slsa-framework/slsa-github-generator/internal/builders/common" "github.com/slsa-framework/slsa-github-generator/internal/utils" @@ -35,7 +35,7 @@ import ( // attestCmd returns the 'attest' command. func attestCmd(provider slsa.ClientProvider, check func(error), - signer signing.Signer, tlog signing.TransparencyLog, + signer signing.Signer, ) *cobra.Command { var attPath string var subjectsFilename string @@ -44,7 +44,7 @@ func attestCmd(provider slsa.ClientProvider, check func(error), Use: "attest", Short: "Create a signed SLSA provenance attestation from a Github Action", Long: `Generate and sign SLSA provenance from a Github Action to form an attestation -and upload to a Rekor transparency log. This command assumes that it is being +and create a Sigstore Bundle. This command assumes that it is being run in the context of a Github Actions workflow.`, Run: func(_ *cobra.Command, _ []string) { @@ -114,9 +114,6 @@ run in the context of a Github Actions workflow.`, }) check(err) - _, err = tlog.Upload(ctx, att) - check(err) - attBytes = att.Bytes() } diff --git a/internal/builders/generic/attest_test.go b/internal/builders/generic/attest_test.go index dc7564eec1..6399ec0eff 100644 --- a/internal/builders/generic/attest_test.go +++ b/internal/builders/generic/attest_test.go @@ -249,7 +249,7 @@ func Test_attestCmd_default_single_artifact(t *testing.T) { t.Errorf("unexpected failure: %v", err) } defer os.Remove(fn) - c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{}) + c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}) c.SetOut(new(bytes.Buffer)) c.SetArgs([]string{ "--subjects-filename", fn, 
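Review bot: With `tlog.Upload` removed from the `Run` closure, the Rekor inclusion that `attestCmd` used to enforce itself becomes an unstated precondition on the `signer` parameter, and the file written from `attBytes` is now the bundle JSON that `BundleSigner.Sign` returns, apparently in place of the envelope the previous signer produced, while the `.intoto.jsonl` naming convention is unchanged. Document both on `attestCmd`: `// signer must return an attestation that already carries its transparency-log entry; attest no longer uploads to Rekor itself.` and `// The written file is a Sigstore bundle (JSON), not a bare DSSE envelope.`, and mention the format change in the CHANGELOG entry so consumers of the artifact are not surprised. The `Run` closure and the remainder of `attestCmd` extend outside the hunks.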
@@ -294,7 +294,7 @@ b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c artifact2`))) t.Errorf("unexpected failure: %v", err) } defer os.Remove(fn) - c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{}) + c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}) c.SetOut(new(bytes.Buffer)) c.SetArgs([]string{ "--subjects-filename", fn, @@ -337,7 +337,7 @@ func Test_attestCmd_custom_provenance_name(t *testing.T) { t.Errorf("unexpected failure: %v", err) } defer os.Remove(fn) - c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{}) + c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}) c.SetOut(new(bytes.Buffer)) c.SetArgs([]string{ "--subjects-filename", fn, @@ -393,7 +393,7 @@ func Test_attestCmd_invalid_extension(t *testing.T) { t.Errorf("unexpected failure: %v", err) } defer os.Remove(fn) - c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{}, &testutil.TestTransparencyLog{}) + c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{}) c.SetOut(new(bytes.Buffer)) c.SetArgs([]string{ "--subjects-filename", fn, @@ -447,7 +447,7 @@ func Test_attestCmd_invalid_path(t *testing.T) { t.Errorf("unexpected failure: %v", err) } defer os.Remove(fn) - c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{}, &testutil.TestTransparencyLog{}) + c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{}) c.SetOut(new(bytes.Buffer)) c.SetArgs([]string{ "--subjects-filename", fn, 
@@ -491,7 +491,7 @@ func Test_attestCmd_subdirectory_artifact(t *testing.T) { t.Errorf("unexpected failure: %v", err) } defer os.Remove(fn) - c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{}) + c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}) c.SetOut(new(bytes.Buffer)) c.SetArgs([]string{ "--subjects-filename", fn, diff --git a/internal/builders/generic/main.go b/internal/builders/generic/main.go index 06e4b1e7cc..329152f75c 100644 --- a/internal/builders/generic/main.go +++ b/internal/builders/generic/main.go @@ -36,7 +36,7 @@ For more information on SLSA, visit https://slsa.dev`, }, } c.AddCommand(versionCmd()) - c.AddCommand(attestCmd(nil, checkExit, sigstore.NewDefaultFulcio(), sigstore.NewDefaultRekor())) + c.AddCommand(attestCmd(nil, checkExit, sigstore.NewDefaultBundleSigner())) return c } diff --git a/internal/builders/go/main.go b/internal/builders/go/main.go index 0c5d3a4008..92e539270c 100644 --- a/internal/builders/go/main.go +++ b/internal/builders/go/main.go @@ -75,11 +75,11 @@ func runBuild(dry bool, configFile, evalEnvs string) error { return nil } -func runProvenanceGeneration(subject, digest, commands, envs, workingDir, rekor string) error { - r := sigstore.NewRekor(rekor) - s := sigstore.NewDefaultFulcio() +func runProvenanceGeneration(subject, digest, commands, envs, workingDir string) error { + s := sigstore.NewDefaultBundleSigner() + attBytes, err := pkg.GenerateProvenance(subject, digest, - commands, envs, workingDir, s, r, nil) + commands, envs, workingDir, s, nil) if err != nil { return err } 
@@ -118,7 +118,6 @@ func main() { provenanceCommand := provenanceCmd.String("command", "", "command used to compile the binary") provenanceEnv := provenanceCmd.String("env", "", "env variables used to compile the binary") provenanceWorkingDir := provenanceCmd.String("workingDir", "", "working directory used to issue compilation commands") - provenanceRekor := provenanceCmd.String("rekor", sigstore.DefaultRekorAddr, "rekor server to use for provenance") // Expect a sub-command. if len(os.Args) < 2 { @@ -145,7 +144,7 @@ func main() { } err := runProvenanceGeneration(*provenanceName, *provenanceDigest, - *provenanceCommand, *provenanceEnv, *provenanceWorkingDir, *provenanceRekor) + *provenanceCommand, *provenanceEnv, *provenanceWorkingDir) check(err) default: diff --git a/internal/builders/go/pkg/provenance.go b/internal/builders/go/pkg/provenance.go index 6791650592..787f7fbc93 100644 --- a/internal/builders/go/pkg/provenance.go +++ b/internal/builders/go/pkg/provenance.go @@ -65,7 +65,7 @@ func (b *goProvenanceBuild) BuildConfig(context.Context) (interface{}, error) { // attestation. // Spec: https://slsa.dev/provenance/v0.2 func GenerateProvenance(name, digest, command, envs, workingDir string, - s signing.Signer, r signing.TransparencyLog, provider slsa.ClientProvider, + s signing.Signer, provider slsa.ClientProvider, ) ([]byte, error) { gh, err := github.GetWorkflowContext() if err != nil { @@ -180,14 +180,5 @@ func GenerateProvenance(name, digest, command, envs, workingDir string, if err != nil { return nil, err } - - // Upload the signed attestation to rekor. - logEntry, err := r.Upload(ctx, att) - if err != nil { - return nil, err - } - - fmt.Printf("Uploaded signed attestation to rekor with UUID %s.\n", logEntry.UUID()) - return att.Bytes(), nil } diff --git a/internal/builders/go/pkg/provenance_test.go b/internal/builders/go/pkg/provenance_test.go index a6770ca07c..47d059e5b3 100644 --- a/internal/builders/go/pkg/provenance_test.go 
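Review bot: The doc comment of `GenerateProvenance` (its opening lines sit above the first provenance.go hunk) still describes the previous output, but the bytes it now returns are whatever the `signer` produced — with `NewDefaultBundleSigner` wired in `main.go`, a Sigstore bundle that already carries the Rekor entry — and the `-rekor` flag dropped in the second `main.go` hunk on this line means an invocation that still passes it fails at flag parsing, the Rekor address now being fixed to `DefaultRekorAddr` inside `getBundleOpts`. Extend the comment with `// The returned bytes are the signer's serialized attestation (a Sigstore bundle with the default signer); this function no longer uploads to Rekor itself.` and record the removed flag in the CHANGELOG entry. `GenerateProvenance` and `main` both extend outside the hunks.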
+++ b/internal/builders/go/pkg/provenance_test.go @@ -21,7 +21,7 @@ import ( "github.com/slsa-framework/slsa-github-generator/slsa" ) -func TestGenerateProvenance_withErr(t *testing.T) { +func TestGenerateProvenance(t *testing.T) { // Disable pre-submit detection. // TODO(github.com/slsa-framework/slsa-github-generator/issues/124): Remove t.Setenv("GITHUB_EVENT_NAME", "non_event") @@ -30,10 +30,13 @@ func TestGenerateProvenance_withErr(t *testing.T) { sha256 := "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2" _, err := GenerateProvenance( "foo", sha256, "", "", "/home/foo", - &testutil.TestSigner{}, &testutil.TransparencyLogWithErr{}, + &testutil.TestSigner{}, &slsa.NilClientProvider{}, ) - if want, got := testutil.ErrTransparencyLog, err; want != got { - t.Errorf("expected error, want: %v, got: %v", want, got) + + var want error + got := err + if want != got { + t.Errorf("unexpected error, want: %v, got: %v", want, got) } } diff --git a/signing/sigstore/bundle.go b/signing/sigstore/bundle.go new file mode 100644 index 0000000000..d1f0e9b88c --- /dev/null +++ b/signing/sigstore/bundle.go 
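Review bot: `var want error` / `got := err` / `if want != got` in `TestGenerateProvenance` is an indirect way of writing `if err != nil`; replace the three lines with `if err != nil { t.Errorf("unexpected error: %v", err) }`. The renamed test now asserts success rather than a transparency-log error, so it depends on `GetWorkflowContext` succeeding in the test environment — presumably covered by the `t.Setenv` calls above the hunk, but worth confirming.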
@@ -0,0 +1,146 @@
+// Copyright 2022 SLSA Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package sigstore
+
+import (
+ "context"
+ "encoding/json"
+ "fmt"
+
+ intoto "github.com/in-toto/in-toto-golang/in_toto"
+ sigstoreBundle "github.com/sigstore/sigstore-go/pkg/bundle"
+ sigstoreRoot "github.com/sigstore/sigstore-go/pkg/root"
+ sigstoreSign "github.com/sigstore/sigstore-go/pkg/sign"
+ "github.com/slsa-framework/slsa-github-generator/github"
+ "github.com/slsa-framework/slsa-github-generator/signing"
+)
+
+// BundleSigner is used to produce Sigstore Bundles from provenance statements.
+type BundleSigner struct{}
+
+type sigstoreBundleAtt struct {
+ cert []byte
+ att []byte
+}
+
+// Cert returns the certificate used to sign the Bundle.
+func (s *sigstoreBundleAtt) Cert() []byte {
+ return s.cert
+}
+
+// attestation is a signed Sigstore Bundle.
+func (s *sigstoreBundleAtt) Bytes() []byte {
+ return s.att
+}
+
+// NewDefaultBundleSigner creates a new BundleSigner instance.
+func NewDefaultBundleSigner() *BundleSigner {
+ return &BundleSigner{}
+}
+
+// Sign signs the given provenance statement and returns the signed Sigstore Bundle.
+func (s *BundleSigner) Sign(ctx context.Context, statement *intoto.Statement) (signing.Attestation, error) {
+ // content to sign
+ statementBytes, err := json.Marshal(*statement)
+ if err != nil {
+ return nil, err
+ }
+ content := &sigstoreSign.DSSEData{
+ Data: statementBytes,
+ PayloadType: intoto.PayloadType,
+ }
+
+ // keypair for the certificate
+ keypair, err := sigstoreSign.NewEphemeralKeypair(nil)
+ if err != nil {
+ return nil, err
+ }
+
+ // get the oidc token.
+ oidcClient, err := github.NewOIDCClient()
+ if err != nil {
+ return nil, err
+ }
+ tokenStruct, err := oidcClient.Token(ctx, []string{"sigstore"})
+ if err != nil {
+ return nil, err
+ }
+ rawToken := tokenStruct.RawToken
+
+ // signing opts.
+ bundleOpts, err := getBundleOpts(ctx, &rawToken)
+ if err != nil {
+ return nil, err
+ }
+
+ // sign.
+ innerBundle, err := sigstoreSign.Bundle(content, keypair, *bundleOpts)
+ if err != nil {
+ return nil, err
+ }
+
+ // print the logIndex.
+ // Bundle will have already verified that the TLog entries are signed.
+ logIndex := innerBundle.GetVerificationMaterial().GetTlogEntries()[0].GetLogIndex()
+ fmt.Printf("Signed attestation is in rekor with Log Index %d.\n", logIndex)
+ fmt.Printf("You could use rekor-cli to view the log entry details:\n\n"+
+ " $ rekor-cli get --log-index %[1]d\n\n"+
+ "In addition to that, you could also use the Rekor Search UI:\n\n"+
+ " https://search.sigstore.dev/?logIndex=%[1]d", logIndex)
+
+ // marshall to json.
+ bundleWrapper := &sigstoreBundle.Bundle{
+ Bundle: innerBundle,
+ }
+ bundleBytes, err := bundleWrapper.MarshalJSON()
+ if err != nil {
+ return nil, err
+ }
+ bundleAtt := &sigstoreBundleAtt{
+ cert: innerBundle.GetVerificationMaterial().GetCertificate().GetRawBytes(),
+ att: bundleBytes,
+ }
+ return bundleAtt, nil
+}
+
+// getBundleOpts provides the opts for sigstoreSign.Bundle().
+func getBundleOpts(
+ ctx context.Context,
+ identityToken *string,
+) (*sigstoreSign.BundleOptions, error) {
+ bundleOpts := &sigstoreSign.BundleOptions{
+ Context: ctx,
+ }
+
+ trustedRoot, err := sigstoreRoot.FetchTrustedRoot()
+ if err != nil {
+ return nil, err
+ }
+ bundleOpts.TrustedRoot = trustedRoot
+
+ fulcioOpts := &sigstoreSign.FulcioOptions{
+ BaseURL: defaultFulcioAddr,
+ }
+ bundleOpts.CertificateProvider = sigstoreSign.NewFulcio(fulcioOpts)
+ bundleOpts.CertificateProviderOptions = &sigstoreSign.CertificateProviderOptions{
+ IDToken: *identityToken,
+ }
+
+ rekorOpts := &sigstoreSign.RekorOptions{
+ BaseURL: DefaultRekorAddr,
+ }
+ bundleOpts.TransparencyLogs = append(bundleOpts.TransparencyLogs, sigstoreSign.NewRekor(rekorOpts))
+ return bundleOpts, nil
+}
From 566ea3bd7bf0dadae15f9fe49ea3ab8271b228e1 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Tue, 11 Feb 2025 13:41:12 -0500
Subject: [PATCH 2/3] test: add a debug workflow

Signed-off-by: Ramon Petgrave
---
 .github/workflows/debug-bundle.yml | 124 +++++++++++++++++++++++++++++
 1 file changed, 124 insertions(+)
 create mode 100644 .github/workflows/debug-bundle.yml

diff --git a/.github/workflows/debug-bundle.yml b/.github/workflows/debug-bundle.yml
new file mode 100644
index 0000000000..8702e1ff38
--- /dev/null
+++ b/.github/workflows/debug-bundle.yml
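Review bot: `GetTlogEntries()[0]` in `Sign` indexes the slice without a length check, so a bundle that comes back without a Rekor entry panics instead of returning an error; since the transparency-log entry is what a downstream verifier relies on, the method should fail closed there rather than panic or hand back an unlogged bundle. The same hunk dereferences `*statement` before any nil check, the final `fmt.Printf` has no trailing newline so whatever is printed next is glued to the search URL, and the doc comment on `Bytes` (`// attestation is a signed Sigstore Bundle.`) should start with the method name, e.g. `// Bytes returns the serialized Sigstore Bundle.`. `getBundleOpts` takes `identityToken *string` but only reads the value, so a plain `string` parameter would remove the `&rawToken` / `*identityToken` round trip. `FetchTrustedRoot` appears to fetch the Sigstore trusted root on every `Sign` call; if the signer is ever reused for several statements, that cost and network dependency are worth a comment.
```go
	// Bundle will have already verified that the TLog entries are signed,
	// but fail closed if none is present: an unlogged bundle is not usable provenance.
	entries := innerBundle.GetVerificationMaterial().GetTlogEntries()
	if len(entries) == 0 {
		return nil, fmt.Errorf("signed bundle carries no transparency log entry")
	}
	logIndex := entries[0].GetLogIndex()
	fmt.Printf("Signed attestation is in rekor with Log Index %d.\n", logIndex)
	// … unchanged: rekor-cli / Search UI hints, with the last format string now ending in "\n" …
```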
@@ -0,0 +1,124 @@
+name: debug-generic-generator
+
+on:
+ push:
+
+permissions: read-all
+
+env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ SLSA_VERIFIER_BRANCH: sghg-go-bundle
+ TEST_SLSA_GITHUB_GENERATOR_BRANCH: ${{ github.ref_name }}
+
+jobs:
+ generic-build:
+ outputs:
+ hashes: ${{ steps.hash.outputs.hashes }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Build artifacts
+ run: |
+ # These are some amazing artifacts.
+ echo "foo" > artifact1
+ echo "bar" > artifact2
+ - name: Generate hashes
+ shell: bash
+ id: hash
+ run: |
+ # sha256sum generates sha256 hash for all artifacts.
+ # base64 -w0 encodes to base64 and outputs on a single line.
+ # sha256sum artifact1 artifact2 ... | base64 -w0
+ echo "hashes=$(sha256sum artifact1 artifact2 | base64 -w0)" >> "$GITHUB_OUTPUT"
+ - name: Upload artifact1
+ uses: actions/upload-artifact@v4
+ with:
+ name: artifact1
+ path: artifact1
+ if-no-files-found: error
+ retention-days: 5
+
+ - name: Upload artifact2
+ uses: actions/upload-artifact@v4
+ with:
+ name: artifact2
+ path: artifact2
+ if-no-files-found: error
+ retention-days: 5
+
+ generic-provenance:
+ needs: generic-build
+ permissions:
+ id-token: write # For signing.
+ contents: write # For asset uploads.
+ actions: read # For reading workflow info.
+ uses: ./.github/workflows/generator_generic_slsa3.yml
+ with:
+ base64-subjects: "${{ needs.generic-build.outputs.hashes }}"
+ compile-generator: true
+ provenance-name: generic-build.intoto.jsonl
+ upload-assets: true
+
+ generic-verify:
+ needs: generic-provenance
+ runs-on: ubuntu-latest
+ steps:
+ - name: Download artifact1
+ uses: actions/download-artifact@v4
+ with:
+ name: artifact1
+ - name: Download artifact2
+ uses: actions/download-artifact@v4
+ with:
+ name: artifact2
+ - name: Download provenance
+ uses: actions/download-artifact@v4
+ with:
+ name: "${{ needs.generic-provenance.outputs.provenance-name }}"
+ - uses: actions/setup-go@v5
+ - name: Setup slsa-verifier
+ run: go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@${{ env.SLSA_VERIFIER_BRANCH }}
+ - name: Verify
+ run: |
+ SLSA_VERIFIER_TESTING=1 slsa-verifier verify-artifact \
+ artifact1 artifact2 \
+ --provenance-path generic-build.intoto.jsonl \
+ --source-uri github.com/slsa-framework/slsa-github-generator \
+ --source-branch ${{ env.TEST_SLSA_GITHUB_GENERATOR_BRANCH }} \
+ --print-provenance
+ go-build:
+ permissions:
+ id-token: write # To sign the provenance.
+ contents: write # To upload assets to release.
+ actions: read # To read the workflow path.
+ uses: ./.github/workflows/builder_go_slsa3.yml
+ with:
+ go-version-file: 'go.mod'
+ config-file: .github/workflows/configs-container/config-release.yml
+ compile-builder: true
+
+ go-verify:
+ needs: [generic-provenance, go-build]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Download artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: "${{ needs.go-build.outputs.go-binary-name }}"
+ - name: Download provenance
+ uses: actions/download-artifact@v4
+ with:
+ name: "${{ needs.go-build.outputs.go-provenance-name }}"
+ - uses: actions/setup-go@v5
+ - name: Setup slsa-verifier
+ run: go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@${{ env.SLSA_VERIFIER_BRANCH }}
+ - name: Verify
+ env:
+ ARTIFACT: "${{ needs.go-build.outputs.go-binary-name }}"
+ PROVENANCE: "${{ needs.go-build.outputs.go-provenance-name }}"
+ run: |
+ SLSA_VERIFIER_TESTING=1 slsa-verifier verify-artifact \
+ "$ARTIFACT" \
+ --provenance-path "$PROVENANCE" \
+ --source-uri github.com/slsa-framework/slsa-github-generator \
+ --source-branch ${{ env.TEST_SLSA_GITHUB_GENERATOR_BRANCH }} \
+ --print-provenance
From e015c138394bc4217fd9c034401f5fb9d1de9e4c Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Tue, 11 Feb 2025 14:56:57 -0500
Subject: [PATCH 3/3] Revert "test: add a debug workflow"

This reverts commit c6b6daf7cadf041724c37001a68fa4416d486789.

Signed-off-by: Ramon Petgrave
---
 .github/workflows/debug-bundle.yml | 124 ----------------------------
 1 file changed, 124 deletions(-)
 delete mode 100644 .github/workflows/debug-bundle.yml

diff --git a/.github/workflows/debug-bundle.yml b/.github/workflows/debug-bundle.yml
deleted file mode 100644
index 8702e1ff38..0000000000
--- a/.github/workflows/debug-bundle.yml
+++ /dev/null
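Review bot: Both `run:` scripts expand `${{ env.TEST_SLSA_GITHUB_GENERATOR_BRANCH }}` (sourced from `github.ref_name`) and `${{ env.SLSA_VERIFIER_BRANCH }}` as template text before the shell sees the script, so the values are spliced unquoted into the command line; reading the already-exported variables as `"$TEST_SLSA_GITHUB_GENERATOR_BRANCH"` and `"$SLSA_VERIFIER_BRANCH"` keeps them as data the way `"$ARTIFACT"` and `"$PROVENANCE"` already are. `GH_TOKEN` is set at workflow scope although no visible step uses it, `slsa-verifier` is installed from a mutable branch name, and the actions are referenced by major tag rather than a commit SHA, which the repository's other workflows may pin. Patch 3 reverts this file, so the series as a whole adds nothing here; dropping patches 2 and 3 before merge would avoid carrying a throwaway workflow in history.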
@@ -1,124 +0,0 @@ -name: debug-generic-generator - -on: - push: - -permissions: read-all - -env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - SLSA_VERIFIER_BRANCH: sghg-go-bundle - TEST_SLSA_GITHUB_GENERATOR_BRANCH: ${{ github.ref_name }} - -jobs: - generic-build: - outputs: - hashes: ${{ steps.hash.outputs.hashes }} - runs-on: ubuntu-latest - steps: - - name: Build artifacts - run: | - # These are some amazing artifacts. - echo "foo" > artifact1 - echo "bar" > artifact2 - - name: Generate hashes - shell: bash - id: hash - run: | - # sha256sum generates sha256 hash for all artifacts. - # base64 -w0 encodes to base64 and outputs on a single line. - # sha256sum artifact1 artifact2 ... | base64 -w0 - echo "hashes=$(sha256sum artifact1 artifact2 | base64 -w0)" >> "$GITHUB_OUTPUT" - - name: Upload artifact1 - uses: actions/upload-artifact@v4 - with: - name: artifact1 - path: artifact1 - if-no-files-found: error - retention-days: 5 - - - name: Upload artifact2 - uses: actions/upload-artifact@v4 - with: - name: artifact2 - path: artifact2 - if-no-files-found: error - retention-days: 5 - - generic-provenance: - needs: generic-build - permissions: - id-token: write # For signing. - contents: write # For asset uploads. - actions: read # For reading workflow info. 
- uses: ./.github/workflows/generator_generic_slsa3.yml - with: - base64-subjects: "${{ needs.generic-build.outputs.hashes }}" - compile-generator: true - provenance-name: generic-build.intoto.jsonl - upload-assets: true - - generic-verify: - needs: generic-provenance - runs-on: ubuntu-latest - steps: - - name: Download artifact1 - uses: actions/download-artifact@v4 - with: - name: artifact1 - - name: Download artifact2 - uses: actions/download-artifact@v4 - with: - name: artifact2 - - name: Download provenance - uses: actions/download-artifact@v4 - with: - name: "${{ needs.generic-provenance.outputs.provenance-name }}" - - uses: actions/setup-go@v5 - - name: Setup slsa-verifier - run: go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@${{ env.SLSA_VERIFIER_BRANCH }} - - name: Verify - run: | - SLSA_VERIFIER_TESTING=1 slsa-verifier verify-artifact \ - artifact1 artifact2 \ - --provenance-path generic-build.intoto.jsonl \ - --source-uri github.com/slsa-framework/slsa-github-generator \ - --source-branch ${{ env.TEST_SLSA_GITHUB_GENERATOR_BRANCH }} \ - --print-provenance - go-build: - permissions: - id-token: write # To sign the provenance. - contents: write # To upload assets to release. - actions: read # To read the workflow path. 
- uses: ./.github/workflows/builder_go_slsa3.yml - with: - go-version-file: 'go.mod' - config-file: .github/workflows/configs-container/config-release.yml - compile-builder: true - - go-verify: - needs: [generic-provenance, go-build] - runs-on: ubuntu-latest - steps: - - name: Download artifact - uses: actions/download-artifact@v4 - with: - name: "${{ needs.go-build.outputs.go-binary-name }}" - - name: Download provenance - uses: actions/download-artifact@v4 - with: - name: "${{ needs.go-build.outputs.go-provenance-name }}" - - uses: actions/setup-go@v5 - - name: Setup slsa-verifier - run: go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@${{ env.SLSA_VERIFIER_BRANCH }} - - name: Verify - env: - ARTIFACT: "${{ needs.go-build.outputs.go-binary-name }}" - PROVENANCE: "${{ needs.go-build.outputs.go-provenance-name }}" - run: | - SLSA_VERIFIER_TESTING=1 slsa-verifier verify-artifact \ - "$ARTIFACT" \ - --provenance-path "$PROVENANCE" \ - --source-uri github.com/slsa-framework/slsa-github-generator \ - --source-branch ${{ env.TEST_SLSA_GITHUB_GENERATOR_BRANCH }} \ - --print-provenance