slsa-framework · laurentsimon · May 30, 2023 · May 30, 2023 · laurentsimon · May 30, 2023
@@ -594,6 +594,12 @@ function createPredicate(rawTokenObj, toolURI, token, isGenerator) {
                 inputs: Object.fromEntries(rawTokenObj.tool.inputs),
                 // Variables are always empty for BYOB / builders.
                 vars: {},
+                source: {
+                    uri: sourceURI,
+                    digest: {
+                        gitCommit: sourceSha1,
+                    },
+                },
             };
         }
         // Put GitHub event payload into internalParameters.

@@ -125,6 +125,12 @@ export async function createPredicate(
       inputs: Object.fromEntries(rawTokenObj.tool.inputs),
       // Variables are always empty for BYOB / builders.
       vars: {},
+      source: {
+        uri: sourceURI,
+        digest: {
+          gitCommit: sourceSha1,
+        },
+      },
     };
   }
 

@@ -17,7 +17,7 @@ name: verify-token schedule
 on:
   workflow_call:
 
-permissions: read-all
+permissions: {}
 
 env:
   GH_TOKEN: ${{ github.token }}
@@ -31,6 +31,7 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       valid-token: ${{ steps.verify.outputs.slsa-token }}
+      valid-token-sha1: ${{ steps.verify-sha1.outputs.slsa-token }}
       invalid-mask-token: ${{ steps.verify-invalid-mask.outputs.slsa-token }}
       invalid-sha1-token: ${{ steps.verify-invalid-sha1.outputs.slsa-token }}
     steps:
@@ -53,12 +54,34 @@ jobs:
           # The Action should trim the spaces automatically.
           slsa-workflow-masked-inputs: name2, name4,name6
           slsa-checkout-fetch-depth: 4
-          slsa-checkout-sha1: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 
       - id: verify
         env:
           SLSA_TOKEN: ${{ steps.setup.outputs.slsa-token }}
           CHECKOUT_FETCH_DEPTH: 4
+        run: |
+          set -euo pipefail
+          ./.github/workflows/scripts/schedule.actions/verify-setup-token.sh
+          echo "slsa-token=$SLSA_TOKEN" >> "$GITHUB_OUTPUT"
+
+      - id: setup-sha1
+        uses: ./actions/delegator/setup-token
+        with:
+          slsa-workflow-recipient: "delegator_generic_slsa3.yml"
+          slsa-rekor-log-public: true
+          slsa-runner-label: "ubuntu-latest"
+          slsa-build-action-path: "./actions/build-artifacts-composite"
+          slsa-workflow-inputs: '{"name1":"value1","name2":"value2","name3":"value3","name4":"","name5":"value5","name6":"value6","private-repository":true}'
+          # name4 has empty value and won't be obfuscated even though it's in the list.
+          # The Action should trim the spaces automatically.
+          slsa-workflow-masked-inputs: name2, name4,name6
+          slsa-checkout-fetch-depth: 4
+          slsa-checkout-sha1: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+
+      - id: verify-sha1
+        env:
+          SLSA_TOKEN: ${{ steps.setup-sha1.outputs.slsa-token }}
+          CHECKOUT_FETCH_DEPTH: 4
           CHECKOUT_SHA1: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
         run: |
           set -euo pipefail
@@ -129,6 +152,23 @@ jobs:
           TOOL_REF: ${{ steps.verify-builder.outputs.tool-ref }}
           PREDICATE: predicate.json
           CHECKOUT_FETCH_DEPTH: 4
+          BUILDER_INTERFACE_TYPE: "builder"
+        run: ./.github/workflows/scripts/schedule.actions/verify-verified-token.sh
+
+      - id: verify-builder-sha1
+        uses: ./.github/actions/verify-token
+        with:
+          slsa-unverified-token: ${{ needs.setup-token.outputs.valid-token-sha1 }}
+          slsa-workflow-recipient: "delegator_generic_slsa3.yml"
+          output-predicate: predicate.json
+          builder-interface-type: "builder"
+
+      - env:
+          VERIFIED_TOKEN: ${{ steps.verify-builder-sha1.outputs.slsa-verified-token }}
+          TOOL_REPOSITORY: ${{ steps.verify-builder.outputs.tool-repository }}
+          TOOL_REF: ${{ steps.verify-builder.outputs.tool-ref }}
+          PREDICATE: predicate.json
+          CHECKOUT_FETCH_DEPTH: 4
           CHECKOUT_SHA1: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
           BUILDER_INTERFACE_TYPE: "builder"
         run: ./.github/workflows/scripts/schedule.actions/verify-verified-token.sh

@@ -20,7 +20,7 @@ on:
     - cron: "0 4 * * *"
   workflow_dispatch:
 
-permissions: read-all
+permissions: {}
 
 env:
   GH_TOKEN: ${{ github.token }}

@@ -146,3 +146,12 @@ e2e_verify_predicate_v1_runDetails_builder_id() {
 e2e_verify_predicate_v1_runDetails_metadata_invocationId() {
     _e2e_verify_query "$1" "$2" '.runDetails.metadata.invocationId'
 }
+
+e2e_get_source_sha1() {
+    local digest="$GITHUB_SHA"
+    if [[ -n "${CHECKOUT_SHA1:-}" ]]; then
+        # If the TRW provided a sha1 for checkout, the predicate should use it instead.
+        digest="${CHECKOUT_SHA1}"
+    fi
+    echo "$digest"
+}
@@ -69,11 +69,7 @@ e2e_verify_common_metadata() {
 # $1: the attestation content
 e2e_verify_common_materials() {
     # By default, we use the digest from the GitHub event.
-    local digest="$GITHUB_SHA"
-    if [[ -n "${CHECKOUT_SHA1:-}" ]]; then
-        # If the TRW provided a sha1 for checkout, the predicate should use it instead.
-        digest="${CHECKOUT_SHA1}"
-    fi
+    digest=$(e2e_get_source_sha1)
     e2e_verify_predicate_materials "$1" "{\"uri\":\"git+https://github.com/$GITHUB_REPOSITORY@$GITHUB_REF\",\"digest\":{\"sha1\":\"$digest\"}}"
 }
 

@@ -40,5 +40,6 @@ e2e_verify_predicate_v1_runDetails_builder_id "$PREDICATE_CONTENT" "https://gith
 e2e_verify_predicate_v1_buildDefinition_externalParameters_workflow "$PREDICATE_CONTENT" "$(e2e_this_file_full_path)" "$GITHUB_REF" "git+https://github.com/$GITHUB_REPOSITORY"
 
 # Verify external parameters source
-e2e_verify_predicate_v1_buildDefinition_externalParameters_source "$PREDICATE_CONTENT" "{\"uri\":\"git+https://github.com/$GITHUB_REPOSITORY@$GITHUB_REF\",\"digest\":{\"sha1\":\"$GITHUB_SHA\"}}"
+digest=$(e2e_get_source_sha1)
+e2e_verify_predicate_v1_buildDefinition_externalParameters_source "$PREDICATE_CONTENT" "{\"uri\":\"git+https://github.com/$GITHUB_REPOSITORY@$GITHUB_REF\",\"digest\":{\"sha1\":\"$digest\"}}"
 e2e_verify_predicate_v1_buildDefinition_externalParameters_inputs "$PREDICATE_CONTENT" '{"name1":"value1","name2":"***","name3":"value3","name4":"***","name5":"value5","name6":"***","private-repository":true}'