Rename attestation-name #777

Merged
merged 14 commits into from
Sep 1, 2022
2 changes: 1 addition & 1 deletion .github/workflows/generator_container_slsa3.yml
@@ -126,7 +126,7 @@ jobs:

# Generate a predicate only.
predicate_name="predicate.json"
./"$BUILDER_BINARY" attest --signature="" --predicate="$predicate_name"
./"$BUILDER_BINARY" generate --predicate="$predicate_name"

COSIGN_EXPERIMENTAL=1 cosign attest --predicate="$predicate_name" \
--type slsaprovenance \
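Review bot: the switch from `attest --signature="" --predicate=...` to `generate --predicate=...` makes this workflow depend on a `generate` subcommand in `$BUILDER_BINARY`; the pinned builder release this workflow downloads must already ship it, otherwise the step fails at runtime rather than at review time. Worth confirming the binary version and the workflow change land together (or that the container workflow builds the binary from the same ref).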
61 changes: 35 additions & 26 deletions .github/workflows/generator_generic_slsa3.yml
@@ -35,14 +35,13 @@ on:
type: boolean
default: false
attestation-name:
description: >
The artifact name of the signed provenance.
The file must have the intoto.jsonl extension.

Default: attestation.intoto.jsonl
description: "The artifact name of the signed provenance. The file must have the intoto.jsonl extension. Defaults to <filename>.intoto.jsonl for single artifact or multiple.intoto.jsonl for multiple artifacts. DEPRECATED: Use provenance-name instead."
required: false
type: string
provenance-name:
description: The artifact name of the signed provenance. The file must have the intoto.jsonl extension. Defaults to <filename>.intoto.jsonl for single artifact or multiple.intoto.jsonl for multiple artifacts.
required: false
type: string
default: "attestation.intoto.jsonl"
compile-generator:
description: "Build the generator from source. This increases build time by ~2m."
required: false
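Review bot: dropping `default: "attestation.intoto.jsonl"` changes the default provenance file name from a fixed string to one derived from the subject name, so callers that hard-coded `attestation.intoto.jsonl` in a download or verification step will break even though they never set `attestation-name`. The deprecation note in the `attestation-name` description should say that explicitly, and the `provenance-name` description could state that it takes precedence when both inputs are set.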
@@ -53,8 +52,11 @@ on:
description: "The name of the release where provenance was uploaded."
value: ${{ jobs.create-release.outputs.release-id }}
attestation-name:
description: "DEPRECATED: use the provenance-name output instead."
value: ${{ jobs.generator.outputs.provenance-name }}
provenance-name:
description: "The artifact name of the signed provenance. (A file with the intoto.jsonl extension)."
value: "${{ inputs.attestation-name }}"
value: ${{ jobs.generator.outputs.provenance-name }}

jobs:
# detect-env detects the reusable workflow's repository and ref for use later
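Review bot: the `attestation-name` output aliasing `jobs.generator.outputs.provenance-name` keeps existing callers working, which is good; but the generator job also produces `provenance-sha256` and the workflow does not expose it. Exposing it as a workflow output would let callers verify the downloaded provenance's digest the same way `create-release` does with the secure-download-artifact action, instead of trusting the artifact name alone.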
@@ -82,7 +84,8 @@ jobs:
# reference.
generator:
outputs:
attestation-sha256: ${{ steps.sign-prov.outputs.attestation-sha256 }}
provenance-sha256: ${{ steps.sign-prov.outputs.provenance-sha256 }}
provenance-name: ${{ steps.sign-prov.outputs.provenance-name }}
runs-on: ubuntu-latest
needs: [detect-env]
permissions:
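Review bot: renaming `attestation-sha256` to `provenance-sha256` with no deprecated alias is a breaking change for any job that references `needs.generator.outputs.attestation-sha256`; `create-release` is updated in this PR, but the outputs block could keep `attestation-sha256` pointing at the same step output during the deprecation window, as was done for `attestation-name` at the workflow level.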
@@ -109,30 +112,36 @@ jobs:
# order to avoid script injection.
# See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
env:
SUBJECTS: "${{ inputs.base64-subjects }}"
GITHUB_CONTEXT: "${{ toJSON(github) }}"
UNTRUSTED_ATTESTATION_NAME: "${{ inputs.attestation-name }}"
UNTRUSTED_SUBJECTS: "${{ inputs.base64-subjects }}"
UNTRUSTED_PROVENANCE_NAME: "${{ inputs.provenance-name }}"
UNTRUSTED_DEPRECATED_ATTESTATION_NAME: "${{ inputs.attestation-name }}"
run: |
set -euo pipefail
# NOTE: The generator binary allows the attestation to be "" in which
# case it does not sign or generate provenance. However, this workflow
# requires it to be non-empty so we validate it here.
if [ "$UNTRUSTED_ATTESTATION_NAME" == "" ]; then
echo "attestation-name cannot be empty."
exit 5
untrusted_provenance_name=""
if [ "$UNTRUSTED_PROVENANCE_NAME" != "" ]; then
untrusted_provenance_name="$UNTRUSTED_PROVENANCE_NAME"
else
if [ "$UNTRUSTED_DEPRECATED_ATTESTATION_NAME" != "" ]; then
echo "WARNING: deprecated attestation-name was used. Use provenance-name instead."
untrusted_provenance_name="$UNTRUSTED_DEPRECATED_ATTESTATION_NAME"
fi
fi
# Create and sign provenance.
# Note: The builder verifies that the UNTRUSTED_ATTESTATION_NAME is located
# NOTE: The builder verifies that the provenance path is located
# in the current directory.
./"$BUILDER_BINARY" attest --subjects "${SUBJECTS}" -g "$UNTRUSTED_ATTESTATION_NAME"
attestation_sha256=$(sha256sum "$UNTRUSTED_ATTESTATION_NAME" | awk '{print $1}')
echo "::set-output name=attestation-sha256::$attestation_sha256"
# NOTE: $untrusted_provenance_path may be empty. In this case the
# attest command chooses a file name based on the subject name and
# number of subjects based on in-toto attestation bundle file naming conventions.
# See: https://github.com/in-toto/attestation/blob/main/spec/bundle.md#file-naming-convention
# NOTE: The attest commmand outputs the provenance-name and provenance-sha256
./"$BUILDER_BINARY" attest --subjects "${UNTRUSTED_SUBJECTS}" -g "$untrusted_provenance_name"

- name: Upload the signed provenance
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
with:
name: "${{ inputs.attestation-name }}"
path: "${{ inputs.attestation-name }}"
name: "${{ steps.sign-prov.outputs.provenance-name }}"
path: "${{ steps.sign-prov.outputs.provenance-name }}"
if-no-files-found: error
retention-days: 5
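Review bot: the NOTE comment kept at the top of the `run:` block is now stale and contradicts the new code: it says an empty attestation name means the binary does not sign or generate provenance and that the workflow validates non-emptiness, but the `exit 5` check was removed and the later comment says an empty name makes `attest` pick a file name from the in-toto bundle naming convention. Suggest deleting the old comment. Two smaller points: the comment refers to `$untrusted_provenance_path` while the variable is `untrusted_provenance_name`, and `commmand` is misspelled. Finally, when both `provenance-name` and the deprecated `attestation-name` are set, the latter is silently ignored; echoing a warning in that branch too would make the precedence visible in the job log.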

@@ -150,13 +159,13 @@ jobs:
- name: Download the provenance
uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@07d42a79c8531365637e425fac6a95bf0f5dc29e
with:
name: "${{ inputs.attestation-name }}"
path: "${{ inputs.attestation-name }}"
sha256: "${{ needs.generator.outputs.attestation-sha256 }}"
name: "${{ needs.generator.outputs.provenance-name }}"
path: "${{ needs.generator.outputs.provenance-name }}"
sha256: "${{ needs.generator.outputs.provenance-sha256 }}"

- name: Release
uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # tag=v0.1.14
id: release
with:
files: |
${{ inputs.attestation-name }}
${{ needs.generator.outputs.provenance-name }}
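Review bot: `path:` in the download step is the caller-supplied `provenance-name` passed through the generator job's output, so the only thing keeping the path inside the workspace here is the builder's check (noted in the generator step) that the provenance path is in the current directory; a one-line comment pointing at that check in this job would make the trust boundary explicit for future readers. The sha256 pin on the download is retained, which is the important part.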
4 changes: 2 additions & 2 deletions .github/workflows/pre-submit.e2e.generic.default.yml
@@ -34,8 +34,8 @@ jobs:
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v3.0.0
with:
name: ${{ needs.build.outputs.attestation-name }}
name: ${{ needs.build.outputs.provenance-name }}
- env:
BINARY: "binary-name"
PROVENANCE: ${{ needs.build.outputs.attestation-name }}
PROVENANCE: ${{ needs.build.outputs.provenance-name }}
run: ./.github/workflows/scripts/pre-submit.e2e.generic.default.sh
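Review bot: the e2e job now reads `provenance-name`, whose default is no longer `attestation.intoto.jsonl`; `pre-submit.e2e.generic.default.sh` is not in this diff, so please confirm it asserts on the new default file name (derived from `binary-name`) rather than the old fixed one.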
20 changes: 10 additions & 10 deletions internal/builders/generic/README.md
@@ -135,8 +135,6 @@ jobs:
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
# Set a custom name for the provenance attestation.
attestation-name: "artifacts.intoto.jsonl"
# Upload provenance to a new release
upload-assets: true
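Review bot: removing the `attestation-name: "artifacts.intoto.jsonl"` lines leaves the README example without any illustration of naming the provenance; replacing them with `provenance-name: "artifacts.intoto.jsonl"` under the same comment would show readers the new input rather than hide the feature.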

@@ -183,19 +181,21 @@ issue](https://github.com/slsa-framework/slsa-github-generator/issues/new/choose

The [generic workflow](https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_generic_slsa3.yml) accepts the following inputs:

| Name | Required | Default | Description |
| ------------------ | -------- | -------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `base64-subjects` | yes | | Artifact(s) for which to generate provenance, formatted the same as the output of sha256sum (SHA256 NAME\n[...]) and base64 encoded. The encoded value should decode to, for example: `90f3f7d6c862883ab9d856563a81ea6466eb1123b55bff11198b4ed0030cac86 foo.zip` |
| `upload-assets` | no | false | If true provenance is uploaded to a GitHub release for new tags. |
| `attestation-name` | no | "attestation.intoto.jsonl" | The artifact name of the signed provenance. The file must have the `intoto.jsonl` extension. |
| Name | Required | Default | Description |
| ------------------ | -------- | ----------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `base64-subjects` | yes | | Artifact(s) for which to generate provenance, formatted the same as the output of sha256sum (SHA256 NAME\n[...]) and base64 encoded. The encoded value should decode to, for example: `90f3f7d6c862883ab9d856563a81ea6466eb1123b55bff11198b4ed0030cac86 foo.zip` |
| `upload-assets` | no | false | If true provenance is uploaded to a GitHub release for new tags. |
| `provenance-name` | no | "(subject name).intoto.jsonl" if a single subject. "multiple.intoto.json" if multiple subjects. | The artifact name of the signed provenance. The file must have the `intoto.jsonl` extension. |
| `attestation-name` | no | "(subject name).intoto.jsonl" if a single subject. "multiple.intoto.json" if multiple subjects. | The artifact name of the signed provenance. The file must have the `intoto.jsonl` extension. DEPRECATED: use `provenance-name` instead. |

### Workflow Outputs

The [generic workflow](https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_generic_slsa3.yml) produces the following outputs:

| Name | Description |
| ------------------ | ------------------------------------------ |
| `attestation-name` | The artifact name of the signed provenance |
| Name | Description |
| ------------------ | -------------------------------------------------------------------------------------- |
| `provenance-name` | The artifact name of the signed provenance. |
| `attestation-name` | The artifact name of the signed provenance. DEPRECATED: use `provenance-name` instead. |

### Provenance Format
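Review bot: the Default column for `provenance-name` and `attestation-name` says `multiple.intoto.json`, while the workflow input descriptions in this PR say `multiple.intoto.jsonl` and the Description column requires the `intoto.jsonl` extension; the README value looks like a dropped `l`. It would also help to state in the table that `provenance-name` wins when both inputs are set, and to name the version in which `attestation-name` will be removed so the deprecation has an end.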
