Skip to content

Commit

Permalink
revert: "feat: produce sigstore Bundles for generic generator and go …
Browse files Browse the repository at this point in the history
…builder workflows" (#3985)

Reverts #3777

Lots of new failing errors in our e2e tests today. We may have missed
something when testing these changes.
For now, we should revert while we debug, and come up with more robust
testing methods.

-
https://github.com/slsa-framework/example-package/actions/runs/11511156484/job/32044242878#step:6:125
- #3967

```
**** Verifying provenance authenticity with verifier at HEAD *****
Testing against builder args
  **** Default parameters (annotated tags) *****
WARNING: Insecure SLSA_VERIFIER_TESTING is enabled.
Verifying artifact hello: FAILED: missing signing certificate in bundle

FAILED: SLSA verification failed: missing signing certificate in bundle
✖ 1 == 0 :: not main default parameters (annotated_tags)
Error: Process completed with exit code 1.
```
ramonpetgrave64 authored Oct 25, 2024

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
1 parent 2333f37 commit d7aa406
Showing 12 changed files with 172 additions and 341 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/generator_generic_slsa3.yml
Original file line number Diff line number Diff line change
@@ -160,7 +160,7 @@ jobs:
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
go-version: "1.23.1"
go-version: "1.21"
binary: "${{ env.BUILDER_BINARY }}"
compile-builder: "${{ inputs.compile-generator }}"
directory: "${{ env.BUILDER_DIR }}"
10 changes: 0 additions & 10 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -10,7 +10,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
<!-- toc -->

- [Unreleased](#unreleased)
- [Unreleased: Sigstore Bundles for Generic Generator and Go Builder](#unreleased-sigstore-bundles-for-generic-generator-and-go-builder)
- [Unreleased: Vars context recorded in provenance](#unreleased-vars-context-recorded-in-provenance)
- [v2.0.0](#v200)
- [v2.0.0: Breaking Change: upload-artifact and download-artifact](#v200-breaking-change-upload-artifact-and-download-artifact)
@@ -107,15 +106,6 @@ duplication."

## Unreleased

### Unreleased: Sigstore Bundles for Generic Generator and Go Builder

The workflows `generator_generic_slsa3.yml` and `builder_go_slsa3.yml`
have been updated to produce signed Sigstore Bundles, just like all the other builders
that use the BYOB framework.

The workflow logs will now print a LogIndex, rather than a LogUUID. Both are equally searchanble on
https://search.sigstore.dev/.

### Unreleased: Vars context recorded in provenance

- **Updated**: GitHub `vars` context is now recorded in provenance for the generic and
9 changes: 2 additions & 7 deletions github/oidc.go
Original file line number Diff line number Diff line change
@@ -39,9 +39,6 @@ const (

// OIDCToken represents the contents of a GitHub OIDC JWT token.
type OIDCToken struct {
// Expiry is the expiration date of the token.
Expiry time.Time

// Issuer is the token issuer.
Issuer string

@@ -57,8 +54,8 @@ type OIDCToken struct {
// ActorID is the unique ID of the actor who triggered the build.
ActorID string `json:"actor_id"`

// RawToken is the unparsed oidc token.
RawToken string
// Expiry is the expiration date of the token.
Expiry time.Time

// Audience is the audience for which the token was granted.
Audience []string
@@ -250,8 +247,6 @@ func (c *OIDCClient) Token(ctx context.Context, audience []string) (*OIDCToken,
return nil, err
}

token.RawToken = tokenPayload

return token, nil
}

80 changes: 38 additions & 42 deletions go.mod
Original file line number Diff line number Diff line change
@@ -3,7 +3,7 @@ module github.com/slsa-framework/slsa-github-generator
go 1.23.1

require (
github.com/coreos/go-oidc/v3 v3.11.0
github.com/coreos/go-oidc/v3 v3.10.0
github.com/go-openapi/strfmt v0.23.0
github.com/go-openapi/swag v0.23.0
github.com/google/go-cmp v0.6.0
@@ -13,10 +13,9 @@ require (
github.com/secure-systems-lab/go-securesystemslib v0.8.0
github.com/sigstore/cosign/v2 v2.2.4
github.com/sigstore/rekor v1.3.6
github.com/sigstore/sigstore v1.8.8
github.com/sigstore/sigstore-go v0.6.0
github.com/spf13/cobra v1.8.1
golang.org/x/oauth2 v0.22.0
github.com/sigstore/sigstore v1.8.3
github.com/spf13/cobra v1.8.0
golang.org/x/oauth2 v0.20.0
gopkg.in/square/go-jose.v2 v2.6.0
gopkg.in/yaml.v3 v3.0.1
)
@@ -44,26 +43,26 @@ require (
github.com/alibabacloud-go/debug v1.0.0 // indirect
github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect
github.com/alibabacloud-go/openapi-util v0.1.0 // indirect
github.com/alibabacloud-go/tea v1.2.2 // indirect
github.com/alibabacloud-go/tea v1.2.1 // indirect
github.com/alibabacloud-go/tea-utils v1.4.5 // indirect
github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
github.com/aliyun/credentials-go v1.3.1 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aws/aws-sdk-go-v2 v1.27.2 // indirect
github.com/aws/aws-sdk-go-v2/config v1.27.18 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.17.18 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 // indirect
github.com/aws/aws-sdk-go-v2 v1.26.0 // indirect
github.com/aws/aws-sdk-go-v2/config v1.27.9 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.17.9 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 // indirect
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.20.11 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 // indirect
github.com/aws/smithy-go v1.20.2 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.20.3 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.28.5 // indirect
github.com/aws/smithy-go v1.20.1 // indirect
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 // indirect
github.com/blang/semver v3.5.1+incompatible // indirect
github.com/buildkite/agent/v3 v3.62.0 // indirect
@@ -89,7 +88,7 @@ require (
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/go-chi/chi v4.1.2+incompatible // indirect
github.com/go-jose/go-jose/v3 v3.0.3 // indirect
github.com/go-jose/go-jose/v4 v4.0.2 // indirect
github.com/go-jose/go-jose/v4 v4.0.1 // indirect
github.com/go-logr/logr v1.4.1 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/analysis v0.23.0 // indirect
@@ -106,9 +105,9 @@ require (
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/golang/snappy v0.0.4 // indirect
github.com/google/certificate-transparency-go v1.2.1 // indirect
github.com/google/certificate-transparency-go v1.1.8 // indirect
github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
github.com/google/go-containerregistry v0.20.1 // indirect
github.com/google/go-containerregistry v0.19.1 // indirect
github.com/google/go-github/v55 v55.0.0 // indirect
github.com/google/go-querystring v1.1.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
@@ -119,14 +118,13 @@ require (
github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
github.com/imdario/mergo v0.3.16 // indirect
github.com/in-toto/attestation v1.1.0 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/klauspost/compress v1.17.4 // indirect
github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 // indirect
github.com/magiconair/properties v1.8.7 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/miekg/pkcs11 v1.1.1 // indirect
@@ -151,7 +149,6 @@ require (
github.com/segmentio/ksuid v1.0.4 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/sigstore/fulcio v1.4.5 // indirect
github.com/sigstore/protobuf-specs v0.3.2 // indirect
github.com/sigstore/timestamp-authority v1.2.2 // indirect
github.com/sirupsen/logrus v1.9.3 // indirect
github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
@@ -165,7 +162,6 @@ require (
github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
github.com/thales-e-security/pool v0.0.2 // indirect
github.com/theupdateframework/go-tuf v0.7.0 // indirect
github.com/theupdateframework/go-tuf/v2 v2.0.0 // indirect
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/tjfoc/gmsm v1.4.1 // indirect
github.com/transparency-dev/merkle v0.0.2 // indirect
@@ -174,28 +170,28 @@ require (
github.com/zeebo/errs v1.3.0 // indirect
go.mongodb.org/mongo-driver v1.14.0 // indirect
go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 // indirect
go.opentelemetry.io/otel v1.27.0 // indirect
go.opentelemetry.io/otel/metric v1.27.0 // indirect
go.opentelemetry.io/otel/trace v1.27.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
go.opentelemetry.io/otel v1.24.0 // indirect
go.opentelemetry.io/otel/metric v1.24.0 // indirect
go.opentelemetry.io/otel/trace v1.24.0 // indirect
go.step.sm/crypto v0.44.2 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
golang.org/x/crypto v0.26.0 // indirect
golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 // indirect
golang.org/x/mod v0.20.0 // indirect
golang.org/x/net v0.27.0 // indirect
golang.org/x/sync v0.8.0 // indirect
golang.org/x/sys v0.23.0 // indirect
golang.org/x/term v0.23.0 // indirect
golang.org/x/text v0.17.0 // indirect
golang.org/x/crypto v0.22.0 // indirect
golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 // indirect
golang.org/x/mod v0.16.0 // indirect
golang.org/x/net v0.23.0 // indirect
golang.org/x/sync v0.7.0 // indirect
golang.org/x/sys v0.20.0 // indirect
golang.org/x/term v0.19.0 // indirect
golang.org/x/text v0.14.0 // indirect
golang.org/x/time v0.5.0 // indirect
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
golang.org/x/tools v0.19.0 // indirect
google.golang.org/api v0.172.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240520151616-dc85e6b867a5 // indirect
google.golang.org/grpc v1.64.1 // indirect
google.golang.org/protobuf v1.34.2 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
google.golang.org/grpc v1.62.1 // indirect
google.golang.org/protobuf v1.33.0 // indirect
gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
210 changes: 98 additions & 112 deletions go.sum

Large diffs are not rendered by default.

9 changes: 6 additions & 3 deletions internal/builders/generic/attest.go
Original file line number Diff line number Diff line change
@@ -23,9 +23,9 @@ import (
"os"
"path"

intoto "github.com/in-toto/in-toto-golang/in_toto"
"github.com/spf13/cobra"

intoto "github.com/in-toto/in-toto-golang/in_toto"
"github.com/slsa-framework/slsa-github-generator/github"
"github.com/slsa-framework/slsa-github-generator/internal/builders/common"
"github.com/slsa-framework/slsa-github-generator/internal/utils"
@@ -35,7 +35,7 @@ import (

// attestCmd returns the 'attest' command.
func attestCmd(provider slsa.ClientProvider, check func(error),
signer signing.Signer,
signer signing.Signer, tlog signing.TransparencyLog,
) *cobra.Command {
var attPath string
var subjectsFilename string
@@ -44,7 +44,7 @@ func attestCmd(provider slsa.ClientProvider, check func(error),
Use: "attest",
Short: "Create a signed SLSA provenance attestation from a Github Action",
Long: `Generate and sign SLSA provenance from a Github Action to form an attestation
and create a Sigstore Bundle. This command assumes that it is being
and upload to a Rekor transparency log. This command assumes that it is being
run in the context of a Github Actions workflow.`,

Run: func(_ *cobra.Command, _ []string) {
@@ -114,6 +114,9 @@ run in the context of a Github Actions workflow.`,
})
check(err)

_, err = tlog.Upload(ctx, att)
check(err)

attBytes = att.Bytes()
}

12 changes: 6 additions & 6 deletions internal/builders/generic/attest_test.go
Original file line number Diff line number Diff line change
@@ -249,7 +249,7 @@ func Test_attestCmd_default_single_artifact(t *testing.T) {
t.Errorf("unexpected failure: %v", err)
}
defer os.Remove(fn)
c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{})
c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{})
c.SetOut(new(bytes.Buffer))
c.SetArgs([]string{
"--subjects-filename", fn,
@@ -294,7 +294,7 @@ b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c artifact2`)))
t.Errorf("unexpected failure: %v", err)
}
defer os.Remove(fn)
c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{})
c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{})
c.SetOut(new(bytes.Buffer))
c.SetArgs([]string{
"--subjects-filename", fn,
@@ -337,7 +337,7 @@ func Test_attestCmd_custom_provenance_name(t *testing.T) {
t.Errorf("unexpected failure: %v", err)
}
defer os.Remove(fn)
c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{})
c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{})
c.SetOut(new(bytes.Buffer))
c.SetArgs([]string{
"--subjects-filename", fn,
@@ -393,7 +393,7 @@ func Test_attestCmd_invalid_extension(t *testing.T) {
t.Errorf("unexpected failure: %v", err)
}
defer os.Remove(fn)
c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{})
c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{}, &testutil.TestTransparencyLog{})
c.SetOut(new(bytes.Buffer))
c.SetArgs([]string{
"--subjects-filename", fn,
@@ -447,7 +447,7 @@ func Test_attestCmd_invalid_path(t *testing.T) {
t.Errorf("unexpected failure: %v", err)
}
defer os.Remove(fn)
c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{})
c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{}, &testutil.TestTransparencyLog{})
c.SetOut(new(bytes.Buffer))
c.SetArgs([]string{
"--subjects-filename", fn,
@@ -491,7 +491,7 @@ func Test_attestCmd_subdirectory_artifact(t *testing.T) {
t.Errorf("unexpected failure: %v", err)
}
defer os.Remove(fn)
c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{})
c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{})
c.SetOut(new(bytes.Buffer))
c.SetArgs([]string{
"--subjects-filename", fn,
2 changes: 1 addition & 1 deletion internal/builders/generic/main.go
Original file line number Diff line number Diff line change
@@ -36,7 +36,7 @@ For more information on SLSA, visit https://slsa.dev`,
},
}
c.AddCommand(versionCmd())
c.AddCommand(attestCmd(nil, checkExit, sigstore.NewDefaultBundleSigner()))
c.AddCommand(attestCmd(nil, checkExit, sigstore.NewDefaultFulcio(), sigstore.NewDefaultRekor()))
return c
}

11 changes: 6 additions & 5 deletions internal/builders/go/main.go
Original file line number Diff line number Diff line change
@@ -75,11 +75,11 @@ func runBuild(dry bool, configFile, evalEnvs string) error {
return nil
}

func runProvenanceGeneration(subject, digest, commands, envs, workingDir string) error {
s := sigstore.NewDefaultBundleSigner()

func runProvenanceGeneration(subject, digest, commands, envs, workingDir, rekor string) error {
r := sigstore.NewRekor(rekor)
s := sigstore.NewDefaultFulcio()
attBytes, err := pkg.GenerateProvenance(subject, digest,
commands, envs, workingDir, s, nil)
commands, envs, workingDir, s, r, nil)
if err != nil {
return err
}
@@ -118,6 +118,7 @@ func main() {
provenanceCommand := provenanceCmd.String("command", "", "command used to compile the binary")
provenanceEnv := provenanceCmd.String("env", "", "env variables used to compile the binary")
provenanceWorkingDir := provenanceCmd.String("workingDir", "", "working directory used to issue compilation commands")
provenanceRekor := provenanceCmd.String("rekor", sigstore.DefaultRekorAddr, "rekor server to use for provenance")

// Expect a sub-command.
if len(os.Args) < 2 {
@@ -144,7 +145,7 @@ func main() {
}

err := runProvenanceGeneration(*provenanceName, *provenanceDigest,
*provenanceCommand, *provenanceEnv, *provenanceWorkingDir)
*provenanceCommand, *provenanceEnv, *provenanceWorkingDir, *provenanceRekor)
check(err)

default:
11 changes: 10 additions & 1 deletion internal/builders/go/pkg/provenance.go
Original file line number Diff line number Diff line change
@@ -65,7 +65,7 @@ func (b *goProvenanceBuild) BuildConfig(context.Context) (interface{}, error) {
// attestation.
// Spec: https://slsa.dev/provenance/v0.2
func GenerateProvenance(name, digest, command, envs, workingDir string,
s signing.Signer, provider slsa.ClientProvider,
s signing.Signer, r signing.TransparencyLog, provider slsa.ClientProvider,
) ([]byte, error) {
gh, err := github.GetWorkflowContext()
if err != nil {
@@ -180,5 +180,14 @@ func GenerateProvenance(name, digest, command, envs, workingDir string,
if err != nil {
return nil, err
}

// Upload the signed attestation to rekor.
logEntry, err := r.Upload(ctx, att)
if err != nil {
return nil, err
}

fmt.Printf("Uploaded signed attestation to rekor with UUID %s.\n", logEntry.UUID())

return att.Bytes(), nil
}
11 changes: 4 additions & 7 deletions internal/builders/go/pkg/provenance_test.go
Original file line number Diff line number Diff line change
@@ -21,7 +21,7 @@ import (
"github.com/slsa-framework/slsa-github-generator/slsa"
)

func TestGenerateProvenance(t *testing.T) {
func TestGenerateProvenance_withErr(t *testing.T) {
// Disable pre-submit detection.
// TODO(github.com/slsa-framework/slsa-github-generator/issues/124): Remove
t.Setenv("GITHUB_EVENT_NAME", "non_event")
@@ -30,13 +30,10 @@ func TestGenerateProvenance(t *testing.T) {
sha256 := "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2"
_, err := GenerateProvenance(
"foo", sha256, "", "", "/home/foo",
&testutil.TestSigner{},
&testutil.TestSigner{}, &testutil.TransparencyLogWithErr{},
&slsa.NilClientProvider{},
)

var want error
got := err
if want != got {
t.Errorf("unexpected error, want: %v, got: %v", want, got)
if want, got := testutil.ErrTransparencyLog, err; want != got {
t.Errorf("expected error, want: %v, got: %v", want, got)
}
}
146 changes: 0 additions & 146 deletions signing/sigstore/bundle.go

This file was deleted.

0 comments on commit d7aa406

Please sign in to comment.