Attestation output file format (base64 or no?) #129
Comments
It's part of the DSSE format https://github.com/secure-systems-lab/go-securesystemslib/tree/main/dsse
Hmm, I got confused as to the Go builder's output because slsa-github-generator/.github/workflows/scripts/e2e-verify.sh Lines 22 to 23 in 15ea472
This seems to be different from the scripts in
I also thought that sigstore's dsse library did the base64 encoding for us so we shouldn't have to do it ourselves. slsa-github-generator/signing/sigstore/fulcio.go Lines 100 to 105 in 15ea472
Sorry, I get the confusion. For pre-submits, we omit the signature (no OIDC write access) but still base64-encode to be consistent with DSSE https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/pkg/provenance.go#L145 In example-package, the full DSSE is used, so we extract the payload from the DSSE (base64-encoding is done by sigstore API). I have kept the base64-encoding on pre-submit because it's like an opaque string to pass around VMs (and it's consistent with DSSE), but besides that it has no particular benefits.
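Added example (not part of the thread and not the project's own code): a Go reader that accepts the output forms discussed above, a full DSSE envelope, a bare base64-encoded statement, or raw JSON, and reports which one it saw. `ExtractStatement` and the form labels are hypothetical names, the exact layout of the pre-submit file is an assumption, and no signature is verified here.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// envelope holds the DSSE envelope fields used here; payload is standard base64.
type envelope struct {
	Payload    string            `json:"payload"`
	Signatures []json.RawMessage `json:"signatures"`
}

// ExtractStatement (hypothetical helper) returns the in-toto statement JSON and
// the form it arrived in. It only detects signatures; it does NOT verify them.
func ExtractStatement(data []byte) (stmt []byte, form string, err error) {
	data = bytes.TrimSpace(data)
	var env envelope
	switch {
	case json.Unmarshal(data, &env) == nil && env.Payload != "":
		form = "dsse-unsigned" // e.g. a pre-submit run without OIDC access
		if len(env.Signatures) > 0 {
			form = "dsse-signed"
		}
		stmt, err = base64.StdEncoding.DecodeString(env.Payload)
	case json.Valid(data):
		stmt, form = data, "raw-json" // unencoded JSON output
	default:
		stmt, err = base64.StdEncoding.DecodeString(string(data))
		form = "base64-json" // whole statement passed around as an opaque string
	}
	if err != nil {
		return nil, "", fmt.Errorf("base64 decode: %w", err)
	}
	var s struct{ Type string `json:"_type"` }
	if json.Unmarshal(stmt, &s) != nil || s.Type == "" {
		return nil, "", fmt.Errorf("decoded payload is not an in-toto statement")
	}
	return stmt, form, nil
}

func main() {
	raw := []byte(`{"_type":"https://in-toto.io/Statement/v0.1","subject":[]}`) // constructed sample
	_, form, err := ExtractStatement([]byte(base64.StdEncoding.EncodeToString(raw)))
	fmt.Println(form, err)
}
```

Only the `dsse-signed` form carries anything a verifier can check; the other three forms are unauthenticated data regardless of encoding.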
Ok, I'll just get something working for my presubmit and we'll think about how we might clean this up moving forward. Maybe just adding some comments to clarify things would help for now.
Removed from v1 as it's not critical to solve right now.
@laurentsimon The Go builder outputs json provenance as base64 encoded. The generic provenance-only builder just outputs json without encoding. I'd like to be consistent, but base64 encoding didn't seem to me to provide any particular benefit. Any reason that json output for the Go builder encodes the data in base64?
slsa-github-generator/internal/builders/go/pkg/marshall.go
Lines 29 to 32 in dc15f82