feat: produce sigstore Bundles for generic generator and go builder workflows #3777

Merged
merged 105 commits into from
Oct 24, 2024
Merged
42311b5
fix: maven e2e: remove verify job (#3748)
ramonpetgrave64 Jul 26, 2024
ec2ef9d
debug: print a message
ramonpetgrave64 Jul 31, 2024
26f0792
debug: print token payload
ramonpetgrave64 Jul 31, 2024
8aac1ea
debug: make sigstore bundle
ramonpetgrave64 Aug 1, 2024
0ec6b32
debug: add checks for err
ramonpetgrave64 Aug 1, 2024
5c4c4ec
full bundle print
ramonpetgrave64 Aug 1, 2024
576a078
debug: timout and retires
ramonpetgrave64 Aug 1, 2024
d3be460
debug: no trusted root, no verifying the bundle upon creation
ramonpetgrave64 Aug 1, 2024
a74d494
debug: marshall the bunlde
ramonpetgrave64 Aug 1, 2024
2cce51b
debug: attempt to produce real artifact
ramonpetgrave64 Aug 1, 2024
0cbf195
debug: attempt to verify with slsa-verifier
ramonpetgrave64 Aug 1, 2024
3b56d15
debug: SLSA_VERIFIER_TESTING
ramonpetgrave64 Aug 1, 2024
a81286f
debug: unpinned ul/dl artifact
ramonpetgrave64 Aug 1, 2024
5011d90
debug: ul/dl artifact @v4
ramonpetgrave64 Aug 1, 2024
0a0f065
debug: no additonal TSAs
ramonpetgrave64 Aug 1, 2024
aff495e
debug: back to setting trusted root
ramonpetgrave64 Aug 1, 2024
d5b1fc3
debug: compile
ramonpetgrave64 Aug 1, 2024
dc2df0f
debug: derference attestation
ramonpetgrave64 Aug 1, 2024
8f3bbff
debug: use plain data for bundle content
ramonpetgrave64 Aug 1, 2024
6ded4e7
debug: back to dsse data, nil trusted root so we don't try to verify,…
ramonpetgrave64 Aug 1, 2024
6b0cb35
sign the envelope directly
ramonpetgrave64 Aug 1, 2024
8188b61
back to trying to verify the bundle
ramonpetgrave64 Aug 1, 2024
f89fbd8
init: generic byob
ramonpetgrave64 Aug 2, 2024
5209a01
debug: generic as byob
ramonpetgrave64 Aug 2, 2024
97fc5b6
idtoken write
ramonpetgrave64 Aug 2, 2024
6d7727f
all perms
ramonpetgrave64 Aug 2, 2024
020af23
rel dir
ramonpetgrave64 Aug 2, 2024
bf28520
lahR
ramonpetgrave64 Aug 2, 2024
01f3035
add go.mod
ramonpetgrave64 Aug 7, 2024
745df85
subshell cd
ramonpetgrave64 Aug 7, 2024
0c1dc7a
go1.22
ramonpetgrave64 Aug 7, 2024
c4bb969
dir
ramonpetgrave64 Aug 7, 2024
86d4ecb
add veridy
ramonpetgrave64 Aug 7, 2024
cec43c8
upload the artifacts
ramonpetgrave64 Aug 7, 2024
c8aec50
set attestation-name variable
ramonpetgrave64 Aug 7, 2024
766c35d
named output
ramonpetgrave64 Aug 7, 2024
7281e3f
use env
ramonpetgrave64 Aug 7, 2024
17f9ec1
ls -lahr
ramonpetgrave64 Aug 7, 2024
7ab495d
prov--name, not prov-download-name
ramonpetgrave64 Aug 7, 2024
628ab62
secure download atts
ramonpetgrave64 Aug 7, 2024
e3936c0
actual prov name
ramonpetgrave64 Aug 7, 2024
98632b1
rename prov
ramonpetgrave64 Aug 7, 2024
9e23996
rename all to .build.slsa
ramonpetgrave64 Aug 7, 2024
d7d920b
full prov path
ramonpetgrave64 Aug 7, 2024
3465a62
--source branch
ramonpetgrave64 Aug 7, 2024
1e0ba53
alternate slsa-verifier build
ramonpetgrave64 Aug 8, 2024
914d2f7
by commit sha
ramonpetgrave64 Aug 8, 2024
c0edc87
install slsa-verifier directly with the branch
ramonpetgrave64 Aug 8, 2024
ed1e0ec
setup-go
ramonpetgrave64 Aug 8, 2024
3935105
alt generator_generic
ramonpetgrave64 Aug 8, 2024
53e0470
add it
ramonpetgrave64 Aug 8, 2024
08eed9f
typo
ramonpetgrave64 Aug 8, 2024
10a794d
fix input
ramonpetgrave64 Aug 8, 2024
29a669b
contents: writer
ramonpetgrave64 Aug 8, 2024
258c8e0
action ref
ramonpetgrave64 Aug 8, 2024
de08ee1
fix path
ramonpetgrave64 Aug 8, 2024
4036af2
pwd
ramonpetgrave64 Aug 8, 2024
b997c22
cd
ramonpetgrave64 Aug 8, 2024
f5bd695
again
ramonpetgrave64 Aug 8, 2024
32a8152
checkout
ramonpetgrave64 Aug 8, 2024
1f7255c
original, no trusted root, custom slsa-verifier
ramonpetgrave64 Aug 9, 2024
1c2f8e9
run directly not as action
ramonpetgrave64 Aug 9, 2024
bd82eb3
explitly use v1 provenance
ramonpetgrave64 Aug 9, 2024
d5b3b90
build3
ramonpetgrave64 Aug 9, 2024
dcb4c54
ls
ramonpetgrave64 Aug 9, 2024
8223b26
add original wokrflow
ramonpetgrave64 Aug 12, 2024
419a686
back to nil provider
ramonpetgrave64 Aug 12, 2024
ea4500a
alt verifier branch
ramonpetgrave64 Aug 12, 2024
a1fdee8
add BundleSigner()
ramonpetgrave64 Aug 12, 2024
8562c8c
cleanup
ramonpetgrave64 Aug 12, 2024
0a43423
debug cleanup
ramonpetgrave64 Aug 12, 2024
b02f9e6
cleanup
ramonpetgrave64 Aug 12, 2024
e6e15d6
changelog
ramonpetgrave64 Aug 12, 2024
1b2cd9e
lint
ramonpetgrave64 Aug 12, 2024
58675b5
lint
ramonpetgrave64 Aug 12, 2024
7f2186f
add bundles for go packages
ramonpetgrave64 Aug 12, 2024
ea05345
test workflows
ramonpetgrave64 Aug 12, 2024
4f20057
perms
ramonpetgrave64 Aug 12, 2024
1526416
compile builder
ramonpetgrave64 Aug 12, 2024
22d3cb1
add config file
ramonpetgrave64 Aug 12, 2024
b8cc29f
undo typo
ramonpetgrave64 Aug 12, 2024
0ef3049
ls
ramonpetgrave64 Aug 12, 2024
ec5b2ae
verify v3
ramonpetgrave64 Aug 12, 2024
6d66d8c
correct source branch
ramonpetgrave64 Aug 12, 2024
777f1fc
lint
ramonpetgrave64 Aug 12, 2024
b38f9d6
modularize the fulcio and rekor URLs
ramonpetgrave64 Aug 12, 2024
fe81c3a
lint
ramonpetgrave64 Aug 14, 2024
7127022
print the rekor log index
ramonpetgrave64 Aug 14, 2024
e9b04be
chore(deps): update github-actions (#3753)
renovate-bot Aug 2, 2024
c4cd932
chore(deps): bump github.com/docker/docker from 24.0.9+incompatible t…
dependabot[bot] Aug 2, 2024
f636fb3
chore(config): migrate renovate config (#3774)
renovate-bot Aug 14, 2024
76ca145
lint
ramonpetgrave64 Aug 14, 2024
e04b6f8
fix help text
ramonpetgrave64 Aug 15, 2024
769ff49
remove debug fiel
ramonpetgrave64 Aug 15, 2024
2f0a04d
Revert "remove debug fiel"
ramonpetgrave64 Aug 16, 2024
0f3b0b9
remove unused rekor addr, use trusted root for partial inline
ramonpetgrave64 Aug 16, 2024
ee41a79
remove debug workflow
ramonpetgrave64 Aug 16, 2024
5f8b841
Update pre-submit.lint.yml
ramonpetgrave64 Sep 3, 2024
447cfe0
upgrade golancilint
ramonpetgrave64 Sep 3, 2024
c399674
lint
ramonpetgrave64 Sep 3, 2024
78b455f
lowercase
ramonpetgrave64 Oct 8, 2024
b23bcf2
correct print string
ramonpetgrave64 Oct 8, 2024
60e98e9
Merge branch 'main' into ramonpetgrave64-internal-builder-sigstore-bu…
ramonpetgrave64 Oct 8, 2024
739ec4a
Merge branch 'main' into ramonpetgrave64-internal-builder-sigstore-bu…
ramonpetgrave64 Oct 24, 2024
6bf118c
1.23.1 in generator_generic
ramonpetgrave64 Oct 24, 2024
remove unused rekor addr, use trusted root for partial inline
verification

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
ramonpetgrave64 committed Oct 8, 2024
commit 0f3b0b901cf4aaad54911c63c682c603b4ba63b4
25 changes: 14 additions & 11 deletions go.mod
@@ -1,6 +1,8 @@
module github.com/slsa-framework/slsa-github-generator

go 1.22.0
go 1.22.5

toolchain go1.23.0

require (
github.com/coreos/go-oidc/v3 v3.11.0
Expand All @@ -13,10 +15,10 @@ require (
github.com/secure-systems-lab/go-securesystemslib v0.8.0
github.com/sigstore/cosign/v2 v2.2.4
github.com/sigstore/rekor v1.3.6
github.com/sigstore/sigstore v1.8.7
github.com/sigstore/sigstore-go v0.5.1
github.com/sigstore/sigstore v1.8.8
github.com/sigstore/sigstore-go v0.6.0
github.com/spf13/cobra v1.8.1
golang.org/x/oauth2 v0.21.0
golang.org/x/oauth2 v0.22.0
gopkg.in/square/go-jose.v2 v2.6.0
gopkg.in/yaml.v3 v3.0.1
)
Expand Down Expand Up @@ -108,7 +110,7 @@ require (
github.com/golang/snappy v0.0.4 // indirect
github.com/google/certificate-transparency-go v1.2.1 // indirect
github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
github.com/google/go-containerregistry v0.20.0 // indirect
github.com/google/go-containerregistry v0.20.1 // indirect
github.com/google/go-github/v55 v55.0.0 // indirect
github.com/google/go-querystring v1.1.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
Expand All @@ -119,6 +121,7 @@ require (
github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
github.com/imdario/mergo v0.3.16 // indirect
github.com/in-toto/attestation v1.1.0 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
Expand Down Expand Up @@ -180,14 +183,14 @@ require (
go.step.sm/crypto v0.44.2 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
golang.org/x/crypto v0.25.0 // indirect
golang.org/x/crypto v0.26.0 // indirect
golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 // indirect
golang.org/x/mod v0.19.0 // indirect
golang.org/x/mod v0.20.0 // indirect
golang.org/x/net v0.27.0 // indirect
golang.org/x/sync v0.7.0 // indirect
golang.org/x/sys v0.22.0 // indirect
golang.org/x/term v0.22.0 // indirect
golang.org/x/text v0.16.0 // indirect
golang.org/x/sync v0.8.0 // indirect
golang.org/x/sys v0.23.0 // indirect
golang.org/x/term v0.23.0 // indirect
golang.org/x/text v0.17.0 // indirect
golang.org/x/time v0.5.0 // indirect
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
google.golang.org/api v0.172.0 // indirect
22 changes: 22 additions & 0 deletions go.sum
Expand Up @@ -332,6 +332,8 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-containerregistry v0.20.0 h1:wRqHpOeVh3DnenOrPy9xDOLdnLatiGuuNRVelR2gSbg=
github.com/google/go-containerregistry v0.20.0/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
github.com/google/go-containerregistry v0.20.1 h1:eTgx9QNYugV4DN5mz4U8hiAGTi1ybXn0TPi4Smd8du0=
github.com/google/go-containerregistry v0.20.1/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
github.com/google/go-github/v55 v55.0.0 h1:4pp/1tNMB9X/LuAhs5i0KQAE40NmiR/y6prLNb9x9cg=
github.com/google/go-github/v55 v55.0.0/go.mod h1:JLahOTA1DnXzhxEymmFF5PP2tSS9JVNj68mSZNDwskA=
github.com/google/go-github/v57 v57.0.0 h1:L+Y3UPTY8ALM8x+TV0lg+IEBI+upibemtBD8Q9u7zHs=
Expand Down Expand Up @@ -393,6 +395,8 @@ github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpO
github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
github.com/in-toto/attestation v1.1.0 h1:oRWzfmZPDSctChD0VaQV7MJrywKOzyNrtpENQFq//2Q=
github.com/in-toto/attestation v1.1.0/go.mod h1:DB59ytd3z7cIHgXxwpSX2SABrU6WJUKg/grpdgHVgVs=
github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ9EBM1XU=
github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo=
github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
Expand Down Expand Up @@ -546,8 +550,12 @@ github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8=
github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc=
github.com/sigstore/sigstore v1.8.7 h1:L7/zKauHTg0d0Hukx7qlR4nifh6T6O6UIt9JBwAmTIg=
github.com/sigstore/sigstore v1.8.7/go.mod h1:MPiQ/NIV034Fc3Kk2IX9/XmBQdK60wfmpvgK9Z1UjRA=
github.com/sigstore/sigstore v1.8.8 h1:B6ZQPBKK7Z7tO3bjLNnlCMG+H66tO4E/+qAphX8T/hg=
github.com/sigstore/sigstore v1.8.8/go.mod h1:GW0GgJSCTBJY3fUOuGDHeFWcD++c4G8Y9K015pwcpDI=
github.com/sigstore/sigstore-go v0.5.1 h1:5IhKvtjlQBeLnjKkzMELNG4tIBf+xXQkDzhLV77+/8Y=
github.com/sigstore/sigstore-go v0.5.1/go.mod h1:TuOfV7THHqiDaUHuJ5+QN23RP/YoKmsbwJpY+aaYPN0=
github.com/sigstore/sigstore-go v0.6.0 h1:X72BkR8kXFcdhF/V5GA2fpFvCz+VyZ6fI0YgTBn5feI=
github.com/sigstore/sigstore-go v0.6.0/go.mod h1:+RyopI/FJDE6z5WVs2sQ2nkc+zsxxByDmbp8a4HoxbA=
github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3 h1:LTfPadUAo+PDRUbbdqbeSl2OuoFQwUFTnJ4stu+nwWw=
github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3/go.mod h1:QV/Lxlxm0POyhfyBtIbTWxNeF18clMlkkyL9mu45y18=
github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3 h1:xgbPRCr2npmmsuVVteJqi/ERw9+I13Wou7kq0Yk4D8g=
Expand Down Expand Up @@ -684,6 +692,8 @@ golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1m
golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw=
golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 h1:hNQpMuAJe5CtcUqCXaWga3FHu+kQvCqcsoVaQgSV60o=
golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08=
Expand All @@ -696,6 +706,8 @@ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91
golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8=
golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0=
golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
Expand Down Expand Up @@ -726,6 +738,8 @@ golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA=
golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
Expand All @@ -736,6 +750,8 @@ golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJ
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
Expand Down Expand Up @@ -765,6 +781,8 @@ golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
Expand All @@ -775,6 +793,8 @@ golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU=
golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
Expand All @@ -787,6 +807,8 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
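--- a/internal/builders/go/main.go
+++ b/internal/builders/go/main.go
@@ -75,8 +75,8 @@ func runBuild(dry bool, configFile, evalEnvs string) error {
 return nil
 }
 
-func runProvenanceGeneration(subject, digest, commands, envs, workingDir, rekor string) error {
-s := sigstore.NewBundleSigner(sigstore.DefaultFulcioAddr, rekor)
+func runProvenanceGeneration(subject, digest, commands, envs, workingDir string) error {
+s := sigstore.NewDefaultBundleSigner()
 
 attBytes, err := pkg.GenerateProvenance(subject, digest,
 commands, envs, workingDir, s, nil)
@@ -118,7 +118,6 @@ func main() {
 provenanceCommand := provenanceCmd.String("command", "", "command used to compile the binary")
 provenanceEnv := provenanceCmd.String("env", "", "env variables used to compile the binary")
 provenanceWorkingDir := provenanceCmd.String("workingDir", "", "working directory used to issue compilation commands")
-provenanceRekor := provenanceCmd.String("rekor", sigstore.DefaultRekorAddr, "rekor server to use for provenance")
 
 // Expect a sub-command.
 if len(os.Args) < 2 {
@@ -145,7 +144,7 @@ func main() {
 }
 
 err := runProvenanceGeneration(*provenanceName, *provenanceDigest,
-*provenanceCommand, *provenanceEnv, *provenanceWorkingDir, *provenanceRekor)
+*provenanceCommand, *provenanceEnv, *provenanceWorkingDir)
 check(err)
 
 default: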
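Review bot: Removing the `rekor` flag from provenanceCmd is a breaking CLI change for any caller still passing `-rekor`, because the flag package rejects unknown flags and the invocation now fails at parse time instead of being ignored; unless every caller is updated in the same release, consider keeping it as a deprecated no-op for one version, e.g. `_ = provenanceCmd.String("rekor", "", "deprecated: ignored, the default Sigstore Rekor instance is always used")`, and noting the removal in the changelog. The Rekor and Fulcio endpoints are now fixed inside the sigstore package, which is the safer default for a builder (a caller can no longer point provenance at an arbitrary log), so that is worth stating in the flag's removal note. runProvenanceGeneration also still has no doc comment; `// runProvenanceGeneration generates and signs provenance for subject/digest using the default Sigstore bundle signer (public Fulcio and Rekor).` would tell readers where the endpoints now come from. runProvenanceGeneration's body continues outside the hunk.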
30 changes: 11 additions & 19 deletions signing/sigstore/bundle.go
Contributor


Could we add any tests for this? Possibly e2e tests with a setup similar to the one Colleen added in Cosign? https://github.com/sigstore/cosign/blob/main/test/README.md

Collaborator Author


There are e2e tests in slsa-framework/example-package that will produce and verify. We can't have the e2e tests in PRs because PRs don't have the needed token permissions to sign.

Contributor


Can you use the identity token workflow we set up for conformance testing that publishes a valid ID token? Here's an example of gitsign using it - https://github.com/sigstore/gitsign/pull/549/files

Collaborator Author


We could definitely tweak this code to use that alternative token in PRs, but then verification won't work with slsa-verifier until we tweak it to trust alternative workflow and certificate identities:

Expand Up @@ -21,6 +21,7 @@ import (

intoto "github.com/in-toto/in-toto-golang/in_toto"
sigstoreBundle "github.com/sigstore/sigstore-go/pkg/bundle"
sigstoreRoot "github.com/sigstore/sigstore-go/pkg/root"
sigstoreSign "github.com/sigstore/sigstore-go/pkg/sign"
"github.com/slsa-framework/slsa-github-generator/github"
"github.com/slsa-framework/slsa-github-generator/signing"
Expand Down Expand Up @@ -49,15 +50,7 @@ func (s *sigstoreBundleAtt) Bytes() []byte {

// NewDefaultBundleSigner creates a new BundleSigner instance.
func NewDefaultBundleSigner() *BundleSigner {
return NewBundleSigner(DefaultFulcioAddr, DefaultRekorAddr)
}

// NewBundleSigner creates a new BundleSigner instance.
func NewBundleSigner(fulcioAddr, rekorAddr string) *BundleSigner {
return &BundleSigner{
fulcioAddr: fulcioAddr,
rekorAddr: rekorAddr,
}
return &BundleSigner{}
}

// Sign signs the given provenance statement and returns the signed Sigstore Bundle.
Expand Down Expand Up @@ -90,12 +83,7 @@ func (s *BundleSigner) Sign(ctx context.Context, statement *intoto.Statement) (s
rawToken := TokenStruct.RawToken

// signing opts.
bundleOpts, err := getBundleOpts(
ctx,
&s.fulcioAddr,
&s.rekorAddr,
&rawToken,
)
bundleOpts, err := getBundleOpts(ctx, &rawToken)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -133,24 +121,28 @@ func (s *BundleSigner) Sign(ctx context.Context, statement *intoto.Statement) (s
// getBundleOpts provides the opts for sigstoreSign.Bundle().
func getBundleOpts(
ctx context.Context,
fulcioAddr *string,
rekorAddr *string,
identityToken *string,
) (*sigstoreSign.BundleOptions, error) {
bundleOpts := &sigstoreSign.BundleOptions{
Context: ctx,
}

trustedRoot, err := sigstoreRoot.FetchTrustedRoot()
if err != nil {
return nil, err
}
bundleOpts.TrustedRoot = trustedRoot

fulcioOpts := &sigstoreSign.FulcioOptions{
BaseURL: *fulcioAddr,
BaseURL: defaultFulcioAddr,
}
bundleOpts.CertificateProvider = sigstoreSign.NewFulcio(fulcioOpts)
bundleOpts.CertificateProviderOptions = &sigstoreSign.CertificateProviderOptions{
IDToken: *identityToken,
}

rekorOpts := &sigstoreSign.RekorOptions{
BaseURL: *rekorAddr,
BaseURL: DefaultRekorAddr,
}
bundleOpts.TransparencyLogs = append(bundleOpts.TransparencyLogs, sigstoreSign.NewRekor(rekorOpts))
return bundleOpts, nil
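Review bot: The new `sigstoreRoot.FetchTrustedRoot()` call in getBundleOpts returns its error bare (`return nil, err`), so a failure of this network fetch is indistinguishable in the caller's output from the later Fulcio or Rekor errors; wrap it, e.g. `return nil, fmt.Errorf("fetching sigstore trusted root: %w", err)` (fmt is not visible in the shown import hunk, so add it if it is not already imported). Because getBundleOpts is called from Sign, the trusted root is fetched anew on every Sign call; that is presumably acceptable at the builder's call volume, but it deserves a comment so a future caller signing many statements knows the cost is per call rather than per signer. The helper's doc comment should also say what the root is for: `// getBundleOpts provides the opts for sigstoreSign.Bundle(). It fetches the Sigstore trusted root (a network call); per the commit message, Bundle() uses it to verify the produced bundle inline before it is returned.` getBundleOpts's closing brace is outside the hunk.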
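--- a/signing/sigstore/fulcio.go
+++ b/signing/sigstore/fulcio.go
@@ -32,8 +32,7 @@ import (
 )
 
 const (
-// DefaultFulcioAddr is the default Sigstore Fulcio URL.
-DefaultFulcioAddr = options.DefaultFulcioURL
+defaultFulcioAddr = options.DefaultFulcioURL
 defaultOIDCIssuer = options.DefaultOIDCIssuerURL
 defaultOIDCClientID = "sigstore"
 )
@@ -64,7 +63,7 @@ func (a *attestation) Cert() []byte {
 // NewDefaultFulcio creates a new Fulcio instance using the public Fulcio
 // server and public sigstore OIDC issuer.
 func NewDefaultFulcio() *Fulcio {
-return NewFulcio(DefaultFulcioAddr, defaultOIDCIssuer, defaultOIDCClientID)
+return NewFulcio(defaultFulcioAddr, defaultOIDCIssuer, defaultOIDCClientID)
 }
 
 // NewFulcio creates a new Fulcio instance.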