-
Notifications
You must be signed in to change notification settings - Fork 137
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[feature] Output provenance as Sigstore bundle format #3750
Comments
The "BYOB" (bazel, maven, gradle, nodejs) builders will use the "delegator" workflows, which will use our
The go builder and generic generator, still only produce the DSSE envelope.
If there were a go library for producing Sigstore bundles, then we could easily integrate it within existing code for producing attestation envelopes. But it seems only the sigstore-js library can do that. Otherwise, I think we might be able to use reuse our existing
|
^ This could also make it easier to get all the generators to start using the SLSA v1.0 format for provenance, and simplify the slsa-verifier code significantly. |
I agree we should try to move the generic generator and go builder to use BYOB code and internal actions. Ideally we could eventually remove the Go code to consolidate on TypeScript (and bash to a lesser extent). It would be a significant effort since it's essentially a rewrite but fairly straightforward. I don't think we can really eliminate the Go code from the container-based (docker) builder that @asraa and @rbehjati worked on though. I don't know if anyone's using it or if we should properly support it. |
To give an update, sigstore-go now has bundle-producing functionality that I make use of in this PR to address this issue. I chose to modify the the original go code to produce Sigstore Bundles, instead of only DSSE envelopes, as a mostly drop-in replacement. @ianlewis I also agree, but while attempting, I found that
|
re: slsa-framework/slsa-github-generator#3750 Rekor TLog entries can now be of the type dsse v0.0.1, as when what's returned when using sigstore-go's `Bundle()`. This is to support eventual Sigstore Bundles produced by slsa-github-generator's "generic" generator, which will likely use sigstore-go's Bundle to produce attestations - slsa-framework/slsa-github-generator@main...ramonpetgrave64-internal-builder-sigstore-bundlev2#diff-b186a0c5d9ae459b11b694f05455568453699670926d21cad06cafec3dbf895eR101 - https://github.com/slsa-framework/slsa-github-generator/actions/runs/10359750833 ## Tesing - Added unit tests with stub data - manual invocations to very both new and old attestations and bundles, with some modifications for testing purposes - main...verify-sigstore-go-Bundlev3#diff-94741068472ee694a12811cd704179dd478a9fa20a3bf45cf6ea2d4406214dc2R179 ## Followup Finish the work to produce bundles from the generic generators - slsa-framework/slsa-github-generator@main...ramonpetgrave64-internal-builder-sigstore-bundlev2#diff-b186a0c5d9ae459b11b694f05455568453699670926d21cad06cafec3dbf895eR101 --------- Signed-off-by: Ramon Petgrave <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
Could you elaborate more on what you mean here? My understanding is that they currently expect to be a builder and thus generate a subject hash from the artifacts themselves, whereas for the generic generator we would need it to take the subject as an input. What kind of additional testing do you think would be required? |
@ianlewis I mean when I want to organize the actions, and their input and outputs. It took me a long while to demo a working conversion of the "generic-generator" that uses the "delegator". I say it would be difficult to test because I think I would have to also include
I hadn't tried it yet, so maybe it wouldn't have been so difficult. Github Actions workflows are generally not easy to debug, so I thought working with the go code would be a simpler to develop for. |
Right. BYOB does need to be support generators. Should be a fairly straightforward conversion for the Go builder I think though. |
BTW, most of the TypeScript (aside from code that uses OIDC) should be able to be run locally if given the right environment variables and is similar to the Go code in that regard. Though not all of the actions are easy to invoke this way. I usually just set up some tests and run locally to debug before testing on GitHub Actions since the iteration loop is long there. |
Is your feature request related to a problem? Please describe.
There is no support for offline verification currently. While a certificate is persisted in the DSSE signature, the Rekor entry proof is not, meaning the SLSA verifier must do an online lookup for the entry in Rekor.
Additionally, since all Sigstore clients now support the bundle format, this would allow SLSA clients to directly use Sigstore libraries to handle verification of the attestation signature (reducing code and simplifying maintenance), with the SLSA client handling verification of the attestation contents.
Describe the solution you'd like
Sigstore has defined a bundle format to store an attestation or signature along with verification metadata (certificate, signed timestamps, and Rekor log proofs). The generator should output a
.sigstore.json
bundle (the extension matches what other Sigstore clients output).This was discussed in #716, but this issue was filed before the bundle format was created. This issue tracked persisting Rekor's inclusion proof as its own file.
Describe alternatives you've considered
An alternative would be to have a divergent format or save verification metadata as "detached" files, which complicates storage of that metadata for no benefit.
The text was updated successfully, but these errors were encountered: