Add functionality to output the UUID for log lookup purposes #3744
Signed-off-by: Lim Jet <[email protected]>
Thanks for the PR
Signed-off-by: Lim Jet <[email protected]>
Signed-off-by: Lim Jet <[email protected]>
Thanks for implementing. Please use the PR template in this PR's description.
Thank you for the feedback. I have made the requested changes.
Thanks for finding a way to test, can you show us an example run in your fork?
Signed-off-by: Lim Jet <[email protected]>
Signed-off-by: Lim Jet <[email protected]>
I renamed

```yaml
- name: Create and sign provenance
  id: sign-prov
  continue-on-error: true
  # NOTE: Inputs and `github` context are set to environment variables in
  # order to avoid script injection.
  # See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
  env:
    GITHUB_CONTEXT: "${{ toJSON(github) }}"
    VARS_CONTEXT: "${{ toJSON(vars) }}"
    UNTRUSTED_PROVENANCE_NAME: "${{ inputs.provenance-name }}"
  run: |
    set -euo pipefail
    # I downloaded the files uploaded to the release and changed their attributes using chmod +x to make them executable.
    chmod +x "$GITHUB_WORKSPACE/$BUILDER_BINARY"
    untrusted_prov_name=""
    if [ "$UNTRUSTED_PROVENANCE_NAME" != "" ]; then
      untrusted_prov_name="$UNTRUSTED_PROVENANCE_NAME"
    fi
    # Create and sign provenance.
    # NOTE: The builder verifies that the provenance path is located
    # in the current directory.
    # NOTE: $untrusted_provenance_path may be empty. In this case the
    # attest command chooses a file name based on the subject name and
    # number of subjects based on in-toto attestation bundle file naming conventions.
    # See: https://github.com/in-toto/attestation/blob/main/spec/bundle.md#file-naming-convention
    # NOTE: The attest command outputs the provenance-name and provenance-sha256
    output=$("$GITHUB_WORKSPACE/$BUILDER_BINARY" attest --subjects-filename "${SUBJECTS_FILENAME}" -g "$untrusted_prov_name")
    echo "$output"
    uuid=$(echo "$output" | grep -oP 'UUID \K[0-9a-f]{80}')
    # I verified the output by printing the UUID.
    echo "$uuid"
    echo "uuid=$uuid" >> $GITHUB_OUTPUT
```
Signed-off-by: Lim Jet <[email protected]>
Sorry for not clarifying. If you ran the workflow on your own fork, can you provide us with a link so we can inspect the logs?
"$GITHUB_WORKSPACE/$BUILDER_BINARY" attest --subjects-filename "${SUBJECTS_FILENAME}" -g "$untrusted_prov_name" | ||
output=$("$GITHUB_WORKSPACE/$BUILDER_BINARY" attest --subjects-filename "${SUBJECTS_FILENAME}" -g "$untrusted_prov_name") | ||
echo "$output" | ||
uuid=$(echo "$output" | grep -oP 'UUID \K[0-9a-f]{80}') |
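Review bot: the `uuid=$(echo "$output" | grep -oP ...)` line on the last line of this hunk aborts the step under the `set -euo pipefail` at the top of the script whenever the attest output carries no line matching `UUID [0-9a-f]{80}`, because `grep` exits 1 on no match and a failing command substitution in an assignment trips `-e`; the step then dies with no message saying what was expected. Suggest guarding the substitution (for example `uuid=$(... | grep -oP '...' || true)`) and following it with an explicit `if [ -z "$uuid" ]; then echo "no Rekor UUID in attest output" >&2; exit 1; fi` so the failure mode is visible in the logs. `grep -P` is also a GNU extension, which is fine on the ubuntu runners but worth a comment next to the pattern.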
nonblocker: it seems the rekor UUID is meant to be 64 hex digits, not 80.
The length of the UUID generated in "create and sign provenance" is 80.
https://docs.sigstore.dev/logging/sharding/#identifier-definitions-entryid-uuid-logid-log-index
So, I think the UUID used as a search parameter in sigstore is actually an entry ID.
The additional prefix digits are for distinguishing which log "shard" hosts the content.
@haydentherapper, @loosebazooka please take a look
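The 64-versus-80 discussion above comes down to how a sharded Rekor identifier is laid out: the 80-hex entry ID is a 16-hex log (shard tree) ID followed by the 64-hex entry UUID. The script below is an added example, not code from slsa-github-generator or from this PR: it parses the `UUID <hex>` line the way the PR's `grep` does (the exact output format is assumed from that pattern), classifies an identifier by length, splits an entry ID into its two parts, and writes the pieces to a `GITHUB_OUTPUT`-style file with the path quoted. The sample attest output and the output names `rekor-entry-id`, `rekor-log-id` and `rekor-uuid` are constructed for the example.

```shell
set -eu

# Constructed sample of what the attest step prints to stdout; the file name,
# digest and the 80-hex identifier are made up for this example.
SAMPLE_OUTPUT='provenance-name: example.intoto.jsonl
provenance-sha256: ab12cd34
UUID 24296fb24b8ad77aabcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789'

# Print the 80-hex entry ID from a "UUID <hex>" line. Uses portable sed instead
# of GNU-only grep -P, and fails with a message instead of a silent abort.
extract_entry_id() {
  _id=$(printf '%s\n' "$1" | sed -n 's/^UUID \([0-9a-f]\{80\}\)$/\1/p' | head -n 1)
  if [ -z "$_id" ]; then
    echo "error: attest output contains no 80-hex UUID line" >&2
    return 1
  fi
  printf '%s\n' "$_id"
}

# Classify an identifier by its length: 80 hex digits is a sharded entry ID
# (16-hex log ID + 64-hex UUID); 64 hex digits is a bare entry UUID.
classify_id() {
  case "$1" in
    ''|*[!0-9a-f]*) echo invalid; return 1 ;;
  esac
  case "${#1}" in
    80) echo entry-id ;;
    64) echo uuid ;;
    *)  echo invalid; return 1 ;;
  esac
}

# First 16 hex digits: the log (shard tree) ID that says which shard holds the entry.
tree_id_of() { printf '%s\n' "$1" | cut -c1-16; }

# Remaining 64 hex digits: the entry UUID within that shard.
uuid_of() { printf '%s\n' "$1" | cut -c17-80; }

# Append Actions outputs to the file given as $1 (the path is quoted so a path
# containing spaces cannot split the redirection; shellcheck SC2086).
# Output names are hypothetical, chosen for this example.
write_outputs() {
  _out_file="$1"
  _entry_id="$2"
  {
    printf 'rekor-entry-id=%s\n' "$_entry_id"
    printf 'rekor-log-id=%s\n' "$(tree_id_of "$_entry_id")"
    printf 'rekor-uuid=%s\n' "$(uuid_of "$_entry_id")"
  } >> "$_out_file"
}

main() {
  entry=$(extract_entry_id "$SAMPLE_OUTPUT")
  echo "entry id ($(classify_id "$entry")): $entry"
  echo "log id:   $(tree_id_of "$entry")"
  echo "uuid:     $(uuid_of "$entry")"
  tmp=$(mktemp)
  write_outputs "$tmp" "$entry"
  cat "$tmp"
  rm -f "$tmp"
}

main
```

Run it with `sh` or `bash`; `classify_id` returns non-zero for anything that is neither 64 nor 80 lowercase hex digits, which is the check you want before pasting a value into a log-lookup URL or a verification tool.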
Looks alright, just add the details to the list of unreleased changes.
Signed-off-by: Lim Jet <[email protected]>
Signed-off-by: Lim Jet <[email protected]>
Co-authored-by: Ramon Petgrave <[email protected]>
Signed-off-by: daoauth <[email protected]>
output=$("$GITHUB_WORKSPACE/$BUILDER_BINARY" attest --subjects-filename "${SUBJECTS_FILENAME}" -g "$untrusted_prov_name") | ||
echo "$output" | ||
uuid=$(echo "$output" | grep -oP 'UUID \K[0-9a-f]{80}') | ||
echo "uuid=$uuid" >> $GITHUB_OUTPUT |
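Review bot: `$GITHUB_OUTPUT` on the last line of this hunk is unquoted, which is what `make lint` (shellcheck SC2086) flags; write it as `echo "uuid=$uuid" >> "$GITHUB_OUTPUT"`. Separately, the value captured here is the 80-hex entry ID (shard prefix plus UUID), while the PR summary names the exposed parameter `provenance-rekor-uuid`; either document in the output's description that it carries the full entry ID, or name it accordingly, so consumers know which identifier they are handed.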
Lint errors: please run `make actionlint` and `make lint`.
Closing due to inactivity.
Summary

Add functionality to output the UUID for log lookup purposes. The `provenance-rekor-uuid` parameter represents the Rekor UUID, a unique identifier that can be used to search for and view specific log entry details on the Rekor Search UI.

Testing Process

Forked the branch and conducted unit tests to verify the output of the UUID.

Checklist