From 365bc87c4441971a125ca934736d4c618d17e9ba Mon Sep 17 00:00:00 2001 From: Ian Lewis Date: Wed, 8 Jun 2022 06:02:17 +0000 Subject: [PATCH 1/8] Combine common checks and add generic tag test --- .../e2e.generic.push.main.default.slsa2.yml | 3 +- ...2e.generic.schedule.main.default.slsa2.yml | 3 +- .../e2e.generic.tag.main.default.slsa2.yml | 116 +++++++++ .../workflows/scripts/e2e-create-release.sh | 9 +- .github/workflows/scripts/e2e-utils.sh | 11 +- .../workflows/scripts/e2e-verify-release.sh | 1 - .../workflows/scripts/e2e-verify.common.sh | 92 +++++++ .../scripts/e2e.generic.default.verify.sh | 243 +++++++++--------- ...e2e-verify.sh => e2e.go.default.verify.sh} | 67 +---- 9 files changed, 352 insertions(+), 193 deletions(-) create mode 100644 .github/workflows/e2e.generic.tag.main.default.slsa2.yml create mode 100755 .github/workflows/scripts/e2e-verify.common.sh rename .github/workflows/scripts/{e2e-verify.sh => e2e.go.default.verify.sh} (75%) diff --git a/.github/workflows/e2e.generic.push.main.default.slsa2.yml b/.github/workflows/e2e.generic.push.main.default.slsa2.yml index 77f35c2eaf..9d3a07daff 100644 --- a/.github/workflows/e2e.generic.push.main.default.slsa2.yml +++ b/.github/workflows/e2e.generic.push.main.default.slsa2.yml @@ -1,4 +1,5 @@ -name: Generic push main default SLSA 2 +name: Generic push main default SLSA2 + on: schedule: - cron: "0 3 * * *" diff --git a/.github/workflows/e2e.generic.schedule.main.default.slsa2.yml b/.github/workflows/e2e.generic.schedule.main.default.slsa2.yml index 3316c35649..892391ebf5 100644 --- a/.github/workflows/e2e.generic.schedule.main.default.slsa2.yml +++ b/.github/workflows/e2e.generic.schedule.main.default.slsa2.yml @@ -1,4 +1,5 @@ -name: Generic schedule main default SLSA 2 +name: Generic schedule main default SLSA2 + on: schedule: - cron: "0 3 * * *" 
diff --git a/.github/workflows/e2e.generic.tag.main.default.slsa2.yml b/.github/workflows/e2e.generic.tag.main.default.slsa2.yml new file mode 100644 index 0000000000..7e72fbe401 --- /dev/null +++ b/.github/workflows/e2e.generic.tag.main.default.slsa2.yml 
@@ -0,0 +1,116 @@ +name: generic tag main default SLSA2 + +on: + schedule: + - cron: "0 2 * * *" + workflow_dispatch: + push: + tags: + - "*" # triggers only if push new tag version, like `0.8.4` or else + +env: + GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }} + ISSUE_REPOSITORY: slsa-framework/slsa-github-generator + +jobs: + release: + runs-on: ubuntu-latest + if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' + permissions: + contents: write + steps: + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0 + - id: create + # Note: we use v16.x.y + run: ./.github/workflows/scripts/e2e-create-release.sh + + shim: + runs-on: ubuntu-latest + if: github.event_name == 'push' && github.ref_type == 'tag' + outputs: + continue: ${{ steps.verify.outputs.continue }} + steps: + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0 + - id: verify + run: ./.github/workflows/scripts/e2e-verify-release.sh + + build: + outputs: + binary-name: ${{ steps.build.outputs.binary-name }} + digest: ${{ steps.hash.outputs.digest }} + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v3 + - name: Setup Go + uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 + with: + go-version: "1.18" + - name: Build artifact + id: build + run: | + go mod vendor + go build -mod=vendor -o hello . 
+ echo "::set-output name=binary-name::hello" + - name: Upload binary + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1 + with: + name: ${{ steps.build.outputs.binary-name }} + path: ${{ steps.build.outputs.binary-name }} + if-no-files-found: error + retention-days: 5 + - name: Generate hash + shell: bash + id: hash + env: + BINARY_NAME: ${{ steps.build.outputs.binary-name }} + run: | + set -euo pipefail + echo "::set-output name=digest::$(sha256sum $BINARY_NAME | base64 -w0)" + + provenance: + needs: [shim, build] + if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' + permissions: + id-token: write # For signing. + contents: write # For asset uploads. + actions: read # For the entrypoint. + uses: slsa-framework/slsa-github-generator/.github/workflows/slsa2_provenance.yml@main + with: + base64-subjects: "${{ needs.build.outputs.digest }}" + + verify: + runs-on: ubuntu-latest + needs: [shim, build, provenance] + if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' + steps: + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0 + - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 + with: + name: ${{ needs.build.outputs.go-binary-name }} + - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 + with: + name: ${{ needs.build.outputs.binary-name }}.intoto.jsonl + - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 + with: + go-version: "1.17" + - env: + BINARY: ${{ needs.build.outputs.binary-name }} + PROVENANCE: ${{ needs.provenance.outputs.attestation-name }} + run: ./.github/workflows/scripts/e2e.generic.default.verify.sh + + if-succeeded: + runs-on: ubuntu-latest + needs: [shim, build, verify] + if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.verify.result == 
'success' + steps: + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0 + - run: ./.github/workflows/scripts/e2e-report-success.sh + + if-failed: + runs-on: ubuntu-latest + needs: [shim, build, verify] + if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.verify.result == 'failure') + steps: + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0 + - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/scripts/e2e-create-release.sh b/.github/workflows/scripts/e2e-create-release.sh index ddd3e73568..33f68be5c3 100755 --- a/.github/workflows/scripts/e2e-create-release.sh +++ b/.github/workflows/scripts/e2e-create-release.sh @@ -1,4 +1,3 @@ - #!/usr/bin/env bash set -euo pipefail @@ -11,16 +10,16 @@ echo "THIS_FILE: $THIS_FILE" # List the releases and find the latest for THIS_FILE. RELEASE_LIST=$(gh release list) -while read line; do +while read -r line; do TAG=$(echo "$line" | cut -f1) BODY=$(gh release view "$TAG" --json body | jq -r '.body') if [[ "$BODY" == *"$THIS_FILE"* ]]; then RELEASE_TAG="$TAG" break fi -done <<< "$RELEASE_LIST" +done <<<"$RELEASE_LIST" -if [[ -z "$RELEASE_TAG" ]]; then +if [[ -z "$RELEASE_TAG" ]]; then echo "Tag not found for $THIS_FILE" exit 3 fi @@ -39,7 +38,7 @@ TAG="$NEW_RELEASE_TAG" echo "New release tag used: $TAG" -cat << EOF > DATA +cat <DATA **E2e release creation**: Tag: $TAG Branch: $BRANCH diff --git a/.github/workflows/scripts/e2e-utils.sh b/.github/workflows/scripts/e2e-utils.sh index b2799104a9..1c639d2ead 100755 --- a/.github/workflows/scripts/e2e-utils.sh +++ b/.github/workflows/scripts/e2e-utils.sh 
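Review bot: The first `download-artifact` step in the `verify` job reads `needs.build.outputs.go-binary-name`, but the `build` job declares only `binary-name` and `digest`, so the name resolves to an empty string and the binary the script later expects at `$BINARY` is not placed in the working directory; the line should read `name: ${{ needs.build.outputs.binary-name }}`. The `build` job also checks out with `actions/checkout@v3` while every other `checkout` step in this file is pinned to a commit SHA; pinning it the same way keeps the file's supply-chain posture consistent and avoids a mutable tag in the one job that compiles and uploads the artifact under test. Because `GH_TOKEN` is set in the workflow-level `env`, the `E2E_GO_TOKEN` secret is also exposed to `build`, although only the jobs that run `gh` (`release`, `shim`, `verify` and the two report jobs) appear to need it; moving `env` onto those jobs narrows the exposure without changing behaviour.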
@@ -4,6 +4,12 @@ source "./.github/workflows/scripts/e2e-assert.sh" +# Gets the name of the currently running workflow file. +# Note: this requires GH_TOKEN to be set in the workflows. +e2e_this_file() { + gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3 +} + # Converter from yaml to JSON. #sudo apt-get install jc @@ -44,7 +50,7 @@ e2e_verify_predicate_builder_id() { _e2e_verify_query "$1" "$2" '.predicate.builder.id' } -e2e_verify_predicate_builderType() { +e2e_verify_predicate_buildType() { _e2e_verify_query "$1" "$2" '.predicate.buildType' } @@ -69,7 +75,8 @@ e2e_verify_predicate_buildConfig_step_command() { # $3: expected value. e2e_verify_predicate_buildConfig_step_env() { local attestation="$2" - local expected="$(echo -n "$3" | jq -c '.| sort')" + local expected + expected="$(echo -n "$3" | jq -c '.| sort')" if [[ "${expected}" == "[]" ]]; then _e2e_verify_query "${attestation}" "null" ".predicate.buildConfig.steps[$1].env" diff --git a/.github/workflows/scripts/e2e-verify-release.sh b/.github/workflows/scripts/e2e-verify-release.sh index 60bc97c712..37557ef902 100755 --- a/.github/workflows/scripts/e2e-verify-release.sh +++ b/.github/workflows/scripts/e2e-verify-release.sh @@ -29,4 +29,3 @@ if [[ "$BODY" == *"$THIS_FILE"* ]]; then RELEASE_TAG="$TAG" echo "::set-output name=continue::yes" fi - diff --git a/.github/workflows/scripts/e2e-verify.common.sh b/.github/workflows/scripts/e2e-verify.common.sh new file mode 100755 index 0000000000..388fc0b692 --- /dev/null +++ b/.github/workflows/scripts/e2e-verify.common.sh 
@@ -0,0 +1,92 @@ +#!/usr/bin/env bash +# +# This file contains tests for common fields of Github Actions provenance. + +source "./.github/workflows/scripts/e2e-utils.sh" + +# Runs all generic SLSA checks that shouldn't change on a per-builder basis. +# $1: the attestation content +e2e_verify_common_all() { + e2e_verify_common_builder "$1" + e2e_verify_common_invocation "$1" + e2e_verify_common_metadata "$1" + e2e_verify_common_materials "$1" +} + +# Verifies the builder for generic provenance. +# $1: the attestation content +e2e_verify_common_builder() { + : +} + +# Verifies the invocation for generic provenance. +# $1: the attestation content +e2e_verify_common_invocation() { + # NOTE: We set GITHUB_WORKFLOW to the entryPoint for pull_requests. + # TODO(github.com/slsa-framework/slsa-github-generator/issues/131): support retrieving entryPoint in pull requests. + e2e_verify_predicate_invocation_configSource "$1" "{\"uri\":\"git+https://github.com/$GITHUB_REPOSITORY@$GITHUB_REF\",\"digest\":{\"sha1\":\"$GITHUB_SHA\"},\"entryPoint\":\".github/workflows/$(e2e_this_file)\"}" + + e2e_verify_predicate_invocation_environment "$1" "github_actor" "$GITHUB_ACTOR" + e2e_verify_predicate_invocation_environment "$1" "github_sha1" "$GITHUB_SHA" + # e2e_verify_predicate_invocation_environment "$1" "os" "ubuntu20" + # e2e_verify_predicate_invocation_environment "$1" "arch" "X64" + e2e_verify_predicate_invocation_environment "$1" "github_event_name" "$GITHUB_EVENT_NAME" + e2e_verify_predicate_invocation_environment "$1" "github_ref" "$GITHUB_REF" + e2e_verify_predicate_invocation_environment "$1" "github_ref_type" "$GITHUB_REF_TYPE" + e2e_verify_predicate_invocation_environment "$1" "github_run_id" "$GITHUB_RUN_ID" + e2e_verify_predicate_invocation_environment "$1" "github_run_number" "$GITHUB_RUN_NUMBER" + e2e_verify_predicate_invocation_environment "$1" "github_run_attempt" "$GITHUB_RUN_ATTEMPT" + ACTOR_ID=$(gh api -H "Accept: application/vnd.github.v3+json" 
/users/"$GITHUB_ACTOR" | jq -r '.id') + OWNER_ID=$(gh api -H "Accept: application/vnd.github.v3+json" /users/"$GITHUB_REPOSITORY_OWNER" | jq -r '.id') + REPO_ID=$(gh api -H "Accept: application/vnd.github.v3+json" /repos/"$GITHUB_REPOSITORY" | jq -r '.id') + e2e_verify_predicate_invocation_environment "$1" "github_actor_id" "$ACTOR_ID" + e2e_verify_predicate_invocation_environment "$1" "github_repository_owner_id" "$OWNER_ID" + e2e_verify_predicate_invocation_environment "$1" "github_repository_id" "$REPO_ID" +} + +# Verifies the expected metadata. +# $1: the attestation content +e2e_verify_common_metadata() { + e2e_verify_predicate_metadata "$1" "{\"buildInvocationID\":\"$GITHUB_RUN_ID-$GITHUB_RUN_ATTEMPT\",\"completeness\":{\"parameters\":true,\"environment\":false,\"materials\":false},\"reproducible\":false}" +} + +# Verifies the materials include the GitHub repository. +# $1: the attestation content +e2e_verify_common_materials() { + e2e_verify_predicate_materials "$1" "{\"uri\":\"git+https://github.com/$GITHUB_REPOSITORY@$GITHUB_REF\",\"digest\":{\"sha1\":\"$GITHUB_SHA\"}}" +} + +# Runs a verification command for each version of slsa-verifier. +# $1: command to run. The command should take the verifier binary as an +# argument. +e2e_run_verifier_all_releases() { + VERIFIER_REPOSITORY="slsa-framework/slsa-verifier" + VERIFIER_BINARY="slsa-verifier-linux-amd64" + VERIFY_COMMAND=$1 + + # First, verify provenance with the verifier at HEAD. + go env -w GOFLAGS=-mod=mod + go install "github.com/$VERIFIER_REPOSITORY@latest" + echo "**** Verifying provenance with verifier at HEAD *****" + verify_provenance "slsa-verifier" "HEAD" + + # Second, retrieve all previous versions of the verifier, + # and verify the provenance. This is essentially regression tests. 
+ RELEASE_LIST=$(gh release -R "$VERIFIER_REPOSITORY" -L 100 list) + while read -r line; do + TAG=$(echo "$line" | cut -f1) + gh release -R "$VERIFIER_REPOSITORY" download "$TAG" -p "$VERIFIER_BINARY*" || exit 10 + + # Use the compiled verifier to verify the provenance (Optional) + slsa-verifier --branch "main" \ + --tag "$TAG" \ + --artifact-path "$VERIFIER_BINARY" \ + --provenance "$VERIFIER_BINARY.intoto.jsonl" \ + --source "github.com/$VERIFIER_REPOSITORY" || exit 6 + + echo "**** Verifying provenance with verifier at $TAG ****" + chmod a+x "./$VERIFIER_BINARY" + $VERIFY_COMMAND "./$VERIFIER_BINARY" + + done <<<"$RELEASE_LIST" +} diff --git a/.github/workflows/scripts/e2e.generic.default.verify.sh b/.github/workflows/scripts/e2e.generic.default.verify.sh index ae38387fea..a4ef47f665 100755 --- a/.github/workflows/scripts/e2e.generic.default.verify.sh +++ b/.github/workflows/scripts/e2e.generic.default.verify.sh 
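Review bot: In `e2e_run_verifier_all_releases` the HEAD run calls `verify_provenance "slsa-verifier" "HEAD"` directly instead of going through the `VERIFY_COMMAND` parameter the release loop uses, so the function silently depends on the caller having defined a global named `verify_provenance` and passes a second argument the documented command is not expected to take; it should be `$VERIFY_COMMAND "slsa-verifier"`. `VERIFIER_REPOSITORY`, `VERIFIER_BINARY`, `VERIFY_COMMAND`, `RELEASE_LIST` and `TAG` are assigned without `local`, so they leak into the namespace of whichever script sources this file. The verifier installed by `go install ...@latest` is what checks the provenance of each downloaded release binary (`|| exit 6`) before that binary is made executable and run, which makes it the trust anchor of the regression loop; a comment above the `go install` line saying so, e.g. `# The HEAD verifier is used to verify each downloaded release before it is executed.`, would make that dependency explicit. `e2e_verify_common_builder` is a bare `:` and would benefit from a TODO stating which builder fields it is meant to check.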
@@ -4,136 +4,127 @@ source "./.github/workflows/scripts/e2e-utils.sh" go env -w GOFLAGS=-mod=mod -# Install from HEAD -go install github.com/slsa-framework/slsa-verifier@latest - -THIS_FILE=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3) - +verify_provenance() { + local verifier="$1" + + # Default parameters. + if [[ "$BRANCH" == "main" ]]; then + $verifier --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" + e2e_assert_eq "$?" "0" "main default parameters" + else + $verifier --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" + e2e_assert_not_eq "$?" "0" "not main default parameters" + fi + + # Correct branch + $verifier --branch "$BRANCH" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" + e2e_assert_eq "$?" "0" "should be branch $BRANCH" + + # Wrong branch + $verifier --branch "not-$GITHUB_REF_NAME" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" + e2e_assert_not_eq "$?" "0" "wrong branch" + + # Wrong tag + $verifier --tag v1.2.3 --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" + e2e_assert_not_eq "$?" "0" "wrong tag" + + if [[ "$GITHUB_REF_TYPE" == "tag" ]]; then + #TODO: try several versioned-tags and tags. + SEMVER="$GITHUB_REF_NAME" + PATCH=$(echo "$SEMVER" | cut -d '.' -f3) + MINOR=$(echo "$SEMVER" | cut -d '.' -f2) + MAJOR=$(echo "$SEMVER" | cut -d '.' 
-f1) + + M="${MAJOR:1}" + MAJOR_LESS_ONE="v$((M - 1))" + MINOR_LESS_ONE=$((MINOR - 1)) + PATCH_LESS_ONE=$((PATCH - 1)) + MAJOR_PLUS_ONE="v$((M + 1))" + MINOR_PLUS_ONE=$((MINOR + 1)) + PATCH_PLUS_ONE=$((PATCH + 1)) + + # Correct vM.N.P + $verifier --branch "$BRANCH" --versioned-tag "$MAJOR.$MINOR.$PATCH" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" + e2e_assert_eq "$?" "0" "$MAJOR.$MINOR.$PATCH versioned-tag vM.N.P ($MAJOR.$MINOR.$PATCH) should be correct" + + # Correct vM.N + $verifier --branch "$BRANCH" --versioned-tag "$MAJOR.$MINOR" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" + e2e_assert_eq "$?" "0" "$MAJOR.$MINOR versioned-tag vM.N ($MAJOR.$MINOR) should be correct" + + # Correct vM + $verifier --branch "$BRANCH" --versioned-tag "$MAJOR" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" + e2e_assert_eq "$?" "0" "$MAJOR versioned-tag vm ($MAJOR) should be correct" + + # Incorrect v(M-1) + $verifier --branch "$BRANCH" --versioned-tag "$MAJOR_LESS_ONE" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" + e2e_assert_not_eq "$?" "0" "$MAJOR_LESS_ONE versioned-tag should be incorrect" + + # Incorrect v(M-1).N + $verifier --branch "$BRANCH" --versioned-tag "$MAJOR_LESS_ONE.$MINOR" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" + e2e_assert_not_eq "$?" "0" "$MAJOR_LESS_ONE.$MINOR versioned-tag should be incorrect" + + # Incorrect v(M-1).N.P + $verifier --branch "$BRANCH" --versioned-tag "$MAJOR_LESS_ONE.$MINOR.$PATCH" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" + e2e_assert_not_eq "$?" 
"0" "$MAJOR_LESS_ONE.$MINOR.$PATCH versioned-tag should be incorrect" + + # Incorrect vM.(N-1) + $verifier --branch "$BRANCH" --versioned-tag "$MAJOR.$MINOR_LESS_ONE" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" + e2e_assert_not_eq "$?" "0" "$MAJOR.$MINOR_LESS_ONE versioned-tag should be incorrect" + + # Incorrect vM.(N-1).P + $verifier --branch "$BRANCH" --versioned-tag "$MAJOR.$MINOR_LESS_ONE.$PATCH" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" + e2e_assert_not_eq "$?" "0" "$MAJOR.$MINOR_LESS_ONE.$PATCH versioned-tag should be incorrect" + + # Incorrect vM.N.(P-1) + $verifier --branch "$BRANCH" --versioned-tag "$MAJOR.$MINOR.$PATCH_LESS_ONE" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" + e2e_assert_not_eq "$?" "0" "$MAJOR.$MINOR.$PATCH_LESS_ONE versioned-tag should be incorrect" + + # Incorrect v(M+1) + $verifier --branch "$BRANCH" --versioned-tag "$MAJOR_PLUS_ONE" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" + e2e_assert_not_eq "$?" "0" "$MAJOR_PLUS_ONE versioned-tag should be incorrect" + + # Incorrect v(M+1).N + $verifier --branch "$BRANCH" --versioned-tag "$MAJOR_PLUS_ONE.$MINOR" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" + e2e_assert_not_eq "$?" "0" "$MAJOR_PLUS_ONE.$MINOR versioned-tag should be incorrect" + + # Incorrect v(M+1).N.P + $verifier --branch "$BRANCH" --versioned-tag "$MAJOR_PLUS_ONE.$MINOR.$PATCH" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" + e2e_assert_not_eq "$?" "0" "$MAJOR_PLUS_ONE.$MINOR.$PATCH versioned-tag should be incorrect" + + # Incorrect vM.(N+1) + $verifier --branch "$BRANCH" --versioned-tag "$MAJOR.$MINOR_PLUS_ONE" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" + e2e_assert_not_eq "$?" 
"0" "$MAJOR.$MINOR_PLUS_ONE versioned-tag should be incorrect" + + # Incorrect vM.(N+1).P + slsa-verifier --branch "$BRANCH" --versioned-tag "$MAJOR.$MINOR_PLUS_ONE.$PATCH" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" + e2e_assert_not_eq "$?" "0" "$MAJOR.$MINOR_PLUS_ONE.$PATCH versioned-tag should be incorrect" + + # Incorrect vM.N.(P+1) + $verifier --branch "$BRANCH" --versioned-tag "$MAJOR.$MINOR.$PATCH_PLUS_ONE" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" + e2e_assert_not_eq "$?" "0" "$MAJOR.$MINOR.$PATCH_PLUS_ONE versioned-tag should be incorrect" + else + # Wrong versioned-tag + $verifier --branch "$BRANCH" --versioned-tag v1.2.3 --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" + e2e_assert_not_eq "$?" "0" "wrong versioned-tag" + fi + + # Provenance content verification. + ATTESTATION=$(jq -r '.payload' <"$PROVENANCE" | base64 -d) + + # Verify all common provenance fields. + e2e_verify_common_all "$ATTESTATION" + + e2e_verify_predicate_subject_name "$ATTESTATION" "$BINARY" + e2e_verify_predicate_builder_id "$ATTESTATION" "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/slsa2_provenance.yml@refs/heads/main" + e2e_verify_predicate_buildType "$ATTESTATION" "https://github.com/slsa-framework/slsa-github-generator@v1" +} + +THIS_FILE=$(e2e_this_file) BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4) - echo "branch is $BRANCH" echo "GITHUB_REF_NAME: $GITHUB_REF_NAME" echo "GITHUB_REF_TYPE: $GITHUB_REF_TYPE" echo "GITHUB_REF: $GITHUB_REF" - -# Default parameters. -if [[ "$BRANCH" == "main" ]]; then - slsa-verifier --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" - e2e_assert_eq "$?" "0" "main default parameters" -else - slsa-verifier --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" - e2e_assert_not_eq "$?" 
"0" "not main default parameters" -fi - echo "DEBUG: file is $THIS_FILE" -# Correct branch -slsa-verifier --branch "$BRANCH" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" -e2e_assert_eq "$?" "0" "should be branch $BRANCH" - -# Wrong branch -slsa-verifier --branch "not-$GITHUB_REF_NAME" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" -e2e_assert_not_eq "$?" "0" "wrong branch" - -# Wrong tag -slsa-verifier --tag v1.2.3 --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" -e2e_assert_not_eq "$?" "0" "wrong tag" - -if [[ "$GITHUB_REF_TYPE" == "tag" ]]; then - #TODO: try several versioned-tags and tags. - SEMVER="$GITHUB_REF_NAME" - PATCH=$(echo "$SEMVER" | cut -d '.' -f3) - MINOR=$(echo "$SEMVER" | cut -d '.' -f2) - MAJOR=$(echo "$SEMVER" | cut -d '.' -f1) - - M="${MAJOR:1}" - MAJOR_LESS_ONE="v$((M - 1))" - MINOR_LESS_ONE=$((MINOR - 1)) - PATCH_LESS_ONE=$((PATCH - 1)) - MAJOR_PLUS_ONE="v$((M + 1))" - MINOR_PLUS_ONE=$((MINOR + 1)) - PATCH_PLUS_ONE=$((PATCH + 1)) - - # Correct vM.N.P - slsa-verifier --branch "$BRANCH" --versioned-tag "$MAJOR.$MINOR.$PATCH" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" - e2e_assert_eq "$?" "0" "$MAJOR.$MINOR.$PATCH versioned-tag vM.N.P ($MAJOR.$MINOR.$PATCH) should be correct" - - # Correct vM.N - slsa-verifier --branch "$BRANCH" --versioned-tag "$MAJOR.$MINOR" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" - e2e_assert_eq "$?" "0" "$MAJOR.$MINOR versioned-tag vM.N ($MAJOR.$MINOR) should be correct" - - # Correct vM - slsa-verifier --branch "$BRANCH" --versioned-tag "$MAJOR" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" - e2e_assert_eq "$?" 
"0" "$MAJOR versioned-tag vm ($MAJOR) should be correct" - - # Incorrect v(M-1) - slsa-verifier --branch "$BRANCH" --versioned-tag "$MAJOR_LESS_ONE" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" - e2e_assert_not_eq "$?" "0" "$MAJOR_LESS_ONE versioned-tag should be incorrect" - - # Incorrect v(M-1).N - slsa-verifier --branch "$BRANCH" --versioned-tag "$MAJOR_LESS_ONE.$MINOR" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" - e2e_assert_not_eq "$?" "0" "$MAJOR_LESS_ONE.$MINOR versioned-tag should be incorrect" - - # Incorrect v(M-1).N.P - slsa-verifier --branch "$BRANCH" --versioned-tag "$MAJOR_LESS_ONE.$MINOR.$PATCH" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" - e2e_assert_not_eq "$?" "0" "$MAJOR_LESS_ONE.$MINOR.$PATCH versioned-tag should be incorrect" - - # Incorrect vM.(N-1) - slsa-verifier --branch "$BRANCH" --versioned-tag "$MAJOR.$MINOR_LESS_ONE" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" - e2e_assert_not_eq "$?" "0" "$MAJOR.$MINOR_LESS_ONE versioned-tag should be incorrect" - - # Incorrect vM.(N-1).P - slsa-verifier --branch "$BRANCH" --versioned-tag "$MAJOR.$MINOR_LESS_ONE.$PATCH" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" - e2e_assert_not_eq "$?" "0" "$MAJOR.$MINOR_LESS_ONE.$PATCH versioned-tag should be incorrect" - - # Incorrect vM.N.(P-1) - slsa-verifier --branch "$BRANCH" --versioned-tag "$MAJOR.$MINOR.$PATCH_LESS_ONE" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" - e2e_assert_not_eq "$?" "0" "$MAJOR.$MINOR.$PATCH_LESS_ONE versioned-tag should be incorrect" - - # Incorrect v(M+1) - slsa-verifier --branch "$BRANCH" --versioned-tag "$MAJOR_PLUS_ONE" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" - e2e_assert_not_eq "$?" 
"0" "$MAJOR_PLUS_ONE versioned-tag should be incorrect" - - # Incorrect v(M+1).N - slsa-verifier --branch "$BRANCH" --versioned-tag "$MAJOR_PLUS_ONE.$MINOR" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" - e2e_assert_not_eq "$?" "0" "$MAJOR_PLUS_ONE.$MINOR versioned-tag should be incorrect" - - # Incorrect v(M+1).N.P - slsa-verifier --branch "$BRANCH" --versioned-tag "$MAJOR_PLUS_ONE.$MINOR.$PATCH" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" - e2e_assert_not_eq "$?" "0" "$MAJOR_PLUS_ONE.$MINOR.$PATCH versioned-tag should be incorrect" - - # Incorrect vM.(N+1) - slsa-verifier --branch "$BRANCH" --versioned-tag "$MAJOR.$MINOR_PLUS_ONE" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" - e2e_assert_not_eq "$?" "0" "$MAJOR.$MINOR_PLUS_ONE versioned-tag should be incorrect" - - # Incorrect vM.(N+1).P - slsa-verifier --branch "$BRANCH" --versioned-tag "$MAJOR.$MINOR_PLUS_ONE.$PATCH" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" - e2e_assert_not_eq "$?" "0" "$MAJOR.$MINOR_PLUS_ONE.$PATCH versioned-tag should be incorrect" - - # Incorrect vM.N.(P+1) - slsa-verifier --branch "$BRANCH" --versioned-tag "$MAJOR.$MINOR.$PATCH_PLUS_ONE" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" - e2e_assert_not_eq "$?" "0" "$MAJOR.$MINOR.$PATCH_PLUS_ONE versioned-tag should be incorrect" -else - # Wrong versioned-tag - slsa-verifier --branch "$BRANCH" --versioned-tag v1.2.3 --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" - e2e_assert_not_eq "$?" "0" "wrong versioned-tag" -fi - -# Provenance content verification. -ATTESTATION=$(jq -r '.payload' <"$PROVENANCE" | base64 -d) -ASSETS=$(echo "$THIS_FILE" | cut -d '.' 
-f5 | grep -v noassets) -DIR="$PWD" -e2e_verify_predicate_subject_name "$ATTESTATION" "$BINARY" -e2e_verify_predicate_builder_id "$ATTESTATION" "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/slsa2_provenance.yml@refs/heads/main" -e2e_verify_predicate_builderType "$ATTESTATION" "https://github.com/slsa-framework/slsa-github-generator@v1" - -e2e_verify_predicate_invocation_configSource "$ATTESTATION" "{\"uri\":\"git+https://github.com/$GITHUB_REPOSITORY@$GITHUB_REF\",\"digest\":{\"sha1\":\"$GITHUB_SHA\"},\"entryPoint\":\".github/workflows/$THIS_FILE\"}" - -e2e_verify_predicate_invocation_environment "$ATTESTATION" "github_actor" "$GITHUB_ACTOR" -e2e_verify_predicate_invocation_environment "$ATTESTATION" "github_sha1" "$GITHUB_SHA" -e2e_verify_predicate_invocation_environment "$ATTESTATION" "github_event_name" "$GITHUB_EVENT_NAME" -e2e_verify_predicate_invocation_environment "$ATTESTATION" "github_ref" "$GITHUB_REF" -e2e_verify_predicate_invocation_environment "$ATTESTATION" "github_ref_type" "$GITHUB_REF_TYPE" - -e2e_verify_predicate_metadata "$ATTESTATION" "{\"buildInvocationID\":\"$GITHUB_RUN_ID-$GITHUB_RUN_ATTEMPT\",\"completeness\":{\"parameters\":true,\"environment\":false,\"materials\":false},\"reproducible\":false}" -e2e_verify_predicate_materials "$ATTESTATION" "{\"uri\":\"git+https://github.com/$GITHUB_REPOSITORY@$GITHUB_REF\",\"digest\":{\"sha1\":\"$GITHUB_SHA\"}}" +e2e_run_verifier_all_releases verify_provenance diff --git a/.github/workflows/scripts/e2e-verify.sh b/.github/workflows/scripts/e2e.go.default.verify.sh similarity index 75% rename from .github/workflows/scripts/e2e-verify.sh rename to .github/workflows/scripts/e2e.go.default.verify.sh index a60aa5b25d..89c24125d0 100755 --- a/.github/workflows/scripts/e2e-verify.sh +++ b/.github/workflows/scripts/e2e.go.default.verify.sh 
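Review bot: The "Incorrect vM.(N+1).P" case inside the new `verify_provenance` invokes the literal `slsa-verifier` rather than `$verifier`, so when `e2e_run_verifier_all_releases` replays the function against each downloaded release that case is still exercised with the HEAD build; change it to `$verifier --branch "$BRANCH" --versioned-tag "$MAJOR.$MINOR_PLUS_ONE.$PATCH" --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY"`. The script now calls `e2e_verify_common_all` and `e2e_run_verifier_all_releases`, which are defined in the new `e2e-verify.common.sh`, yet the visible context line still sources only `e2e-utils.sh`; unless lines 1–3 above the hunk source the common file, these calls will fail with "command not found", and switching the line to `source "./.github/workflows/scripts/e2e-verify.common.sh"` as the Go script does would fix it. The `go env -w GOFLAGS=-mod=mod` left at the top is now redundant with the same call inside `e2e_run_verifier_all_releases`.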
@@ -16,13 +16,12 @@ # export BINARY=binary-linux-amd64 # export PROVENANCE=example.intoto.jsonl -source "./.github/workflows/scripts/e2e-utils.sh" +source "./.github/workflows/scripts/e2e-verify.common.sh" # Function used to verify provenance. verify_provenance() { local verifier="$1" - local version="$2" - + # Default parameters. if [[ "$BRANCH" == "main" ]]; then $verifier --artifact-path "$BINARY" --provenance "$PROVENANCE" --source "github.com/$GITHUB_REPOSITORY" @@ -125,7 +124,7 @@ verify_provenance() { fi # Provenance content verification. - ATTESTATION=$(cat "$PROVENANCE" | jq -r '.payload' | base64 -d) + ATTESTATION=$(jq -r '.payload' <"$PROVENANCE" | base64 -d) #TRIGGER=$(echo "$THIS_FILE" | cut -d '.' -f3) #BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4) LDFLAGS=$(echo "$THIS_FILE" | cut -d '.' -f5 | grep -v noldflags) 
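Review bot: `verify_provenance` drops its `version` parameter, but the comment above it, `# Function used to verify provenance.`, still says nothing about the remaining argument now that `e2e_run_verifier_all_releases` calls it with only the verifier path; I would replace it with `# Verifies the provenance with the given verifier binary.` and `# $1: path to (or name of) the slsa-verifier binary to run.`. The function body continues outside the hunk.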
@@ -137,26 +136,15 @@ verify_provenance() { DIR="$DIR/$GO_DIR" fi + # Verify all common provenance fields. + e2e_verify_common_all "$ATTESTATION" + e2e_verify_predicate_subject_name "$ATTESTATION" "$BINARY" e2e_verify_predicate_builder_id "$ATTESTATION" "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/heads/main" - e2e_verify_predicate_builderType "$ATTESTATION" "https://github.com/slsa-framework/slsa-github-generator/go@v1" + e2e_verify_predicate_buildType "$ATTESTATION" "https://github.com/slsa-framework/slsa-github-generator/go@v1" - e2e_verify_predicate_invocation_configSource "$ATTESTATION" "{\"uri\":\"git+https://github.com/$GITHUB_REPOSITORY@$GITHUB_REF\",\"digest\":{\"sha1\":\"$GITHUB_SHA\"},\"entryPoint\":\".github/workflows/$THIS_FILE\"}" - - e2e_verify_predicate_invocation_environment "$ATTESTATION" "github_actor" "$GITHUB_ACTOR" - e2e_verify_predicate_invocation_environment "$ATTESTATION" "github_sha1" "$GITHUB_SHA" e2e_verify_predicate_invocation_environment "$ATTESTATION" "os" "ubuntu20" e2e_verify_predicate_invocation_environment "$ATTESTATION" "arch" "X64" - e2e_verify_predicate_invocation_environment "$ATTESTATION" "github_event_name" "$GITHUB_EVENT_NAME" - e2e_verify_predicate_invocation_environment "$ATTESTATION" "github_ref" "$GITHUB_REF" - e2e_verify_predicate_invocation_environment "$ATTESTATION" "github_ref_type" "$GITHUB_REF_TYPE" - - ACTOR_ID=$(gh api -H "Accept: application/vnd.github.v3+json" /users/"$GITHUB_ACTOR" | jq -r '.id') - OWNER_ID=$(gh api -H "Accept: application/vnd.github.v3+json" /users/"$GITHUB_REPOSITORY_OWNER" | jq -r '.id') - REPO_ID=$(gh api -H "Accept: application/vnd.github.v3+json" /repos/"$GITHUB_REPOSITORY" | jq -r '.id') - e2e_verify_predicate_invocation_environment "$ATTESTATION" "github_actor_id" "$ACTOR_ID" - e2e_verify_predicate_invocation_environment "$ATTESTATION" "github_repository_owner_id" "$OWNER_ID" - e2e_verify_predicate_invocation_environment 
"$ATTESTATION" "github_repository_id" "$REPO_ID" # First step is vendoring e2e_verify_predicate_buildConfig_step_command "0" "$ATTESTATION" "[\"mod\",\"vendor\"]" @@ -171,7 +159,7 @@ verify_provenance() { e2e_verify_predicate_buildConfig_step_command "1" "$ATTESTATION" "[\"build\",\"-mod=vendor\",\"-trimpath\",\"-tags=netgo\",\"-o\",\"$BINARY\"]" else chmod a+x ./"$BINARY" - + if [[ -z "$GO_MAIN" ]]; then e2e_verify_predicate_buildConfig_step_command "1" "$ATTESTATION" "[\"build\",\"-mod=vendor\",\"-trimpath\",\"-tags=netgo\",\"-ldflags=-X main.gitVersion=v1.2.3 -X main.gitCommit=abcdef -X main.gitBranch=$BRANCH\",\"-o\",\"$BINARY\"]" else @@ -188,9 +176,6 @@ verify_provenance() { e2e_assert_not_eq "$B" "" "GitBranch should not be empty" fi - e2e_verify_predicate_metadata "$ATTESTATION" "{\"buildInvocationID\":\"$GITHUB_RUN_ID-$GITHUB_RUN_ATTEMPT\",\"completeness\":{\"parameters\":true,\"environment\":false,\"materials\":false},\"reproducible\":false}" - e2e_verify_predicate_materials "$ATTESTATION" "{\"uri\":\"git+https://github.com/$GITHUB_REPOSITORY@$GITHUB_REF\",\"digest\":{\"sha1\":\"$GITHUB_SHA\"}}" - if [[ "$GITHUB_REF_TYPE" == "tag" ]]; then A=$(gh release view --json assets "$GITHUB_REF_NAME" | jq -r '.assets | .[0].name, .[1].name' | jq -R -s -c 'split("\n") | map(select(length > 0))') if [[ -z "$ASSETS" ]]; then 
@@ -207,44 +192,12 @@ verify_provenance() {
 # ===== main execution starts =========
 # =====================================
-# Get the filename. Note: requires GH_TOKEN to be set in the workflows.
-THIS_FILE=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3)
-
+THIS_FILE=$(e2e_this_file)
 BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4)
-
 echo "branch is $BRANCH"
 echo "GITHUB_REF_NAME: $GITHUB_REF_NAME"
 echo "GITHUB_REF_TYPE: $GITHUB_REF_TYPE"
 echo "GITHUB_REF: $GITHUB_REF"
 echo "DEBUG: file is $THIS_FILE"
-VERIFIER_REPOSITORY="slsa-framework/slsa-verifier"
-VERIFIER_BINARY="slsa-verifier-linux-amd64"
-
-# First, verify provenance with the verifier at HEAD.
-go env -w GOFLAGS=-mod=mod
-go install "github.com/$VERIFIER_REPOSITORY@latest"
-echo "**** Verifying provenance with verifier at HEAD *****"
-verify_provenance "slsa-verifier" "HEAD"
-
-# Second, retrieve all previous versions of the verifier,
-# and verify the provenance. This is essentially regression tests.
-RELEASE_LIST=$(gh release -R "$VERIFIER_REPOSITORY" -L 100 list)
-while read line; do
- TAG=$(echo "$line" | cut -f1)
- gh release -R "$VERIFIER_REPOSITORY" download "$TAG" -p "$VERIFIER_BINARY*" || exit 10
-
- # Use the compiled verifier to verify the provenance (Optional)
- slsa-verifier --branch "main" \
- --tag "$TAG" \
- --artifact-path "$VERIFIER_BINARY" \
- --provenance "$VERIFIER_BINARY.intoto.jsonl" \
- --source "github.com/$VERIFIER_REPOSITORY" || exit 6
-
- echo "**** Verifying provenance with verifier at $TAG ****"
- chmod a+x "./$VERIFIER_BINARY"
- verify_provenance "./$VERIFIER_BINARY" "$TAG"
-
-done <<< "$RELEASE_LIST"
-
-
+e2e_run_verifier_all_releases verify_provenance
From 440f5065fa26785ae155c23d224fdfcdd99ab709 Mon Sep 17 00:00:00 2001
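Review bot: `THIS_FILE=$(e2e_this_file)` drops the removed `# Get the filename. Note: requires GH_TOKEN to be set in the workflows.` comment along with the inline `gh api` call; if `e2e_this_file` still queries the Actions API (its definition is not in this chunk), the token requirement has not gone away and should stay documented here, e.g. `# Note: e2e_this_file requires GH_TOKEN to be set in the workflow.`. The two `THIS_FILE=$(e2e_this_file)` hunks in PATCH 4 (e2e-create-release.sh at -5 and e2e-verify-release.sh at -3) have the same gap. `BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4)` derives the branch from the fourth dot-separated field of the workflow filename, which is pre-existing but undocumented; a one-line comment naming the expected layout, e.g. `# Workflow files are named e2e.<builder>.<event>.<branch>.<...>.yml; field 4 is the branch.`, would help if that is indeed the convention.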
From: Ian Lewis
Date: Wed, 8 Jun 2022 06:08:09 +0000
Subject: [PATCH 2/8] Use test repository
---
 .github/workflows/scripts/e2e-verify.common.sh | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/scripts/e2e-verify.common.sh b/.github/workflows/scripts/e2e-verify.common.sh
index 388fc0b692..a4861659f0 100755
--- a/.github/workflows/scripts/e2e-verify.common.sh
+++ b/.github/workflows/scripts/e2e-verify.common.sh
@@ -60,13 +60,17 @@ e2e_verify_common_materials() {
 # $1: command to run. The command should take the verifier binary as an
 # argument.
 e2e_run_verifier_all_releases() {
- VERIFIER_REPOSITORY="slsa-framework/slsa-verifier"
+ # FIXME
+ # VERIFIER_REPOSITORY="slsa-framework/slsa-verifier"
+ VERIFIER_REPOSITORY="ianlewis/slsa-verifier"
 VERIFIER_BINARY="slsa-verifier-linux-amd64"
 VERIFY_COMMAND=$1
 # First, verify provenance with the verifier at HEAD.
 go env -w GOFLAGS=-mod=mod
- go install "github.com/$VERIFIER_REPOSITORY@latest"
+ # FIXME
+ # go install "github.com/$VERIFIER_REPOSITORY@latest"
+ go install "github.com/$VERIFIER_REPOSITORY@ianlewis-test"
 echo "**** Verifying provenance with verifier at HEAD *****"
 verify_provenance "slsa-verifier" "HEAD"
From 16fec0e53016ca57579c3ee5032f94b97284bea1 Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Wed, 8 Jun 2022 06:14:40 +0000
Subject: [PATCH 3/8] deps for build step
---
 .github/workflows/e2e.generic.tag.main.default.slsa2.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/e2e.generic.tag.main.default.slsa2.yml b/.github/workflows/e2e.generic.tag.main.default.slsa2.yml
index 7e72fbe401..9c75b2c1b3 100644
--- a/.github/workflows/e2e.generic.tag.main.default.slsa2.yml
+++ b/.github/workflows/e2e.generic.tag.main.default.slsa2.yml
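Review bot: `VERIFY_COMMAND=$1` is assigned but the HEAD run a few lines later still calls `verify_provenance "slsa-verifier" "HEAD"` by name, so the `$1: command to run` contract stated in the function's comment is not honoured for the HEAD check and a caller passing any other command gets `verify_provenance` regardless; the line should read `"$VERIFY_COMMAND" "slsa-verifier" "HEAD"`. The same line is context in the PATCH 7 hunk at -60 and is the line modified in PATCH 8 at -68, where it would become `"$VERIFY_COMMAND" "slsa-verifier"`. The per-release loop that presumably uses `$VERIFY_COMMAND` runs past the end of this hunk. Separately, installing the verifier from a personal fork and branch (`ianlewis/slsa-verifier@ianlewis-test`) makes the test's trust anchor a mutable branch outside the project; the FIXME is reverted in PATCH 7 so the series is net-neutral, but this intermediate commit should not be merged on its own.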
@@ -35,10 +35,12 @@ jobs:
 run: ./.github/workflows/scripts/e2e-verify-release.sh
 build:
+ runs-on: ubuntu-latest
+ needs: [shim]
+ if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
 outputs:
 binary-name: ${{ steps.build.outputs.binary-name }}
 digest: ${{ steps.hash.outputs.digest }}
- runs-on: ubuntu-latest
 steps:
 - name: Checkout code
 uses: actions/checkout@v3
From 1bfb5ae213dfe9439de37145c2d769b8ac0420ee Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Wed, 8 Jun 2022 07:22:00 +0000
Subject: [PATCH 4/8] Cleanup
---
 .github/workflows/scripts/e2e-create-release.sh | 2 +-
 .github/workflows/scripts/e2e-verify-release.sh | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/scripts/e2e-create-release.sh b/.github/workflows/scripts/e2e-create-release.sh
index 33f68be5c3..0b575285e5 100755
--- a/.github/workflows/scripts/e2e-create-release.sh
+++ b/.github/workflows/scripts/e2e-create-release.sh
@@ -5,7 +5,7 @@ source "./.github/workflows/scripts/e2e-utils.sh"
 RELEASE_TAG=""
-THIS_FILE=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3)
+THIS_FILE=$(e2e_this_file)
 echo "THIS_FILE: $THIS_FILE"
 # List the releases and find the latest for THIS_FILE.
diff --git a/.github/workflows/scripts/e2e-verify-release.sh b/.github/workflows/scripts/e2e-verify-release.sh
index 37557ef902..554efd4b43 100755
--- a/.github/workflows/scripts/e2e-verify-release.sh
+++ b/.github/workflows/scripts/e2e-verify-release.sh
@@ -3,7 +3,7 @@ set -euo pipefail
 source "./.github/workflows/scripts/e2e-utils.sh"
-THIS_FILE=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3)
+THIS_FILE=$(e2e_this_file)
 echo "THIS_FILE: $THIS_FILE"
 if [[ "$GITHUB_REF_TYPE" != "tag" ]]; then
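Review bot: The build job's checkout step stays on a mutable tag, `uses: actions/checkout@v3`, while the verify job of the same workflow (PATCH 5, hunk at -89) pins `actions/checkout`, `actions/download-artifact` and `actions/setup-go` to commit SHAs; in an e2e test for a provenance builder the job that produces the artifact is the one most worth pinning, so it should use the same form, `uses: actions/checkout@<commit-sha> # v3` (with the SHA resolved from the v3 tag). The new `if:` gate is only true when the shim emitted `continue=yes` (the `echo "::set-output name=continue::yes"` in PATCH 4), so a shim that skips or fails makes the build job skip silently rather than fail; a comment above `if:` stating that intent, e.g. `# Build only for tag pushes that the shim confirmed belong to this workflow file; otherwise the job is skipped, not failed.`, would make the skip expected rather than surprising. The `build` job definition continues past the end of the hunk.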
@@ -14,7 +14,7 @@ fi
 # 1- Verify the branch
 # WARNING: GITHUB_BASE_REF is empty on tag releases.
 BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4)
-ENV_BRANCH=$(cat "$GITHUB_EVENT_PATH" | jq -r '.base_ref')
+ENV_BRANCH=$(jq -r '.base_ref' <"$GITHUB_EVENT_PATH")
 if [[ "$ENV_BRANCH" != "refs/heads/$BRANCH" ]]; then
 echo "mismatch branch: file contains refs/heads/$BRANCH; GitHub env contains $ENV_BRANCH"
@@ -26,6 +26,5 @@ fi
 TAG="$GITHUB_REF_NAME"
 BODY=$(gh release view "$TAG" --json body | jq -r '.body')
 if [[ "$BODY" == *"$THIS_FILE"* ]]; then
- RELEASE_TAG="$TAG"
 echo "::set-output name=continue::yes"
 fi
From 5ff982f42f940a4fe993e59c70022e125274c86b Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Wed, 8 Jun 2022 07:34:57 +0000
Subject: [PATCH 5/8] Fix verification step
---
 .github/workflows/e2e.generic.tag.main.default.slsa2.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/e2e.generic.tag.main.default.slsa2.yml b/.github/workflows/e2e.generic.tag.main.default.slsa2.yml
index 9c75b2c1b3..79cb515909 100644
--- a/.github/workflows/e2e.generic.tag.main.default.slsa2.yml
+++ b/.github/workflows/e2e.generic.tag.main.default.slsa2.yml
@@ -89,10 +89,10 @@ jobs:
 - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
 - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
 with:
- name: ${{ needs.build.outputs.go-binary-name }}
+ name: ${{ needs.build.outputs.binary-name }}
 - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
 with:
- name: ${{ needs.build.outputs.binary-name }}.intoto.jsonl
+ name: ${{ needs.provenance.outputs.attestation-name }}
 - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0
 with:
 go-version: "1.17"
From 02aa8edfafd4fe17adf3a173e47b6964d63b704b Mon Sep 17 00:00:00 2001
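Review bot: `name: ${{ needs.provenance.outputs.attestation-name }}` reads an output of the `provenance` job, but this verify job's `needs:` list is outside the hunk; if `provenance` is not listed there, the expression expands to an empty string and `actions/download-artifact` fails at runtime with a less obvious error, so confirm the list names both `build` and `provenance`. As a point of style, the two `actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741` pins carry no version comment while the adjacent checkout and setup-go pins do (`#v2.4.0`, `# v2.2.0`); append `# v<version>` to each, with the version the pinned commit corresponds to, so the pin can be audited without resolving the SHA. The step list continues outside the hunk.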
From: Ian Lewis
Date: Wed, 8 Jun 2022 07:56:51 +0000
Subject: [PATCH 6/8] updates
---
 .github/workflows/scripts/e2e.generic.default.verify.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scripts/e2e.generic.default.verify.sh b/.github/workflows/scripts/e2e.generic.default.verify.sh
index a4ef47f665..12f325df4d 100755
--- a/.github/workflows/scripts/e2e.generic.default.verify.sh
+++ b/.github/workflows/scripts/e2e.generic.default.verify.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
-source "./.github/workflows/scripts/e2e-utils.sh"
+source "./.github/workflows/scripts/e2e-verify.common.sh"
 go env -w GOFLAGS=-mod=mod
From 703074aee2587731fe0026f0bb67583734dc3a39 Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Wed, 8 Jun 2022 08:10:40 +0000
Subject: [PATCH 7/8] Revert verifier
---
 .github/workflows/scripts/e2e-verify.common.sh | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/scripts/e2e-verify.common.sh b/.github/workflows/scripts/e2e-verify.common.sh
index a4861659f0..388fc0b692 100755
--- a/.github/workflows/scripts/e2e-verify.common.sh
+++ b/.github/workflows/scripts/e2e-verify.common.sh
@@ -60,17 +60,13 @@ e2e_verify_common_materials() {
 # $1: command to run. The command should take the verifier binary as an
 # argument.
 e2e_run_verifier_all_releases() {
- # FIXME
- # VERIFIER_REPOSITORY="slsa-framework/slsa-verifier"
- VERIFIER_REPOSITORY="ianlewis/slsa-verifier"
+ VERIFIER_REPOSITORY="slsa-framework/slsa-verifier"
 VERIFIER_BINARY="slsa-verifier-linux-amd64"
 VERIFY_COMMAND=$1
 # First, verify provenance with the verifier at HEAD.
 go env -w GOFLAGS=-mod=mod
- # FIXME
- # go install "github.com/$VERIFIER_REPOSITORY@latest"
- go install "github.com/$VERIFIER_REPOSITORY@ianlewis-test"
+ go install "github.com/$VERIFIER_REPOSITORY@latest"
 echo "**** Verifying provenance with verifier at HEAD *****"
 verify_provenance "slsa-verifier" "HEAD"
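Review bot: `e2e.generic.default.verify.sh` has no `set -euo pipefail` in its header (the hunk shows lines 1–6: the shebang, the new `source` line and `go env -w GOFLAGS=-mod=mod`), whereas `e2e-verify-release.sh` in PATCH 4 sets it before its `source` line; unless `e2e-verify.common.sh` establishes it for the sourcing script, which cannot be seen here, a failing `gh`/`jq` pipeline inside a check would print an error and the script would still exit 0. Add `set -euo pipefail` on the line after the shebang, or a comment stating that the sourced file sets it. The rest of the script is outside the hunk.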
From 7d192cfad06ae176d696b9e5d0e47899d8449d0e Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Wed, 8 Jun 2022 08:35:32 +0000
Subject: [PATCH 8/8] updates
---
 .github/workflows/scripts/e2e-verify.common.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scripts/e2e-verify.common.sh b/.github/workflows/scripts/e2e-verify.common.sh
index 388fc0b692..bf4fa2c656 100755
--- a/.github/workflows/scripts/e2e-verify.common.sh
+++ b/.github/workflows/scripts/e2e-verify.common.sh
@@ -68,7 +68,7 @@ e2e_run_verifier_all_releases() {
 go env -w GOFLAGS=-mod=mod
 go install "github.com/$VERIFIER_REPOSITORY@latest"
 echo "**** Verifying provenance with verifier at HEAD *****"
- verify_provenance "slsa-verifier" "HEAD"
+ verify_provenance "slsa-verifier"
 # Second, retrieve all previous versions of the verifier,
 # and verify the provenance. This is essentially regression tests.