From c00b3d6150460584a48dd0922c06b0b345e60315 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 4 Apr 2022 20:29:36 +0000 Subject: [PATCH 1/3] Remove falsifiability --- .github/workflows/pre-submit.yml | 4 ++-- SPECIFICATIONS.md | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/pre-submit.yml b/.github/workflows/pre-submit.yml index f5b9ede..9a25374 100644 --- a/.github/workflows/pre-submit.yml +++ b/.github/workflows/pre-submit.yml @@ -4,7 +4,7 @@ on: [pull_request, workflow_dispatch] permissions: read-all jobs: - pre-submit: + unit-tests: runs-on: ubuntu-latest steps: - name: Checkout @@ -24,4 +24,4 @@ jobs: # Build. go build -mod=vendor # Test. - go test -mod=vendor -v ./... + go test -mod=vendor -v ./... \ No newline at end of file diff --git a/SPECIFICATIONS.md b/SPECIFICATIONS.md index 6b58a9c..d2d566c 100644 --- a/SPECIFICATIONS.md +++ b/SPECIFICATIONS.md @@ -197,7 +197,7 @@ An example of the output provenance can be found in [README.md#example-provenanc ### Provenance Verification -Given an artifact and a signed provenance, a consumer must verify the authenticity, integrity, proof of service-generation, and non-falsifiability of the provenance in order to make accurate risk based assessments based on their security posture. +Given an artifact and a signed provenance, a consumer must verify the authenticity, integrity, proof of service-generation, and non-forgeability of the provenance in order to make accurate risk based assessments based on their security posture. Authenticity and integrity come from the digital signature on the provenance that was created using a private key accessible only to the service generating the provenance. The ephemeral key is generated and stored inside the isolated builder VM. @@ -205,7 +205,7 @@ Moreover, the provenance is non-forgeable. We first verify builder identity: by Because the signing key in the certificate and the OIDC token are only accessible inside this workflow, we have high confidence that the provenance was generated inside the service and that no other process could have impersonated the trusted builder. The ephemeral signing key is generated inside the workflow and does not get written to logs or leave the process. Moreover, even if the signing key was compromised, any signatures generated after the lifetime of the certificate (10 min) would be invalid, unless the attacker could retrieve a valid GitHub provisioned OIDC token for the trusted builder. Thus, the signing key is protected by the TTL of the certificate and its ephemerality. Further improvements on the scope of the signing certificate are discussed [here](https://github.com/sigstore/fulcio/issues/475). -Non-falsifiability also requires user isolation: users cannot interfere with the process inside the trusted builder by the isolation of reusable workflows on GitHub-hosted runners (assuming trust in GitHub). The user-defined build process is also isolated from the provenance signing key by job isolation. +Non-forgeability also requires user isolation: users cannot interfere with the process inside the trusted builder by the isolation of reusable workflows on GitHub-hosted runners (assuming trust in GitHub). The user-defined build process is also isolated from the provenance signing key by job isolation. Note that we rely on GitHub hosted runners executing the defined code to trust that the provenance was correctly generated inside the builder and that no other process could impersonate the builder. @@ -215,7 +215,7 @@ Given an artifact and a signed provenance, we perform the following steps: 1. **Download the certificate from the Rekor log**: Search the Rekor log by artifact hash to find the entry containing the signed provenance and extract the signing certificate. (See Rekor Log RT in Verification Latency for how this could be skipped). -2. **Verify the signed provenance**: Verify the signature in the DSSE payload using the signing certificate, and the chain of the signing certificate up to the Fulcio root CA. This verifies non-falsifiability of the payload and establishes trust in the contents of the certificate. +2. **Verify the signed provenance**: Verify the signature in the DSSE payload using the signing certificate, and the chain of the signing certificate up to the Fulcio root CA. This verifies non-forgeability of the payload and establishes trust in the contents of the certificate. 3. **Extract the builder identity from the signing certificate**: Extract certificate information (see [here](https://github.com/sigstore/fulcio/blob/c74e2cfb763dd32def5dc921ff49f579fa262d96/docs/oid-info.md#136141572641--fulcio) for extension OIDs). Verify that the signing certificate’s subject name (job_workflow_ref) is the trusted builder ID at a trusted hash (repository SHA in the diagram below). This verifies authenticity of the provenance and guarantees the provenance was correctly populated. From c6ce50793d646331eabd28f36e3eb20be9676ac4 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 4 Apr 2022 20:31:18 +0000 Subject: [PATCH 2/3] updates --- .github/workflows/pre-submit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pre-submit.yml b/.github/workflows/pre-submit.yml index 9a25374..c4e7b23 100644 --- a/.github/workflows/pre-submit.yml +++ b/.github/workflows/pre-submit.yml @@ -4,7 +4,7 @@ on: [pull_request, workflow_dispatch] permissions: read-all jobs: - unit-tests: + pre-submits: runs-on: ubuntu-latest steps: - name: Checkout From e4ae39169008fe1085c8ee3fa2aa1c97fdb8f6be Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 6 Apr 2022 15:52:20 +0000 Subject: [PATCH 3/3] fix --- .github/workflows/pre-submit.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/pre-submit.yml b/.github/workflows/pre-submit.yml index c4e7b23..398a5de 100644 --- a/.github/workflows/pre-submit.yml +++ b/.github/workflows/pre-submit.yml @@ -4,24 +4,24 @@ on: [pull_request, workflow_dispatch] permissions: read-all jobs: - pre-submits: + pre-submit: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v2.3.4 - + - name: setup-go uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 with: go-version: '1.17' - + - name: Run tests for builder run: | set -euo pipefail - + # Download dependencies. go mod vendor # Build. go build -mod=vendor # Test. - go test -mod=vendor -v ./... \ No newline at end of file + go test -mod=vendor -v ./...