Rename attestation-name (#777)

* Refactor attest command

Signed-off-by: Ian Lewis <ianlewis@google.com>

* Add testutil package

Signed-off-by: Ian Lewis <ianlewis@google.com>

* Set default provenance name and add tests

Signed-off-by: Ian Lewis <ianlewis@google.com>

* Update workflows to use updated builder

Signed-off-by: Ian Lewis <ianlewis@google.com>

* Update doc for generic generator.

Signed-off-by: Ian Lewis <ianlewis@google.com>

* Fix linter issues

Signed-off-by: Ian Lewis <ianlewis@google.com>

* Use new output name

Signed-off-by: Ian Lewis <ianlewis@google.com>

* Add generate command unit tests

Signed-off-by: Ian Lewis <ianlewis@google.com>

* Fix deprecation warning.

Signed-off-by: Ian Lewis <ianlewis@google.com>

* write newlines

Signed-off-by: Ian Lewis <ianlewis@google.com>

* Add debug

Signed-off-by: Ian Lewis <ianlewis@google.com>

* Fix provenance outputs

Signed-off-by: Ian Lewis <ianlewis@google.com>

* Add comment on untrusted inputs

Signed-off-by: Ian Lewis <ianlewis@google.com>

* Add test for dir traversal

Signed-off-by: Ian Lewis <ianlewis@google.com>

Signed-off-by: Ian Lewis <ianlewis@google.com>

.github/workflows/generator_container_slsa3.yml

@@ -126,7 +126,7 @@ jobs:
 
           # Generate a predicate only.
           predicate_name="predicate.json"
-          ./"$BUILDER_BINARY" attest --signature="" --predicate="$predicate_name"
+          ./"$BUILDER_BINARY" generate --predicate="$predicate_name"
 
           COSIGN_EXPERIMENTAL=1 cosign attest --predicate="$predicate_name" \
             --type slsaprovenance \

.github/workflows/generator_generic_slsa3.yml

@@ -35,14 +35,13 @@ on:
         type: boolean
         default: false
       attestation-name:
-        description: >
-          The artifact name of the signed provenance.
-          The file must have the intoto.jsonl extension.
-
-          Default: attestation.intoto.jsonl
+        description: "The artifact name of the signed provenance. The file must have the intoto.jsonl extension. Defaults to <filename>.intoto.jsonl for single artifact or multiple.intoto.jsonl for multiple artifacts. DEPRECATED: Use provenance-name instead."
+        required: false
+        type: string
+      provenance-name:
+        description: The artifact name of the signed provenance. The file must have the intoto.jsonl extension. Defaults to <filename>.intoto.jsonl for single artifact or multiple.intoto.jsonl for multiple artifacts.
         required: false
         type: string
-        default: "attestation.intoto.jsonl"
       compile-generator:
         description: "Build the generator from source. This increases build time by ~2m."
         required: false
@@ -53,8 +52,11 @@ on:
         description: "The name of the release where provenance was uploaded."
         value: ${{ jobs.create-release.outputs.release-id }}
       attestation-name:
+        description: "DEPRECATED: use the provenance-name output instead."
+        value: ${{ jobs.generator.outputs.provenance-name }}
+      provenance-name:
         description: "The artifact name of the signed provenance. (A file with the intoto.jsonl extension)."
-        value: "${{ inputs.attestation-name }}"
+        value: ${{ jobs.generator.outputs.provenance-name }}
 
 jobs:
   # detect-env detects the reusable workflow's repository and ref for use later
@@ -82,7 +84,8 @@ jobs:
   # reference.
   generator:
     outputs:
-      attestation-sha256: ${{ steps.sign-prov.outputs.attestation-sha256 }}
+      provenance-sha256: ${{ steps.sign-prov.outputs.provenance-sha256 }}
+      provenance-name: ${{ steps.sign-prov.outputs.provenance-name }}
     runs-on: ubuntu-latest
     needs: [detect-env]
     permissions:
@@ -109,30 +112,36 @@ jobs:
         # order to avoid script injection.
         # See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
         env:
-          SUBJECTS: "${{ inputs.base64-subjects }}"
           GITHUB_CONTEXT: "${{ toJSON(github) }}"
-          UNTRUSTED_ATTESTATION_NAME: "${{ inputs.attestation-name }}"
+          UNTRUSTED_SUBJECTS: "${{ inputs.base64-subjects }}"
+          UNTRUSTED_PROVENANCE_NAME: "${{ inputs.provenance-name }}"
+          UNTRUSTED_DEPRECATED_ATTESTATION_NAME: "${{ inputs.attestation-name }}"
         run: |
           set -euo pipefail
-          # NOTE: The generator binary allows the attestation to be "" in which
-          # case it does not sign or generate provenance. However, this workflow
-          # requires it to be non-empty so we validate it here.
-          if [ "$UNTRUSTED_ATTESTATION_NAME" == "" ]; then
-            echo "attestation-name cannot be empty."
-            exit 5
+          untrusted_provenance_name=""
+          if [ "$UNTRUSTED_PROVENANCE_NAME" != "" ]; then
+            untrusted_provenance_name="$UNTRUSTED_PROVENANCE_NAME"
+          else
+            if [ "$UNTRUSTED_DEPRECATED_ATTESTATION_NAME" != "" ]; then
+              echo "WARNING: deprecated attestation-name was used. Use provenance-name instead."
+              untrusted_provenance_name="$UNTRUSTED_DEPRECATED_ATTESTATION_NAME"
+            fi
           fi
           # Create and sign provenance.
-          # Note: The builder verifies that the UNTRUSTED_ATTESTATION_NAME is located
+          # NOTE: The builder verifies that the provenance path is located
           # in the current directory.
-          ./"$BUILDER_BINARY" attest --subjects "${SUBJECTS}" -g "$UNTRUSTED_ATTESTATION_NAME"
-          attestation_sha256=$(sha256sum "$UNTRUSTED_ATTESTATION_NAME" | awk '{print $1}')
-          echo "::set-output name=attestation-sha256::$attestation_sha256"
+          # NOTE: $untrusted_provenance_path may be empty. In this case the
+          # attest command chooses a file name based on the subject name and
+          # number of subjects based on in-toto attestation bundle file naming conventions.
+          # See: https://github.com/in-toto/attestation/blob/main/spec/bundle.md#file-naming-convention
+          # NOTE: The attest commmand outputs the provenance-name and provenance-sha256
+          ./"$BUILDER_BINARY" attest --subjects "${UNTRUSTED_SUBJECTS}" -g "$untrusted_provenance_name"
 
       - name: Upload the signed provenance
         uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
         with:
-          name: "${{ inputs.attestation-name }}"
-          path: "${{ inputs.attestation-name }}"
+          name: "${{ steps.sign-prov.outputs.provenance-name }}"
+          path: "${{ steps.sign-prov.outputs.provenance-name }}"
           if-no-files-found: error
           retention-days: 5
 
@@ -150,13 +159,13 @@ jobs:
       - name: Download the provenance
         uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@07d42a79c8531365637e425fac6a95bf0f5dc29e
         with:
-          name: "${{ inputs.attestation-name }}"
-          path: "${{ inputs.attestation-name }}"
-          sha256: "${{ needs.generator.outputs.attestation-sha256 }}"
+          name: "${{ needs.generator.outputs.provenance-name }}"
+          path: "${{ needs.generator.outputs.provenance-name }}"
+          sha256: "${{ needs.generator.outputs.provenance-sha256 }}"
 
       - name: Release
         uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # tag=v0.1.14
         id: release
         with:
           files: |
-            ${{ inputs.attestation-name }}
+            ${{ needs.generator.outputs.provenance-name }}

.github/workflows/pre-submit.e2e.generic.default.yml

@@ -34,8 +34,8 @@ jobs:
       - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
       - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v3.0.0
         with:
-          name: ${{ needs.build.outputs.attestation-name }}
+          name: ${{ needs.build.outputs.provenance-name }}
       - env:
           BINARY: "binary-name"
-          PROVENANCE: ${{ needs.build.outputs.attestation-name }}
+          PROVENANCE: ${{ needs.build.outputs.provenance-name }}
         run: ./.github/workflows/scripts/pre-submit.e2e.generic.default.sh

internal/builders/generic/README.md

@@ -135,8 +135,6 @@ jobs:
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
     with:
       base64-subjects: "${{ needs.build.outputs.hashes }}"
-      # Set a custom name for the provenance attestation.
-      attestation-name: "artifacts.intoto.jsonl"
       # Upload provenance to a new release
       upload-assets: true
 
@@ -183,19 +181,21 @@ issue](https://github.com/slsa-framework/slsa-github-generator/issues/new/choose
 
 The [generic workflow](https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_generic_slsa3.yml) accepts the following inputs:
 
-| Name               | Required | Default                    | Description                                                                                                                                                                                                                                                      |
-| ------------------ | -------- | -------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `base64-subjects`  | yes      |                            | Artifact(s) for which to generate provenance, formatted the same as the output of sha256sum (SHA256 NAME\n[...]) and base64 encoded. The encoded value should decode to, for example: `90f3f7d6c862883ab9d856563a81ea6466eb1123b55bff11198b4ed0030cac86 foo.zip` |
-| `upload-assets`    | no       | false                      | If true provenance is uploaded to a GitHub release for new tags.                                                                                                                                                                                                 |
-| `attestation-name` | no       | "attestation.intoto.jsonl" | The artifact name of the signed provenance. The file must have the `intoto.jsonl` extension.                                                                                                                                                                     |
+| Name               | Required | Default                                                                                         | Description                                                                                                                                                                                                                                                      |
+| ------------------ | -------- | ----------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `base64-subjects`  | yes      |                                                                                                 | Artifact(s) for which to generate provenance, formatted the same as the output of sha256sum (SHA256 NAME\n[...]) and base64 encoded. The encoded value should decode to, for example: `90f3f7d6c862883ab9d856563a81ea6466eb1123b55bff11198b4ed0030cac86 foo.zip` |
+| `upload-assets`    | no       | false                                                                                           | If true provenance is uploaded to a GitHub release for new tags.                                                                                                                                                                                                 |
+| `provenance-name`  | no       | "(subject name).intoto.jsonl" if a single subject. "multiple.intoto.json" if multiple subjects. | The artifact name of the signed provenance. The file must have the `intoto.jsonl` extension.                                                                                                                                                                     |
+| `attestation-name` | no       | "(subject name).intoto.jsonl" if a single subject. "multiple.intoto.json" if multiple subjects. | The artifact name of the signed provenance. The file must have the `intoto.jsonl` extension. DEPRECATED: use `provenance-name` instead.                                                                                                                          |
 
 ### Workflow Outputs
 
 The [generic workflow](https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_generic_slsa3.yml) produces the following outputs:
 
-| Name               | Description                                |
-| ------------------ | ------------------------------------------ |
-| `attestation-name` | The artifact name of the signed provenance |
+| Name               | Description                                                                            |
+| ------------------ | -------------------------------------------------------------------------------------- |
+| `provenance-name`  | The artifact name of the signed provenance.                                            |
+| `attestation-name` | The artifact name of the signed provenance. DEPRECATED: use `provenance-name` instead. |
 
 ### Provenance Format