Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[bug] Provenance subject pkg:npm/hereby/hereby@1.8.3 does not match the package: pkg:npm/hereby@1.8.3 #2359

Closed
jakebailey opened this issue Jul 7, 2023 · 3 comments · Fixed by #2367
Closed

[bug] Provenance subject pkg:npm/hereby/hereby@1.8.3 does not match the package: pkg:npm/hereby@1.8.3 #2359

jakebailey opened this issue Jul 7, 2023 · 3 comments · Fixed by #2367
Labels
area:nodejs Issue related to the Node.js builder type:bug Something isn't working
Milestone
Node.js builder GA

Comments

@jakebailey
Copy link

Describe the bug

I just set up the nodejs builder to publish my package with provenance; I had to use the main version because the npm version used in the published workflow is too old and fails, but when I do get it running, it appears to fail because the subject and the package do not match.

To Reproduce
Steps to reproduce the behavior:

npm notice Publishing to https://registry.npmjs.org/ with tag latest and public access
npm verb stack Error: Provenance subject pkg:npm/hereby/hereby@1.8.3 does not match the package: pkg:npm/hereby@1.8.3
npm verb stack     at verifyProvenance (/tmp/tmp.FXPIVTdzY6/node_modules/npm/node_modules/libnpmpublish/lib/provenance.js:216:11)
npm verb stack     at async buildMetadata (/tmp/tmp.FXPIVTdzY6/node_modules/npm/node_modules/libnpmpublish/lib/publish.js:181:26)
npm verb stack     at async publish (/tmp/tmp.FXPIVTdzY6/node_modules/npm/node_modules/libnpmpublish/lib/publish.js:45:44)
npm verb stack     at async otplease (/tmp/tmp.FXPIVTdzY6/node_modules/npm/lib/utils/otplease.js:4:12)
npm verb stack     at async Publish.exec (/tmp/tmp.FXPIVTdzY6/node_modules/npm/lib/commands/publish.js:123:7)
npm verb stack     at async module.exports (/tmp/tmp.FXPIVTdzY6/node_modules/npm/lib/cli-entry.js:61:5)
npm verb cwd /home/runner/work/hereby/hereby
npm verb Linux 5.15.0-1041-azure
npm verb node v18.16.1
npm verb npm  v9.8.0
npm ERR! Provenance subject pkg:npm/hereby/hereby@1.8.3 does not match the package: pkg:npm/hereby@1.8.3
npm verb exit 1
npm verb code 1

https://github.com/jakebailey/hereby/actions/runs/5483129736/jobs/9989176122#step:3:399

Expected behavior

Publish succeeds.
@jakebailey jakebailey added status:triage Issue that has not been triaged type:bug Something isn't working labels Jul 7, 2023
@jakebailey
Copy link
Author

Indeed, the sigstore file does contain this:

{
  _type: 'https://in-toto.io/Statement/v0.1',
  subject: [ { name: 'pkg:npm/hereby/hereby@1.8.3', digest: [Object] } ],
  predicateType: 'https://slsa.dev/provenance/v0.2',
  predicate: {
    builder: {
      id: 'https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml@refs/tags/v1.7.0'
    },
    buildType: 'https://github.com/slsa-framework/slsa-github-generator/delegator-generic@v0',
    invocation: {
      configSource: [Object],
      parameters: [Object],
      environment: [Object]
    },
    metadata: { buildInvocationId: '5483129736-1', completeness: [Object] },
    materials: [ [Object] ]
  }
}

Must be somthing here that is thinking that my package is scoped:

slsa-github-generator/internal/builders/nodejs/generate-layout.sh

Line 26 in ffbc1e5

# pkg:npm/<scope>/<name>@<version>

@jakebailey
Copy link
Author

jakebailey commented Jul 7, 2023
edited
Loading

Yeah, this code doesn't quite work:

raw_package_scope=$(echo "${PACKAGE_NAME:-}" | cut -d'/' -f1)
raw_package_name=$(echo "${PACKAGE_NAME:-}" | cut -d'/' -f2)
if [ "${raw_package_name}" == "" ]; then
    raw_package_name="${raw_package_scope}"
    raw_package_scope=""
fi

When there's no /, both -f1 and -f2 give the entire string, meaning when PACKAGE_NAME=hereby, it ends up thinking my package is hereby/hereby.

@ianlewis ianlewis mentioned this issue Jul 10, 2023
Open
@ianlewis
Copy link
Member

Right. This was a mistake on my part. We need to handle packages without a scope properly. Should have used the -s flag...

@ianlewis ianlewis added area:nodejs Issue related to the Node.js builder and removed status:triage Issue that has not been triaged labels Jul 10, 2023
@ianlewis ianlewis added this to the Node.js builder GA milestone Jul 10, 2023
@ianlewis ianlewis mentioned this issue Jul 10, 2023
Merged
laurentsimon pushed a commit that referenced this issue Jul 10, 2023
fix: non-scoped package handling (#2367)
391661a 
Fixes #2359 

Fixes parsing of npm package names when non-scoped.

Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis ianlewis mentioned this issue Jul 11, 2023
Closed
enteraga6 pushed a commit to enteraga6/slsa-github-generator that referenced this issue Jul 18, 2023
@enteraga6
fix: non-scoped package handling (slsa-framework#2367)
3b2bc03 
Fixes slsa-framework#2359

Fixes parsing of npm package names when non-scoped.

Signed-off-by: Ian Lewis <ianlewis@google.com>
Signed-off-by: Noah Elzner <elzner@google.com>
@ianlewis ianlewis mentioned this issue Aug 4, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area:nodejs Issue related to the Node.js builder type:bug Something isn't working
Projects
None yet
Milestone
Node.js builder GA
Development

Successfully merging a pull request may close this issue.

fix: non-scoped package handling ianlewis/slsa-github-generator
2 participants
@ianlewis @jakebailey