diff --git a/verifiers/internal/gha/provenance_test.go b/verifiers/internal/gha/provenance_test.go
index eb0c4e7c2..75b6f1edb 100644
--- a/verifiers/internal/gha/provenance_test.go
+++ b/verifiers/internal/gha/provenance_test.go
@@ -305,6 +305,23 @@ func Test_verifySourceURI(t *testing.T) {
 expectedSourceURI: "https://github.com/some/repo",
 err: serrors.ErrorInvalidDssePayload,
 },
+ {
+ name: "match source no git no material ref (npm) v2 buildType",
+ provBuildType: common.NpmCLIBuildTypeV2,
+ provTriggerURI: "git+https://github.com/some/repo@v1.2.3",
+ provMaterialsURI: "git+https://github.com/some/repo",
+ expectedSourceURI: "https://github.com/some/repo",
+ // NOTE: Unlike for v1, we expect the URIs in material and trigger to match.
+ err: serrors.ErrorMalformedURI,
+ },
+ {
+ name: "mismatch source material ref (npm) v2 builtType",
+ provBuildType: common.NpmCLIBuildTypeV2,
+ provTriggerURI: "git+https://github.com/some/repo@v1.2.3",
+ provMaterialsURI: "git+https://github.com/some/repo@v1.2.4",
+ expectedSourceURI: "https://github.com/some/repo",
+ err: serrors.ErrorInvalidDssePayload,
+ },
 {
 name: "match source no git no material ref (byob)",
 provBuildType: common.BYOBBuildTypeV0,
diff --git a/verifiers/internal/gha/slsaprovenance/common/buildtypes.go b/verifiers/internal/gha/slsaprovenance/common/buildtypes.go
index 2ecf8f823..5efa39e9e 100644
--- a/verifiers/internal/gha/slsaprovenance/common/buildtypes.go
+++ b/verifiers/internal/gha/slsaprovenance/common/buildtypes.go
@@ -18,6 +18,9 @@ var (
 // NpmCLIBuildTypeV1 is the buildType for provenance generated by the npm cli.
 NpmCLIBuildTypeV1 = "https://github.com/npm/cli/gha@v1"
+
+ // NpmCLIBuildTypeV2 is the buildType for provenance generated by the npm cli.
+ NpmCLIBuildTypeV2 = "https://github.com/npm/cli/gha/v2"
 )
 // Legacy buildTypes.
diff --git a/verifiers/internal/gha/slsaprovenance/v0.2/provenance.go b/verifiers/internal/gha/slsaprovenance/v0.2/provenance.go
index c854ade1c..0a98c78d4
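Review bot: The first added case is named `match source no git no material ref (npm) v2 buildType` yet asserts `serrors.ErrorMalformedURI`, so the name says the opposite of what the case checks, and the second case misspells the type as `builtType`; rename them to `no material ref (npm) v2 buildType is rejected` and `mismatch source material ref (npm) v2 buildType`. The NOTE above `err:` talks about trigger and material URIs matching, but this case has no material ref at all and gets ErrorMalformedURI rather than the ErrorInvalidDssePayload the real mismatch case gets, so it would read better as `// NOTE: Unlike for v1, a v2 material URI must carry a ref, and that ref must match the trigger ref.`. Both new cases are negative; there is no case where the v2 trigger and material refs agree, so nothing here shows that a well-formed v2 npm provenance passes verifySourceURI instead of being rejected on every path — a case with `provMaterialsURI: "git+https://github.com/some/repo@v1.2.3"` and whatever value the table uses for success would close that gap. Nothing in this commit changes verifySourceURI itself, so the stricter v2 handling presumably comes from existing code keyed on the exact buildType string; worth confirming before relying on these expectations. The table in Test_verifySourceURI starts and ends outside this hunk.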
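Review bot: The doc comment on `NpmCLIBuildTypeV2` is a verbatim copy of the V1 comment and says nothing about how v2 differs, nor that the identifier changes shape from `gha@v1` to `gha/v2`; because these strings are exact-match keys into buildTypeMap, a wrong value here would not error out but would silently make every v2 provenance unverifiable. I would write `// NpmCLIBuildTypeV2 is the buildType emitted by the npm cli for its v2 provenance. Unlike V1 it uses a "/v2" path segment; it must match the string npm emits byte-for-byte, since buildType lookup is an exact comparison.` (what v2 actually changes in the provenance is not visible here, so take that from the npm side). These identifiers sit in a `var` block; if nothing assigns to them at runtime, making the buildType strings `const` would stop a test or caller from mutating what is effectively an allowlist key. The `var (` block starts outside this hunk.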
--- a/verifiers/internal/gha/slsaprovenance/v0.2/provenance.go
+++ b/verifiers/internal/gha/slsaprovenance/v0.2/provenance.go
@@ -40,8 +40,15 @@ var buildTypeMap = map[string]map[string]provFunc{
 common.GenericGeneratorBuilderID: {common.GenericGeneratorBuildTypeV1: newLegacyBuilderProvenance},
 common.ContainerGeneratorBuilderID: {common.ContainerGeneratorBuildTypeV1: newLegacyBuilderProvenance},
- common.NpmCLILegacyBuilderID: {common.NpmCLIBuildTypeV1: newLegacyBuilderProvenance},
- common.NpmCLIHostedBuilderID: {common.NpmCLIBuildTypeV1: newLegacyBuilderProvenance},
+ common.NpmCLILegacyBuilderID: {
+ common.NpmCLIBuildTypeV1: newLegacyBuilderProvenance,
+ common.NpmCLIBuildTypeV2: newLegacyBuilderProvenance,
+ },
+
+ common.NpmCLIHostedBuilderID: {
+ common.NpmCLIBuildTypeV1: newLegacyBuilderProvenance,
+ common.NpmCLIBuildTypeV2: newLegacyBuilderProvenance,
+ },
 // NOTE: we don't support Npm CLI on self-hosted.
 }
diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go
index d8168be4e..4068c5fd7 100644
--- a/verifiers/internal/gha/verifier.go
+++ b/verifiers/internal/gha/verifier.go
@@ -71,7 +71,6 @@ func verifyEnvAndCert(env *dsse.Envelope,
 // There is a corner-case to handle: if the verified builder ID from the cert
 // is a delegator builder, the user MUST provide an expected builder ID
 // and we MUST match it against the content of the provenance.
-
 if err := VerifyProvenance(env, provenanceOpts, verifiedBuilderID, byob, builderOpts.ExpectedID); err != nil {
 return nil, nil, err
 }
@@ -259,7 +258,6 @@ func (v *GHAVerifier) VerifyImage(ctx context.Context,
 RekorPubKeys: trustedRoot.RekorPubKeys,
 CTLogPubKeys: trustedRoot.CTPubKeys,
 }
-
 atts, _, err := container.RunCosignImageVerification(ctx, artifactImage, opts)
 if err != nil {
diff --git a/verifiers/verifier.go b/verifiers/verifier.go
index f131e89e3..745523d09 100644
--- a/verifiers/verifier.go
+++ b/verifiers/verifier.go
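Review bot: The new `common.NpmCLIBuildTypeV2: newLegacyBuilderProvenance` entries carry no comment, so a reader cannot tell that routing v2 through the same parser as v1 is deliberate rather than a copy-paste of the v1 line, especially since this commit's test hunk expects v2 source URIs to be checked more strictly than v1. A comment on the entry such as `// v2 reuses the v0.2 parser; the stricter v2 source-URI rules are applied by buildType elsewhere, not by the parser.` would record that (where that enforcement lives is not visible in this diff, so confirm it before writing it down). The legacy and hosted npm builder IDs now each spell out the same two-entry inner map, and because this map is the allowlist of accepted (builderID, buildType) pairs, the two copies should not be able to drift apart on the next addition; defining the inner map once and referencing it from both keys removes that risk. buildTypeMap starts outside this hunk.
```go
// npmCLIBuildTypes is the set of buildTypes accepted from either npm cli builder ID.
// Defined once so the legacy and hosted entries cannot drift apart.
var npmCLIBuildTypes = map[string]provFunc{
	common.NpmCLIBuildTypeV1: newLegacyBuilderProvenance,
	common.NpmCLIBuildTypeV2: newLegacyBuilderProvenance, // v2 reuses the v0.2 parser
}
// … unchanged: buildTypeMap header and the generator/container entries …
	common.NpmCLILegacyBuilderID: npmCLIBuildTypes,
	common.NpmCLIHostedBuilderID: npmCLIBuildTypes,
// … unchanged: self-hosted NOTE and the rest of the map …
```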
@@ -44,7 +44,6 @@ func VerifyImage(ctx context.Context, artifactImage string,
 if err != nil {
 return nil, nil, err
 }
-
 return verifier.VerifyImage(ctx, provenance, artifactImage, provenanceOpts, builderOpts)
 }