From 80d23b4ac471a8837be978f50168d24ac69ac0bc Mon Sep 17 00:00:00 2001
From: AdamKorcz
Date: Thu, 3 Aug 2023 11:06:21 +0100
Subject: [PATCH 01/12] add verification
Signed-off-by: AdamKorcz
---
 .../e2e.maven.push.main.default.slsa3.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
index 36dadfee0b..f0fcb14cbf 100644
--- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml
+++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
@@ -21,3 +21,18 @@ jobs:
 contents: read # For repo checkout of private repos.
 actions: read # For getting workflow run on private repos.
 uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@main
+ verify:
+ runs-on: ubuntu-latest
+ needs: [build]
+ steps:
+ - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@v1.8.0-rc.2
+ with:
+ name: "${{ needs.build.outputs.provenance-download-name }}"
+ sha256: "${{ needs.build.outputs.provenance-download-sha256 }}"
+ path: slsa-attestations
+ - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@v1.8.0-rc.2
+ with:
+ name: target
+ sha256: "${{ inputs.target-download-sha256 }}"
+ path: ./
From 6d78b492a8bb910f70458fa29ea1aa264d75daf7 Mon Sep 17 00:00:00 2001
From: AdamKorcz
Date: Thu, 3 Aug 2023 11:20:21 +0100
Subject: [PATCH 02/12] rb
---
 .github/workflows/e2e.maven.push.main.default.slsa3.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
index f0fcb14cbf..05cc41e0a2 100644
--- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml
+++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
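Review bot: The second secure-download-folder step takes its expected hash from `${{ inputs.target-download-sha256 }}`, while the step just above reads `needs.build.outputs.*`; this workflow is push-triggered and no `workflow_call`/`workflow_dispatch` inputs are visible, so that expression expands to an empty string and the hash comparison the action exists for has nothing to check against. The builder's output is the trustworthy source, since it is produced inside the reusable `builder_maven_slsa3.yml` workflow run by the `build` job: `sha256: "${{ needs.build.outputs.target-download-sha256 }}"`. A one-line comment above the two download steps saying that both hashes come from the builder job, not from anything user-controllable, would keep a later edit from swapping in an input.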
@@ -15,7 +15,7 @@ jobs:
 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 - run: mv e2e/maven/pom.xml ./ && mv e2e/maven/src ./
 build:
- runs-on: ubuntu-latest
+ #runs-on: ubuntu-latest
 permissions:
 id-token: write # For signing.
 contents: read # For repo checkout of private repos.
From 84e4198d16fd48b6714fdddbd87a9fa534153781 Mon Sep 17 00:00:00 2001
From: AdamKorcz
Date: Thu, 3 Aug 2023 11:23:16 +0100
Subject: [PATCH 03/12] rb
---
 .github/workflows/e2e.maven.push.main.default.slsa3.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
index 05cc41e0a2..c580396ae9 100644
--- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml
+++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
@@ -13,7 +13,7 @@ jobs:
 contents: write
 steps:
 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- - run: mv e2e/maven/pom.xml ./ && mv e2e/maven/src ./
+ - run: mv e2e/maven/pom.xml ./ && cp -r e2e/maven/src ./ && rm -r e2e/maven/src
 build:
 #runs-on: ubuntu-latest
 permissions:
From df5eca035367050129f551e5157a9f2cb6acbdf2 Mon Sep 17 00:00:00 2001
From: AdamKorcz
Date: Thu, 3 Aug 2023 11:31:52 +0100
Subject: [PATCH 04/12] rb
---
 .github/workflows/e2e.maven.push.main.default.slsa3.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
index c580396ae9..7ea5d6c19b 100644
--- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml
+++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
@@ -34,5 +34,5 @@ jobs:
 - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@v1.8.0-rc.2
 with:
 name: target
- sha256: "${{ inputs.target-download-sha256 }}"
+ sha256: "${{ needs.build.outputs.target-download-sha256 }}"
 path: ./
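Review bot: Commenting out `runs-on:` rather than deleting it leaves dead configuration in the `build` job; a job that calls a reusable workflow via `uses:` cannot carry `runs-on`, so the line can never be re-enabled as written. Drop `#runs-on: ubuntu-latest`, or replace it with a comment recording the reason, e.g. `# no runs-on: the reusable builder workflow selects its own runner`. The rest of the `build` job continues outside this hunk.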
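Review bot: `mv e2e/maven/src ./` is replaced by `cp -r e2e/maven/src ./ && rm -r e2e/maven/src` without any note on why the move was failing, and the commit subject (`rb`) does not say either; if a `./src` already exists in the checkout both forms nest the tree as `./src/src`, so the change only helps if something else was wrong. Please record the reason inline, e.g. `# cp+rm instead of mv: <reason>`, so the next person does not revert it. Be aware that the copy is not byte-equivalent to a move (timestamps are not preserved without `-p`), which may matter if the builder's hashing or the provenance subject is sensitive to the source tree — worth confirming the built jar is unchanged.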
From b3142514e7d5415badd4c5dcb78a078de8c2c855 Mon Sep 17 00:00:00 2001
From: AdamKorcz
Date: Thu, 3 Aug 2023 11:54:26 +0100
Subject: [PATCH 05/12] rb
---
 .../e2e.maven.push.main.default.slsa3.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
index 7ea5d6c19b..df971e7b1c 100644
--- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml
+++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
@@ -36,3 +36,18 @@ jobs:
 name: target
 sha256: "${{ needs.build.outputs.target-download-sha256 }}"
 path: ./
+ - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+ with:
+ go-version: "1.18"
+ - env:
+ # NOTE: We move the artifact because the verification script
+ # check that the subject name matches the filename.
+ ARTIFACT: "${{ needs.build.outputs.artifact }}"
+ run: |
+ mv "artifacts/${ARTIFACT}" .
+ - env:
+ BINARY: "${{ needs.build.outputs.artifact }}"
+ PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/${{ needs.build.outputs.artifact }}.build.slsa" # This is defined by the builder.
+ BUILDER_ID: "https://github.com/slsa-framework/example-trw/.github/workflows/builder_example_slsa3.yml"
+ BUILDER_TAG: "v2.0.0"
+ run: ./.github/workflows/scripts/e2e.delegator.default.verify.sh
From 412cb377acc0721abe42d70dd397dd8bde1538e1 Mon Sep 17 00:00:00 2001
From: AdamKorcz
Date: Thu, 3 Aug 2023 12:01:24 +0100
Subject: [PATCH 06/12] rb
---
 .github/workflows/e2e.maven.push.main.default.slsa3.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
index df971e7b1c..fc3f5396a7 100644
--- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml
+++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
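Review bot: `BUILDER_ID` names `slsa-framework/example-trw/.github/workflows/builder_example_slsa3.yml` with `BUILDER_TAG: "v2.0.0"`, but the provenance under test was produced by `slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@main` (the `build` job's `uses:` in the first patch). If `e2e.delegator.default.verify.sh` forwards these to the verifier's builder-id check the run should fail; if it does not, the test passes without ever binding the provenance to the Maven builder, which is the property this e2e is supposed to prove — I cannot see the script from here, so which of the two happens needs confirming. Set `BUILDER_ID: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml"` with a tag matching what the build job used, and consider whether the delegator test's script is the right one for a Maven-builder verification at all.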
@@ -43,11 +43,11 @@ jobs:
 # NOTE: We move the artifact because the verification script
 # check that the subject name matches the filename.
 ARTIFACT: "${{ needs.build.outputs.artifact }}"
- run: |
- mv "artifacts/${ARTIFACT}" .
+ #run: |
+ # mv "artifacts/${ARTIFACT}" .
 - env:
 BINARY: "${{ needs.build.outputs.artifact }}"
- PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/${{ needs.build.outputs.artifact }}.build.slsa" # This is defined by the builder.
+ PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/test-java-project-0.1.19.jar.build.slsa"
 BUILDER_ID: "https://github.com/slsa-framework/example-trw/.github/workflows/builder_example_slsa3.yml"
 BUILDER_TAG: "v2.0.0"
 run: ./.github/workflows/scripts/e2e.delegator.default.verify.sh
From bf23b745a73511a796bc5b962b799e077d440330 Mon Sep 17 00:00:00 2001
From: AdamKorcz
Date: Thu, 3 Aug 2023 12:03:53 +0100
Subject: [PATCH 07/12] rb
---
 .../workflows/e2e.maven.push.main.default.slsa3.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
index fc3f5396a7..5b44a58109 100644
--- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml
+++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
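Review bot: The provenance path now ends in the literal `test-java-project-0.1.19.jar.build.slsa` instead of `${{ needs.build.outputs.artifact }}.build.slsa`, so the verify job stops checking that the builder's `artifact` output names the subject it attested; a regression in that output would no longer be caught. If the output is unreliable at this stage, keep the literal but add a step that asserts the two agree, e.g. `env: ARTIFACT: "${{ needs.build.outputs.artifact }}"` with `run: '[[ "$ARTIFACT" == "test-java-project-0.1.19.jar" ]]'` (passing the value through `env` rather than interpolating it into the script). Define the jar name once, e.g. `JAR_NAME: test-java-project-0.1.19.jar` in the step's `env:`, and build `PROVENANCE` from it, rather than repeating the version string in several places where it will drift from `e2e/maven/pom.xml`.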
@@ -39,12 +39,12 @@ jobs:
 - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
 with:
 go-version: "1.18"
- - env:
- # NOTE: We move the artifact because the verification script
- # check that the subject name matches the filename.
- ARTIFACT: "${{ needs.build.outputs.artifact }}"
- #run: |
- # mv "artifacts/${ARTIFACT}" .
+# - env:
+# # NOTE: We move the artifact because the verification script
+# # check that the subject name matches the filename.
+# ARTIFACT: "${{ needs.build.outputs.artifact }}"
+# run: |
+# mv "artifacts/${ARTIFACT}" .
 - env:
 BINARY: "${{ needs.build.outputs.artifact }}"
 PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/test-java-project-0.1.19.jar.build.slsa"
From 6ad6e2f148fa9584a87dc8e164e1819c16b2200c Mon Sep 17 00:00:00 2001
From: AdamKorcz
Date: Thu, 3 Aug 2023 12:30:52 +0100
Subject: [PATCH 08/12] rb
---
 .github/workflows/e2e.maven.push.main.default.slsa3.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
index 5b44a58109..eac945a8bb 100644
--- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml
+++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
@@ -6,6 +6,9 @@ on:
 permissions: read-all
+env:
+ GH_TOKEN: ${{ github.token }}
+
 jobs:
 bootstrap:
 runs-on: ubuntu-latest
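Review bot: `GH_TOKEN: ${{ github.token }}` is set at workflow level, which hands the token to every step of every job in this file rather than to the single verify step that presumably needs it for `gh`/API calls; with `permissions: read-all` it is read-only, but it still lands in the environment of steps that run checked-out scripts and third-party actions. Move it into the `env:` block of the step that runs `e2e.delegator.default.verify.sh`, next to `BINARY`/`PROVENANCE`, so exposure matches need, and annotate it once the consumer is confirmed: `GH_TOKEN: ${{ github.token }} # used by the verifier script to query releases`. Note that a caller's workflow-level `env` is not propagated into a reusable workflow, so if the intent was to supply a token to the `build` job's builder this does not achieve it.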
@@ -340,6 +340,11 @@ verify_provenance_authenticity() {
 if [[ "$tag" == "HEAD" ]] || version_ge "$tag" "v1.3"; then
 echo " **** Default parameters (annotated tags) *****"
+ echo "1: ${artifactAndbuilderMinArgs[@]}"
+ echo "2: ${provenanceArg[@]}"
+ echo "3: ${packageArg[@]}"
+ echo "4: ${sourceArg[@]}"
+ echo "5: github.com/$GITHUB_REPOSITORY"
 $verifierCmd "${artifactAndbuilderMinArgs[@]}" "${provenanceArg[@]}" "${packageArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
 e2e_assert_eq "$?" "0" "not main default parameters (annotated_tags)"
 elif [[ -z "$annotated_tags" ]]; then
diff --git a/.github/workflows/scripts/e2e.delegator.default.verify.sh b/.github/workflows/scripts/e2e.delegator.default.verify.sh
index e88ff0ea61..d156f7ea21 100755
--- a/.github/workflows/scripts/e2e.delegator.default.verify.sh
+++ b/.github/workflows/scripts/e2e.delegator.default.verify.sh
@@ -39,6 +39,9 @@ echo "DEBUG: file is $THIS_FILE"
 export SLSA_VERIFIER_TESTING="true"
+echo "finding..................."
+find . -name *.build.slsa
+
 # Verify provenance authenticity.
 # TODO(233): Update to v1.8.0 tag.
 e2e_run_verifier_all_releases "HEAD"
From d663cb2f14ae27151f4766dfe7fa8a138f8e4e02 Mon Sep 17 00:00:00 2001
From: AdamKorcz
Date: Thu, 3 Aug 2023 13:14:16 +0100
Subject: [PATCH 10/12] rb
---
 .github/workflows/e2e.maven.push.main.default.slsa3.yml | 2 +-
 .github/workflows/scripts/e2e.delegator.default.verify.sh | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
index eac945a8bb..37274141be 100644
--- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml
+++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
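Review bot: The five `echo "N: ..."` lines go into `verify_provenance_authenticity` in the shared `e2e-verify.common.sh`, so every e2e workflow that sources it now prints the verifier's argument arrays on each run; together with the `rb` subject this reads as in-progress debugging that should be removed, or at least gated, e.g. `[[ -n "${E2E_DEBUG:-}" ]] && echo "1: ${artifactAndbuilderMinArgs[*]}"`, before merge. In the delegator script, `find . -name *.build.slsa` leaves the pattern unquoted, so if a matching file ever exists in the working directory the shell expands it before `find` runs and the search silently changes (or errors on multiple matches); write `find . -name "*.build.slsa"`. `verify_provenance_authenticity` begins before this hunk and the delegator script continues after it.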
@@ -50,7 +50,7 @@ jobs:
 # mv "artifacts/${ARTIFACT}" .
 - env:
 BINARY: "${{ needs.build.outputs.artifact }}"
- PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/test-java-project-0.1.19.jar.build.slsa"
+ PROVENANCE: "slsa-attestations/${{ needs.build.outputs.provenance-download-name }}/test-java-project-0.1.19.jar.build.slsa"
 BUILDER_ID: "https://github.com/slsa-framework/example-trw/.github/workflows/builder_example_slsa3.yml"
 BUILDER_TAG: "v2.0.0"
 run: ./.github/workflows/scripts/e2e.delegator.default.verify.sh
diff --git a/.github/workflows/scripts/e2e.delegator.default.verify.sh b/.github/workflows/scripts/e2e.delegator.default.verify.sh
index d156f7ea21..485d0d492d 100755
--- a/.github/workflows/scripts/e2e.delegator.default.verify.sh
+++ b/.github/workflows/scripts/e2e.delegator.default.verify.sh
@@ -41,6 +41,7 @@ export SLSA_VERIFIER_TESTING="true"
 echo "finding..................."
 find . -name *.build.slsa
+find . -name "*.jar"
 # Verify provenance authenticity.
 # TODO(233): Update to v1.8.0 tag.
From ca4c370f0d9e51fa554bcb38fa79c6f543b1d725 Mon Sep 17 00:00:00 2001
From: AdamKorcz
Date: Thu, 3 Aug 2023 13:24:47 +0100
Subject: [PATCH 11/12] rb
---
 .github/workflows/e2e.maven.push.main.default.slsa3.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
index 37274141be..9db29c521a 100644
--- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml
+++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
@@ -49,7 +49,7 @@ jobs:
 # run: |
 # mv "artifacts/${ARTIFACT}" .
 - env:
- BINARY: "${{ needs.build.outputs.artifact }}"
+ BINARY: ./target/test-java-project-0.1.19.jar
 PROVENANCE: "slsa-attestations/${{ needs.build.outputs.provenance-download-name }}/test-java-project-0.1.19.jar.build.slsa"
 BUILDER_ID: "https://github.com/slsa-framework/example-trw/.github/workflows/builder_example_slsa3.yml"
 BUILDER_TAG: "v2.0.0"
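Review bot: With `BINARY: ./target/test-java-project-0.1.19.jar` the verify step no longer reads `needs.build.outputs.artifact` anywhere, so the Maven builder's `artifact` output is emitted but never exercised by this e2e, and a wrong value in it would pass unnoticed; if that output is part of the builder's interface, add a check that it equals the literal jar name (via a step `env:` variable, not interpolated into the script). The filename is now spelled out in both `BINARY` and `PROVENANCE`; one `JAR_NAME` entry in the step's `env:` that both derive from would keep them from drifting. In the script hunk, the new `find . -name "*.jar"` is quoted but the `find . -name *.build.slsa` directly above it is not, and the `echo "finding..."`/`find` block looks like leftover debugging in a script other delegator tests share.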
From 28e6c4b3cdc3684f473ed60ce52303f7a9f58bfe Mon Sep 17 00:00:00 2001
From: AdamKorcz
Date: Thu, 3 Aug 2023 13:33:45 +0100
Subject: [PATCH 12/12] rb
---
 .github/workflows/e2e.maven.push.main.default.slsa3.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
index 9db29c521a..c643a496fa 100644
--- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml
+++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
@@ -29,12 +29,12 @@ jobs:
 needs: [build]
 steps:
 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@v1.8.0-rc.2
+ - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main #v1.8.0-rc.2
 with:
 name: "${{ needs.build.outputs.provenance-download-name }}"
 sha256: "${{ needs.build.outputs.provenance-download-sha256 }}"
 path: slsa-attestations
- - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@v1.8.0-rc.2
+ - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main #v1.8.0-rc.2
 with:
 name: target
 sha256: "${{ needs.build.outputs.target-download-sha256 }}"
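Review bot: Both secure-download-folder references move from the `v1.8.0-rc.2` tag to the mutable `main` branch, with the old tag left as a trailing `#v1.8.0-rc.2` comment that now reads like a stale pin. For an e2e workflow living in slsa-github-generator itself this is consistent with the `build` job, which already calls `builder_maven_slsa3.yml@main`, and is presumably deliberate — but the file should say so, because this action performs the hash check everything after it relies on and a mutable ref would be a supply-chain weakness anywhere else: `# e2e: tracks main of this repo on purpose; consumers must pin a release tag or commit SHA`. If this workflow is ever copied out of the repo, pin by full commit SHA with a version comment, as is already done for `actions/checkout`.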