From bc78a12a02f5f450080d88b3505f844eef2d63b4 Mon Sep 17 00:00:00 2001
From: AdamKorcz
Date: Thu, 3 Aug 2023 11:06:21 +0100
Subject: [PATCH] add verification
Signed-off-by: AdamKorcz
---
 ....workflow_dispatch.main.default.slsa3.yml} | 13 ++-----
 .github/workflows/scripts/e2e-utils.sh | 2 +-
 .../scripts/e2e.maven.default.verify.sh | 35 +++++++++++++++++++
 3 files changed, 39 insertions(+), 11 deletions(-)
 rename .github/workflows/{e2e.maven.push.main.default.slsa3.yml => e2e.maven.workflow_dispatch.main.default.slsa3.yml} (75%)
 create mode 100755 .github/workflows/scripts/e2e.maven.default.verify.sh
diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml
similarity index 75%
rename from .github/workflows/e2e.maven.push.main.default.slsa3.yml
rename to .github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml
index c643a496fa..7db77b15ab 100644
--- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml
+++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml
@@ -29,12 +29,12 @@ jobs:
 needs: [build]
 steps:
 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main #v1.8.0-rc.2
+ - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main
 with:
 name: "${{ needs.build.outputs.provenance-download-name }}"
 sha256: "${{ needs.build.outputs.provenance-download-sha256 }}"
 path: slsa-attestations
- - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main #v1.8.0-rc.2
+ - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main
 with:
 name: target
 sha256: "${{ needs.build.outputs.target-download-sha256 }}"
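Review bot: Both `secure-download-folder` steps are referenced at the mutable `@main` ref while the neighbouring `actions/checkout` is pinned to a commit SHA, and the only hint at why (`#v1.8.0-rc.2`) is what this hunk removes. If `@main` is deliberate — plausible, since the new verify script expects a builder id ending in `@refs/heads/main`, i.e. this e2e exercises the generator's unreleased tip — document it next to the first use, e.g. `# NOTE: @main on purpose: e2e workflows test the generator's main branch, not a release.`, so nobody later "fixes" it by pinning a stale tag. If it is not deliberate, pin to the SHA of the generator under test as checkout is. The enclosing job's header lies above the hunk.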
@@ -42,15 +42,8 @@ jobs:
 - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
 with:
 go-version: "1.18"
-# - env:
-# # NOTE: We move the artifact because the verification script
-# # check that the subject name matches the filename.
-# ARTIFACT: "${{ needs.build.outputs.artifact }}"
-# run: |
-# mv "artifacts/${ARTIFACT}" .
 - env:
 BINARY: ./target/test-java-project-0.1.19.jar
 PROVENANCE: "slsa-attestations/${{ needs.build.outputs.provenance-download-name }}/test-java-project-0.1.19.jar.build.slsa"
- BUILDER_ID: "https://github.com/slsa-framework/example-trw/.github/workflows/builder_example_slsa3.yml"
 BUILDER_TAG: "v2.0.0"
- run: ./.github/workflows/scripts/e2e.delegator.default.verify.sh
+ run: ./.github/workflows/scripts/e2e.maven.default.verify.sh
diff --git a/.github/workflows/scripts/e2e-utils.sh b/.github/workflows/scripts/e2e-utils.sh
index 12ed3097ac..6fd63a9186 100755
--- a/.github/workflows/scripts/e2e-utils.sh
+++ b/.github/workflows/scripts/e2e-utils.sh
@@ -433,7 +433,7 @@ _e2e_verify_query() {
 local expected="$2"
 local query="$3"
 name=$(echo -n "${attestation}" | jq -c -r "${query}")
- e2e_assert_eq "${name}" "${expected}" "${query} should be ${expected}"
+ e2e_assert_eq "${name}" "${expected}" "${query} should be ${expected} but was ${name}"
 }
 # Returns the first 2 asset in a release.
diff --git a/.github/workflows/scripts/e2e.maven.default.verify.sh b/.github/workflows/scripts/e2e.maven.default.verify.sh
new file mode 100755
index 0000000000..43a0701941
--- /dev/null
+++ b/.github/workflows/scripts/e2e.maven.default.verify.sh
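Review bot: After this hunk the step still exports `BINARY` and `BUILDER_TAG`, which the new `e2e.maven.default.verify.sh` never reads (it consumes only `PROVENANCE`), while the builder id it does assert is now hard-coded in the script since `BUILDER_ID` is dropped. Either remove the dead `env:` entries, or — preferably — keep `BINARY` and have the script actually verify the jar against the provenance with it, which is what a step named `verify` implies; if they are kept for a follow-up, a one-line comment above `env:` saying so avoids the guesswork. The step list and the enclosing job's header continue above the hunk.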
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# shellcheck source=/dev/null
+source "./.github/workflows/scripts/e2e-verify.common.sh"
+
+RUNNER_DEBUG=${RUNNER_DEBUG:-}
+if [[ -n "${RUNNER_DEBUG}" ]]; then
+ set -x
+fi
+
+go env -w GOFLAGS=-mod=mod
+
+verify_provenance_content() {
+ e2e_verify_predicate_subject_name "${ATTESTATION}" "test-java-project-0.1.19.jar"
+ e2e_verify_predicate_v1_runDetails_builder_id "${ATTESTATION}" "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@refs/heads/main"
+ e2e_verify_predicate_v1_buildDefinition_buildType "${ATTESTATION}" "https://github.com/slsa-framework/slsa-github-generator/delegator-generic@v0"
+}
+
+THIS_FILE=$(e2e_this_file)
+BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4)
+echo "branch is $BRANCH"
+echo "GITHUB_REF_NAME: $GITHUB_REF_NAME"
+echo "GITHUB_REF_TYPE: $GITHUB_REF_TYPE"
+echo "GITHUB_REF: $GITHUB_REF"
+echo "DEBUG: file is $THIS_FILE"
+echo "PROVENANCE is: ${PROVENANCE}"
+
+ATTESTATION=$(jq -r '.dsseEnvelope.payload' "${PROVENANCE}" | base64 -d)
+export ATTESTATION
+
+export SLSA_VERIFIER_TESTING="true"
+
+# Verify provenance content.
+echo "verify_provenance_content:"
+verify_provenance_content
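Review bot: Nothing in this file verifies the provenance cryptographically: `ATTESTATION` is just the base64-decoded `.dsseEnvelope.payload`, and `verify_provenance_content` asserts three predicate fields of it, so a bundle with a bad or stripped signature, or one whose subject digest does not match the jar, passes — and `BINARY`, which the workflow exports for exactly that check, is never read. `go env -w GOFLAGS=-mod=mod` and `export SLSA_VERIFIER_TESTING="true"` look like setup for a slsa-verifier run that never happens; unless `e2e-verify.common.sh` (sourced, not visible here) performs it, add one before the content checks, e.g. `slsa-verifier verify-artifact "${BINARY}" --provenance-path "${PROVENANCE}" --source-uri "github.com/${GITHUB_REPOSITORY}"`, or the repo's existing verifier helper if there is one. Separately, the script sets no `set -euo pipefail`, so a missing `.dsseEnvelope` key makes `jq` print `null`, `base64 -d` emits garbage, and the failure only surfaces later as an opaque `should be … but was` mismatch; `set -euo pipefail` right after the `source` line (if the common file does not already set it) turns that into a clear error at the `jq` line.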