Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: produce sigstore Bundles for generic generator and go builder workflows #3777

Merged
merged 105 commits into from
Oct 24, 2024

Conversation

ramonpetgrave64
Copy link
Collaborator

@ramonpetgrave64 ramonpetgrave64 commented Aug 14, 2024

Summary

fixes #3750

pending slsa-framework/slsa-verifier#799

Changes the internal go code to produce Sigstore Bundles, instead of only signed DSSE envelopes. This means that the generic generator and go builder workflows now produce Sigstore Bundles, just like the other BYOB-type workflows.

Testing Process

Testing done on a previous commit with a test workflow. It's using a slightly modified slsa-verifier that respects sls-aw workflows from non-main branches.

Followup

[ ] Produce the provenance in v1 format, rather than the current v0.2 format.
[ ] fix initialism of [build]invocationID to [build]invocationId #3876

Checklist

  • Review the contributing guidelines
  • Add a reference to related issues in the PR description.
  • Update documentation if applicable.
  • Add unit tests if applicable.
  • Add changes to the CHANGELOG if applicable.

@ramonpetgrave64 ramonpetgrave64 force-pushed the ramonpetgrave64-internal-builder-sigstore-bundlev2 branch from 20e2376 to f9a7e3e Compare August 14, 2024 22:18
@@ -39,6 +39,9 @@ const (

// OIDCToken represents the contents of a GitHub OIDC JWT token.
type OIDCToken struct {
// Expiry is the expiration date of the token.
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lint: reordering fields by type.

@ramonpetgrave64 ramonpetgrave64 marked this pull request as ready for review August 15, 2024 14:42
@ramonpetgrave64 ramonpetgrave64 marked this pull request as draft August 16, 2024 19:32
@ramonpetgrave64 ramonpetgrave64 force-pushed the ramonpetgrave64-internal-builder-sigstore-bundlev2 branch from 7d5dcde to 91fc61e Compare August 16, 2024 19:33
@ramonpetgrave64 ramonpetgrave64 marked this pull request as ready for review August 16, 2024 19:45
@ramonpetgrave64
Copy link
Collaborator Author

@ianlewis @laurentsimon

@@ -53,7 +53,7 @@ func Test_CreateBuildDefinition(t *testing.T) {
}

if diff := cmp.Diff(got, want); diff != "" {
t.Errorf(diff)
t.Error(diff)
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lint: change t.Errorf to t.Error when not actually using any string formatting.

Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is really great!

signing/sigstore/bundle.go Outdated Show resolved Hide resolved
// Bundle will have already verified that the TLog entries are signed.
logIndex := innerBundle.GetVerificationMaterial().GetTlogEntries()[0].GetLogIndex()
fmt.Printf("Signed attestation is in rekor with UUID %d.\n", logIndex)
fmt.Printf("You could use rekor-cli to view the log entry details:\n\n"+
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor thing, but I would avoid printing the info about how to look up the entry given these look ups aren't verifying inclusion. In Cosign we've always struggled with what is useful output, and I don't have a good answer there - maybe a list of steps that the client took (requested token, fetched cert, uploaded entry to log, etc)?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's more of a UX thing, since I'm deleting another print statement that showed the log UUID.

I now see I need to update that text to say Log Index, not UUID.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we add any tests for this? Possibly e2e tests with a similar setup like Colleen added in Cosign? https://github.com/sigstore/cosign/blob/main/test/README.md

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are e2e tests in slsa-framework/example-package that will produce and verify. We can't have the e2e tests in PRs because PRs don't have the needed token permissions to sign.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you use the identity token workflow we set up for conformance testing that publishes a valid ID token? Here's an example of gitsign using it - https://github.com/sigstore/gitsign/pull/549/files

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could definitely tweak this code to use that alternative token in PRs, but then verification won't work with slsa-verifier until we tweak it to trust alternative workflow and certificate identities:

ramonpetgrave64 and others added 9 commits October 8, 2024 07:05
# Summary

Followup to #3746

Removes the verify job, which won't work, because the ref will be
incorrect.

-
https://github.com/slsa-framework/slsa-github-generator/actions/runs/10115454784/job/27976327657#step:5:1

```
WARNING: Insecure SLSA_VERIFIER_TESTING is enabled.
Verifying artifact ./target/test-java-project-1.21.97.jar: FAILED: invalid ref: "refs/heads/main": unexpected ref type: "heads"

FAILED: SLSA verification failed: invalid ref: "refs/heads/main": unexpected ref type: "heads"
Error: Process completed with exit code 1.
```

## Testing Process

The e2e test is executed in this PR, which now passes.

## Checklist

- [x] Review the contributing
[guidelines](https://github.com/slsa-framework/slsa-github-generator/blob/main/CONTRIBUTING.md)
- [x] Add a reference to related issues in the PR description.
- [ ] Update documentation if applicable.
- [x] Add unit tests if applicable.
- [ ] Add changes to the
[CHANGELOG](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
if applicable.

---------

Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
ramonpetgrave64 and others added 18 commits October 8, 2024 07:05
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/checkout | action | digest | `692973e` -> `9a9194f` |
|
[actions/download-artifact](https://togithub.com/actions/download-artifact)
| action | patch | `v4.1.7` -> `v4.1.8` |
| [actions/setup-go](https://togithub.com/actions/setup-go) | action |
patch | `v5.0.1` -> `v5.0.2` |
| [actions/setup-node](https://togithub.com/actions/setup-node) | action
| patch | `v4.0.2` -> `v4.0.3` |
| [actions/setup-node](https://togithub.com/actions/setup-node) | action
| digest | `60edb5d` -> `1e60f62` |
|
[actions/upload-artifact](https://togithub.com/actions/upload-artifact)
| action | patch | `v4.3.3` -> `v4.3.5` |
| [github/codeql-action](https://togithub.com/github/codeql-action) |
action | patch | `v3.25.11` -> `v3.25.15` |
|
[gradle/gradle-build-action](https://togithub.com/gradle/gradle-build-action)
| action | minor | `v3.4.2` -> `v3.5.0` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) |
action | minor | `v2.3.3` -> `v2.4.0` |
|
[softprops/action-gh-release](https://togithub.com/softprops/action-gh-release)
| action | patch | `v2.0.6` -> `v2.0.8` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>

###
[`v4.1.8`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.8)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.7...v4.1.8)

#### What's Changed

- Update
[@&#8203;actions/artifact](https://togithub.com/actions/artifact)
version, bump dependencies by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/download-artifact/pull/341](https://togithub.com/actions/download-artifact/pull/341)

**Full Changelog**:
actions/download-artifact@v4...v4.1.8

</details>

<details>
<summary>actions/setup-go (actions/setup-go)</summary>

###
[`v5.0.2`](https://togithub.com/actions/setup-go/compare/v5.0.1...v5.0.2)

[Compare
Source](https://togithub.com/actions/setup-go/compare/v5.0.1...v5.0.2)

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

###
[`v4.0.3`](https://togithub.com/actions/setup-node/compare/v4.0.2...v4.0.3)

[Compare
Source](https://togithub.com/actions/setup-node/compare/v4.0.2...v4.0.3)

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v4.3.5`](https://togithub.com/actions/upload-artifact/compare/v4.3.4...v4.3.5)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.3.4...v4.3.5)

###
[`v4.3.4`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.4)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.3.3...v4.3.4)

##### What's Changed

- Update
[@&#8203;actions/artifact](https://togithub.com/actions/artifact)
version, bump dependencies by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/upload-artifact/pull/584](https://togithub.com/actions/upload-artifact/pull/584)

**Full Changelog**:
actions/upload-artifact@v4.3.3...v4.3.4

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v3.25.15`](https://togithub.com/github/codeql-action/compare/v3.25.14...v3.25.15)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.14...v3.25.15)

###
[`v3.25.14`](https://togithub.com/github/codeql-action/compare/v3.25.13...v3.25.14)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.13...v3.25.14)

###
[`v3.25.13`](https://togithub.com/github/codeql-action/compare/v3.25.12...v3.25.13)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.12...v3.25.13)

###
[`v3.25.12`](https://togithub.com/github/codeql-action/compare/v3.25.11...v3.25.12)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.11...v3.25.12)

</details>

<details>
<summary>gradle/gradle-build-action
(gradle/gradle-build-action)</summary>

###
[`v3.5.0`](https://togithub.com/gradle/gradle-build-action/releases/tag/v3.5.0)

[Compare
Source](https://togithub.com/gradle/gradle-build-action/compare/v3.4.2...v3.5.0)

> \[!IMPORTANT]
> As of `v3` this action has been superceded by
`gradle/actions/setup-gradle`.
> Any workflow that uses `gradle/gradle-build-action@v3` will
transparently delegate to `gradle/actions/setup-gradle@v3`.
>
> Users are encouraged to update their workflows, replacing:
>
>     uses: gradle/gradle-build-action@v3
>
> with
>
>     uses: gradle/actions/setup-gradle@v3
>
> See the [setup-gradle
documentation](https://togithub.com/gradle/actions/tree/main/setup-gradle)
for up-to-date documentation for `gradle/actions/setup-gradle`.

For release details, see
https://github.com/gradle/actions/releases/tag/v3.5.0

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.4.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.4.0)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0)

#### What's Changed

This update bumps the Scorecard version to the v5 release. For a
complete list of changes, please refer to the [v5.0.0 release
notes](https://togithub.com/ossf/scorecard/releases/tag/v5.0.0). Of
special note to Scorecard Action is the Maintainer Annotation feature,
which can be used to suppress some Code Scanning false positives. Alerts
will not be generated for any Scorecard Check with an annotation.

- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0
by [@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1410](https://togithub.com/ossf/scorecard-action/pull/1410)
- 🐛 lower license sarif alert threshold to 9 by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1411](https://togithub.com/ossf/scorecard-action/pull/1411)

##### Documentation

- docs: dogfooding badge by
[@&#8203;jkowalleck](https://togithub.com/jkowalleck) in
[https://github.com/ossf/scorecard-action/pull/1399](https://togithub.com/ossf/scorecard-action/pull/1399)

#### New Contributors

- [@&#8203;jkowalleck](https://togithub.com/jkowalleck) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1399](https://togithub.com/ossf/scorecard-action/pull/1399)

**Full Changelog**:
ossf/scorecard-action@v2.3.3...v2.4.0

</details>

<details>
<summary>softprops/action-gh-release
(softprops/action-gh-release)</summary>

###
[`v2.0.8`](https://togithub.com/softprops/action-gh-release/releases/tag/v2.0.8)

[Compare
Source](https://togithub.com/softprops/action-gh-release/compare/v2.0.7...v2.0.8)

<!-- Release notes generated using configuration in .github/release.yml
at master -->

#### What's Changed

##### Other Changes 🔄

- chore(deps): bump prettier from 2.8.0 to 3.3.3 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/480](https://togithub.com/softprops/action-gh-release/pull/480)
- chore(deps): bump
[@&#8203;types/node](https://togithub.com/types/node) from 20.14.9 to
20.14.11 by [@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/483](https://togithub.com/softprops/action-gh-release/pull/483)
- chore(deps): bump
[@&#8203;octokit/plugin-throttling](https://togithub.com/octokit/plugin-throttling)
from 9.3.0 to 9.3.1 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/484](https://togithub.com/softprops/action-gh-release/pull/484)
- chore(deps): bump glob from 10.4.2 to 11.0.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/477](https://togithub.com/softprops/action-gh-release/pull/477)
- refactor: write jest config in ts by
[@&#8203;chenrui333](https://togithub.com/chenrui333) in
[https://github.com/softprops/action-gh-release/pull/485](https://togithub.com/softprops/action-gh-release/pull/485)
- chore(deps): bump
[@&#8203;actions/github](https://togithub.com/actions/github) from 5.1.1
to 6.0.0 by [@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/470](https://togithub.com/softprops/action-gh-release/pull/470)

**Full Changelog**:
softprops/action-gh-release@v2...v2.0.8

###
[`v2.0.7`](https://togithub.com/softprops/action-gh-release/releases/tag/v2.0.7)

[Compare
Source](https://togithub.com/softprops/action-gh-release/compare/v2.0.6...v2.0.7)

<!-- Release notes generated using configuration in .github/release.yml
at master -->

#### What's Changed

##### Bug fixes 🐛

- Fix missing update release body by
[@&#8203;FirelightFlagboy](https://togithub.com/FirelightFlagboy) in
[https://github.com/softprops/action-gh-release/pull/365](https://togithub.com/softprops/action-gh-release/pull/365)

##### Other Changes 🔄

- Bump
[@&#8203;octokit/plugin-retry](https://togithub.com/octokit/plugin-retry)
from 4.0.3 to 7.1.1 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/443](https://togithub.com/softprops/action-gh-release/pull/443)
- Bump typescript from 4.9.5 to 5.5.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/467](https://togithub.com/softprops/action-gh-release/pull/467)
- Bump [@&#8203;types/node](https://togithub.com/types/node) from
20.14.6 to 20.14.8 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/469](https://togithub.com/softprops/action-gh-release/pull/469)
- Bump [@&#8203;types/node](https://togithub.com/types/node) from
20.14.8 to 20.14.9 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/473](https://togithub.com/softprops/action-gh-release/pull/473)
- Bump typescript from 5.5.2 to 5.5.3 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/472](https://togithub.com/softprops/action-gh-release/pull/472)
- Bump ts-jest from 29.1.5 to 29.2.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/479](https://togithub.com/softprops/action-gh-release/pull/479)
- docs: document that existing releases are updated by
[@&#8203;jvanbruegge](https://togithub.com/jvanbruegge) in
[https://github.com/softprops/action-gh-release/pull/474](https://togithub.com/softprops/action-gh-release/pull/474)

#### New Contributors

- [@&#8203;jvanbruegge](https://togithub.com/jvanbruegge) made their
first contribution in
[https://github.com/softprops/action-gh-release/pull/474](https://togithub.com/softprops/action-gh-release/pull/474)
- [@&#8203;FirelightFlagboy](https://togithub.com/FirelightFlagboy) made
their first contribution in
[https://github.com/softprops/action-gh-release/pull/365](https://togithub.com/softprops/action-gh-release/pull/365)

**Full Changelog**:
softprops/action-gh-release@v2.0.6...v2.0.7

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View the
[repository job
log](https://developer.mend.io/github/slsa-framework/slsa-github-generator).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM3LjQ0MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Signed-off-by: Mend Renovate <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
…o 25.0.6+incompatible in the go_modules group (#3760)

Bumps the go_modules group with 1 update:
[github.com/docker/docker](https://github.com/docker/docker).

Updates `github.com/docker/docker` from 24.0.9+incompatible to
25.0.6+incompatible
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/docker/releases">github.com/docker/docker's
releases</a>.</em></p>
<blockquote>
<h2>v25.0.6</h2>
<h2>25.0.6</h2>
<p>For a full list of pull requests and changes in this release, refer
to the relevant GitHub milestones:</p>
<ul>
<li><a
href="https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A25.0.6">docker/cli,
25.0.6 milestone</a></li>
<li><a
href="https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A25.0.6">moby/moby,
25.0.6 milestone</a></li>
<li>Deprecated and removed features, see <a
href="https://github.com/docker/cli/blob/v25.0.6/docs/deprecated.md">Deprecated
Features</a>.</li>
<li>Changes to the Engine API, see <a
href="https://github.com/moby/moby/blob/v25.0.6/docs/api/version-history.md">API
version history</a>.</li>
</ul>
<h3>Security</h3>
<p>This release contains a fix for <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41110">CVE-2024-41110</a>
/ <a
href="https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq">GHSA-v23v-6jw2-98fq</a>
that impacted setups using <a
href="https://docs.docker.com/engine/extend/plugins_authorization/">authorization
plugins (AuthZ)</a> for access control.</p>
<h3>Bug fixes and enhancements</h3>
<ul>
<li>[25.0] remove erroneous <code>platform</code> from image
<code>config</code> OCI descriptor in <code>docker save</code> output.
<a
href="https://redirect.github.com/moby/moby/pull/47695">moby/moby#47695</a></li>
<li>[25.0 backport] Fix a nil dereference when getting image history for
images having layers without the <code>Created</code> value set. <a
href="https://redirect.github.com/moby/moby/pull/47759">moby/moby#47759</a></li>
<li>[25.0 backport] apparmor: Allow confined runc to kill containers. <a
href="https://redirect.github.com/moby/moby/pull/47830">moby/moby#47830</a></li>
<li>[25.0 backport] Fix an issue where rapidly promoting a Swarm node
after another node was demoted could cause the promoted node to fail its
promotion. <a
href="https://redirect.github.com/moby/moby/pull/47869">moby/moby#47869</a></li>
<li>[25.0 backport] don't depend on containerd platform.Parse to return
a typed error. <a
href="https://redirect.github.com/moby/moby/pull/47890">moby/moby#47890</a></li>
<li>[25.0 backport] builder/mobyexporter: Add missing nil check <a
href="https://redirect.github.com/moby/moby/pull/47987">moby/moby#47987</a></li>
</ul>
<h3>Packaging updates</h3>
<ul>
<li>Update AWS SDK Go v2 to v1.24.1 for AWS CloudWatch logging driver.
<a
href="https://redirect.github.com/moby/moby/pull/47724">moby/moby#47724</a></li>
<li>Update Go runtime to 1.21.12, which contains security fixes for <a
href="https://github.com/advisories/GHSA-hw49-2p59-3mhj">CVE-2024-24791</a>
<a
href="https://redirect.github.com/moby/moby/pull/48146">moby/moby#48146</a></li>
<li>Update Containerd (static binaries only) to <a
href="https://github.com/containerd/containerd/releases/tag/v1.7.20">v1.7.20</a>.
<a
href="https://redirect.github.com/moby/moby/pull/48199">moby/moby#48199</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/moby/moby/compare/v25.0.5...v25.0.6">https://github.com/moby/moby/compare/v25.0.5...v25.0.6</a></p>
<h2>v25.0.5</h2>
<h2>25.0.5</h2>
<p>For a full list of pull requests and changes in this release, refer
to the relevant GitHub milestones:</p>
<ul>
<li><a
href="https://github.com/docker/cli/issues?q=is%3Aclosed+milestone%3A25.0.5">docker/cli,
25.0.5 milestone</a></li>
<li><a
href="https://github.com/moby/moby/issues?q=is%3Aclosed+milestone%3A25.0.5">moby/moby,
25.0.5 milestone</a></li>
<li>Deprecated and removed features, see <a
href="https://github.com/docker/cli/blob/v25.0.5/docs/deprecated.md">Deprecated
Features</a>.</li>
<li>Changes to the Engine API, see <a
href="https://github.com/moby/moby/blob/v25.0.5/docs/api/version-history.md">API
version history</a>.</li>
</ul>
<h3>Security</h3>
<p>This release contains a security fix for <a
href="https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx">CVE-2024-29018</a>,
a potential data exfiltration from 'internal' networks via authoritative
DNS servers.</p>
<h3>Bug fixes and enhancements</h3>
<ul>
<li>
<p><a
href="https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx">CVE-2024-29018</a>:
Do not forward requests to external DNS servers for a container that is
only connected to an 'internal' network. Previously, requests were
forwarded if the host's DNS server was running on a loopback address,
like systemd's 127.0.0.53. <a
href="https://redirect.github.com/moby/moby/pull/47589">moby/moby#47589</a></p>
</li>
<li>
<p>plugin: fix mounting /etc/hosts when running in UserNS. <a
href="https://redirect.github.com/moby/moby/pull/47588">moby/moby#47588</a></p>
</li>
<li>
<p>rootless: fix <code>open /etc/docker/plugins: permission
denied</code>. <a
href="https://redirect.github.com/moby/moby/pull/47587">moby/moby#47587</a></p>
</li>
<li>
<p>Fix multiple parallel <code>docker build</code> runs leaking disk
space. <a
href="https://redirect.github.com/moby/moby/pull/47527">moby/moby#47527</a></p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/moby/moby/commit/b08a51fe16eed67de3861c03b363ba403643b12e"><code>b08a51f</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/48231">#48231</a>
from austinvazquez/backport-vendor-otel-v0.46.1-to-...</li>
<li><a
href="https://github.com/moby/moby/commit/d151b0f87f9673f206b477c90db25956e1704ba5"><code>d151b0f</code></a>
vendor: OTEL v0.46.1 / v1.21.0</li>
<li><a
href="https://github.com/moby/moby/commit/c6ba9a5124603357bfc4a64971cbb9708180f06e"><code>c6ba9a5</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/48225">#48225</a>
from austinvazquez/backport-workflow-artifact-reten...</li>
<li><a
href="https://github.com/moby/moby/commit/4673a3ca2c37ae30270a29c281ccd9477107dcee"><code>4673a3c</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/48227">#48227</a>
from austinvazquez/backport-backport-branch-check-t...</li>
<li><a
href="https://github.com/moby/moby/commit/30f89081028ce6fb1b49a71c02c156dacbe9aa62"><code>30f8908</code></a>
github/ci: Check if backport is opened against the expected branch</li>
<li><a
href="https://github.com/moby/moby/commit/7454d6a2e672b0b977aaa14463c9aeb53acd06af"><code>7454d6a</code></a>
ci: update workflow artifacts retention</li>
<li><a
href="https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919"><code>65cc597</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/moby/moby/commit/b722836927669b414569c42f096869cd800b59a6"><code>b722836</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/docker/issues/48199">#48199</a>
from austinvazquez/update-containerd-binary-to-1.7.20</li>
<li><a
href="https://github.com/moby/moby/commit/e8ecb9c76d97579ebbf3f9d3ef770d08ac303809"><code>e8ecb9c</code></a>
update containerd binary to v1.7.20</li>
<li><a
href="https://github.com/moby/moby/commit/e6cae1f2373d4ff37499570e67f23b2cebb7a043"><code>e6cae1f</code></a>
update containerd binary to v1.7.19</li>
<li>Additional commits viewable in <a
href="https://github.com/docker/docker/compare/v24.0.9...v25.0.6">compare
view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/docker/docker&package-manager=go_modules&previous-version=24.0.9+incompatible&new-version=25.0.6+incompatible)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/slsa-framework/slsa-github-generator/network/alerts).

</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

The Renovate config in this repository needs migrating. Typically this
is because one or more configuration options you are using have been
renamed.

You don't need to merge this PR right away, because Renovate will
continue to migrate these fields internally each time it runs. But later
some of these fields may be fully deprecated and the migrations removed.
So it's a good idea to merge this migration PR soon.

🔕 **Ignore**: Close this PR and you won't be reminded about config
migration again, but one day your current config may no longer be valid.

❓ Got questions? Does something look wrong to you? Please don't hesitate
to [request help
here](https://togithub.com/renovatebot/renovate/discussions).

---

This PR was generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View the
[repository job
log](https://developer.mend.io/github/slsa-framework/slsa-github-generator).

Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
This reverts commit 8cde63a.

Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
verification

Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
@ramonpetgrave64 ramonpetgrave64 force-pushed the ramonpetgrave64-internal-builder-sigstore-bundlev2 branch from bf7c4a6 to b23bcf2 Compare October 8, 2024 07:05
@ramonpetgrave64 ramonpetgrave64 enabled auto-merge (squash) October 24, 2024 19:40
@ramonpetgrave64 ramonpetgrave64 merged commit 2333f37 into main Oct 24, 2024
94 checks passed
ramonpetgrave64 added a commit that referenced this pull request Oct 25, 2024
…builder workflows" (#3985)

Reverts #3777

Lots of new failing errors in our e2e tests today. We may have missed
something when testing these changes.
For now, we should revert while we debug, and come up with more robust
testing methods.

-
https://github.com/slsa-framework/example-package/actions/runs/11511156484/job/32044242878#step:6:125
- #3967

```
**** Verifying provenance authenticity with verifier at HEAD *****
Testing against builder args
  **** Default parameters (annotated tags) *****
WARNING: Insecure SLSA_VERIFIER_TESTING is enabled.
Verifying artifact hello: FAILED: missing signing certificate in bundle

FAILED: SLSA verification failed: missing signing certificate in bundle
✖ 1 == 0 :: not main default parameters (annotated_tags)
Error: Process completed with exit code 1.
```
ramonpetgrave64 added a commit to slsa-framework/slsa-verifier that referenced this pull request Oct 29, 2024
Followup to
slsa-framework/slsa-github-generator#3777

This PR adds a missing modification for getting the leaf certificate in
the new Bundle format v0.3.

In my original experiments, I did have this method in a dev branch, but
neglected to include it in the final PR.
-
main...verify-sigstore-go-Bundlev3#diff-a9bfffae1bd0d145e950805e7a35b8e65adc7a68affa605b484f4831097b989cR98-R107
 - https://github.com/slsa-framework/slsa-verifier/pull/799/files

## Testing

- I re-used the same attestation file from a failing workflow for unit
tests and manual invocation.
-
https://github.com/slsa-framework/example-package/actions/runs/11511156484

## Followup

- Finish finding a way to test changes within PRs.
-
slsa-framework/slsa-github-generator#3777 (comment)
  - #797

---------

Signed-off-by: Ramon Petgrave <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[feature] Output provenance as Sigstore bundle format
3 participants