
fix: update the GCB builder ID #350

Merged

Conversation

ramonpetgrave64
Collaborator

@ramonpetgrave64 ramonpetgrave64 commented Apr 17, 2024

Addresses slsa-framework/slsa-github-generator#3344

...
FAILED: SLSA verification failed: builderID does not match provenance: expected version 'v0.3', got ''

The GCB Builder ID for newer provenances now does not include the tag @v0.3 under the inTotoSlsaProvenanceV1.

We'll have to verify without the tag. Not including the tag is still compatible with slsa-verifier for older provenances.

GCB docs on how to verify also suggest leaving out the tag:

slsa-verifier verify-image "$IMAGE" \
--provenance-path provenance.json \
--source-uri SOURCE \
--builder-id=BUILDER_ID

Where:
...
BUILDER_ID the unique ID for the builder, for example https://cloudbuild.googleapis.com/GoogleHostedWorker

Testing

Tested in a GCP cloud console

A helper script to debug, checking against the age of the build (index) and the tag to check.
Similar to our e2e test

rpetgrave@cloudshell:~ (slsa-tooling)$ do_test () {
    idx=$1   # index into the build list: 0 is the most recent build
    tag=$2   # builder ID version tag to test, e.g. "@v0.3" or ""

    BUILDER_ID="https://cloudbuild.googleapis.com/GoogleHostedWorker${tag}"
    IMAGE_REGISTRY="us-west2-docker.pkg.dev"
    IMAGE_NAME="slsa-tooling/example-package-repo/e2e-gcb-tag-main-annotated-slsa3"
    # Pick the idx-th most recent build that produced this image. idx is passed to jq
    # with --arg, since an unexported shell variable is not visible to jq as env.idx.
    build_id=$(gcloud builds list --filter "results.images.name=${IMAGE_REGISTRY}/${IMAGE_NAME}" --region=us-west2 --project slsa-tooling --limit=20 --format=json | jq -r --arg idx "$idx" '.[$idx | tonumber].id')
    # Resolve that build's image digest and fetch the provenance attached to the image
    image_digest=$(gcloud builds describe "${build_id}" --project=slsa-tooling --region=us-west2 --format="value(results.images[0].digest)")
    gcloud artifacts docker images describe "${IMAGE_REGISTRY}/${IMAGE_NAME}@${image_digest}" --show-provenance --format json > provenance.json
    IMAGE="${IMAGE_REGISTRY}/${IMAGE_NAME}@${image_digest}"
    SOURCE="https://github.com/slsa-framework/example-package"

    # Verify with the builder ID under test (with or without the version tag)
    slsa-verifier verify-image "$IMAGE" \
    --provenance-path provenance.json \
    --source-uri "$SOURCE" \
    --builder-id="$BUILDER_ID"
}

Using the tag fails for recent builds up until the builds from December and older.

rpetgrave@cloudshell:~ (slsa-tooling)$ do_test 0 @v0.3 # fail
WARNING: Insecure SLSA_VERIFIER_TESTING is enabled.
Verification succeeded with key "global-pae-google-hosted-worker_1"
FAILED: SLSA verification failed: builderID does not match provenance: expected version 'v0.3', got ''

rpetgrave@cloudshell:~ (slsa-tooling)$ do_test 8 @v0.3 # fail
WARNING: Insecure SLSA_VERIFIER_TESTING is enabled.
Verification succeeded with key "global-pae-google-hosted-worker_1"
FAILED: SLSA verification failed: builderID does not match provenance: expected version 'v0.3', got ''

rpetgrave@cloudshell:~ (slsa-tooling)$ do_test 9 @v0.3 # pass
WARNING: Insecure SLSA_VERIFIER_TESTING is enabled.
Verification succeeded with key "global-pae-provenanceSigner_1"
PASSED: Verified SLSA provenance

Not using the tag passes for all past and current provenances.

rpetgrave@cloudshell:~ (slsa-tooling)$ do_test 0 "" # pass
WARNING: Insecure SLSA_VERIFIER_TESTING is enabled.
Verification succeeded with key "global-pae-google-hosted-worker_1"
PASSED: Verified SLSA provenance

rpetgrave@cloudshell:~ (slsa-tooling)$ do_test 8 "" # pass
WARNING: Insecure SLSA_VERIFIER_TESTING is enabled.
Verification succeeded with key "global-pae-google-hosted-worker_1"
PASSED: Verified SLSA provenance

rpetgrave@cloudshell:~ (slsa-tooling)$ do_test 9 "" # pass
WARNING: Insecure SLSA_VERIFIER_TESTING is enabled.
Verification succeeded with key "global-pae-provenanceSigner_1"
PASSED: Verified SLSA provenance

rpetgrave@cloudshell:~ (slsa-tooling)$ do_test 15 "" # pass
WARNING: Insecure SLSA_VERIFIER_TESTING is enabled.
Verification succeeded with key "global-pae-provenanceSigner_1"
PASSED: Verified SLSA provenance

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64
Collaborator Author

@laurentsimon

@laurentsimon
Collaborator

laurentsimon commented Apr 17, 2024

Thanks. So slsa-verifier is able to verify properly :) I know we have some code that looks for the version but it seems it's only relevant for v0.1 provenance https://github.com/slsa-framework/slsa-verifier/blob/main/verifiers/internal/gcb/provenance.go#L210-L236. Looks like v1.0 does not have this differentiation https://github.com/slsa-framework/slsa-verifier/blob/main/verifiers/internal/gcb/slsaprovenance/v1.0/provenance.go#L27-L35. So the fix looks good, thanks!

@laurentsimon laurentsimon merged commit 3653e2f into slsa-framework:main Apr 17, 2024
4 checks passed
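As an added illustration (not slsa-verifier's own code), a small Go model of the builder ID comparison this thread describes, using constructed IDs: pinning "@v0.3" rejects the untagged inTotoSlsaProvenanceV1 builder ID with the same error shown above, while an unpinned ID accepts both the older tagged and the newer untagged provenance.

```go
package main

import (
	"fmt"
	"strings"
)

// splitBuilderID splits "name@version" into its parts; version is "" when the ID has no tag.
func splitBuilderID(id string) (name, version string) {
	if i := strings.LastIndex(id, "@"); i >= 0 {
		return id[:i], id[i+1:]
	}
	return id, ""
}

// matchBuilderID models the check described in the PR: the builder name must always
// match, and the version is compared only when the caller pinned one with "@vX.Y".
// An expected ID without a tag therefore accepts provenance with or without a version.
func matchBuilderID(expected, fromProvenance string) error {
	wantName, wantVersion := splitBuilderID(expected)
	gotName, gotVersion := splitBuilderID(fromProvenance)
	if wantName != gotName {
		return fmt.Errorf("builderID does not match provenance: expected name '%s', got '%s'", wantName, gotName)
	}
	if wantVersion != "" && wantVersion != gotVersion {
		return fmt.Errorf("builderID does not match provenance: expected version '%s', got '%s'", wantVersion, gotVersion)
	}
	return nil
}

func main() {
	// Constructed builder IDs: older GCB provenance carries "@v0.3", newer
	// inTotoSlsaProvenanceV1 provenance carries no tag (as reported in the PR).
	const gcb = "https://cloudbuild.googleapis.com/GoogleHostedWorker"
	older, newer := gcb+"@v0.3", gcb
	cases := []struct{ expected, provenance string }{
		{gcb + "@v0.3", newer}, // the failure reported in the PR
		{gcb + "@v0.3", older}, // older builds still verify with the tag
		{gcb, newer},           // the fix: no tag
		{gcb, older},           // the fix stays backward compatible
	}
	for _, c := range cases {
		if err := matchBuilderID(c.expected, c.provenance); err != nil {
			fmt.Println("FAILED:", err)
		} else {
			fmt.Println("PASSED:", c.expected, "matches", c.provenance)
		}
	}
}
```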