chore: v2.0.0-rc.0: update adversarial test: Adversarial Go builder #357

Merged
merged 1 commit into from
Apr 18, 2024


@ramonpetgrave64 ramonpetgrave64 merged commit 80f47fa into main Apr 18, 2024
33 checks passed
@ramonpetgrave64
Collaborator Author

with the malicious binary, failing with

https://github.com/slsa-framework/example-package/actions/runs/8743960624/job/23995773145#step:2:214

Fetching the builder with ref: refs/tags/v2.0.0-rc.0
Builder version: v2.0.0-rc.0
BUILDER_REPOSITORY: slsa-framework/slsa-github-generator
verifier hash computed is 54e4f40bf120bce1cef1ff123fef3456e8c526f315c47e22ed6acfe02a06b9a8
verifier hash verification has passed
WARNING: Insecure SLSA_VERIFIER_TESTING is enabled.
Verified signature against tlog entry index 86791355 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77ad46dc432c6e5687e0c4d7eb0fecddd3bdc7e4cfc89d4d4e6c5e1a94bb5dd46f4
Verifying artifact slsa-builder-go-linux-amd64: FAILED: expected hash '5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03' not found: artifact hash does not match provenance subject

FAILED: SLSA verification failed: expected hash '5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03' not found: artifact hash does not match provenance subject

@ramonpetgrave64

Hash matches, but we now have a different error

https://github.com/slsa-framework/example-package/actions/runs/8743960624/job/23995773145#step:2:214

Fetching the builder with ref: refs/tags/v2.0.0-rc.0
Builder version: v2.0.0-rc.0
BUILDER_REPOSITORY: slsa-framework/slsa-github-generator
verifier hash computed is 54e4f40bf120bce1cef1ff123fef3456e8c526f315c47e22ed6acfe02a06b9a8
verifier hash verification has passed
WARNING: Insecure SLSA_VERIFIER_TESTING is enabled.
Verified signature against tlog entry index 86791355 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77ad46dc432c6e5687e0c4d7eb0fecddd3bdc7e4cfc89d4d4e6c5e1a94bb5dd46f4
Verifying artifact slsa-builder-go-linux-amd64: FAILED: expected branch 'main', got 'v2.0.0-rc.0-tag-updates': branch used to generate the binary does not match provenance

FAILED: SLSA verification failed: expected branch 'main', got 'v2.0.0-rc.0-tag-updates': branch used to generate the binary does not match provenance
Error: Process completed with exit code 6.

@ramonpetgrave64

Now succeeding, after redoing the original release

https://github.com/slsa-framework/example-package/actions/runs/8744269236/job/23997752537

@ramonpetgrave64 ramonpetgrave64 changed the title chore: v2.0.0-rc.0: update adversarial test: builder binary chore: v2.0.0-rc.0: update adversarial test: Adversarial Go builder Apr 18, 2024
@ramonpetgrave64

expected error after putting the wrong binary

https://github.com/slsa-framework/example-package/actions/runs/8790559743/job/24122831599#step:2:214

Run ./__BUILDER_CHECKOUT_DIR__/.github/actions/generate-builder/generate-builder.sh
Fetching the builder with ref: refs/tags/v2.0.0
Builder version: v2.0.0
BUILDER_REPOSITORY: slsa-framework/slsa-github-generator
verifier hash computed is 54e4f40bf120bce1cef1ff123fef3456e8c526f315c47e22ed6acfe02a06b9a8
verifier hash verification has passed
Verified signature against tlog entry index 87834333 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a552c5ddaf7096b9cb853a38117cf72db7995794c10c0448c96f7c15a75c36c58
Verifying artifact slsa-builder-go-linux-amd64: FAILED: expected hash '5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03' not found: artifact hash does not match provenance subject

FAILED: SLSA verification failed: expected hash '5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03' not found: artifact hash does not match provenance subject
Error: Process completed with exit code 6.

@ramonpetgrave64

Now passing

https://github.com/slsa-framework/example-package/actions/runs/8790604149/job/24122964499#step:2:213

Run ./__BUILDER_CHECKOUT_DIR__/.github/actions/generate-builder/generate-builder.sh
Fetching the builder with ref: refs/tags/v2.0.0
Builder version: v2.0.0
BUILDER_REPOSITORY: slsa-framework/slsa-github-generator
verifier hash computed is 54e4f40bf120bce1cef1ff123fef3456e8c526f315c47e22ed6acfe02a06b9a8
verifier hash verification has passed
Verified signature against tlog entry index 87834333 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a552c5ddaf7096b9cb853a38117cf72db7995794c10c0448c96f7c15a75c36c58
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v2.0.0" at commit 5a775b367a56d5bd118a224a811bba288150a563
Verifying artifact slsa-builder-go-linux-amd64: PASSED
PASSED: Verified SLSA provenance
Builder provenance verified at tag v2.0.0 and commit 5a775b367a56d5bd118a224a811bba288150a563
Run ./__BUILDER_CHECKOUT_DIR__/.github/actions/compute-sha256
Computing sha256 of slsa-builder-go-linux-amd64
Computed sha256 of slsa-builder-go-linux-amd64 as 63b53c376bcece6b12fb2ebfa04210a6b26420a1d5ed851e816ea0bd881492a0

@ramonpetgrave64 ramonpetgrave64 deleted the ramonpetgrave64-patch-7 branch June 26, 2024 19:57
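
The two checks that fail in the logs above (artifact digest against the provenance subject, then the expected branch), as an added Go example that is not part of this PR or of slsa-verifier's own code. It assumes the provenance signature has already been verified; `Provenance`, `SubjectSHA256`, `SourceRef`, `SHA256Hex` and `VerifyArtifact` are hypothetical names, and the struct is a simplified stand-in for the real provenance format.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Provenance is a simplified, hypothetical view of already-verified provenance.
type Provenance struct {
	SubjectSHA256 map[string]string // artifact name -> hex sha256 digest
	SourceRef     string            // e.g. "refs/heads/main"
}

var ErrHashMismatch = errors.New("artifact hash does not match provenance subject")
var ErrBranchMismatch = errors.New("branch used to generate the binary does not match provenance")

func SHA256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// VerifyArtifact checks the digest first and the branch second.
func VerifyArtifact(artifact []byte, p Provenance, wantBranch string) error {
	got, found := SHA256Hex(artifact), false
	for _, d := range p.SubjectSHA256 {
		found = found || strings.EqualFold(d, got)
	}
	if !found {
		return fmt.Errorf("expected hash '%s' not found: %w", got, ErrHashMismatch)
	}
	// Only a branch ref can satisfy a branch expectation; a tag ref never does.
	branch := strings.TrimPrefix(p.SourceRef, "refs/heads/")
	if branch == p.SourceRef || branch != wantBranch {
		return fmt.Errorf("expected branch '%s', got '%s': %w", wantBranch, branch, ErrBranchMismatch)
	}
	return nil
}

func main() {
	bin := []byte("constructed builder binary") // constructed sample input
	p := Provenance{map[string]string{"slsa-builder-go-linux-amd64": SHA256Hex(bin)}, "refs/heads/main"}
	fmt.Println(VerifyArtifact(bin, p, "main"))
	fmt.Println(VerifyArtifact([]byte("swapped binary"), p, "main"))
	p.SourceRef = "refs/heads/v2.0.0-rc.0-tag-updates"
	fmt.Println(VerifyArtifact(bin, p, "main"))
}
```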