[e2e]: generic schedule main multi-subjects slsa3 #601

Closed
ianlewis opened this issue Jul 21, 2022 · 6 comments
Labels
area:generic Issue with the generic generator e2e e2e integration tests type:bug Something isn't working

Comments

@ianlewis ianlewis added e2e e2e integration tests type:bug Something isn't working area:generic Issue with the generic generator labels Jul 21, 2022
@ianlewis
Member Author

ianlewis commented Jul 21, 2022

Seems like another rekor error: validating log entry: verifying inclusion proof: wrong proof size 13, want 14

Maybe some kind of backwards incompatibility with cosign.VerifyTLogEntry?

/cc @asraa

@asraa
Collaborator

asraa commented Jul 21, 2022

Hmmm checking in on this. I'll try to reproduce it.

@asraa
Copy link
Collaborator

asraa commented Jul 21, 2022

Locally, things worked fine (I usually comment out the provider code and give an empty GH workflow context to run ./generic attest locally).

It is very weird that this might be a flake.

I went through Rekor logs and searched via time to find the Rekor entry:

$ ./rekor get --log-index 2993780 --format json | jq
{
  "Attestation": "{\"_type\":\"https://in-toto.io/Statement/v0.1\",\"predicateType\":\"https://slsa.dev/provenance/v0.2\",\"subject\":[{\"name\":\"artifact1\",\"digest\":{\"sha256\":\"482ce8c8f7e867da3a3c05a9aee637703e17470ed1cf882a9e5b405e8f82619d\"}},{\"name\":\"artifact2\",\"digest\":{\"sha256\":\"89cfc6954e88b2f92a7c2879d9eb085c42f3c7065d012a5066f450dbe59b2c00\"}},{\"name\":\"artifact3\",\"digest\":{\"sha256\":\"7a5d21a6adac945561d859bd1decfc37b2408788cf3206df3519e281afd31b6e\"}}],\"predicate\":{\"builder\":{\"id\":\"https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/heads/main\"},\"buildType\":\"https://github.com/slsa-framework/slsa-github-generator@v1\",\"invocation\":{\"configSource\":{\"uri\":\"git+https://github.com/slsa-framework/example-package@refs/heads/main\",\"digest\":{\"sha1\":\"3595a6696ff38f34547758e2733c15b84b5ca752\"},\"entryPoint\":\".github/workflows/e2e.generic.schedule.main.multi-subjects.slsa3.yml\"},\"parameters\":{},\"environment\":{\"github_actor\":\"laurentsimon\",\"github_actor_id\":\"64505099\",\"github_base_ref\":\"\",\"github_event_name\":\"schedule\",\"github_event_payload\":{\"schedule\":\"0 4 * * *\"},\"github_head_ref\":\"\",\"github_ref\":\"refs/heads/main\",\"github_ref_type\":\"branch\",\"github_repository_id\":\"486325809\",\"github_repository_owner\":\"slsa-framework\",\"github_repository_owner_id\":\"80431187\",\"github_run_attempt\":\"1\",\"github_run_id\":\"2709376655\",\"github_run_number\":\"12\",\"github_sha1\":\"3595a6696ff38f34547758e2733c15b84b5ca752\"}},\"metadata\":{\"buildInvocationID\":\"2709376655-1\",\"completeness\":{\"parameters\":true,\"environment\":false,\"materials\":false},\"reproducible\":false},\"materials\":[{\"uri\":\"git+https://github.com/slsa-framework/example-package@refs/heads/main\",\"digest\":{\"sha1\":\"3595a6696ff38f34547758e2733c15b84b5ca752\"}}]}}",
  "AttestationType": "",
  "Body": {
    "IntotoObj": {
      "content": {
        "hash": {
          "algorithm": "sha256",
          "value": "802d343ce19151dbf79a56887ba212657faa4b2c6950df85036070a63842f3aa"
        },
        "payloadHash": {
          "algorithm": "sha256",
          "value": "96d9227d8784a4268db3b1f6a4f179f17ed3014d85001e6ec4971967bd09bc4d"
        }
      },
      "publicKey": "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"
    }
  },
  "LogIndex": 2993780,
  "IntegratedTime": 1658379085,
  "UUID": "49a10fe0f0b0192f6cf3ddddb46d45724362a8d64dab49bd8a6ae8bb385adcba",
  "LogID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
}

Running ./rekor verify --log-index 2993780 worked correctly.

I will try with cosign.VerifyTLogEntry.

@asraa
Copy link
Collaborator

asraa commented Jul 21, 2022

I also tried a cosign.VerifyTLogEntry using that entry, and it was able to succeed...

Unfortunately, the inclusion proof size is not "reproducible" -- the current inclusion proof for that entry is now 20 hashes long, as opposed to the 14 sized one from before.
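
Added example, not part of the thread and not Rekor or cosign code: a standard-library Go implementation of RFC 6962 inclusion proofs, showing why the proof length for a fixed entry changes as the log grows and how a verifier's length check yields an error of the form quoted at the top of the issue. It assumes log index 2993780 is the Merkle leaf index; the function names and the tree sizes 2993781, 2993782 and 3000000 are chosen here for illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math/bits"
)

// hash is the RFC 6962 hash: prefix 0x00 over leaf data, 0x01 over two child hashes.
func hash(prefix byte, l, r []byte) []byte {
	h := sha256.Sum256(append(append([]byte{prefix}, l...), r...))
	return h[:]
}

// build returns the root over non-empty leaf hashes l and the proof (leaf to root) for leaf m.
func build(l [][]byte, m int) ([]byte, [][]byte) {
	if len(l) == 1 {
		return l[0], nil
	}
	k := 1 << (bits.Len(uint(len(l)-1)) - 1) // largest power of two below len(l)
	lr, lp := build(l[:k], m)
	rr, rp := build(l[k:], m-k) // the proof from the subtree without m is discarded
	if m < k {
		return hash(1, lr, rr), append(lp, rr)
	}
	return hash(1, lr, rr), append(rp, lr)
}

// proofLen is the number of hashes a proof for leaf index has at tree size (index < size).
func proofLen(index, size uint64) int {
	inner := bits.Len64(index ^ (size - 1))
	return inner + bits.OnesCount64(index>>uint(inner))
}

// rootFromProof rejects a proof whose length does not fit (index, size), then folds it into a root.
func rootFromProof(index, size uint64, leaf []byte, proof [][]byte) ([]byte, error) {
	if want := proofLen(index, size); len(proof) != want {
		return nil, fmt.Errorf("wrong proof size %d, want %d", len(proof), want)
	}
	inner := bits.Len64(index ^ (size - 1))
	for i, p := range proof {
		if i < inner && index>>uint(i)&1 == 0 {
			leaf, p = p, leaf // leaf is a left child, so it is hashed first
		}
		leaf = hash(1, p, leaf)
	}
	return leaf, nil
}

func main() { fmt.Println(proofLen(2993780, 2993781), proofLen(2993780, 2993782), proofLen(2993780, 3000000)) }
```

Under the stated assumption, `proofLen` gives 13 hashes at tree size 2993781, 14 at 2993782 and 20 at 3000000. On a small tree, the 2-hash proof that `build` produces for leaf 6 of 7 leaves is rejected by `rootFromProof(6, 8, ...)` with `wrong proof size 2, want 3`, while the same proof checked against size 7 folds to the 7-leaf root.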

@ianlewis
Copy link
Member Author

Ok, I guess we can see if it closes on its own when it runs next and keep our eye out for similar errors in the future.

@ianlewis ianlewis added this to the GA for generic generator milestone Jul 22, 2022