From 9aa2319ef03de468f1cb83c22ca0b3b12626e46b Mon Sep 17 00:00:00 2001
From: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Date: Wed, 2 Aug 2023 11:34:13 -0700
Subject: [PATCH] feat: Print byob builder (#677)

closes https://github.com/slsa-framework/slsa-verifier/issues/672

---------

Signed-off-by: laurentsimon
---
 .github/workflows/pr-title.yml       |  2 ++
 verifiers/internal/gha/provenance.go | 18 ++++++++++++++++++
 verifiers/internal/gha/verifier.go   | 11 ++++++++++-
 3 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index 0f6c41cab..05c7a663b 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -4,6 +4,8 @@ on:
   pull_request:
     types: [opened, edited, reopened, synchronize]
 
+permissions: read-all
+
 jobs:
   validate:
     runs-on: ubuntu-latest
diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go
index e31c8c625..a52f16acb 100644
--- a/verifiers/internal/gha/provenance.go
+++ b/verifiers/internal/gha/provenance.go
@@ -285,6 +285,24 @@ func isValidDelegatorBuilderID(prov iface.Provenance) error {
 	return utils.IsValidBuilderTag(parts[1], false)
 }
 
+// builderID returns the trusted builder ID from the provenance.
+// The certTrustedBuilderID input is from the Fulcio certificate.
+func builderID(env *dsselib.Envelope, certTrustedBuilderID *utils.TrustedBuilderID) (*utils.TrustedBuilderID, error) {
+	prov, err := slsaprovenance.ProvenanceFromEnvelope(certTrustedBuilderID.Name(), env)
+	if err != nil {
+		return nil, err
+	}
+	id, err := prov.BuilderID()
+	if err != nil {
+		return nil, err
+	}
+	verifiedBuilderID, err := utils.TrustedBuilderIDNew(id, true)
+	if err != nil {
+		return nil, err
+	}
+	return verifiedBuilderID, nil
+}
+
 // VerifyProvenance verifies the provenance for the given DSSE envelope.
 func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts, trustedBuilderID *utils.TrustedBuilderID, byob bool) error {
 	prov, err := slsaprovenance.ProvenanceFromEnvelope(trustedBuilderID.Name(), env)
diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go
index d49090fc5..a663f58b3 100644
--- a/verifiers/internal/gha/verifier.go
+++ b/verifiers/internal/gha/verifier.go
@@ -83,9 +83,18 @@ func verifyEnvAndCert(env *dsse.Envelope,
 		return nil, nil, err
 	}
 
+	if byob {
+		// Overwrite the builderID to match the one in the provenance.
+		verifiedBuilderID, err = builderID(env, verifiedBuilderID)
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+
 	fmt.Fprintf(os.Stderr, "Verified build using builder %q at commit %s\n",
-		workflowInfo.SubjectWorkflow.String(),
+		verifiedBuilderID.String(),
 		workflowInfo.SourceSha1)
 
+	// Return verified provenance.
 	r, err := base64.StdEncoding.DecodeString(env.Payload)
 	if err != nil {
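Review bot: The doc comment on `builderID` says it returns the trusted builder ID, but the value comes from `prov.BuilderID()`, i.e. the envelope payload, and is only wrapped by `utils.TrustedBuilderIDNew`; `certTrustedBuilderID` is used solely for `Name()` when parsing and nothing here ties the result back to the certificate. A reader should be told where the trust comes from, e.g. extend the comment with `// The returned ID is read from the provenance payload, not the certificate; it still has to be checked against the delegator (see isValidDelegatorBuilderID).` The bare `true` in `utils.TrustedBuilderIDNew(id, true)` also deserves a trailing comment naming the option it enables, since its meaning is not recoverable from this hunk. Whether the caller performs that delegator check afterwards is not visible here.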
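Review bot: The `Verified build using builder %q` message is printed immediately after `verifiedBuilderID` has, in the byob branch, been replaced by the ID parsed from the provenance payload, so in that mode the name in the message comes from the payload rather than from the certificate this function checked. If payload-level validation happens later in the caller (VerifyProvenance is not in this hunk), the message overstates what has been verified at this point; printing after that validation, or wording it as the builder the provenance claims, would be more accurate. Separately, the error from `builderID` is returned bare, so a failure there is indistinguishable from the certificate errors above it — `return nil, nil, fmt.Errorf("reading builder ID from provenance: %w", err)` keeps the origin. verifyEnvAndCert begins and ends outside the hunk.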