Open ramonpetgrave64 opened 3 weeks ago
Interesting discovery, @ramonpetgrave64, TIL!
I can see that `gh attestation verify` creates a regex based on the signer workflow input, which explains how this works as you've described. I don't know if this is an intended but undocumented behavior or something to fix, so I defer to @malancas and @steiza there.
The code in question:
I don't have a strong opinion here. I think it would be okay to update the documentation to clarify that `--signer-workflow` is handled like a regex, or to change it to be an exact match, and/or to add a `--signer-workflow-regex`.
For what it's worth, I haven't heard from any users and can't think of any existing use cases that would need a `--signer-workflow-regex`, so maybe I have a slight preference for changing `--signer-workflow` to be an exact match.
@steiza it's important that we have the ability to verify the ref of the signer workflow. The regex feature is convenient when the verifier wants to check that the signer workflow comes from a set of known branches or tags that take advantage of GitHub Repository Rules or Protected Branches, such as "/release-*" or "^v\d+.\d+.\d+$" for matching the tag v1.2.3, but not v1.2.3-rc.1.
If we only update the docs for `--signer-workflow` to say that it's supposed to be a regex, I'm worried that it won't be self-explanatory and a user may still expect it to do a full string match.
Speaking of expected refs, I'd also like the CLI to support matching expected source repo refs, for the same reasons I wrote above. I can open a new issue later to discuss that.
Describe the bug
Currently the `gh attestation verify --help` text for the `--signer-workflow` option does not seem to suggest that the user input is meant to be treated as a regex, since there is also another `--cert-identity-regex` option. However, I found that if I supplied an incorrect value, the returned error messages suggest the tool will always treat my input as a regex. And so I've been able to supply regexes to `--signer-workflow`.

Steps to reproduce the behavior
See my example workflow and download the artifacts and attestations.
1. Invoke, supplying the incorrect signer branch name.
2. Invoke, supplying a regex that would match multiple different branch names, including the correct branch name.
3. Invoke, supplying an incomplete signer workflow URI, not including the ref, and also cutting off the last few characters of the workflow's file name.

Expected vs actual behavior
With the wording of the documentation, I would not expect user input for `--signer-workflow` to be treated as a regex, especially since it's possible to supply an incomplete workflow URI, for example `[host/]<owner>/<repo>/<path>/<t` instead of the full `[host/]<owner>/<repo>/<path>/<to>/<workflow>`. Instead, it should probably be treated as a full string match, and another future `--signer-workflow-regex` option should handle regexes.

Logs
Logs supplied above.
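As an added illustration (not code from the gh CLI or from anyone in this thread), here is a hypothetical Go model of the two matching semantics under discussion: the user input compiled as a start-anchored regex versus a full-string comparison, run over constructed signing-certificate identities. Function names and the sample identities are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed signing-certificate identities (SANs); placeholders, not real values.
var sampleIdentities = []string{
	"https://github.com/example-org/example-repo/.github/workflows/release.yml@refs/heads/main",
	"https://github.com/example-org/example-repo/.github/workflows/release.yml@refs/heads/release-1",
	"https://github.com/example-org/example-repo/.github/workflows/release-notes.yml@refs/heads/main",
}

// matchAsRegex models the behaviour the issue reports (hypothetical, not gh's code):
// the input is compiled as a regex anchored only at the start, so a truncated URI
// or a branch wildcard still matches.
func matchAsRegex(input string, identities []string) ([]string, error) {
	re, err := regexp.Compile("^https://" + input)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, id := range identities {
		if re.MatchString(id) {
			hits = append(hits, id)
		}
	}
	return hits, nil
}

// matchExact is the full-string match the issue proposes; an input without
// an "@ref" suffix is compared against the identity with its ref stripped.
func matchExact(input string, identities []string) []string {
	var hits []string
	for _, id := range identities {
		candidate := id
		if !strings.Contains(input, "@") {
			candidate, _, _ = strings.Cut(id, "@")
		}
		if candidate == "https://"+input {
			hits = append(hits, id)
		}
	}
	return hits
}

func main() {
	in := "github.com/example-org/example-repo/.github/workflows/relea" // truncated on purpose
	regexHits, _ := matchAsRegex(in, sampleIdentities)
	fmt.Println(len(regexHits), len(matchExact(in, sampleIdentities))) // 3 0
}
```

The truncated input matches every identity under regex semantics but none under exact matching, which is the discrepancy the report describes.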