ossf / scorecard-webapp

Website and API for OpenSSF Scorecard
https://scorecard.dev
Apache License 2.0

Upload from GitLab CI fails with `repository and branch of cert doesn't match that of request` #561

Open jamietanna opened 8 months ago

jamietanna commented 8 months ago

I've just been looking at adding support for publishing results from GitLab CI for a few of my projects.

I've just hit #511 with my test repo, so I thought I'd try using a non-nested group, which now fails with something slightly different:

```
2024/02/20 12:01:49 error processing signature: error sending scorecard results to webapp: http response 400, status: 400 Bad Request, error: {"code":400,"message":"workflow verification failed: repository and branch of cert doesn't match that of request, see https://github.com/ossf/scorecard-action#workflow-restrictions for details."}
```

There's some more details in my thread in the OpenSSF Slack, if that's of help.

The ephemeral certificate has the following data within it:

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5a:fa:aa:f8:2a:df:9c:09:8d:6a:2e:e3:84:be:16:ff:bd:13:77:79
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: O=sigstore.dev, CN=sigstore-intermediate
        Validity
            Not Before: Feb 20 12:01:34 2024 GMT
            Not After : Feb 20 12:11:34 2024 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:93:8a:e6:ab:41:f6:65:e3:f6:2c:e8:6b:91:85:
                    a5:be:09:d1:b6:7e:da:15:4b:b1:f7:0e:a3:83:32:
                    f6:d9:fc:53:d7:43:cb:20:ab:ba:26:63:7f:16:fa:
                    6a:9d:34:be:8f:39:50:dd:f8:fa:56:d9:a0:5a:2b:
                    19:ea:ba:d5:2d
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
            X509v3 Subject Key Identifier:
                2D:3A:F3:CB:D9:28:8F:FB:95:CA:05:AC:2B:3A:67:96:25:C7:24:E1
            X509v3 Authority Key Identifier:
                DF:D3:E9:CF:56:24:11:96:F9:A8:D8:E9:28:55:A2:C6:2E:18:64:3F
            X509v3 Subject Alternative Name: critical
                URI:https://gitlab.com/jamietanna/hacking-scorecards-gitlab//.gitlab-ci.yml@refs/heads/main
            1.3.6.1.4.1.57264.1.1:
                https://gitlab.com
            1.3.6.1.4.1.57264.1.8:
                ..https://gitlab.com
            1.3.6.1.4.1.57264.1.9:
                .Whttps://gitlab.com/jamietanna/hacking-scorecards-gitlab//.gitlab-ci.yml@refs/heads/main
            1.3.6.1.4.1.57264.1.10:
                .(41b7c9b1e870fb7efaf998f1e4e935e4b6190c98
            1.3.6.1.4.1.57264.1.11:
                ..gitlab-hosted
            1.3.6.1.4.1.57264.1.12:
                .7https://gitlab.com/jamietanna/hacking-scorecards-gitlab
            1.3.6.1.4.1.57264.1.13:
                .(41b7c9b1e870fb7efaf998f1e4e935e4b6190c98
            1.3.6.1.4.1.57264.1.14:
                ..refs/heads/main
            1.3.6.1.4.1.57264.1.15:
                ..55110726
            1.3.6.1.4.1.57264.1.16:
                ..https://gitlab.com/jamietanna
            1.3.6.1.4.1.57264.1.17:
                ..305304
            1.3.6.1.4.1.57264.1.18:
                .Whttps://gitlab.com/jamietanna/hacking-scorecards-gitlab//.gitlab-ci.yml@refs/heads/main
            1.3.6.1.4.1.57264.1.19:
                .(41b7c9b1e870fb7efaf998f1e4e935e4b6190c98
            1.3.6.1.4.1.57264.1.20:
                ..push
            1.3.6.1.4.1.57264.1.21:
                .Ihttps://gitlab.com/jamietanna/hacking-scorecards-gitlab/-/jobs/6212550642
            1.3.6.1.4.1.57264.1.22:
                ..public
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : DD:3D:30:6A:C6:C7:11:32:63:19:1E:1C:99:67:37:02:
                                A2:4A:5E:B8:DE:3C:AD:FF:87:8A:72:80:2F:29:EE:8E
                    Timestamp : Feb 20 12:01:34.423 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:32:4E:FC:E3:4B:90:C6:14:2F:06:1C:1C:
                                12:13:42:1C:34:3C:4A:1B:E3:5D:C0:A4:DA:8C:26:28:
                                B4:CE:F6:26:02:20:11:3B:0C:CF:1B:FC:38:AB:E1:AC:
                                69:C8:5C:71:F6:51:66:C6:FA:33:A3:B3:11:D6:8F:E3:
                                36:E8:BE:FA:D6:B1
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:65:02:31:00:e3:26:30:93:3d:d1:17:59:e4:87:bb:18:99:
        76:01:5d:71:8e:2e:7e:79:58:d5:0f:6c:1c:31:eb:4d:f8:9a:
        e8:6a:d2:a1:47:34:9e:2c:36:af:96:70:0d:5a:8c:76:0e:02:
        30:25:a1:23:24:44:d6:78:79:49:99:9d:f0:6d:50:47:23:f7:
        8f:82:5b:62:09:91:59:91:72:5d:4e:c6:09:a5:a3:4c:67:9a:
        a3:e4:b8:ed:60:eb:ac:5c:02:d6:a9:b8:55
```

I'm taking advantage of https://github.com/sigstore/cosign/pull/2864 to use a Sigstore-specific ID token to provide non-interactive authentication, and then using the CI_JOB_JWT to actually sign the data.

spencerschrock commented 8 months ago

Thanks for including the certificate. I haven't seen the populated entries for GitLab yet.

There are a few things to discuss here:

  1. Following the cert back to the producing workflow
  2. Verifying the workflow

For the first point, #554 would likely need to be done first. The GitLab cert above doesn't have the fields we currently check, but does have the fields we should be checking to (partially) fix #554 as well.

For the second point, I'm not as familiar with GitLab CI, but there doesn't seem to be a GitHub action "marketplace". One benefit of that on the GitHub side is it allows us to have confidence about how the results are produced. What steps would help ensure someone didn't create their own JSON payload to upload?

raghavkaul commented 8 months ago

I see GitLab is working on an equivalent to the GitHub Actions ecosystem: https://about.gitlab.com/blog/2023/07/10/introducing-ci-components/. If there were a standard Scorecard action component on GitLab, we could check for the presence of the component in the workflow file, similar to how we check for the Scorecard job in https://github.com/ossf/scorecard-webapp/blob/efeceb7f76c949f59f12035bbb3bec0d978d4f87/app/server/verify_workflow.go#L194

I would want this feature out of experimental before we rely on it, though.

adam-moss commented 3 months ago

Just to note, CI Components became GA with GitLab v17

adam-moss commented 3 weeks ago

Just to note, CI Components became GA with GitLab v17

And now they have verified badges too, if that is something you wanted to explore: https://docs.gitlab.com/ee/ci/components/#verified-component-creators