Open ianlewis opened 2 years ago
It's part of the DSSE format https://github.com/secure-systems-lab/go-securesystemslib/tree/main/dsse Here's an example of the final results https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/testdata/binary-linux-amd64.intoto.jsonl
Hmm, I got confused as to the Go builder's output because e2e-verify.sh
seems to base64 decode the entire file.
https://github.com/slsa-framework/slsa-github-generator/blob/15ea472d4b1b16fd92a2d0e1de23d2c62e0b9309/.github/workflows/scripts/e2e-verify.sh#L22-L23
This seems to be different from the scripts in example-package
which extracts the payload. I'm not sure how the e2e pre-submits work for the Go builder if that's the case. 😕
https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e-verify.sh#L134-L135
It's part of the DSSE format https://github.com/secure-systems-lab/go-securesystemslib/tree/main/dsse Here's an example of the final results https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/testdata/binary-linux-amd64.intoto.jsonl
I also thought that sigstore's dsse library did the base64 encoding for us so we shouldn't have to do it ourselves. https://github.com/slsa-framework/slsa-github-generator/blob/15ea472d4b1b16fd92a2d0e1de23d2c62e0b9309/signing/sigstore/fulcio.go#L100-L105
Hmm, I got confused as to the Go builder's output because
e2e-verify.sh
seems to base64 decode the entire file.This seems to be different from the scripts in
example-package
which extracts the payload. I'm not sure how the e2e pre-submits work for the Go builder if that's the case. 😕 https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e-verify.sh#L134-L135
sorry, I get the confusion. For pre-submits, we omit the signature (no OIDC write access) but still base64-encode to be consistent with DSSE https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/pkg/provenance.go#L145
In example-package, the full DSSE is used, so we extract the payload from the DSSE (base64--encoding is done by sigstore API).
I have kept the base64-encoding on pre-submit because it's like an opaque string to pass around VMs (and it's consistent with DSSE), but besides that it has not particular benefits.
Ok, I'll just get something working for my presubmit and we'll think about how we might clean this up moving forward. Maybe just adding some comments to clarify things would help for now.
Removed from v1 as it's not critical to solve right now.
@laurentsimon The Go builder outputs json provenance as base64 encoded. The generic provenance-only builder just outputs json without encoding. I'd like to be consistent, but base64 encoding didn't seem to me to provide any particular benefit. Any reason that json output for the Go builder encodes the data in base64?
https://github.com/slsa-framework/slsa-github-generator/blob/dc15f82c63a7c87294491c8f5c99f0e7e6451317/internal/builders/go/pkg/marshall.go#L29-L32