search

slsa-framework / slsa-github-generator

Language-agnostic SLSA provenance generation for Github Actions
Apache License 2.0
413 stars 127 forks source link

Attestation output file format (base64 or no?) #129

Open ianlewis opened 2 years ago

ianlewis commented 2 years ago

@laurentsimon The Go builder outputs json provenance as base64 encoded. The generic provenance-only builder just outputs json without encoding. I'd like to be consistent, but base64 encoding didn't seem to me to provide any particular benefit. Any reason that json output for the Go builder encodes the data in base64?

https://github.com/slsa-framework/slsa-github-generator/blob/dc15f82c63a7c87294491c8f5c99f0e7e6451317/internal/builders/go/pkg/marshall.go#L29-L32

laurentsimon commented 2 years ago

It's part of the DSSE format https://github.com/secure-systems-lab/go-securesystemslib/tree/main/dsse Here's an example of the final results https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/testdata/binary-linux-amd64.intoto.jsonl

ianlewis commented 2 years ago

Hmm, I got confused as to the Go builder's output because e2e-verify.sh seems to base64 decode the entire file. https://github.com/slsa-framework/slsa-github-generator/blob/15ea472d4b1b16fd92a2d0e1de23d2c62e0b9309/.github/workflows/scripts/e2e-verify.sh#L22-L23

This seems to be different from the scripts in example-package which extracts the payload. I'm not sure how the e2e pre-submits work for the Go builder if that's the case. 😕 https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e-verify.sh#L134-L135

ianlewis commented 2 years ago

It's part of the DSSE format https://github.com/secure-systems-lab/go-securesystemslib/tree/main/dsse Here's an example of the final results https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/testdata/binary-linux-amd64.intoto.jsonl

I also thought that sigstore's dsse library did the base64 encoding for us so we shouldn't have to do it ourselves. https://github.com/slsa-framework/slsa-github-generator/blob/15ea472d4b1b16fd92a2d0e1de23d2c62e0b9309/signing/sigstore/fulcio.go#L100-L105

laurentsimon commented 2 years ago

Hmm, I got confused as to the Go builder's output because e2e-verify.sh seems to base64 decode the entire file.

https://github.com/slsa-framework/slsa-github-generator/blob/15ea472d4b1b16fd92a2d0e1de23d2c62e0b9309/.github/workflows/scripts/e2e-verify.sh#L22-L23

This seems to be different from the scripts in example-package which extracts the payload. I'm not sure how the e2e pre-submits work for the Go builder if that's the case. 😕 https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e-verify.sh#L134-L135

sorry, I get the confusion. For pre-submits, we omit the signature (no OIDC write access) but still base64-encode to be consistent with DSSE https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/pkg/provenance.go#L145

In example-package, the full DSSE is used, so we extract the payload from the DSSE (base64--encoding is done by sigstore API).

I have kept the base64-encoding on pre-submit because it's like an opaque string to pass around VMs (and it's consistent with DSSE), but besides that it has not particular benefits.

ianlewis commented 2 years ago

Ok, I'll just get something working for my presubmit and we'll think about how we might clean this up moving forward. Maybe just adding some comments to clarify things would help for now.

ianlewis commented 2 years ago

Removed from v1 as it's not critical to solve right now.