slsa-framework / slsa-github-generator

Language-agnostic SLSA provenance generation for Github Actions
Apache License 2.0

Using UUID Output from “generator/Create and sign provenance” Step in generator_generic_slsa3 Job #3741

Open daoauth opened 1 month ago

daoauth commented 1 month ago

When using generator_generic_slsa3 in the workflow, the last part of the "generator/Create and sign provenance" step outputs "Uploaded signed attestation to rekor with UUID". I would like to use this UUID value as input in a subsequent job. How should I do this?

ramonpetgrave64 commented 1 month ago

You would have to modify the workflow to save the command output as Step, Job, and Workflow outputs. We would welcome a PR.

From

```shell
# Capture the command's output into a variable while still streaming it to the job log.
# (An `export` inside a `>(...)` process substitution runs in a subshell and is not
# visible to the parent step's shell, so the value is captured in the parent instead.)
output="$(your_command | tee /dev/stderr)"
export MY_VAR="$output"
```

And set the output like this
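An added example (not code from slsa-github-generator or from anyone in this thread) of the step-level plumbing described above: it extracts the UUID from the "Uploaded signed attestation to rekor with UUID" log line and writes it to the standard `$GITHUB_OUTPUT` file. The exact log-line wording is assumed from the issue text, and the function names, output name and sample log are made up.

```shell
#!/usr/bin/env bash
# Added example, not part of slsa-github-generator.
set -eu

# Read a log stream on stdin and print the UUID that follows
# "Uploaded signed attestation to rekor with UUID" (first match only).
# Returns 1 when no such line is present so a missing UUID fails the step
# instead of silently producing an empty output.
extract_rekor_uuid() {
    uuid=$(awk '
        /Uploaded signed attestation to rekor with UUID/ && !found {
            for (i = 1; i <= NF; i++) if ($i ~ /^UUID:?$/) { u = $(i + 1); break }
            sub(/[.,;]+$/, "", u)          # drop trailing punctuation, if any
            if (u != "") { print u; found = 1 }
        }')
    [ -n "$uuid" ] || return 1
    printf '%s\n' "$uuid"
}

# Append the UUID to the step outputs file that GitHub Actions provides in
# $GITHUB_OUTPUT. With the step declared as `id: sign`, later steps read
# ${{ steps.sign.outputs.rekor-uuid }}; mapping it in the job's `outputs:`
# block then makes it available to dependent jobs. ("rekor-uuid" is an
# assumed output name.)
export_rekor_uuid() {
    uuid="$1"
    outfile="${GITHUB_OUTPUT:?GITHUB_OUTPUT is not set}"
    printf 'rekor-uuid=%s\n' "$uuid" >> "$outfile"
}

# Inside the step this would be used as (sign-provenance is a placeholder):
#   uuid=$(./sign-provenance | tee /dev/stderr | extract_rekor_uuid)
#   export_rekor_uuid "$uuid"

# Demo on a constructed log excerpt (not real generator output).
demo() {
    sample='Signing provenance...
Uploaded signed attestation to rekor with UUID 24296fb24b8ad77a1111111111111111111111111111111111111111111111111111111111111111.
done'
    printf '%s\n' "$sample" | extract_rekor_uuid
}
```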

ramonpetgrave64 commented 1 month ago

Can you tell us more about your use-case for outputting the rekor UUID as a workflow output?

daoauth commented 1 month ago

> Can you tell us more about your use-case for outputting the rekor UUID as a workflow output?

We need to search for unique logs in sigstore using the rekor entry UUID to verify provenance. Using the hash alone isn't enough to identify the provenance generated by the current workflow, especially if the deployment fails or multiple people deploy the same code. Therefore, the rekor Entry UUID as a workflow output is crucial to accurately identify the generated provenance.

haydentherapper commented 1 month ago

For Sigstore, we want to discourage doing live lookups in the log in favor of verifying persisted inclusion proofs offline. We've filed an issue (https://github.com/slsa-framework/slsa-github-generator/issues/3750) to track support for this. In the meantime, adding the Rekor entry UUID as output seems reasonable.