godofredoc
commented
1 year ago \cc @drewroengoogle
Open godofredoc opened 1 year ago
godofredoc
commented
1 year ago \cc @drewroengoogle
drewroengoogle
commented
1 year ago In regards to impact, this is preventing us from doing any deployments of our Flutter infra applications. Is there a workaround or flag we can set to ignore the sourceProvenance change? The above provenance is automatically generated by Cloud Build, and we are using slsa-verifier 2.3.0, although from trying to verify the provenance locally, it seems to also be happening in 2.4.0.
laurentsimon
commented
1 year ago Thanks for the report. Please revert to the older slsa-verifier version (2.3.0). Can you attach (or copy) the result of your gcloud artifacts docker images describe in the issue?
We added some preliminary code to verify GCB v1.0 in v2.4.0, but not fully tested and not officially released. We're missing the e2e tests. I'll work on these right away and cut a new version
drewroengoogle
commented
1 year ago Yes, here's the provenance of one of an artifact that failed validation today:
{
"image_summary": {
"digest": "sha256:7c8a71a843ee128ff4baadab3a05076d07ffb8d47d8affc759a87a60b1d9153c",
"fully_qualified_digest": "us-docker.pkg.dev/flutter-dashboard/appengine/default.version-27ecaf6@sha256:7c8a71a843ee128ff4baadab3a05076d07ffb8d47d8affc759a87a60b1d9153c",
"registry": "us-docker.pkg.dev",
"repository": "appengine"
},
"provenance_summary": {
"provenance": [
{
"build": {
"intotoStatement": {
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.1",
"slsaProvenance": {
"builder": {
"id": "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3"
},
"materials": [
{
"digest": {
"sha1": "27ecaf67be8ec7f8571b75553715bc05f3a7022c"
},
"uri": "git+https://github.com/flutter/cocoon"
}
],
"metadata": {
"buildFinishedOn": "2023-08-28T17:28:17.432966Z",
"buildInvocationId": "22237782-5a12-46fd-a753-1fc36ca79818",
"buildStartedOn": "2023-08-28T17:23:47.928930449Z"
},
"recipe": {
"arguments": {
"@type": "type.googleapis.com/google.devtools.cloudbuild.v1.Build",
"id": "22237782-5a12-46fd-a753-1fc36ca79818",
"name": "projects/308150028417/locations/global/builds/22237782-5a12-46fd-a753-1fc36ca79818",
"options": {
"dynamicSubstitutions": true,
"logging": "LEGACY",
"pool": {},
"requestedVerifyOption": "VERIFIED",
"substitutionOption": "ALLOW_LOOSE"
},
"sourceProvenance": {},
"steps": [
{
"args": [
"cloud_build/dashboard_build.sh"
],
"entrypoint": "/bin/bash",
"name": "us-docker.pkg.dev/flutter-dashboard/flutter/flutter",
"pullTiming": {
"endTime": "2023-08-28T17:24:27.360161386Z",
"startTime": "2023-08-28T17:23:51.511735054Z"
},
"status": "SUCCESS",
"timing": {
"endTime": "2023-08-28T17:27:06.448156408Z",
"startTime": "2023-08-28T17:23:51.511735054Z"
}
},
{
"args": [
"build",
"-t",
"us-docker.pkg.dev/flutter-dashboard/appengine/default.version-27ecaf6",
"app_dart"
],
"name": "us-docker.pkg.dev/cloud-builders/ga/v1/docker",
"pullTiming": {
"endTime": "2023-08-28T17:27:22.507876044Z",
"startTime": "2023-08-28T17:27:06.448243160Z"
},
"status": "SUCCESS",
"timing": {
"endTime": "2023-08-28T17:27:56.241362235Z",
"startTime": "2023-08-28T17:27:06.448243160Z"
}
},
{
"args": [
"-c",
"gcloud builds submit \\\n --config app_dart/cloudbuild_app_dart_deploy.yaml \\\n --substitutions=\"SHORT_SHA=27ecaf6\" \\\n --async"
],
"entrypoint": "/bin/bash",
"name": "gcr.io/cloud-builders/gcloud",
"pullTiming": {
"endTime": "2023-08-28T17:27:56.244231571Z",
"startTime": "2023-08-28T17:27:56.241498675Z"
},
"status": "SUCCESS",
"timing": {
"endTime": "2023-08-28T17:28:07.789365002Z",
"startTime": "2023-08-28T17:27:56.241498675Z"
}
}
],
"substitutions": {
"BRANCH_NAME": "main",
"COMMIT_SHA": "27ecaf67be8ec7f8571b75553715bc05f3a7022c",
"REF_NAME": "main",
"REPO_FULL_NAME": "flutter/cocoon",
"REPO_NAME": "cocoon",
"REVISION_ID": "27ecaf67be8ec7f8571b75553715bc05f3a7022c",
"SHORT_SHA": "27ecaf6",
"TRIGGER_BUILD_CONFIG_PATH": "app_dart/cloudbuild_app_dart.yaml",
"TRIGGER_NAME": "cocoon-app-dart"
}
},
"entryPoint": "app_dart/cloudbuild_app_dart.yaml",
"type": "https://cloudbuild.googleapis.com/CloudBuildYaml@v0.1"
}
},
"subject": [
{
"digest": {
"sha256": "7c8a71a843ee128ff4baadab3a05076d07ffb8d47d8affc759a87a60b1d9153c"
},
"name": "https://us-docker.pkg.dev/flutter-dashboard/appengine/default.version-27ecaf6"
},
{
"digest": {
"sha256": "7c8a71a843ee128ff4baadab3a05076d07ffb8d47d8affc759a87a60b1d9153c"
},
"name": "https://us-docker.pkg.dev/flutter-dashboard/appengine/default.version-27ecaf6:latest"
}
]
}
},
"createTime": "2023-08-28T17:28:18.356251Z",
"envelope": {
"payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZSI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9jbG91ZGJ1aWxkLmdvb2dsZWFwaXMuY29tL0dvb2dsZUhvc3RlZFdvcmtlckB2MC4zIn0sIm1hdGVyaWFscyI6W3siZGlnZXN0Ijp7InNoYTEiOiIyN2VjYWY2N2JlOGVjN2Y4NTcxYjc1NTUzNzE1YmMwNWYzYTcwMjJjIn0sInVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vZmx1dHRlci9jb2Nvb24ifV0sIm1ldGFkYXRhIjp7ImJ1aWxkRmluaXNoZWRPbiI6IjIwMjMtMDgtMjhUMTc6Mjg6MTcuNDMyOTY2WiIsImJ1aWxkSW52b2NhdGlvbklkIjoiMjIyMzc3ODItNWExMi00NmZkLWE3NTMtMWZjMzZjYTc5ODE4IiwiYnVpbGRTdGFydGVkT24iOiIyMDIzLTA4LTI4VDE3OjIzOjQ3LjkyODkzMDQ0OVoifSwicmVjaXBlIjp7ImFyZ3VtZW50cyI6eyJAdHlwZSI6InR5cGUuZ29vZ2xlYXBpcy5jb20vZ29vZ2xlLmRldnRvb2xzLmNsb3VkYnVpbGQudjEuQnVpbGQiLCJpZCI6IjIyMjM3NzgyLTVhMTItNDZmZC1hNzUzLTFmYzM2Y2E3OTgxOCIsIm5hbWUiOiJwcm9qZWN0cy8zMDgxNTAwMjg0MTcvbG9jYXRpb25zL2dsb2JhbC9idWlsZHMvMjIyMzc3ODItNWExMi00NmZkLWE3NTMtMWZjMzZjYTc5ODE4Iiwib3B0aW9ucyI6eyJkeW5hbWljU3Vic3RpdHV0aW9ucyI6dHJ1ZSwibG9nZ2luZyI6IkxFR0FDWSIsInBvb2wiOnt9LCJyZXF1ZXN0ZWRWZXJpZnlPcHRpb24iOiJWRVJJRklFRCIsInN1YnN0aXR1dGlvbk9wdGlvbiI6IkFMTE9XX0xPT1NFIn0sInNvdXJjZVByb3ZlbmFuY2UiOnsicmVzb2x2ZWRHaXRTb3VyY2UiOnsicmV2aXNpb24iOiIyN2VjYWY2N2JlOGVjN2Y4NTcxYjc1NTUzNzE1YmMwNWYzYTcwMjJjIiwidXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL2ZsdXR0ZXIvY29jb29uLmdpdCJ9fSwic3RlcHMiOlt7ImFyZ3MiOlsiY2xvdWRfYnVpbGQvZGFzaGJvYXJkX2J1aWxkLnNoIl0sImVudHJ5cG9pbnQiOiIvYmluL2Jhc2giLCJuYW1lIjoidXMtZG9ja2VyLnBrZy5kZXYvZmx1dHRlci1kYXNoYm9hcmQvZmx1dHRlci9mbHV0dGVyIiwicHVsbFRpbWluZyI6eyJlbmRUaW1lIjoiMjAyMy0wOC0yOFQxNzoyNDoyNy4zNjAxNjEzODZaIiwic3RhcnRUaW1lIjoiMjAyMy0wOC0yOFQxNzoyMzo1MS41MTE3MzUwNTRaIn0sInN0YXR1cyI6IlNVQ0NFU1MiLCJ0aW1pbmciOnsiZW5kVGltZSI6IjIwMjMtMDgtMjhUMTc6Mjc6MDYuNDQ4MTU2NDA4WiIsInN0YXJ0VGltZSI6IjIwMjMtMDgtMjhUMTc6MjM6NTEuNTExNzM1MDU0WiJ9fSx7ImFyZ3MiOlsiYnVpbGQiLCItdCIsInVzLWRvY2tlci5wa2cuZGV2L2ZsdXR0ZXItZGFzaGJvYXJkL2FwcGVuZ2luZS9kZWZhdWx0LnZlcnNpb24tMjdlY2FmNiIsImFwcF9kYXJ0Il0sIm5hbWUiOiJ1cy1kb2NrZXIucGtnLmRldi9jbG91ZC1idWlsZGVycy9nYS92MS9kb2NrZXIiLCJwdWxsVGltaW5nIjp7ImVuZFRpbWUiOiIyMDIzLTA4LTI4VDE3OjI3OjIyLjUwNzg3NjA0NFoiLCJzdGFydFRpbWUiOiIyMDIzLTA4LTI4VDE3OjI3OjA2LjQ0ODI0MzE2MFoifSwic3RhdHVzIjoiU1VDQ0VTUyIsInRpbWluZyI6eyJlbmRUaW1lIjoiMjAyMy0wOC0yOFQxNzoyNzo1Ni4yNDEzNjIyMzVaIiwic3RhcnRUaW1lIjoiMjAyMy0wOC0yOFQxNzoyNzowNi40NDgyNDMxNjBaIn19LHsiYXJncyI6WyItYyIsImdjbG91ZCBidWlsZHMgc3VibWl0IFxcXG4gIC0tY29uZmlnIGFwcF9kYXJ0L2Nsb3VkYnVpbGRfYXBwX2RhcnRfZGVwbG95LnlhbWwgXFxcbiAgLS1zdWJzdGl0dXRpb25zPVwiU0hPUlRfU0hBPTI3ZWNhZjZcIiBcXFxuICAtLWFzeW5jIl0sImVudHJ5cG9pbnQiOiIvYmluL2Jhc2giLCJuYW1lIjoiZ2NyLmlvL2Nsb3VkLWJ1aWxkZXJzL2djbG91ZCIsInB1bGxUaW1pbmciOnsiZW5kVGltZSI6IjIwMjMtMDgtMjhUMTc6Mjc6NTYuMjQ0MjMxNTcxWiIsInN0YXJ0VGltZSI6IjIwMjMtMDgtMjhUMTc6Mjc6NTYuMjQxNDk4Njc1WiJ9LCJzdGF0dXMiOiJTVUNDRVNTIiwidGltaW5nIjp7ImVuZFRpbWUiOiIyMDIzLTA4LTI4VDE3OjI4OjA3Ljc4OTM2NTAwMloiLCJzdGFydFRpbWUiOiIyMDIzLTA4LTI4VDE3OjI3OjU2LjI0MTQ5ODY3NVoifX1dLCJzdWJzdGl0dXRpb25zIjp7IkJSQU5DSF9OQU1FIjoibWFpbiIsIkNPTU1JVF9TSEEiOiIyN2VjYWY2N2JlOGVjN2Y4NTcxYjc1NTUzNzE1YmMwNWYzYTcwMjJjIiwiUkVGX05BTUUiOiJtYWluIiwiUkVQT19GVUxMX05BTUUiOiJmbHV0dGVyL2NvY29vbiIsIlJFUE9fTkFNRSI6ImNvY29vbiIsIlJFVklTSU9OX0lEIjoiMjdlY2FmNjdiZThlYzdmODU3MWI3NTU1MzcxNWJjMDVmM2E3MDIyYyIsIlNIT1JUX1NIQSI6IjI3ZWNhZjYiLCJUUklHR0VSX0JVSUxEX0NPTkZJR19QQVRIIjoiYXBwX2RhcnQvY2xvdWRidWlsZF9hcHBfZGFydC55YW1sIiwiVFJJR0dFUl9OQU1FIjoiY29jb29uLWFwcC1kYXJ0In19LCJlbnRyeVBvaW50IjoiYXBwX2RhcnQvY2xvdWRidWlsZF9hcHBfZGFydC55YW1sIiwidHlwZSI6Imh0dHBzOi8vY2xvdWRidWlsZC5nb29nbGVhcGlzLmNvbS9DbG91ZEJ1aWxkWWFtbEB2MC4xIn19LCJwcmVkaWNhdGVUeXBlIjoiaHR0cHM6Ly9zbHNhLmRldi9wcm92ZW5hbmNlL3YwLjEiLCJzbHNhUHJvdmVuYW5jZSI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9jbG91ZGJ1aWxkLmdvb2dsZWFwaXMuY29tL0dvb2dsZUhvc3RlZFdvcmtlckB2MC4zIn0sIm1hdGVyaWFscyI6W3siZGlnZXN0Ijp7InNoYTEiOiIyN2VjYWY2N2JlOGVjN2Y4NTcxYjc1NTUzNzE1YmMwNWYzYTcwMjJjIn0sInVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vZmx1dHRlci9jb2Nvb24ifV0sIm1ldGFkYXRhIjp7ImJ1aWxkRmluaXNoZWRPbiI6IjIwMjMtMDgtMjhUMTc6Mjg6MTcuNDMyOTY2WiIsImJ1aWxkSW52b2NhdGlvbklkIjoiMjIyMzc3ODItNWExMi00NmZkLWE3NTMtMWZjMzZjYTc5ODE4IiwiYnVpbGRTdGFydGVkT24iOiIyMDIzLTA4LTI4VDE3OjIzOjQ3LjkyODkzMDQ0OVoifSwicmVjaXBlIjp7ImFyZ3VtZW50cyI6eyJAdHlwZSI6InR5cGUuZ29vZ2xlYXBpcy5jb20vZ29vZ2xlLmRldnRvb2xzLmNsb3VkYnVpbGQudjEuQnVpbGQiLCJpZCI6IjIyMjM3NzgyLTVhMTItNDZmZC1hNzUzLTFmYzM2Y2E3OTgxOCIsIm5hbWUiOiJwcm9qZWN0cy8zMDgxNTAwMjg0MTcvbG9jYXRpb25zL2dsb2JhbC9idWlsZHMvMjIyMzc3ODItNWExMi00NmZkLWE3NTMtMWZjMzZjYTc5ODE4Iiwib3B0aW9ucyI6eyJkeW5hbWljU3Vic3RpdHV0aW9ucyI6dHJ1ZSwibG9nZ2luZyI6IkxFR0FDWSIsInBvb2wiOnt9LCJyZXF1ZXN0ZWRWZXJpZnlPcHRpb24iOiJWRVJJRklFRCIsInN1YnN0aXR1dGlvbk9wdGlvbiI6IkFMTE9XX0xPT1NFIn0sInNvdXJjZVByb3ZlbmFuY2UiOnsicmVzb2x2ZWRHaXRTb3VyY2UiOnsicmV2aXNpb24iOiIyN2VjYWY2N2JlOGVjN2Y4NTcxYjc1NTUzNzE1YmMwNWYzYTcwMjJjIiwidXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL2ZsdXR0ZXIvY29jb29uLmdpdCJ9fSwic3RlcHMiOlt7ImFyZ3MiOlsiY2xvdWRfYnVpbGQvZGFzaGJvYXJkX2J1aWxkLnNoIl0sImVudHJ5cG9pbnQiOiIvYmluL2Jhc2giLCJuYW1lIjoidXMtZG9ja2VyLnBrZy5kZXYvZmx1dHRlci1kYXNoYm9hcmQvZmx1dHRlci9mbHV0dGVyIiwicHVsbFRpbWluZyI6eyJlbmRUaW1lIjoiMjAyMy0wOC0yOFQxNzoyNDoyNy4zNjAxNjEzODZaIiwic3RhcnRUaW1lIjoiMjAyMy0wOC0yOFQxNzoyMzo1MS41MTE3MzUwNTRaIn0sInN0YXR1cyI6IlNVQ0NFU1MiLCJ0aW1pbmciOnsiZW5kVGltZSI6IjIwMjMtMDgtMjhUMTc6Mjc6MDYuNDQ4MTU2NDA4WiIsInN0YXJ0VGltZSI6IjIwMjMtMDgtMjhUMTc6MjM6NTEuNTExNzM1MDU0WiJ9fSx7ImFyZ3MiOlsiYnVpbGQiLCItdCIsInVzLWRvY2tlci5wa2cuZGV2L2ZsdXR0ZXItZGFzaGJvYXJkL2FwcGVuZ2luZS9kZWZhdWx0LnZlcnNpb24tMjdlY2FmNiIsImFwcF9kYXJ0Il0sIm5hbWUiOiJ1cy1kb2NrZXIucGtnLmRldi9jbG91ZC1idWlsZGVycy9nYS92MS9kb2NrZXIiLCJwdWxsVGltaW5nIjp7ImVuZFRpbWUiOiIyMDIzLTA4LTI4VDE3OjI3OjIyLjUwNzg3NjA0NFoiLCJzdGFydFRpbWUiOiIyMDIzLTA4LTI4VDE3OjI3OjA2LjQ0ODI0MzE2MFoifSwic3RhdHVzIjoiU1VDQ0VTUyIsInRpbWluZyI6eyJlbmRUaW1lIjoiMjAyMy0wOC0yOFQxNzoyNzo1Ni4yNDEzNjIyMzVaIiwic3RhcnRUaW1lIjoiMjAyMy0wOC0yOFQxNzoyNzowNi40NDgyNDMxNjBaIn19LHsiYXJncyI6WyItYyIsImdjbG91ZCBidWlsZHMgc3VibWl0IFxcXG4gIC0tY29uZmlnIGFwcF9kYXJ0L2Nsb3VkYnVpbGRfYXBwX2RhcnRfZGVwbG95LnlhbWwgXFxcbiAgLS1zdWJzdGl0dXRpb25zPVwiU0hPUlRfU0hBPTI3ZWNhZjZcIiBcXFxuICAtLWFzeW5jIl0sImVudHJ5cG9pbnQiOiIvYmluL2Jhc2giLCJuYW1lIjoiZ2NyLmlvL2Nsb3VkLWJ1aWxkZXJzL2djbG91ZCIsInB1bGxUaW1pbmciOnsiZW5kVGltZSI6IjIwMjMtMDgtMjhUMTc6Mjc6NTYuMjQ0MjMxNTcxWiIsInN0YXJ0VGltZSI6IjIwMjMtMDgtMjhUMTc6Mjc6NTYuMjQxNDk4Njc1WiJ9LCJzdGF0dXMiOiJTVUNDRVNTIiwidGltaW5nIjp7ImVuZFRpbWUiOiIyMDIzLTA4LTI4VDE3OjI4OjA3Ljc4OTM2NTAwMloiLCJzdGFydFRpbWUiOiIyMDIzLTA4LTI4VDE3OjI3OjU2LjI0MTQ5ODY3NVoifX1dLCJzdWJzdGl0dXRpb25zIjp7IkJSQU5DSF9OQU1FIjoibWFpbiIsIkNPTU1JVF9TSEEiOiIyN2VjYWY2N2JlOGVjN2Y4NTcxYjc1NTUzNzE1YmMwNWYzYTcwMjJjIiwiUkVGX05BTUUiOiJtYWluIiwiUkVQT19GVUxMX05BTUUiOiJmbHV0dGVyL2NvY29vbiIsIlJFUE9fTkFNRSI6ImNvY29vbiIsIlJFVklTSU9OX0lEIjoiMjdlY2FmNjdiZThlYzdmODU3MWI3NTU1MzcxNWJjMDVmM2E3MDIyYyIsIlNIT1JUX1NIQSI6IjI3ZWNhZjYiLCJUUklHR0VSX0JVSUxEX0NPTkZJR19QQVRIIjoiYXBwX2RhcnQvY2xvdWRidWlsZF9hcHBfZGFydC55YW1sIiwiVFJJR0dFUl9OQU1FIjoiY29jb29uLWFwcC1kYXJ0In19LCJlbnRyeVBvaW50IjoiYXBwX2RhcnQvY2xvdWRidWlsZF9hcHBfZGFydC55YW1sIiwidHlwZSI6Imh0dHBzOi8vY2xvdWRidWlsZC5nb29nbGVhcGlzLmNvbS9DbG91ZEJ1aWxkWWFtbEB2MC4xIn19LCJzdWJqZWN0IjpbeyJkaWdlc3QiOnsic2hhMjU2IjoiN2M4YTcxYTg0M2VlMTI4ZmY0YmFhZGFiM2EwNTA3NmQwN2ZmYjhkNDdkOGFmZmM3NTlhODdhNjBiMWQ5MTUzYyJ9LCJuYW1lIjoiaHR0cHM6Ly91cy1kb2NrZXIucGtnLmRldi9mbHV0dGVyLWRhc2hib2FyZC9hcHBlbmdpbmUvZGVmYXVsdC52ZXJzaW9uLTI3ZWNhZjYifSx7ImRpZ2VzdCI6eyJzaGEyNTYiOiI3YzhhNzFhODQzZWUxMjhmZjRiYWFkYWIzYTA1MDc2ZDA3ZmZiOGQ0N2Q4YWZmYzc1OWE4N2E2MGIxZDkxNTNjIn0sIm5hbWUiOiJodHRwczovL3VzLWRvY2tlci5wa2cuZGV2L2ZsdXR0ZXItZGFzaGJvYXJkL2FwcGVuZ2luZS9kZWZhdWx0LnZlcnNpb24tMjdlY2FmNjpsYXRlc3QifV19",
"payloadType": "application/vnd.in-toto+json",
"signatures": [
{
"keyid": "projects/verified-builder/locations/global/keyRings/attestor/cryptoKeys/provenanceSigner/cryptoKeyVersions/1",
"sig": "MEUCIQCnJrSetTPwk4zcHzEZZnLFEw7W_eylt0q4oYtYdAPZ6gIgU9yRbp2LVJdgdUCctjZQ9sI6KWtePKR1874znbJm7Lc="
},
{
"keyid": "projects/verified-builder/locations/global/keyRings/attestor/cryptoKeys/builtByGCB/cryptoKeyVersions/1",
"sig": "MEQCICj83i8WH-DCqMBcuqriymqii0bt1Ecwtz62hjgRNyA6AiBoIG8cC0ixb0Ro6Ge-yhBUWx7qHWslyGhw4I6S4xVfUw=="
}
]
},
"kind": "BUILD",
"name": "projects/flutter-dashboard/occurrences/7d301c29-20b0-465a-8c95-f81c7e8de751",
"noteName": "projects/verified-builder/notes/intoto_22237782-5a12-46fd-a753-1fc36ca79818",
"resourceUri": "https://us-docker.pkg.dev/flutter-dashboard/appengine/default.version-27ecaf6@sha256:7c8a71a843ee128ff4baadab3a05076d07ffb8d47d8affc759a87a60b1d9153c",
"updateTime": "2023-08-28T17:28:18.356251Z"
}
]
}
}Thanks. Taking a look.
laurentsimon
commented
1 year ago @godofredoc is correct. The text provenance and the payload's provenance don't match. Patching the text provenance with:
"sourceProvenance": {
"resolvedGitSource": {
"revision": "27ecaf67be8ec7f8571b75553715bc05f3a7022c",
"url": "https://github.com/flutter/cocoon.git"
}
},makes the verification pass. Let's create a bug on GCB side to ask why this inconsistency is happening.
laurentsimon
commented
1 year ago Here's a patch you can use temporarily (it assumes there's a single v0.1 provenance, which may soon change with v1.0 release at Cloud Next):
gcloud artifacts docker images describe $DOCKER_IMAGE_URL --show-provenance --format json > tmp.json
val=$(cat tmp.json | jq -r '.provenance_summary.provenance[0].envelope.payload' | base64 -d | jq '.predicate.recipe.arguments.sourceProvenance')
cat tmp.json | jq ".provenance_summary.provenance[0].build.intotoStatement.slsaProvenance.recipe.arguments.sourceProvenance = ${val}" > provenance.json
slsa-verifier ... --provenance-path provenance.json ...Thank you @laurentsimon for the workaround. I'll implement it in the flutter workflow to unblock the validation.
ramonpetgrave64
commented
3 months ago @godofredoc It's been about a year. Is this still an issue for you?
Error:
The issue is that provenance generated with
gcloud artifacts docker images describe $DOCKER_IMAGE_URL --show-provenance --format json > $OUTPUT_DIRECTORYhas an empty sourceProvenance in the plain text part of the file:But the base64 payload contains the full sourceprovenance: