xeol-io / xeol

A scanner for end-of-life (EOL) software and dependencies in container images, filesystems, and SBOMs
https://www.xeol.io/
Apache License 2.0

Can't verify SLSA provenance with `--source-tag` #210

Closed suzuki-shunsuke closed 11 months ago

suzuki-shunsuke commented 11 months ago

Without --source-tag, slsa-verifier works well.

$ slsa-verifier verify-artifact --provenance-path multiple.intoto.jsonl xeol_0.9.5_darwin_arm64.tar.gz --source-uri=github.com/xeol-io/xeol
Verified signature against tlog entry index 44906341 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a658e74e86e03e7aedcca39eebddebf59310b4d9c463b037951109186d73a5681
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.9.0 at commit fdc6f5efca3f7277aacf25ef42f502355398f512
Verifying artifact xeol_0.9.5_darwin_arm64.tar.gz: PASSED

PASSED: Verified SLSA provenance

But with --source-tag, slsa-verifier doesn't work well.

$ slsa-verifier verify-artifact --provenance-path multiple.intoto.jsonl xeol_0.9.5_darwin_arm64.tar.gz --source-uri=github.com/xeol-io/xeol --source-tag v0.9.5
Verified signature against tlog entry index 44906341 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a658e74e86e03e7aedcca39eebddebf59310b4d9c463b037951109186d73a5681
Verifying artifact xeol_0.9.5_darwin_arm64.tar.gz: FAILED: expected tag 'refs/tags/v0.9.5', got '': tag used to generate the binary does not match provenance

FAILED: SLSA verification failed: expected tag 'refs/tags/v0.9.5', got '': tag used to generate the binary does not match provenance

Ideally, we should verify the version too.

I guess this is because the release workflow is triggered not by a GitHub tag push event but by a workflow_dispatch event.

https://github.com/xeol-io/xeol/blob/fe937f59f2ffc83923463725932200e9246eee72/.github/workflows/release.yaml#L3-L8

$ slsa-verifier version
  ____    _       ____       _             __     __  _____   ____    ___   _____   ___   _____   ____
 / ___|  | |     / ___|     / \            \ \   / / | ____| |  _ \  |_ _| |  ___| |_ _| | ____| |  _ \
 \___ \  | |     \___ \    / _ \    _____   \ \ / /  |  _|   | |_) |  | |  | |_     | |  |  _|   | |_) |
  ___) | | |___   ___) |  / ___ \  |_____|   \ V /   | |___  |  _ <   | |  |  _|    | |  | |___  |  _ <
 |____/  |_____| |____/  /_/   \_\            \_/    |_____| |_| \_\ |___| |_|     |___| |_____| |_| \_\
slsa-verifier: Verify SLSA provenance for Github Actions

GitVersion:    2.0.3
GitCommit:     38829fa7d9491108bc3a86a6160fb2d53ddc3506
GitTreeState:  clean
BuildDate:     2023-03-11T03:02:01
GoVersion:     go1.18.10
Compiler:      gc
Platform:      darwin/arm64

noqcks commented 11 months ago

ah yes, that is correct, we will need to update the workflows to trigger on a tag instead of via workflow_dispatch. From the slsa-verifier docs.

source-tag: Expects a tag like v0.0.1. Verifies exact tag used to create the binary. Supported for new tag and release triggers.
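
To make the failure above concrete, here is an added Python example (not part of this issue, of xeol, or of slsa-verifier) that decodes the DSSE envelopes in a multiple.intoto.jsonl file and applies the same tag comparison that `--source-tag` performs. The provenance payloads are constructed samples assuming the SLSA v0.2 `invocation.environment.github_ref` / `github_ref_type` fields that slsa-github-generator records; signatures are left empty and are not verified, so this only inspects what the provenance claims.

```python
import base64
import json


def _envelope(ref, ref_type, event):
    """Build a constructed DSSE envelope in the multiple.intoto.jsonl shape.
    Signatures are omitted: this helper is for inspection, not verification."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        # Constructed subject digest, not a real artifact hash.
        "subject": [{"name": "xeol_0.9.6_darwin_amd64.tar.gz",
                     "digest": {"sha256": "00" * 32}}],
        "predicate": {
            "invocation": {
                "configSource": {"uri": f"git+https://github.com/xeol-io/xeol@{ref}"},
                "environment": {"github_ref": ref,
                                "github_ref_type": ref_type,
                                "github_event_name": event},
            }
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload, "signatures": []})


# Constructed samples: a workflow_dispatch build from a branch (the situation
# reported in this issue) and a build triggered by pushing a tag.
DISPATCH_PROVENANCE = _envelope("refs/heads/main", "branch", "workflow_dispatch")
TAG_PROVENANCE = _envelope("refs/tags/v0.9.6", "tag", "push")


def provenance_tag(jsonl_text):
    """Return the tag ref recorded in the first envelope, or '' when the build
    did not run from a tag (the same empty value the verifier prints as got '')."""
    envelope = json.loads(jsonl_text.splitlines()[0])
    statement = json.loads(base64.b64decode(envelope["payload"]))
    env = statement["predicate"]["invocation"]["environment"]
    if env.get("github_ref_type") != "tag":
        return ""
    return env["github_ref"]


def check_source_tag(jsonl_text, expected_tag):
    """Mirror the --source-tag check: compare refs/tags/<tag> against the
    provenance. Returns (passed, got) so the mismatch can be reported."""
    expected = f"refs/tags/{expected_tag}"
    got = provenance_tag(jsonl_text)
    return got == expected, got
```

Run against a real multiple.intoto.jsonl only alongside slsa-verifier, which additionally verifies the signature against the Rekor transparency log; this snippet explains the mismatch, it does not establish trust.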

suzuki-shunsuke commented 11 months ago

I see. I created a pull request to resolve the issue.

suzuki-shunsuke commented 11 months ago

Thank you for releasing v0.9.6. https://github.com/xeol-io/xeol/releases/tag/v0.9.6

I confirmed it worked well.

With --source-tag.

$ slsa-verifier verify-artifact --provenance-path multiple.intoto.jsonl xeol_0.9.6_darwin_amd64.tar.gz --source-uri=github.com/xeol-io/xeol --source-tag v0.9.6
Verified signature against tlog entry index 46062323 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77aa88a6a1f5d964cb49fe320aad0dd8405f525e511ec4effde4a20f8eab4aac9eb
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.9.0 at commit 61495c864e29bb51a3bbb3cef928db6c57a2d386
Verifying artifact xeol_0.9.6_darwin_amd64.tar.gz: PASSED

PASSED: Verified SLSA provenance

Without --source-tag.

$ slsa-verifier verify-artifact --provenance-path multiple.intoto.jsonl xeol_0.9.6_darwin_amd64.tar.gz --source-uri=github.com/xeol-io/xeol
Verified signature against tlog entry index 46062323 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77aa88a6a1f5d964cb49fe320aad0dd8405f525e511ec4effde4a20f8eab4aac9eb
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.9.0 at commit 61495c864e29bb51a3bbb3cef928db6c57a2d386
Verifying artifact xeol_0.9.6_darwin_amd64.tar.gz: PASSED

PASSED: Verified SLSA provenance

With invalid --source-tag.

$ slsa-verifier verify-artifact --provenance-path multiple.intoto.jsonl xeol_0.9.6_darwin_amd64.tar.gz --source-uri=github.com/xeol-io/xeol --source-tag v0.9.5
Verified signature against tlog entry index 46062323 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77aa88a6a1f5d964cb49fe320aad0dd8405f525e511ec4effde4a20f8eab4aac9eb
Verifying artifact xeol_0.9.6_darwin_amd64.tar.gz: FAILED: expected tag 'refs/tags/v0.9.5', got 'refs/tags/v0.9.6': tag used to generate the binary does not match provenance

FAILED: SLSA verification failed: expected tag 'refs/tags/v0.9.5', got 'refs/tags/v0.9.6': tag used to generate the binary does not match provenance