
feat: generate SLSA provenance for release binaries

Open laurentsimon opened this issue 2 years ago • 11 comments

Generate non-forgeable provenance, as proposed in https://github.com/google/ko/issues/729

Below is an example of what the provenance looks like:

{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "subject": [
    {
      "name": "ko-copy_5.0.1_Windows_arm64.tar.gz",
      "digest": {
        "sha256": "01a6a93df134ff638c7da1ccdd735398a979cb08c9d103e64d3a22f29e23223b"
      }
    },
    {
      "name": "ko-copy_5.0.1_Linux_i386.tar.gz",
      "digest": {
        "sha256": "520bcf95c284d0e9c43f02ae516f7ad35d26a24d9103d49e5977ed9a94511017"
      }
    },
    ...
  ],
  "predicate": {
    "builder": {
      "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.0.0"
    },
    "buildType": "https://github.com/slsa-framework/slsa-github-generator@v1",
    "invocation": {
      "configSource": {
        "uri": "git+https://github.com/google/ko@refs/tags/v0.0.4",
        "digest": {
          "sha1": "b6e9b26f5c8af4fbcb880f14ac9ad961a2b84e43"
        },
        "entryPoint": ".github/workflows/slsa-release.yml"
      },
      "parameters": {},
      "environment": {
        "arch": "X64",
        "github_actor": "laurentsimon",
        "github_actor_id": "64505099",
        "github_base_ref": "",
        "github_event_name": "push",
        "github_event_payload": {...},
        "github_head_ref": "",
        "github_ref": "refs/tags/v0.0.4",
        "github_ref_type": "tag",
        "github_repository_id": "501698356",
        "github_repository_owner": "laurentsimon",
        "github_repository_owner_id": "64505099",
        "github_run_attempt": "1",
        "github_run_id": "2497311143",
        "github_run_number": "4",
        "github_sha1": "b6e9b26f5c8af4fbcb880f14ac9ad961a2b84e43",
        "os": "ubuntu20"
      }
    },
    "buildConfig": null,
    "metadata": {
      "buildInvocationID": "2497311143-1",
      "completeness": {
        "parameters": true,
        "environment": false,
        "materials": false
      },
      "reproducible": false
    },
    "materials": [
      {
        "uri": "git+https://github.com/google/ko@refs/tags/v0.0.4",
        "digest": {
          "sha1": "b6e9b26f5c8af4fbcb880f14ac9ad961a2b84e43"
        }
      },
      {
        "uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu20/20220605.1"
      }
    ]
  }
}

laurentsimon avatar Jun 14 '22 19:06 laurentsimon

Cool! Always happy to test out better supply chain security workflows 😎

Awesome, thanks!

laurentsimon avatar Jun 14 '22 20:06 laurentsimon

Any further concern I should address?

laurentsimon avatar Jun 15 '22 21:06 laurentsimon

I've updated the PR:

  1. Keep the current GoReleaser config
  2. Add a call to the SLSA generator to create provenance using the output of GoReleaser. The provenance file attests that the build was created in the release.yaml workflow, at a particular commit.

A follow-up PR would be to verify the binary pulled in https://github.com/imjasonh/setup-ko/blob/main/action.yml#L41. We're still working on a GHA installer for the verifier, so that is not ready yet :)

Appreciate your feedback. Thanks again

laurentsimon avatar Jul 25 '22 19:07 laurentsimon

Fyi, this PR is ready to be reviewed. Let me know if you have questions. Thanks!

laurentsimon avatar Jul 26 '22 20:07 laurentsimon

Fyi, this PR is ready to be reviewed. Let me know if you have questions. Thanks!

I probably won't have the bandwidth to review this closely for at least a week or so. I'm excited to see this progressing though, and especially now that it seems to require fewer changes to the release process. Thanks for pushing on that! 👍

imjasonh avatar Jul 27 '22 19:07 imjasonh

Friendly ping. Would love to hear your feedback. Thanks again.

laurentsimon avatar Aug 09 '22 17:08 laurentsimon

This looks pretty good to me. Would it be possible to have the release workflow also attempt to verify it, so we can detect quickly if verification is silently broken due to some future change?

@jonjohnsonjr any concerns?

imjasonh avatar Aug 09 '22 18:08 imjasonh
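An added example (not code from this PR, from ko, or from slsa-github-generator) of the content checks a verification job would run on the decoded statement after the DSSE envelope signature has been validated, covering both the attestation described in the numbered list above and the request to verify in the release workflow: it confirms the statement names the expected builder and source tag, and that the sha256 of the file actually downloaded matches its subject entry. The builder id, source URI and file-name pattern are taken from the example in this PR; the artifact bytes and their digest are constructed, and signature verification (which slsa-verifier performs before these checks) is out of scope here.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Statement holds the in-toto/SLSA v0.2 fields the check below relies on.
type Statement struct {
	Subject []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
	Predicate struct {
		Builder    struct{ ID string `json:"id"` } `json:"builder"`
		Invocation struct {
			ConfigSource struct{ URI string `json:"uri"` } `json:"configSource"`
		} `json:"invocation"`
	} `json:"predicate"`
}

// CheckProvenance returns nil only if the statement names the trusted builder, was built from the expected source and lists name with artifact's sha256.
func CheckProvenance(stmt []byte, name string, artifact []byte, builderID, sourceURI string) error {
	var s Statement
	if err := json.Unmarshal(stmt, &s); err != nil {
		return fmt.Errorf("bad statement: %w", err)
	}
	if id := s.Predicate.Builder.ID; id != builderID {
		return fmt.Errorf("untrusted builder %q", id)
	}
	if uri := s.Predicate.Invocation.ConfigSource.URI; uri != sourceURI {
		return fmt.Errorf("provenance is for %q, expected %q", uri, sourceURI)
	}
	got := fmt.Sprintf("%x", sha256.Sum256(artifact)) // digest of the bytes we actually hold
	for _, sub := range s.Subject {
		if sub.Name == name && sub.Digest["sha256"] == got {
			return nil
		}
	}
	return fmt.Errorf("no subject %q with sha256 %s in provenance", name, got)
}

// Constructed sample (not a real ko release): the artifact is the bytes "abc" and the subject carries their sha256; builder and source mirror the PR's example.
const (
	trustedBuilder  = "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.0.0"
	expectedSource  = "git+https://github.com/google/ko@refs/tags/v0.0.4"
	sampleStatement = `{"subject":[{"name":"ko_0.0.4_Linux_x86_64.tar.gz","digest":{"sha256":"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}}],
"predicate":{"builder":{"id":"` + trustedBuilder + `"},"invocation":{"configSource":{"uri":"` + expectedSource + `"}}}}`
)

// CheckSample runs the check against the constructed sample; a real job would pass the downloaded tarball bytes instead.
func CheckSample() error {
	return CheckProvenance([]byte(sampleStatement), "ko_0.0.4_Linux_x86_64.tar.gz", []byte("abc"), trustedBuilder, expectedSource)
}
```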

Codecov Report

Merging #730 (4a4897b) into main (7fafb61) will not change coverage. The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #730   +/-   ##
=======================================
  Coverage   51.40%   51.40%           
=======================================
  Files          44       44           
  Lines        3336     3336           
=======================================
  Hits         1715     1715           
  Misses       1403     1403           
  Partials      218      218           


codecov-commenter avatar Aug 09 '22 18:08 codecov-commenter

This looks pretty good to me. Would it be possible to have the release workflow also attempt to verify it, so we can detect quickly if verification is silently broken due to some future change?

I can do that. How do you typically create the tag? Via a git command or via the GitHub UX?

@jonjohnsonjr any concerns?

laurentsimon avatar Aug 09 '22 19:08 laurentsimon

I usually do it through the UI, but I think triggering based on new tags should catch both cases.

imjasonh avatar Aug 09 '22 19:08 imjasonh

I have added the verification job. PTAL.

laurentsimon avatar Aug 11 '22 01:08 laurentsimon

@imjasonh any other feedback you'd like me to address?

laurentsimon avatar Aug 16 '22 21:08 laurentsimon

As we completed the SLSA provenance generation for release binaries, should we move on with the same for ko images? @imjasonh ^^

developer-guy avatar Sep 07 '23 11:09 developer-guy