
chore: slsa 3 provenance generation

developer-guy opened this pull request 2 years ago • 7 comments

Signed-off-by: Batuhan Apaydın [email protected]

Experimental try-out of SLSA 3 provenance generation for the ko project

cc: @imjasonh @ianlewis

https://github.com/developer-guy/ko/releases/tag/v0.0.0

developer-guy avatar Jul 07 '22 15:07 developer-guy

@laurentsimon possibly superseding https://github.com/google/ko/pull/730 ?

imjasonh avatar Jul 07 '22 15:07 imjasonh

ah 🤦 I've missed that issue

developer-guy avatar Jul 07 '22 15:07 developer-guy

To clarify, I think this PR may be on a better track than #730, which AIUI is blocked on goreleaser including provenance generation itself. The alternative in #730 is to fork our goreleaser process to use the SLSA trusted builder, but I'd rather not have us diverge from standard vanilla goreleaser that much.

imjasonh avatar Jul 07 '22 15:07 imjasonh

Codecov Report

Merging #753 (98c2c67) into main (9139f45) will not change coverage. The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #753   +/-   ##
=======================================
  Coverage   51.19%   51.19%           
=======================================
  Files          44       44           
  Lines        3313     3313           
=======================================
  Hits         1696     1696           
  Misses       1404     1404           
  Partials      213      213           

Continue to review full report at Codecov.

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Powered by Codecov. Last update 9139f45...98c2c67.

codecov-commenter avatar Jul 07 '22 15:07 codecov-commenter

We're working on a solution that will help you keep GoReleaser and attach provenance to it, see https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/generic#provenance-for-goreleaser

TL;DR: it will let you build yourself (so no change needed to your GoReleaser config), and the generator will attest to the origin of the repo ("provenance" requirement in SLSA https://slsa.dev/spec/v0.1/requirements). This won't satisfy the "build" requirements of SLSA, but it's still a good improvement.

We'll release this provenance generator this month. Later, when our Go builder has feature parity (or close to) with GoReleaser, we can discuss Go builder :)

Wdut?

laurentsimon avatar Jul 07 '22 19:07 laurentsimon

Sounds good to me. I'm glad so many folks are looking into improving the SLSAbility of these release workflows, and I'm happy to just ride that wave 🏄

imjasonh avatar Jul 07 '22 19:07 imjasonh

I updated my original https://github.com/google/ko/pull/730 and just realized your PR does the same thing :) We released the generic generator today, and it supports uploading the provenance using upload-assets: true, so the workflow need not do it itself anymore.

Let me know if I should drop my PR and let this one go through, or the other way around. I'm excited either way :)!

One thing I would add is a mention in the README to tell users how to verify binaries they download.

laurentsimon avatar Jul 26 '22 01:07 laurentsimon
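What the generic generator's provenance actually lets a downloader check, and the README verification step laurentsimon asks for above, written out in Go (ko's own language). This is an added example, not code from ko, slsa-github-generator or slsa-verifier: it parses the DSSE-wrapped in-toto statement the generator uploads next to the release assets, confirms that the artifact's sha256 is one of the statement's subjects, that the builder is the generic generator, and that the source recorded in the provenance is github.com/google/ko (the "provenance" requirement laurentsimon refers to). The builder ID prefix, the asset name and the constructed envelope are assumptions for the sake of running offline, and the DSSE signature is not verified at all; the real Sigstore certificate and Rekor checks are what slsa-verifier does, so releases should be verified with that tool rather than with this snippet.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Envelope is the DSSE wrapper (payloadType, base64 payload, signatures) that
// slsa-github-generator writes to the provenance asset it uploads.
type Envelope struct {
	PayloadType string              `json:"payloadType"`
	Payload     string              `json:"payload"`
	Signatures  []map[string]string `json:"signatures"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Statement is the subset of an in-toto Statement v0.1 with a SLSA v0.2 predicate used below.
type Statement struct {
	PredicateType string    `json:"predicateType"`
	Subject       []Subject `json:"subject"`
	Predicate     struct {
		Builder    struct{ ID string `json:"id"` } `json:"builder"`
		Invocation struct {
			ConfigSource struct{ URI string `json:"uri"` } `json:"configSource"`
		} `json:"invocation"`
	} `json:"predicate"`
}

const (
	payloadTypeInToto = "application/vnd.in-toto+json"
	predicateSLSAv02  = "https://slsa.dev/provenance/v0.2"
	// Assumed: the generic generator identifies itself by its reusable-workflow
	// path pinned to a release tag; confirm the real value before relying on it.
	trustedBuilderPrefix = "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@"
)

// VerifyProvenance checks that the statement inside envelopeJSON names artifact as a
// subject, was produced by the trusted builder, and records sourceRepo (e.g.
// "github.com/google/ko") as the build's config source; it returns the matching subject
// name. It does NOT check the DSSE signature, which needs slsa-verifier's Sigstore/Rekor logic.
func VerifyProvenance(envelopeJSON, artifact []byte, sourceRepo string) (string, error) {
	var env Envelope
	if err := json.Unmarshal(envelopeJSON, &env); err != nil {
		return "", fmt.Errorf("parse envelope: %w", err)
	}
	if env.PayloadType != payloadTypeInToto || len(env.Signatures) == 0 {
		return "", fmt.Errorf("bad payloadType %q or no signatures", env.PayloadType)
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return "", fmt.Errorf("decode payload: %w", err)
	}
	var st Statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return "", fmt.Errorf("parse statement: %w", err)
	}
	if st.PredicateType != predicateSLSAv02 {
		return "", fmt.Errorf("unexpected predicateType %q", st.PredicateType)
	}
	if !strings.HasPrefix(st.Predicate.Builder.ID, trustedBuilderPrefix) {
		return "", fmt.Errorf("untrusted builder %q", st.Predicate.Builder.ID)
	}
	// The generator records the source as "git+https://<repo>@<ref>". Anchoring on the
	// "@" stops "github.com/google/ko-evil" from matching "github.com/google/ko".
	if got := st.Predicate.Invocation.ConfigSource.URI; !strings.HasPrefix(got, "git+https://"+sourceRepo+"@") {
		return "", fmt.Errorf("source %q is not %q", got, sourceRepo)
	}
	sum := sha256.Sum256(artifact)
	want := hex.EncodeToString(sum[:])
	for _, s := range st.Subject {
		if s.Digest["sha256"] == want {
			return s.Name, nil
		}
	}
	return "", fmt.Errorf("no subject has sha256 %s", want)
}

// ConstructSampleEnvelope builds a constructed stand-in for the generator's output so the
// example runs offline; its placeholder signature is why VerifyProvenance is not slsa-verifier.
func ConstructSampleEnvelope(artifact []byte, name, sourceRef string) []byte {
	sum := sha256.Sum256(artifact)
	st := Statement{PredicateType: predicateSLSAv02,
		Subject: []Subject{{Name: name, Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}}}
	st.Predicate.Builder.ID = trustedBuilderPrefix + "refs/tags/v1.2.0" // assumed tag
	st.Predicate.Invocation.ConfigSource.URI = "git+https://github.com/google/ko@" + sourceRef
	payload, _ := json.Marshal(st)
	out, _ := json.Marshal(Envelope{PayloadType: payloadTypeInToto,
		Payload: base64.StdEncoding.EncodeToString(payload), Signatures: []map[string]string{{"keyid": "", "sig": "placeholder"}}})
	return out
}
```

Feed VerifyProvenance the downloaded asset bytes and the provenance file's contents; a tampered archive fails the subject check and a provenance generated from a different repository (or a fork with a longer name) fails the source check. Neither result means anything if the envelope's signature has not been tied to the generator's workflow identity first, which is the part only slsa-verifier performs.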

#730 was merged, closing this

Please feel free to reopen this or open a new issue if there's anything else we should do on top of #730

imjasonh avatar Aug 18 '22 13:08 imjasonh