                        scorecard_4.5.0_linux_amd64.tar.gz wasn't released
Thank you for your great project!
I found that scorecard_4.5.0_linux_amd64.tar.gz wasn't released.
https://github.com/ossf/scorecard/releases/tag/v4.5.0
On the other hand, scorecard_4.4.0_linux_amd64.tar.gz was released.
https://github.com/ossf/scorecard/releases/tag/v4.4.0
Could you release scorecard_4.5.0_linux_amd64.tar.gz?
Thank you.
https://github.com/ossf/scorecard/runs/7638647801?check_suite_focus=true
https://github.com/ossf/scorecard/blob/3b7c46f779b89ceb52ffd3d99540aa8e9f826665/.goreleaser.yml#L31-L34
https://github.com/ossf/scorecard/commit/3b7c46f779b89ceb52ffd3d99540aa8e9f826665#diff-42e26dc67aed8aa3edb2472b4403288c1699fb6dc47419b9a475f0f224fe4689L32
https://github.com/ossf/scorecard/pull/1702
Oh, this change seems to be intentional. I'll take a look at SLSA. https://github.com/ossf/scorecard#standalone
$ slsa-verifier --artifact-path scorecard-linux-amd64 \
  --provenance scorecard-linux-amd64.intoto.jsonl \
  --source github.com/ossf/scorecard \
  --tag v4.5.0
2022/08/03 04:10:35 open scorecard-linux-amd64: no such file or directory
CI failed. https://github.com/ossf/scorecard/runs/7638656220?check_suite_focus=true
Fetching the builder with ref: refs/tags/v1.0.0
Builder version: v1.0.0
BUILDER_REPOSITORY: slsa-framework/slsa-github-generator
verifier hash computed is 60c91c9d5b9a059e37ac46da316f20c81da335b5d00e1f74d03dd50f819694bd
verifier hash verification has passed
panic: error getting targets
goroutine 1 [running]:
github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots.Get.func1()
	github.com/sigstore/[email protected]/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go:48 +0x57
sync.(*Once).doSlow(0xc000be3b30?, 0xc0008de700?)
	sync/once.go:68 +0xc2
sync.(*Once).Do(...)
	sync/once.go:59
github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots.Get()
	github.com/sigstore/[email protected]/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go:44 +0x31
github.com/sigstore/cosign/cmd/cosign/cli/fulcio.GetRoots(...)
	github.com/sigstore/[email protected]/cmd/cosign/cli/fulcio/fulcio.go:157
github.com/slsa-framework/slsa-verifier/pkg.FindSigningCertificate({0x221b510, 0xc000118000}, {0xc00012a500, 0x1, 0xf0f41934e555386?}, {{0xc000a260a0, 0x1c}, {0xc000a30000, 0x3848}, {0xc0005f2000, ...}}, ...)
	github.com/slsa-framework/slsa-verifier/pkg/provenance.go:326 +0x1d9
main.verify({0x221b510, 0xc000118000}, {0xc00061a000, 0x3908, 0x3909}, {0xc00064dfc0, 0x40}, {0x7ffcb3a72e5e, 0x2f}, {0x7ffcb3a72de1, ...}, ...)
	github.com/slsa-framework/slsa-verifier/main.go:50 +0x1a7
main.runVerify({0x7ffcb3a72e03?, 0x3106ff0?}, {0x7ffcb3a72e2c, 0x28}, {0x7ffcb3a72e5e, 0x2f}, {0x7ffcb3a72de1, 0x4}, 0xc0004d3f70?, 0x0)
	github.com/slsa-framework/slsa-verifier/main.go:166 +0x34a
main.main()
	github.com/slsa-framework/slsa-verifier/main.go:127 +0x3f6
Error: Process completed with exit code 6.
https://github.com/slsa-framework/slsa-github-generator/blob/v1.0.0/.github/workflows/builder_go_slsa3.yml#L142-L177
https://github.com/slsa-framework/slsa-github-generator/blob/v1.0.0/.github/workflows/scripts/builder-fetch.sh#L75-L79
The latest version of slsa-framework/slsa-github-generator is v1.2.0 https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.2.0
@laurentsimon fyi.
Thanks. Sigstore made a breaking change which breaks every existing builder (https://github.com/sigstore/cosign/issues/2121). Sorry about that. Working on backporting some fixes to the older builders ...
Now it is released (https://github.com/ossf/scorecard/releases/tag/v4.6.0). I encourage you to verify the provenance (the attestation.intoto.json file) using the steps described in https://github.com/ossf/scorecard#installation when you download the released binaries.
It would be fun to simulate an attack and catch it via your automated CI. Feel free to reach out if you're interested.
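As an added illustration of what the provenance check recommended in the last comment actually compares (example code written for this thread, not scorecard's or slsa-verifier's own): it decodes a DSSE-wrapped in-toto statement of the kind stored in attestation.intoto.json, checks the downloaded artifact's sha256 against the attested subject, and checks the builder identity and the --source/--tag values. The artifact bytes, the envelope and its placeholder signature are constructed, the field layout (builder.id, invocation.configSource.uri) is assumed to follow slsa-github-generator's SLSA v0.2 output, and Sigstore signature verification, the step that failed in the trace above, is deliberately left out.

```python
import base64
import hashlib
import json

# Constructed sample artifact; the envelope built below follows the DSSE shape
# (payloadType / payload / signatures) with an in-toto Statement and an SLSA v0.2
# predicate. The signature is a placeholder: Sigstore signature verification is
# out of scope here, only the provenance contents are checked.
ARTIFACT = b"#!/bin/sh\necho constructed placeholder, not the real scorecard binary\n"
BUILDER_PREFIX = "https://github.com/slsa-framework/slsa-github-generator/"

def make_sample_envelope(artifact: bytes, source: str, tag: str) -> dict:
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [{"name": "scorecard-linux-amd64",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicate": {
            "builder": {"id": BUILDER_PREFIX
                        + ".github/workflows/builder_go_slsa3.yml@refs/tags/v1.0.0"},
            "invocation": {"configSource": {"uri": f"git+https://{source}@refs/tags/{tag}"}},
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": "application/vnd.in-toto+json", "payload": payload,
            "signatures": [{"keyid": "", "sig": "PLACEHOLDER-NOT-VERIFIED"}]}

def check_provenance(artifact: bytes, envelope: dict, source: str, tag: str) -> list:
    """Return the list of mismatches; an empty list means the content checks pass."""
    problems = []
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        problems.append("unexpected payloadType")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        problems.append("unexpected predicateType")
    # The downloaded artifact must hash to one of the subjects the builder attested.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        problems.append("artifact sha256 not among provenance subjects")
    pred = statement.get("predicate", {})
    if not pred.get("builder", {}).get("id", "").startswith(BUILDER_PREFIX):
        problems.append("builder is not a slsa-github-generator workflow")
    # --source / --tag: the build must have been triggered from the expected repo and tag.
    expected_uri = f"git+https://{source}@refs/tags/{tag}"
    if pred.get("invocation", {}).get("configSource", {}).get("uri") != expected_uri:
        problems.append("source repository or tag does not match")
    return problems
```

Calling check_provenance with a tampered artifact or a different tag returns the corresponding mismatch, while the untouched sample returns an empty list.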