scorecard
[Feature] Support GitHub Attestations with artifacts for Signed-Releases
Is your feature request related to a problem? Please describe.
I've recently updated my CI to attest the artifacts it generates using GitHub artifact attestations.
I've also started generating an SBOM and uploading it to the GitHub releases, which is also attested. However, because the SBOM doesn't include a signature it causes a score of 0 for the Signed-Releases.
Describe the solution you'd like
In conjunction with "Releases now expose digests for release assets", if there is an attestation present for the file(s) attached to the release with the same name(s) and SHA(s), then it should be treated as signed.
Describe alternatives you've considered
Manually signing the files before attesting them and then uploading the additional signatures to the release.
Additional context
For example:
- Polly 8.6.1 has a `polly.spdx.json` file attached with a digest of `sha256:265836eddc37550260815610ed0118ca9dae5a544c5371f510cbef3287fc49e0`.
- For example, GET the release JSON.
- GET the URL from `assets_url`.
- The array contains an entry with a `name` of `polly.spdx.json` and a `digest` of `sha256:265836eddc37550260815610ed0118ca9dae5a544c5371f510cbef3287fc49e0`.
- This matches this attestation, which also contains `polly.spdx.json` with a digest of `sha256:265836eddc37550260815610ed0118ca9dae5a544c5371f510cbef3287fc49e0`.
- This can be checked as existing with a GET to `/users/App-vNext/attestations/sha256:265836eddc37550260815610ed0118ca9dae5a544c5371f510cbef3287fc49e0` (needs authentication).
- In this case, the `payloadType` is `application/vnd.in-toto+json`.
So as an example implementation:
- Get the release and read `assets_url`
- Get the assets JSON from that URL
- For each asset:
  - Check whether `digest` has a value
  - If it does:
    - Get `/users/{owner}/attestations/{digest}` (requires a GitHub token)
- If all assets have a `digest` and they all have an attestation, then give the check a non-zero score
#4174, #4080 too
I responded in #4080 about an approach that doesn't require additional API calls. But on a side note for this issue, the digest for release artifact field hasn't quite made its way to the github library we use yet https://github.com/google/go-github/blob/0c6bd9186d03bf5e42a6b6b57ac9e3d68c6426df/github/repos_releases.go#L67-L82
One thing worth noting with the proposal above that I didn't spot originally is that an attestation being present isn't 100% confirmation:
Please note: in order to offer meaningful security benefits, an attestation's signature and timestamps must be cryptographically verified, and the identity of the attestation signer must be validated. Attestations can be verified using the GitHub CLI attestation verify command.
It's certainly a pointer towards use of attestation, but the attestation isn't verified just because the subject digest is found.
the digest for release artifact field hasn't quite made its way to the github library we use yet
A PR that adds it was merged a couple of days ago. No release with it out yet though.
The digest field is now available as of v74.0.0:
feat: Add the Digest field to ReleaseAsset
This issue has been marked stale because it has been open for 60 days with no activity.
Still a thing.