feat: add bundle support (#4088)

# Summary

Followup up to #3777, #3985,
slsa-framework/slsa-verifier#813

Redo: Changes the internal go code to produce Sigstore Bundles, instead
of only signed DSSE envelopes. This means that the generic generator and
go builder workflows now produce Sigstore Bundles, just like the other
BYOB-type workflows.

## Testing Process

Tested with a previous commit that contains a debug workflow
*
https://github.com/slsa-framework/slsa-github-generator/actions/runs/13271183182
*
main...internal-builder-bundle#diff-7e191d865f72ecdac3334e38bc0bd33c12349c6729a1702bc81765ecfcfb2c82
   * generates provenances with `push` events
* it uses a slightly modified version of slsa-verifier that respect
provenances generated by non-main branches.
*
slsa-framework/slsa-verifier@main...sghg-go-bundle

## Checklist

- [x] Review the contributing
[guidelines](https://github.com/slsa-framework/slsa-github-generator/blob/main/CONTRIBUTING.md)
- [x] Add a reference to related issues in the PR description.
- [x] Update documentation if applicable.
- [x] Add unit tests if applicable.
- [x] Add changes to the
[CHANGELOG](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
if applicable.

---------

Signed-off-by: Ramon Petgrave <[email protected]>

Author: ramonpetgrave64

.github/workflows/generator_generic_slsa3.yml

@@ -160,7 +160,7 @@ jobs:
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"
-          go-version: "1.21"
+          go-version: "1.23.1"
           binary: "${{ env.BUILDER_BINARY }}"
           compile-builder: "${{ inputs.compile-generator }}"
           directory: "${{ env.BUILDER_DIR }}"

CHANGELOG.md

@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 <!-- toc -->
 
 - [Unreleased](#unreleased)
+  - [Unreleased: Sigstore Bundles for Generic Generator and Go Builder](#unreleased-sigstore-bundles-for-generic-generator-and-go-builder)
   - [Unreleased: Vars context recorded in provenance](#unreleased-vars-context-recorded-in-provenance)
 - [v2.0.0](#v200)
   - [v2.0.0: Breaking Change: upload-artifact and download-artifact](#v200-breaking-change-upload-artifact-and-download-artifact)
@@ -106,6 +107,15 @@ duplication."
 
 ## Unreleased
 
+### Unreleased: Sigstore Bundles for Generic Generator and Go Builder
+
+The workflows `generator_generic_slsa3.yml` and `builder_go_slsa3.yml`
+have been updated to produce signed Sigstore Bundles, just like all the other builders
+that use the BYOB framework.
+
+The workflow logs will now print a LogIndex, rather than a LogUUID. Both are equally searchanble on
+https://search.sigstore.dev/.
+
 ### Unreleased: Vars context recorded in provenance
 
 - **Updated**: GitHub `vars` context is now recorded in provenance for the generic and

github/oidc.go

@@ -39,6 +39,9 @@ const (
 
 // OIDCToken represents the contents of a GitHub OIDC JWT token.
 type OIDCToken struct {
+	// Expiry is the expiration date of the token.
+	Expiry time.Time
+
 	// Issuer is the token issuer.
 	Issuer string
 
@@ -54,8 +57,8 @@ type OIDCToken struct {
 	// ActorID is the unique ID of the actor who triggered the build.
 	ActorID string `json:"actor_id"`
 
-	// Expiry is the expiration date of the token.
-	Expiry time.Time
+	// RawToken is the unparsed oidc token.
+	RawToken string
 
 	// Audience is the audience for which the token was granted.
 	Audience []string
@@ -247,6 +250,8 @@ func (c *OIDCClient) Token(ctx context.Context, audience []string) (*OIDCToken,
 		return nil, err
 	}
 
+	token.RawToken = tokenPayload
+
 	return token, nil
 }
 

go.mod

@@ -14,6 +14,7 @@ require (
 	github.com/sigstore/cosign/v2 v2.4.1
 	github.com/sigstore/rekor v1.3.6
 	github.com/sigstore/sigstore v1.8.10
+	github.com/sigstore/sigstore-go v0.6.1
 	github.com/spf13/cobra v1.8.1
 	golang.org/x/oauth2 v0.23.0
 	gopkg.in/square/go-jose.v2 v2.6.0
@@ -120,6 +121,7 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
+	github.com/in-toto/attestation v1.1.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
@@ -165,6 +167,7 @@ require (
 	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 	github.com/thales-e-security/pool v0.0.2 // indirect
 	github.com/theupdateframework/go-tuf v0.7.0 // indirect
+	github.com/theupdateframework/go-tuf/v2 v2.0.1 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/transparency-dev/merkle v0.0.2 // indirect

go.sum

@@ -280,6 +280,8 @@ github.com/go-piv/piv-go v1.11.0 h1:5vAaCdRTFSIW4PeqMbnsDlUZ7odMYWnHBDGdmtU/Zhg=
 github.com/go-piv/piv-go v1.11.0/go.mod h1:NZ2zmjVkfFaL/CF8cVQ/pXdXtuj110zEKGdJM6fJZZM=
 github.com/go-rod/rod v0.116.2 h1:A5t2Ky2A+5eD/ZJQr1EfsQSe5rms5Xof/qj296e+ZqA=
 github.com/go-rod/rod v0.116.2/go.mod h1:H+CMO9SCNc2TJ2WfrG+pKhITz57uGNYU43qYHh438Mg=
+github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
+github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
@@ -386,6 +388,9 @@ github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
 github.com/hashicorp/go-sockaddr v1.0.5 h1:dvk7TIXCZpmfOlM+9mlcrWmWjw/wlKT+VDq2wMvfPJU=
 github.com/hashicorp/go-sockaddr v1.0.5/go.mod h1:uoUUmtwU7n9Dv3O4SNLeFvg0SxQ3lyjsj6+CCykpaxI=
+github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c=
+github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
+github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM=
 github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
 github.com/hashicorp/vault/api v1.14.0 h1:Ah3CFLixD5jmjusOgm8grfN9M0d+Y8fVR2SW0K6pJLU=
@@ -537,6 +542,8 @@ github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbm
 github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU=
 github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c=
 github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE=
+github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
+github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
 github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI=
 github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE=
 github.com/sigstore/cosign/v2 v2.4.1 h1:b8UXEfJFks3hmTwyxrRNrn6racpmccUycBHxDMkEPvU=

internal/builders/generic/attest.go

@@ -23,9 +23,9 @@ import (
 	"os"
 	"path"
 
-	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/spf13/cobra"
 
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/slsa-framework/slsa-github-generator/github"
 	"github.com/slsa-framework/slsa-github-generator/internal/builders/common"
 	"github.com/slsa-framework/slsa-github-generator/internal/utils"
@@ -35,7 +35,7 @@ import (
 
 // attestCmd returns the 'attest' command.
 func attestCmd(provider slsa.ClientProvider, check func(error),
-	signer signing.Signer, tlog signing.TransparencyLog,
+	signer signing.Signer,
 ) *cobra.Command {
 	var attPath string
 	var subjectsFilename string
@@ -44,7 +44,7 @@ func attestCmd(provider slsa.ClientProvider, check func(error),
 		Use:   "attest",
 		Short: "Create a signed SLSA provenance attestation from a Github Action",
 		Long: `Generate and sign SLSA provenance from a Github Action to form an attestation
-and upload to a Rekor transparency log. This command assumes that it is being
+and create a Sigstore Bundle. This command assumes that it is being
 run in the context of a Github Actions workflow.`,
 
 		Run: func(_ *cobra.Command, _ []string) {
@@ -114,9 +114,6 @@ run in the context of a Github Actions workflow.`,
 				})
 				check(err)
 
-				_, err = tlog.Upload(ctx, att)
-				check(err)
-
 				attBytes = att.Bytes()
 			}
 

internal/builders/generic/attest_test.go

@@ -249,7 +249,7 @@ func Test_attestCmd_default_single_artifact(t *testing.T) {
 		t.Errorf("unexpected failure: %v", err)
 	}
 	defer os.Remove(fn)
-	c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{})
+	c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{})
 	c.SetOut(new(bytes.Buffer))
 	c.SetArgs([]string{
 		"--subjects-filename", fn,
@@ -294,7 +294,7 @@ b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c  artifact2`)))
 		t.Errorf("unexpected failure: %v", err)
 	}
 	defer os.Remove(fn)
-	c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{})
+	c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{})
 	c.SetOut(new(bytes.Buffer))
 	c.SetArgs([]string{
 		"--subjects-filename", fn,
@@ -337,7 +337,7 @@ func Test_attestCmd_custom_provenance_name(t *testing.T) {
 		t.Errorf("unexpected failure: %v", err)
 	}
 	defer os.Remove(fn)
-	c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{})
+	c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{})
 	c.SetOut(new(bytes.Buffer))
 	c.SetArgs([]string{
 		"--subjects-filename", fn,
@@ -393,7 +393,7 @@ func Test_attestCmd_invalid_extension(t *testing.T) {
 		t.Errorf("unexpected failure: %v", err)
 	}
 	defer os.Remove(fn)
-	c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{}, &testutil.TestTransparencyLog{})
+	c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{})
 	c.SetOut(new(bytes.Buffer))
 	c.SetArgs([]string{
 		"--subjects-filename", fn,
@@ -447,7 +447,7 @@ func Test_attestCmd_invalid_path(t *testing.T) {
 		t.Errorf("unexpected failure: %v", err)
 	}
 	defer os.Remove(fn)
-	c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{}, &testutil.TestTransparencyLog{})
+	c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{})
 	c.SetOut(new(bytes.Buffer))
 	c.SetArgs([]string{
 		"--subjects-filename", fn,
@@ -491,7 +491,7 @@ func Test_attestCmd_subdirectory_artifact(t *testing.T) {
 		t.Errorf("unexpected failure: %v", err)
 	}
 	defer os.Remove(fn)
-	c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{})
+	c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{})
 	c.SetOut(new(bytes.Buffer))
 	c.SetArgs([]string{
 		"--subjects-filename", fn,

internal/builders/generic/main.go

@@ -36,7 +36,7 @@ For more information on SLSA, visit https://slsa.dev`,
 		},
 	}
 	c.AddCommand(versionCmd())
-	c.AddCommand(attestCmd(nil, checkExit, sigstore.NewDefaultFulcio(), sigstore.NewDefaultRekor()))
+	c.AddCommand(attestCmd(nil, checkExit, sigstore.NewDefaultBundleSigner()))
 	return c
 }
 

internal/builders/go/main.go

@@ -75,11 +75,11 @@ func runBuild(dry bool, configFile, evalEnvs string) error {
 	return nil
 }
 
-func runProvenanceGeneration(subject, digest, commands, envs, workingDir, rekor string) error {
-	r := sigstore.NewRekor(rekor)
-	s := sigstore.NewDefaultFulcio()
+func runProvenanceGeneration(subject, digest, commands, envs, workingDir string) error {
+	s := sigstore.NewDefaultBundleSigner()
+
 	attBytes, err := pkg.GenerateProvenance(subject, digest,
-		commands, envs, workingDir, s, r, nil)
+		commands, envs, workingDir, s, nil)
 	if err != nil {
 		return err
 	}
@@ -118,7 +118,6 @@ func main() {
 	provenanceCommand := provenanceCmd.String("command", "", "command used to compile the binary")
 	provenanceEnv := provenanceCmd.String("env", "", "env variables used to compile the binary")
 	provenanceWorkingDir := provenanceCmd.String("workingDir", "", "working directory used to issue compilation commands")
-	provenanceRekor := provenanceCmd.String("rekor", sigstore.DefaultRekorAddr, "rekor server to use for provenance")
 
 	// Expect a sub-command.
 	if len(os.Args) < 2 {
@@ -145,7 +144,7 @@ func main() {
 		}
 
 		err := runProvenanceGeneration(*provenanceName, *provenanceDigest,
-			*provenanceCommand, *provenanceEnv, *provenanceWorkingDir, *provenanceRekor)
+			*provenanceCommand, *provenanceEnv, *provenanceWorkingDir)
 		check(err)
 
 	default:

internal/builders/go/pkg/provenance.go

@@ -65,7 +65,7 @@ func (b *goProvenanceBuild) BuildConfig(context.Context) (interface{}, error) {
 // attestation.
 // Spec: https://slsa.dev/provenance/v0.2
 func GenerateProvenance(name, digest, command, envs, workingDir string,
-	s signing.Signer, r signing.TransparencyLog, provider slsa.ClientProvider,
+	s signing.Signer, provider slsa.ClientProvider,
 ) ([]byte, error) {
 	gh, err := github.GetWorkflowContext()
 	if err != nil {
@@ -180,14 +180,5 @@ func GenerateProvenance(name, digest, command, envs, workingDir string,
 	if err != nil {
 		return nil, err
 	}
-
-	// Upload the signed attestation to rekor.
-	logEntry, err := r.Upload(ctx, att)
-	if err != nil {
-		return nil, err
-	}
-
-	fmt.Printf("Uploaded signed attestation to rekor with UUID %s.\n", logEntry.UUID())
-
 	return att.Bytes(), nil
 }