Update verifier paths, bridge ID migration (#256)

* Fix tag check updating URIs

This commit fixes the broken tag verification by updating the paths
and URIs for the verification IDs to those of the new repos.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Use constants in default signer IDs

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* COMPAT: Support old+new signers

This commits adds a compatibility hack to support both the old and new
actions repository signer identities while we migrate to the new
source-actions repos.

This commit is inteded to be reverted once all repos have signed their
VSAs using the new identity. For more see:

#255

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

---------

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

Author: puerco

internal/cmd/checktag.go

@@ -70,15 +70,15 @@ func doCheckTag(args *checkTagOptions) error {
 	pa := attest.NewProvenanceAttestor(ghconnection, verifier)
 	prov, err := pa.CreateTagProvenance(ctx, args.commit, ghcontrol.TagToFullRef(args.tagName), args.actor)
 	if err != nil {
-		return err
+		return fmt.Errorf("creating tag provenance metadata: %w", err)
 	}
 
 	// check p against policy
 	pe := policy.NewPolicyEvaluator()
 	pe.UseLocalPolicy = args.useLocalPolicy
 	verifiedLevels, policyPath, err := pe.EvaluateTagProv(ctx, args.GetRepository(), prov)
 	if err != nil {
-		return err
+		return fmt.Errorf("evaluating the tag provenance metadata: %w", err)
 	}
 
 	// create vsa

pkg/attest/statement.go

@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"strings"
 
 	spb "github.com/in-toto/attestation/go/v1"
 	"google.golang.org/protobuf/encoding/protojson"
@@ -31,12 +32,27 @@ func (br *BundleReader) convertLineToStatement(line string) (*spb.Statement, err
 	if err == nil {
 		// This is it.
 		return vr.Statement, nil
-	} else {
-		// We ignore errors because there could be other stuff in the
-		// bundle this line came from.
-		Debugf("Line '%s' failed verification: %v", line, err)
 	}
 
+	// Compatibility hack bridgind identities for repository migration
+	// See here for more info and when to drop:
+	//
+	//  https://github.com/slsa-framework/slsa-source-poc/issues/255
+	if strings.Contains(err.Error(), "no matching CertificateIdentity") && strings.Contains(err.Error(), OldExpectedSan) {
+		ver, err := (&BndVerifier{
+			Options: VerificationOptions{
+				ExpectedIssuer: ExpectedIssuer,
+				ExpectedSan:    OldExpectedSan,
+			},
+		}).Verify(line)
+		if err == nil {
+			Debugf("found statement signed with old identity")
+			return ver.Statement, nil
+		}
+	}
+
+	Debugf("Line '%s' failed verification: %v", line, err)
+
 	// TODO: add support for 'regular' DSSEs.
 
 	return nil, fmt.Errorf("could not convert line to statement: '%s'", line)

pkg/attest/verify.go

@@ -13,11 +13,27 @@ type VerificationOptions struct {
 	ExpectedSan    string
 }
 
+const (
+	// ExpectedIssuer is the OIDC issuer found in the sigstore bundles
+	ExpectedIssuer = "https://token.actions.githubusercontent.com"
+
+	// Expected SAN is the expected identity of the workflow signing the
+	// provenance and VSAs.
+	ExpectedSan = "https://github.com/slsa-framework/source-actions/.github/workflows/compute_slsa_source.yml@refs/heads/main"
+
+	// OldExpectedSan is the old singer identity before splitting out the actions to their own repo
+	// this constant is part of a compatibility hack that should be reverted once the latests attestations
+	// of the repos are signed with the new identity.
+	//
+	// See https://github.com/slsa-framework/slsa-source-poc/issues/255
+	OldExpectedSan = "https://github.com/slsa-framework/slsa-source-poc/.github/workflows/compute_slsa_source.yml@refs/heads/main"
+)
+
 // TODO: Update ExpectedSan to support regex so we can get the branches/tags we really think
 // folks should be using (they won't all run from main).
 var DefaultVerifierOptions = VerificationOptions{
-	ExpectedIssuer: "https://token.actions.githubusercontent.com",
-	ExpectedSan:    "https://github.com/slsa-framework/slsa-source-poc/.github/workflows/compute_slsa_source.yml@refs/heads/main",
+	ExpectedIssuer: ExpectedIssuer,
+	ExpectedSan:    ExpectedSan,
 }
 
 type Verifier interface {

pkg/attest/vsa.go

@@ -21,7 +21,7 @@ import (
 
 const (
 	VsaPredicateType = "https://slsa.dev/verification_summary/v1"
-	VsaVerifierId    = "https://github.com/slsa-framework/slsa-source-poc"
+	VsaVerifierId    = "https://github.com/slsa-framework/source-actions"
 )
 
 func CreateUnsignedSourceVsa(repoUri, ref, commit string, verifiedLevels slsa.SourceVerifiedLevels, policy string) (string, error) {

pkg/policy/policy.go

@@ -32,7 +32,7 @@ import (
 )
 
 const (
-	SourcePolicyUri       = "github.com/slsa-framework/slsa-source-poc"
+	SourcePolicyUri       = "github.com/slsa-framework/source-policies"
 	SourcePolicyRepoOwner = "slsa-framework"
 	SourcePolicyRepo      = "source-policies"
 )