diff --git a/internal/cmd/checktag.go b/internal/cmd/checktag.go
index b96f6e1d..d1bfaab6 100644
--- a/internal/cmd/checktag.go
+++ b/internal/cmd/checktag.go
@@ -70,7 +70,7 @@ func doCheckTag(args *checkTagOptions) error {
 pa := attest.NewProvenanceAttestor(ghconnection, verifier)
 prov, err := pa.CreateTagProvenance(ctx, args.commit, ghcontrol.TagToFullRef(args.tagName), args.actor)
 if err != nil {
- return err
+ return fmt.Errorf("creating tag provenance metadata: %w", err)
 }
 
 // check p against policy
@@ -78,7 +78,7 @@ func doCheckTag(args *checkTagOptions) error {
 pe.UseLocalPolicy = args.useLocalPolicy
 verifiedLevels, policyPath, err := pe.EvaluateTagProv(ctx, args.GetRepository(), prov)
 if err != nil {
- return err
+ return fmt.Errorf("evaluating the tag provenance metadata: %w", err)
 }
 
 // create vsa
diff --git a/pkg/attest/statement.go b/pkg/attest/statement.go
index 107df87e..bdfc26b1 100644
--- a/pkg/attest/statement.go
+++ b/pkg/attest/statement.go
@@ -8,6 +8,7 @@ import (
 "errors"
 "fmt"
 "io"
+ "strings"
 
 spb "github.com/in-toto/attestation/go/v1"
 "google.golang.org/protobuf/encoding/protojson"
@@ -31,12 +32,27 @@ func (br *BundleReader) convertLineToStatement(line string) (*spb.Statement, err
 if err == nil {
 // This is it.
 return vr.Statement, nil
- } else {
- // We ignore errors because there could be other stuff in the
- // bundle this line came from.
- Debugf("Line '%s' failed verification: %v", line, err)
 }
+ // Compatibility hack bridgind identities for repository migration
+ // See here for more info and when to drop:
+ //
+ // https://github.com/slsa-framework/slsa-source-poc/issues/255
+ if strings.Contains(err.Error(), "no matching CertificateIdentity") && strings.Contains(err.Error(), OldExpectedSan) {
+ ver, err := (&BndVerifier{
+ Options: VerificationOptions{
+ ExpectedIssuer: ExpectedIssuer,
+ ExpectedSan: OldExpectedSan,
+ },
+ }).Verify(line)
+ if err == nil {
+ Debugf("found statement signed with old identity")
+ return ver.Statement, nil
+ }
+ }
+
+ Debugf("Line '%s' failed verification: %v", line, err)
+
 // TODO: add support for 'regular' DSSEs.
 return nil, fmt.Errorf("could not convert line to statement: '%s'", line)
diff --git a/pkg/attest/verify.go b/pkg/attest/verify.go
index 369f7a9e..05f1e912 100644
--- a/pkg/attest/verify.go
+++ b/pkg/attest/verify.go
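Review bot: The fallback verifier's failure is never logged, because `ver, err :=` inside the new `if` block declares a fresh `err` that shadows the outer one, so the `Debugf("Line '%s' failed verification: %v", line, err)` after the block always reports the first failure and a bundle rejected by the bridge is indistinguishable from one the bridge never tried. Rename the inner error and log it before falling through: `ver, oldErr := (&BndVerifier{...}).Verify(line)` and, when `oldErr != nil`, `Debugf("old identity fallback failed: %v", oldErr)`. The bridge is gated only on substring matches of the primary error text, which ties it to the upstream error wording and to that message echoing the expected SAN; it fails closed if the wording changes, but that is worth a comment such as `// Relies on the verifier's error naming the rejected identity; if upstream wording changes this fallback silently stops applying.`. The fallback also hardcodes ExpectedIssuer and OldExpectedSan instead of deriving them from whatever the primary verifier (constructed above the hunk) was configured with, so if callers can supply non-default options the old slsa-source-poc identity is still accepted for them; if so, run the fallback only when the primary options equal DefaultVerifierOptions. convertLineToStatement begins outside the hunk, and "bridgind" in the new comment should read "bridging".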
@@ -13,11 +13,27 @@ type VerificationOptions struct {
 ExpectedSan string
 }
 
+const (
+ // ExpectedIssuer is the OIDC issuer found in the sigstore bundles
+ ExpectedIssuer = "https://token.actions.githubusercontent.com"
+
+ // Expected SAN is the expected identity of the workflow signing the
+ // provenance and VSAs.
+ ExpectedSan = "https://github.com/slsa-framework/source-actions/.github/workflows/compute_slsa_source.yml@refs/heads/main"
+
+ // OldExpectedSan is the old singer identity before splitting out the actions to their own repo
+ // this constant is part of a compatibility hack that should be reverted once the latests attestations
+ // of the repos are signed with the new identity.
+ //
+ // See https://github.com/slsa-framework/slsa-source-poc/issues/255
+ OldExpectedSan = "https://github.com/slsa-framework/slsa-source-poc/.github/workflows/compute_slsa_source.yml@refs/heads/main"
+)
+
 // TODO: Update ExpectedSan to support regex so we can get the branches/tags we really think
 // folks should be using (they won't all run from main).
 var DefaultVerifierOptions = VerificationOptions{
- ExpectedIssuer: "https://token.actions.githubusercontent.com",
- ExpectedSan: "https://github.com/slsa-framework/slsa-source-poc/.github/workflows/compute_slsa_source.yml@refs/heads/main",
+ ExpectedIssuer: ExpectedIssuer,
+ ExpectedSan: ExpectedSan,
 }
 
 type Verifier interface {
diff --git a/pkg/attest/vsa.go b/pkg/attest/vsa.go
index be580ffe..95861907 100644
--- a/pkg/attest/vsa.go
+++ b/pkg/attest/vsa.go
@@ -21,7 +21,7 @@ import (
 
 const (
 VsaPredicateType = "https://slsa.dev/verification_summary/v1"
- VsaVerifierId = "https://github.com/slsa-framework/slsa-source-poc"
+ VsaVerifierId = "https://github.com/slsa-framework/source-actions"
 )
 
 func CreateUnsignedSourceVsa(repoUri, ref, commit string, verifiedLevels slsa.SourceVerifiedLevels, policy string) (string, error) {
diff --git a/pkg/policy/policy.go b/pkg/policy/policy.go
index 50f86119..5b9b9921 100644
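Review bot: OldExpectedSan widens the set of signing identities the package accepts and is exported, so any importer can build a verifier that trusts the pre-migration identity; its only user in this diff is convertLineToStatement in the same package, so make it unexported (`oldExpectedSan`) and the compatibility hack never becomes public API that must be preserved when issue 255 is closed. The ExpectedSan doc comment should start with the identifier per Go convention, `// ExpectedSan is the expected identity of the workflow signing the provenance and VSAs.`, and the OldExpectedSan comment has "singer" for "signer" and "latests" for "latest". The existing TODO above DefaultVerifierOptions still stands: ExpectedSan pins `@refs/heads/main`, so bundles signed from any other ref are rejected, which is the safe direction but worth stating in the ExpectedSan comment.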
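Review bot: Changing VsaVerifierId changes the verifier identity presumably embedded in every VSA produced by CreateUnsignedSourceVsa, so any consumer or policy that pins the old `https://github.com/slsa-framework/slsa-source-poc` value will reject VSAs issued after this change, while earlier still-valid VSAs keep carrying the old value. The statement.go hunk bridges the signing identity during the migration but nothing in this diff bridges the verifier id; if VSAs are compared on that field anywhere (not visible here), they need the same accept-old-until-reissued handling. At minimum record the transition on the constant: `// VsaVerifierId moved from slsa-source-poc to source-actions with the actions split; VSAs issued before that carry the previous value.`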
--- a/pkg/policy/policy.go
+++ b/pkg/policy/policy.go
@@ -32,7 +32,7 @@ import (
 )
 
 const (
- SourcePolicyUri = "github.com/slsa-framework/slsa-source-poc"
+ SourcePolicyUri = "github.com/slsa-framework/source-policies"
 SourcePolicyRepoOwner = "slsa-framework"
 SourcePolicyRepo = "source-policies"
 )
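Review bot: SourcePolicyUri is still spelled out independently of SourcePolicyRepoOwner and SourcePolicyRepo, which is how it drifted to the stale slsa-source-poc value this hunk corrects; derive it instead, `SourcePolicyUri = "github.com/" + SourcePolicyRepoOwner + "/" + SourcePolicyRepo`, a valid Go constant expression that keeps the three from disagreeing again. Because this value names the repository whose policies verification presumably trusts (its use sites are outside the hunk), a short doc comment on the const block saying that, and that the three constants must describe the same repository, would help the next person who renames it.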