scorecard_4.5.0_linux_amd64.tar.gz wasn't released

[suzuki-shunsuke]

Thank you for your great project!

I found scorecard_4.5.0_linux_amd64.tar.gz wasn't released.

https://github.com/ossf/scorecard/releases/tag/v4.5.0

On the other hand, scorecard_4.4.0_linux_amd64.tar.gz was released.

https://github.com/ossf/scorecard/releases/tag/v4.4.0

Could you release scorecard_4.5.0_linux_amd64.tar.gz?

Thank you.

[suzuki-shunsuke]

https://github.com/ossf/scorecard/runs/7638647801?check_suite_focus=true

scorecard/.goreleaser.yml

Lines 31 to 34 in 3b7c46f

	goarch:
	- arm64
	- 386
	- arm

3b7c46f#diff-42e26dc67aed8aa3edb2472b4403288c1699fb6dc47419b9a475f0f224fe4689L32

#1702

[suzuki-shunsuke]

Oh, this change seems to be intentional.
I'll take a look SLSA.
https://github.com/ossf/scorecard#standalone

[suzuki-shunsuke]

$ slsa-verifier --artifact-path scorecard-linux-amd64 \
  --provenance scorecard-linux-amd64.intoto.jsonl \
  --source github.com/ossf/scorecard \
  --tag v4.5.0
2022/08/03 04:10:35 open scorecard-linux-amd64: no such file or directory

[suzuki-shunsuke]

CI failed.
https://github.com/ossf/scorecard/runs/7638656220?check_suite_focus=true

Fetching the builder with ref: refs/tags/v1.0.0
Builder version: v1.0.0
BUILDER_REPOSITORY: slsa-framework/slsa-github-generator
verifier hash computed is 60c91c9d5b9a059e37ac46da316f20c81da335b5d00e1f74d03dd50f819694bd
verifier hash verification has passed
panic: error getting targets

goroutine 1 [running]:
github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots.Get.func1()
	github.com/sigstore/cosign@v1.7.2/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go:48 +0x57
sync.(*Once).doSlow(0xc000be3b30?, 0xc0008de700?)
	sync/once.go:68 +0xc2
sync.(*Once).Do(...)
	sync/once.go:59
github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots.Get()
	github.com/sigstore/cosign@v1.7.2/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go:[44](https://github.com/ossf/scorecard/runs/7638656220?check_suite_focus=true#step:4:45) +0x31
github.com/sigstore/cosign/cmd/cosign/cli/fulcio.GetRoots(...)
	github.com/sigstore/cosign@v1.7.2/cmd/cosign/cli/fulcio/fulcio.go:157
github.com/slsa-framework/slsa-verifier/pkg.FindSigningCertificate({0x221b510, 0xc000118000}, {0xc00012a500, 0x1, 0xf0f41934e555386?}, {{0xc000a260a0, 0x1c}, {0xc000a30000, 0x38[48](https://github.com/ossf/scorecard/runs/7638656220?check_suite_focus=true#step:4:49)}, {0xc0005f2000, ...}}, ...)
	github.com/slsa-framework/slsa-verifier/pkg/provenance.go:326 +0x1d9
main.verify({0x221b510, 0xc000118000}, {0xc00061a000, 0x3908, 0x3909}, {0xc00064dfc0, 0x40}, {0x7ffcb3a72e5e, 0x2f}, {0x7ffcb3a72de1, ...}, ...)
	github.com/slsa-framework/slsa-verifier/main.go:[50](https://github.com/ossf/scorecard/runs/7638656220?check_suite_focus=true#step:4:51) +0x1a7
main.runVerify({0x7ffcb3a72e03?, 0x3106ff0?}, {0x7ffcb3a72e2c, 0x28}, {0x7ffcb3a72e5e, 0x2f}, {0x7ffcb3a72de1, 0x4}, 0xc0004d3f70?, 0x0)
	github.com/slsa-framework/slsa-verifier/main.go:1[66](https://github.com/ossf/scorecard/runs/7638656220?check_suite_focus=true#step:4:67) +0x34a
main.main()
	github.com/slsa-framework/slsa-verifier/main.go:127 +0x3f6
Error: Process completed with exit code 6.

https://github.com/slsa-framework/slsa-github-generator/blob/v1.0.0/.github/workflows/builder_go_slsa3.yml#L142-L177

https://github.com/slsa-framework/slsa-github-generator/blob/v1.0.0/.github/workflows/scripts/builder-fetch.sh#L75-L79

The latest version of slsa-framework/slsa-github-generator is v1.2.0
https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.2.0

[azeemshaikh38]

@laurentsimon fyi.

[laurentsimon]

Thanks. Sigstore made a breaking change which breaks every existing builder (sigstore/cosign#2121). Sorry about that. Working on backporting some fixes to the older builders ...

[laurentsimon]

Now it is released https://github.com/ossf/scorecard/releases/tag/v4.6.0
I encourage you to verify the provenance (attestation.intoto.json file), using the steps described in https://github.com/ossf/scorecard#installation when you download the released binaries.

It would be fun to simulate an attack and catch it via your automated CI. Feel free to reach out if you're interested.