Add functionality to output the UUID for log lookup purposes #3744

Open. Wants to merge 10 commits into base: main.
Conversation

@daoauth daoauth commented Jul 23, 2024

Summary

Add functionality to output the UUID for log lookup purposes. The provenance-rekor-uuid parameter represents the Rekor UUID, a unique identifier that can be used to search for and view specific log entry details on the Rekor Search UI.

Testing Process

Forked the branch and conducted unit tests to verify the output of the UUID.

Checklist

  • Review the contributing guidelines
  • Add a reference to related issues in the PR description.
  • Update documentation if applicable.
  • Add unit tests if applicable.
  • Add changes to the CHANGELOG if applicable.

Signed-off-by: Lim Jet <57783762+daoauth@users.noreply.github.com>
Collaborator

@laurentsimon laurentsimon left a comment


Thanks for the PR

Two review comments on .github/workflows/generator_generic_slsa3.yml (outdated, resolved)
Signed-off-by: Lim Jet <57783762+daoauth@users.noreply.github.com>
Signed-off-by: Lim Jet <57783762+daoauth@users.noreply.github.com>
@ramonpetgrave64
Collaborator

Thanks for implementing. Please use the PR template in this PR's description.

@daoauth
Author

daoauth commented Jul 23, 2024

Thanks for implementing. Please use the PR template in this PR's description.

Thank you for the feedback. I have made the requested changes

@ramonpetgrave64
Collaborator

Thanks for finding a way to test, can you show us an example run in your fork?

Signed-off-by: Lim Jet <57783762+daoauth@users.noreply.github.com>
Signed-off-by: Lim Jet <57783762+daoauth@users.noreply.github.com>
@daoauth
Author

daoauth commented Jul 24, 2024

Thanks for finding a way to test, can you show us an example run in your fork?

I renamed slsa-framework/slsa-github-generator/ to zktx-io/slsa-github-generator/ and created a release. Additionally, I downloaded slsa-generator-generic-linux-amd64, added it to the release, and modified the code to execute it as follows.

      - name: Create and sign provenance
        id: sign-prov
        continue-on-error: true
        # NOTE: Inputs and `github` context are set to environment variables in
        # order to avoid script injection.
        # See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
        env:
          GITHUB_CONTEXT: "${{ toJSON(github) }}"
          VARS_CONTEXT: "${{ toJSON(vars) }}"
          UNTRUSTED_PROVENANCE_NAME: "${{ inputs.provenance-name }}"
        run: |
          set -euo pipefail

          # I downloaded the files uploaded to the release and changed their attributes using chmod +x to make them executable.
          chmod +x "$GITHUB_WORKSPACE/$BUILDER_BINARY"
          untrusted_prov_name=""
          if [ "$UNTRUSTED_PROVENANCE_NAME" != "" ]; then
            untrusted_prov_name="$UNTRUSTED_PROVENANCE_NAME"
          fi
          # Create and sign provenance.
          # NOTE: The builder verifies that the provenance path is located
          # in the current directory.
          # NOTE: $untrusted_provenance_path may be empty. In this case the
          # attest command chooses a file name based on the subject name and
          # number of subjects based on in-toto attestation bundle file naming conventions.
          # See: https://github.com/in-toto/attestation/blob/main/spec/bundle.md#file-naming-convention
          # NOTE: The attest command outputs the provenance-name and provenance-sha256
          output=$("$GITHUB_WORKSPACE/$BUILDER_BINARY" attest --subjects-filename "${SUBJECTS_FILENAME}" -g "$untrusted_prov_name")
          echo "$output"
          # Under `set -e` a non-matching grep aborts the step, so an empty
          # value is never written to the output.
          uuid=$(echo "$output" | grep -oP 'UUID \K[0-9a-f]{80}')

          # I verified the output by printing the UUID.
          echo "$uuid"
          echo "uuid=$uuid" >> "$GITHUB_OUTPUT"

Signed-off-by: Lim Jet <57783762+daoauth@users.noreply.github.com>
@ramonpetgrave64
Collaborator

Sorry for not clarifying. If you ran the workflow on your own fork, can you provide us with a link so we can inspect the logs?

@daoauth
Author

daoauth commented Jul 25, 2024

Sorry for not clarifying. If you ran the workflow on your own fork, can you provide us with a link so we can inspect the logs?

  1. This is the test repository where I forked slsa-github-generator: https://github.com/zktx-io/slsa-github-generator-test
  2. This is the test repository for outputting logs: https://github.com/zktx-io/slsa-github-generator-test2/actions/runs/10091019235/job/27901935588
[Screenshot of the workflow run log, 2024-07-25]

"$GITHUB_WORKSPACE/$BUILDER_BINARY" attest --subjects-filename "${SUBJECTS_FILENAME}" -g "$untrusted_prov_name"
output=$("$GITHUB_WORKSPACE/$BUILDER_BINARY" attest --subjects-filename "${SUBJECTS_FILENAME}" -g "$untrusted_prov_name")
echo "$output"
uuid=$(echo "$output" | grep -oP 'UUID \K[0-9a-f]{80}')
Collaborator

@ramonpetgrave64 ramonpetgrave64 Jul 26, 2024


nonblocker: it seems the rekor UUID is meant to be 64 hex digits, not 80.

Author


The length of the UUID generated in "create and sign provenance" is 80.

https://search.sigstore.dev/?uuid=24296fb24b8ad77a037b175b6a98db3d318ae8d94428f5be89eb07c8a6b70b58b54bdd32c7b15fb6

https://docs.sigstore.dev/logging/sharding/#identifier-definitions-entryid-uuid-logid-log-index

So, I think the UUID used as a search parameter in sigstore is actually an entry ID.

Contributor


The additional prefix digits are for distinguishing which log "shard" hosts the content.
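The 64-versus-80 question in the review thread comes down to two different Rekor identifiers: the UUID is the 64-hex-digit leaf hash of the entry, and the entry ID prepends the 16-hex-digit tree ID of the shard that holds it, giving the 80 digits the workflow sees. The following is an added example, not code from this PR or from slsa-github-generator, that extracts the identifier from builder output the way the workflow's grep does, then splits it into shard tree ID and UUID and rejects anything that is neither form. The "UUID <hex>" line layout in the sample output is an assumption taken from the grep pattern in the thread; the sample output itself is constructed, and the entry ID in it is the one linked above.

```python
import re
from typing import Optional, Tuple

# Constructed sample of builder log output. The "UUID <hex>" layout is an
# assumption taken from the grep pattern in the workflow; the entry ID is the
# one linked in the review thread.
SAMPLE_ATTEST_OUTPUT = """\
Signing provenance
Uploaded to Rekor: UUID 24296fb24b8ad77a037b175b6a98db3d318ae8d94428f5be89eb07c8a6b70b58b54bdd32c7b15fb6
provenance-name=binary.intoto.jsonl
"""

# Rekor identifiers (docs.sigstore.dev, sharding page):
#   UUID    = 64 hex chars, the Merkle leaf hash of the entry
#   TreeID  = 16 hex chars identifying the log shard
#   EntryID = TreeID + UUID = 80 hex chars
TREE_ID_HEX = 16
UUID_HEX = 64
ENTRY_ID_HEX = TREE_ID_HEX + UUID_HEX

# Accept either the full 80-char entry ID or a bare 64-char UUID; the longer
# alternative is tried first so an entry ID is never truncated to 64 chars.
_ID_RE = re.compile(r"\bUUID ([0-9a-f]{80}|[0-9a-f]{64})\b")


def extract_rekor_id(output: str) -> str:
    """Return the identifier following 'UUID ' in the builder output.

    Raises ValueError if no 64- or 80-hex-digit identifier is present, so a
    caller never writes an empty value into GITHUB_OUTPUT.
    """
    m = _ID_RE.search(output)
    if m is None:
        raise ValueError("no Rekor UUID/entry ID found in attest output")
    return m.group(1)


def split_entry_id(rekor_id: str) -> Tuple[Optional[str], str]:
    """Split an identifier into (tree_id, uuid).

    An 80-char entry ID yields the 16-char shard tree ID and the 64-char UUID;
    a bare 64-char UUID yields (None, uuid). Anything else is rejected.
    """
    if not re.fullmatch(r"[0-9a-f]+", rekor_id):
        raise ValueError("identifier must be lowercase hex")
    if len(rekor_id) == ENTRY_ID_HEX:
        return rekor_id[:TREE_ID_HEX], rekor_id[TREE_ID_HEX:]
    if len(rekor_id) == UUID_HEX:
        return None, rekor_id
    raise ValueError(f"unexpected identifier length {len(rekor_id)}")


def search_url(rekor_id: str) -> str:
    """Build the Rekor Search UI link of the form used in the thread, after
    validating the identifier so nothing else is embedded in the URL."""
    split_entry_id(rekor_id)
    return f"https://search.sigstore.dev/?uuid={rekor_id}"


if __name__ == "__main__":
    entry_id = extract_rekor_id(SAMPLE_ATTEST_OUTPUT)
    tree_id, uuid = split_entry_id(entry_id)
    print("entry id:", entry_id)
    print("tree id :", tree_id)
    print("uuid    :", uuid)
    print("search  :", search_url(entry_id))
```

For a workflow output that has to work across shards, keep the full 80-digit entry ID: the 64-digit UUID alone does not say which shard holds the entry, while the entry ID is what the Search UI link in the thread already uses.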

@ramonpetgrave64
Collaborator

ramonpetgrave64 commented Jul 26, 2024

@haydentherapper, @loosebazooka please take a look

Collaborator

@ramonpetgrave64 ramonpetgrave64 left a comment


Signed-off-by: Lim Jet <57783762+daoauth@users.noreply.github.com>
Review comment on CHANGELOG.md (outdated, resolved)
Signed-off-by: Lim Jet <57783762+daoauth@users.noreply.github.com>
Review comment on CHANGELOG.md (outdated, resolved)
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Signed-off-by: daoauth <57783762+daoauth@users.noreply.github.com>
output=$("$GITHUB_WORKSPACE/$BUILDER_BINARY" attest --subjects-filename "${SUBJECTS_FILENAME}" -g "$untrusted_prov_name")
echo "$output"
uuid=$(echo "$output" | grep -oP 'UUID \K[0-9a-f]{80}')
echo "uuid=$uuid" >> $GITHUB_OUTPUT
Collaborator


Lint errors: please run make actionlint and make lint

4 participants