
[feature][byob] verification for sha1 provided by TRW for v0.2 #599

Open
laurentsimon opened this issue May 18, 2023 · 7 comments
Assignees
Labels
status:blocked This issue is currently blocked on something.
Milestone

Comments

@laurentsimon
Contributor

verification counterpart for slsa-framework/slsa-github-generator#2079

To think about: if the sha1 != GitHub event, options like --source-branch, --source-tag or another source option should fail because we can no longer trust the event?

For generators, I think it's fine to keep the code as-is because the options refer to the trigger workflow. For builders, I think we need to fail.

@laurentsimon laurentsimon changed the title [feature][byob] verification for sha1 provided by TRW [feature][byob] verification for sha1 provided by TRW for v0.2 May 18, 2023
@ianlewis
Member

> For generators, I think it's fine to keep the code as-is because the options refer to the trigger workflow. For builders, I think we need to fail.

Doesn't that break our main use case which was for things like jReleaser which would be a builder rather than a generator?

@laurentsimon laurentsimon added this to the BYOB milestone May 18, 2023
@laurentsimon
Contributor Author

laurentsimon commented May 18, 2023

Sorry. I meant we need to fail if options like --source-branch or --source-tag are passed, since we cannot relate the tag / branch to the sha1 we built from. If none of these options are passed, we allow it, including for builders.

@laurentsimon
Contributor Author

blocked on #604

@ianlewis
Member

> verification counterpart for slsa-framework/slsa-github-generator#2079
>
> To think about: if the sha1 != GitHub event, options like --source-branch, --source-tag or another source option should fail because we can no longer trust the event?

If we are allowing users to specify a different sha1 then probably we shouldn't look at the GitHub event's ref and instead use the ref that's set on the materials[].uri?

@laurentsimon
Contributor Author

> If we are allowing users to specify a different sha1 then probably we shouldn't look at the GitHub event's ref and instead use the ref that's set on the materials[].uri?

Correct. For BYOB, we should allow that. Today we verify both, we'll have to relax the verification on the GitHub event's ref.

@ianlewis
Member

> Correct. For BYOB, we should allow that. Today we verify both, we'll have to relax the verification on the GitHub event's ref.

I found that while we do verify that both had the same repository, we didn't really verify that the sha or tag/branch ref were the same between the source and trigger. Though I believe that the builders have always specified the same values, we just never verified it.
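The rule the thread converges on, written out as an added Go example (not slsa-verifier's own code; the `Source` struct, its field names and the `VerifySource` / `refFromURI` functions are hypothetical): with no `--source-*` option the build is accepted, the GitHub event's ref is only consulted while the built sha1 still equals the event's sha1, and once a caller-supplied sha1 diverges the expected ref is read from `materials[].uri` instead.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Facts the verifier has in hand (hypothetical field names, not slsa-verifier's).
type Source struct {
	MaterialURI string // materials[0].uri, e.g. git+https://github.com/org/repo@refs/tags/v1.0
	MaterialSHA string // sha1 the build actually consumed
	EventRef    string // ref from the triggering GitHub event, e.g. refs/heads/main
	EventSHA    string // sha1 from the triggering GitHub event
}

// refFromURI extracts "<ref>" from "git+https://host/owner/repo@<ref>".
func refFromURI(uri string) (string, error) {
	i := strings.LastIndex(uri, "@")
	if i < 0 || i == len(uri)-1 {
		return "", errors.New("material uri carries no ref")
	}
	return uri[i+1:], nil
}

// VerifySource: with neither --source-branch nor --source-tag there is nothing
// to relate to the sha1, so the build is accepted (builders included). Otherwise
// the event's ref is trusted only while the built sha1 equals the event's sha1;
// once a caller-supplied sha1 diverges, the ref must come from materials[].uri.
func VerifySource(s Source, sourceBranch, sourceTag string) error {
	if sourceBranch == "" && sourceTag == "" {
		return nil
	}
	ref := s.EventRef
	if s.MaterialSHA != s.EventSHA {
		r, err := refFromURI(s.MaterialURI)
		if err != nil {
			return fmt.Errorf("sha1 differs from event and %w", err)
		}
		ref = r
	}
	want := "refs/heads/" + sourceBranch
	if sourceTag != "" {
		want = "refs/tags/" + sourceTag
	}
	if ref != want {
		return fmt.Errorf("source ref %q does not match requested %q", ref, want)
	}
	return nil
}
```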

@ianlewis ianlewis added the status:blocked This issue is currently blocked on something. label Jun 6, 2023
@ianlewis
Member

ianlewis commented Jun 6, 2023
