chore: Generate SLSA provenance for SBOM (argoproj#14438) (argoproj#1…

…4507) * Add provenance generation for sbom Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> * upload SBOM Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> * Remove cosign setup Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> * include hashes in generate-sbom output Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> * Replace Cosign Verification command with SLSA command in docs Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> * Remove id-token write permission - no longer needed Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> --------- Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
yyzxw · Aug 9, 2023 · 33ae14f · 33ae14f
1 parent 1995ec0
commit 33ae14f
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 22 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -127,13 +127,14 @@ jobs:
       upload-assets: true
 
   generate-sbom:
-    name: Create Sbom and sign assets
+    name: Create SBOM and generate hash
     needs:
       - argocd-image
       - goreleaser
     permissions:
       contents: write # Needed for release uploads
-      id-token: write # Needed for signing Sbom
+    outputs:
+      hashes: ${{ steps.sbom-hash.outputs.hashes}}
     if: github.repository == 'argoproj/argo-cd'
     runs-on: ubuntu-22.04
     steps:
@@ -148,11 +149,6 @@ jobs:
         with:
           go-version: ${{ env.GOLANG_VERSION }}
 
-      - name: Install cosign
-        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
-        with:
-          cosign-release: 'v2.0.0'
-
       - name: Generate SBOM (spdx)
         id: spdx-builder
         env:
@@ -182,23 +178,38 @@ jobs:
           fi
 
           cd /tmp && tar -zcf sbom.tar.gz *.spdx
-
-      - name: Sign SBOM
+          
+      - name: Generate SBOM hash
+        shell: bash
+        id: sbom-hash
         run: |
-          cosign sign-blob \
-            --output-certificate=/tmp/sbom.tar.gz.pem \
-            --output-signature=/tmp/sbom.tar.gz.sig \
-            -y \
-            /tmp/sbom.tar.gz
-
-      - name: Upload SBOM and signature assets
+          # sha256sum generates sha256 hash for sbom.
+          # base64 -w0 encodes to base64 and outputs on a single line.
+          # sha256sum /tmp/sbom.tar.gz ... | base64 -w0
+          echo "hashes=$(sha256sum /tmp/sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
+      
+      - name: Upload SBOM
         uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           files: |
-            /tmp/sbom.tar.*
-
+            /tmp/sbom.tar.gz
+  
+  sbom-provenance:
+    needs: [generate-sbom]
+    permissions:
+      actions: read # for detecting the Github Actions environment
+      id-token: write # Needed for provenance signing and ID
+      contents: write #  Needed for release uploads
+    if: github.repository == 'argoproj/argo-cd'
+    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.7.0
+    with:
+      base64-subjects: "${{ needs.generate-sbom.outputs.hashes }}"
+      provenance-name: "argocd-sbom.intoto.jsonl"
+      upload-assets: true
+
   post-release:
     needs:
       - argocd-image

diff --git a/docs/operator-manual/signed-release-assets.md b/docs/operator-manual/signed-release-assets.md
@@ -136,11 +136,13 @@ slsa-verifier verify-artifact argocd-linux-amd64 \
 
 ## Verification of Sbom
 
+A single attestation (`argocd-sbom.intoto.jsonl`) from each release is provided along with the sbom (`sbom.tar.gz`). This can be used with [slsa-verifier](https://github.com/slsa-framework/slsa-verifier#verification-for-github-builders) to verify that the SBOM was generated using Argo CD workflows on GitHub and ensures it was cryptographically signed.
+
 ```bash
-cosign verify-blob --signature sbom.tar.gz.sig --certificate sbom.tar.gz.pem \
---certificate-identity-regexp ^https://github.com/argoproj/argo-cd/.github/workflows/release.yaml@refs/tags/v \
---certificate-oidc-issuer https://token.actions.githubusercontent.com  \
- ~/Downloads/sbom.tar.gz | jq
+slsa-verifier verify-artifact sbom.tar.gz \
+  --provenance-path argocd-sbom.intoto.jsonl \
+  --source-uri github.com/argoproj/argo-cd \
+  --source-tag v2.7.0
 ```
 
 ***