
chore(security): improve debugging for provenance script #2784

Merged
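--- a/.github/actions/verify-provenance/verify_provenance.sh
+++ b/.github/actions/verify-provenance/verify_provenance.sh
@@ -36,35 +36,58 @@ export readonly FILES=("${SLSA_VERIFIER_BINARY}" "${SLSA_VERIFIER_CHECKSUM_FILE}
 
 function debug() {
 TIMESTAMP=$(date -u "+%FT%TZ") # 2023-05-10T07:53:59Z
-echo ""${TIMESTAMP}" DEBUG - $1"
+echo ""${TIMESTAMP}" DEBUG - [*] $1"
 }
 
-function download_slsa_verifier() {
-debug "[*] Downloading SLSA Verifier for - Binary: slsa-verifier-${OS_NAME}-${ARCHITECTURE}"
-curl --location --silent -O "https://github.com/slsa-framework/slsa-verifier/releases/download/v${SLSA_VERIFIER_VERSION}/slsa-verifier-${OS_NAME}-${ARCHITECTURE}"
-
-debug "[*] Downloading SLSA Verifier checksums"
-curl --location --silent -O "https://raw.githubusercontent.com/slsa-framework/slsa-verifier/f59b55ef2190581d40fc1a5f3b7a51cab2f4a652/${SLSA_VERIFIER_CHECKSUM_FILE}"
+function error() {
+cleanup
+TIMESTAMP=$(date -u "+%FT%TZ") # 2023-05-10T07:53:59Z
+echo ""${TIMESTAMP}" ERROR - [!] $1"
+echo ""${TIMESTAMP}" ERROR - [!] exiting"
+exit 1
+}
 
-debug "[*] Verifying SLSA Verifier binary integrity"
+function download_slsa_verifier() {
+readonly SLSA_URL="https://github.com/slsa-framework/slsa-verifier/releases/download/v${SLSA_VERIFIER_VERSION}/slsa-verifier-${OS_NAME}-${ARCHITECTURE}"
+# debug "Downloading SLSA Verifier for - Binary: slsa-verifier-${OS_NAME}-${ARCHITECTURE}"
+debug "Downloading SLSA Verifier binary: ${SLSA_URL}"
+curl \
+--location \
+--fail \
+--silent \
+-O "${SLSA_URL}" || error "Failed to download SLSA Verifier binary"
+
+readonly SLSA_CHECKSUM_URL="https://raw.githubusercontent.com/slsa-framework/slsa-verifier/f59b55ef2190581d40fc1a5f3b7a51cab2f4a652/${SLSA_VERIFIER_CHECKSUM_FILE}"
+debug "Downloading SLSA Verifier checksums"
+curl \
+--location \
+--fail \
+--silent \
+-O "${SLSA_CHECKSUM_URL}" || error "Failed to download SLSA Verifier binary checksum file"
+
+debug "Verifying SLSA Verifier binary integrity"
 CURRENT_HASH=$(sha256sum "${SLSA_VERIFIER_BINARY}" | awk '{print $1}')
 if [[ $(grep "${CURRENT_HASH}" "${SLSA_VERIFIER_CHECKSUM_FILE}") ]]; then
-debug "[*] SLSA Verifier binary integrity confirmed"
+debug "SLSA Verifier binary integrity confirmed"
 chmod +x "${SLSA_VERIFIER_BINARY}"
 else
-debug "[!] Failed integrity check for SLSA Verifier binary: ${SLSA_VERIFIER_BINARY}"
-exit 1
+error "Failed integrity check for SLSA Verifier binary: ${SLSA_VERIFIER_BINARY}"
 fi
 }
 
 function download_provenance() {
-debug "[*] Downloading attestation for - Release: https://github.com/${ORG}/${REPO}/releases/v${RELEASE_VERSION}"
-
-curl --location --silent -O "https://github.com/${ORG}/${REPO}/releases/download/v${RELEASE_VERSION}/${PROVENANCE_FILE}"
+readonly PROVENANCE_URL="https://github.com/${ORG}/${REPO}/releases/download/v${RELEASE_VERSION}/${PROVENANCE_FILE}"
+debug "Downloading attestation: ${PROVENANCE_URL}"
+
+curl \
+--location \
+--fail \
+--silent \
+-O ${PROVENANCE_URL} || error "Failed to download provenance. Does the release already exist?"
 }
 
 function download_release_artifact() {
-debug "[*] Downloading ${RELEASE_VERSION} release from PyPi"
+debug "Downloading ${RELEASE_VERSION} release from PyPi"
 python -m pip download \
 --only-binary=:all: \
 --no-deps \
@@ -73,19 +96,19 @@ function download_release_artifact() {
 }
 
 function verify_provenance() {
-debug "[*] Verifying attestation with slsa-verifier"
+debug "Verifying attestation with slsa-verifier"
 "${SLSA_VERIFIER_BINARY}" verify-artifact \
 --provenance-path "${PROVENANCE_FILE}" \
 --source-uri github.com/${ORG}/${REPO} \
 ${RELEASE_BINARY}
 }
 
 function cleanup() {
-debug "[*] Cleaning up previously downloaded files"
-rm "${SLSA_VERIFIER_BINARY}"
-rm "${SLSA_VERIFIER_CHECKSUM_FILE}"
-rm "${PROVENANCE_FILE}"
-rm "${RELEASE_BINARY}"
+debug "Cleaning up previously downloaded files"
+rm -f "${SLSA_VERIFIER_BINARY}"
+rm -f "${SLSA_VERIFIER_CHECKSUM_FILE}"
+rm -f "${PROVENANCE_FILE}"
+rm -f "${RELEASE_BINARY}"
 echo "${FILES[@]}" | xargs -n1 echo "Removed file: "
 }
 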
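Review bot: The integrity check in download_slsa_verifier still only asks whether the digest string occurs anywhere in the checksum file (`if [[ $(grep "${CURRENT_HASH}" "${SLSA_VERIFIER_CHECKSUM_FILE}") ]]`), so it never ties the digest to the binary name that was actually downloaded; the new `--fail` flags only ensure the download is not an error page, not that the right entry matched. If the checksum file is in sha256sum format, `sha256sum --check --ignore-missing -- "${SLSA_VERIFIER_CHECKSUM_FILE}" || error "Failed integrity check for SLSA Verifier binary: ${SLSA_VERIFIER_BINARY}"` verifies digest and filename together and exits non-zero when nothing was verified — confirm the format of the pinned file before switching. In download_provenance the new `-O ${PROVENANCE_URL}` is unquoted, unlike the two curl calls above it; it should read `-O "${PROVENANCE_URL}" || error "Failed to download provenance. Does the release already exist?"`. The `readonly` declarations of SLSA_URL, SLSA_CHECKSUM_URL and PROVENANCE_URL inside function bodies will make any second call of those functions abort with a readonly-variable error; `local -r` expresses the same intent without that trap.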