[feature][npm] Verify consistency between cert and provenance #493

Open
laurentsimon opened this issue Feb 18, 2023 · 8 comments · May be fixed by #768
Labels
area:npm An issue with verification of npm packages type:feature New feature request

Comments

@laurentsimon (Contributor)

This is currently not possible but will land once the Fulcio claims have been standardized

@ianlewis added the labels type:feature (New feature request) and area:npm (An issue with verification of npm packages) on Feb 21, 2023
@laurentsimon (Contributor, Author)

If some fields cannot be verified because they are not present in the cert, I'm tempted to say we should remove them from the provenance that --print-provenance prints. This requires some more discussion.
pros: only trust what can be verified
cons: someone who verifies their own package knows that they have not altered the content and may want to trust it anyway. Arguably they should be using a different builder if they want this level of guarantees.

/cc @ianlewis @asraa

@ianlewis (Member) commented Feb 22, 2023

> If some fields cannot be verified because they are not present in the cert, I'm tempted to say we should remove them from the provenance that --print-provenance prints.

I agree but, even better, we should ask npm to remove them from the provenance they generate. We can create an issue on their repo to have them removed if we find any. We discussed this earlier and agreed in principle with the GitHub folks on this.

@laurentsimon (Contributor, Author)

Good idea. Please link the issue once you have created one on their repo.

@ianlewis (Member)

I linked to here from the issue in their repo. Anyone who has access should see it above.

@laurentsimon (Contributor, Author)

Example of claims and change in parsing sigstore/fulcio#754 (comment)

@laurentsimon (Contributor, Author)

Done in #572. Closing

ramonpetgrave64 pushed a commit to ramonpetgrave64/slsa-verifier that referenced this issue Apr 18, 2024
* Add tags for renovate-bot

* fix checkout

* Pin to codeql-action 2.1.15
@ramonpetgrave64 (Contributor)

reopening, since `(n *Npm) verifiedProvenanceBytes()` is not yet implemented.

```go
func (n *Npm) verifiedProvenanceBytes() ([]byte, error) {
	// TODO(#493): prune the provenance and return only
	// verified fields.
	// NOTE: we currently don't verify the materials' commit sha.
	return []byte{}, nil
}
```
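The stub above, and the earlier "only trust what can be verified" discussion, both describe the same operation: compare each provenance field against the matching claim in the Fulcio signing certificate, fail hard on a disagreement, and drop fields the certificate cannot vouch for (including the source commit SHA the stub's NOTE says is currently unchecked). The following is an added example of that pruning, not slsa-verifier's implementation or code from anyone in this thread. It assumes the certificate claims have already been extracted into a `CertClaims` struct (reading the X.509 extensions is out of scope), a deliberately minimal SLSA-v1-style provenance shape rather than the exact npm schema, and a `git+<repo>@<ref>` form for the source dependency URI; the sample provenance is constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// CertClaims holds identity claims taken from the Fulcio signing certificate.
// Extracting them from the X.509 extensions is assumed to have happened
// already. An empty string means the certificate carries no such claim, so
// the corresponding provenance field is unverifiable and must be pruned.
type CertClaims struct {
	SourceRepositoryURI    string // e.g. https://github.com/owner/repo
	SourceRepositoryRef    string // e.g. refs/tags/v1.2.3
	SourceRepositoryDigest string // commit SHA the workflow ran at
}

type workflow struct {
	Repository string `json:"repository,omitempty"`
	Ref        string `json:"ref,omitempty"`
	Path       string `json:"path,omitempty"`
}

type dependency struct {
	URI    string            `json:"uri,omitempty"`
	Digest map[string]string `json:"digest,omitempty"`
}

// provenance is an assumed, SLSA-v1-style subset (not the exact npm schema).
// Anything it does not declare is dropped on re-encoding, which is the
// intended pruning behaviour: unknown fields cannot have been verified.
type provenance struct {
	Predicate struct {
		BuildDefinition struct {
			ExternalParameters struct {
				Workflow workflow `json:"workflow"`
			} `json:"externalParameters"`
			ResolvedDependencies []dependency `json:"resolvedDependencies,omitempty"`
		} `json:"buildDefinition"`
	} `json:"predicate"`
}

// ErrInconsistent is returned when the certificate and the provenance both
// carry a value for a field but disagree.
var ErrInconsistent = errors.New("provenance inconsistent with certificate")

// keepIfVerified returns prov when the certificate confirms it, "" when the
// certificate has no claim for it (prune), and an error on a mismatch.
func keepIfVerified(name, prov, cert string) (string, error) {
	if cert == "" {
		return "", nil
	}
	if prov != cert {
		return "", fmt.Errorf("%w: %s: provenance %q, certificate %q", ErrInconsistent, name, prov, cert)
	}
	return prov, nil
}

// VerifiedProvenanceBytes returns a provenance that contains only the fields
// the certificate vouches for. A disagreement fails verification outright
// rather than being silently pruned.
func VerifiedProvenanceBytes(raw []byte, c CertClaims) ([]byte, error) {
	var in provenance
	if err := json.Unmarshal(raw, &in); err != nil {
		return nil, fmt.Errorf("parse provenance: %w", err)
	}
	var out provenance
	var err error
	wf := in.Predicate.BuildDefinition.ExternalParameters.Workflow
	owf := &out.Predicate.BuildDefinition.ExternalParameters.Workflow
	if owf.Repository, err = keepIfVerified("workflow.repository", wf.Repository, c.SourceRepositoryURI); err != nil {
		return nil, err
	}
	if owf.Ref, err = keepIfVerified("workflow.ref", wf.Ref, c.SourceRepositoryRef); err != nil {
		return nil, err
	}
	// workflow.path has no counterpart in CertClaims here, so it is never kept.

	// Only a dependency that names the certified repository can be tied to the
	// certificate; its commit digest is then checked against the cert's SHA.
	for _, d := range in.Predicate.BuildDefinition.ResolvedDependencies {
		if c.SourceRepositoryURI == "" || !strings.HasPrefix(d.URI, "git+"+c.SourceRepositoryURI+"@") {
			continue // cannot be attributed to the certified repo: prune
		}
		sha, err := keepIfVerified("resolvedDependencies.gitCommit", d.Digest["gitCommit"], c.SourceRepositoryDigest)
		if err != nil {
			return nil, err
		}
		if sha == "" {
			continue // certificate carries no commit claim: prune
		}
		out.Predicate.BuildDefinition.ResolvedDependencies = append(
			out.Predicate.BuildDefinition.ResolvedDependencies,
			dependency{URI: d.URI, Digest: map[string]string{"gitCommit": sha}})
	}
	return json.Marshal(out)
}

// sampleProvenance is constructed input for this example, not a real attestation.
const sampleProvenance = `{"predicate":{"buildDefinition":{
  "externalParameters":{"workflow":{"repository":"https://github.com/example/pkg",
    "ref":"refs/tags/v1.2.3","path":".github/workflows/publish.yml"}},
  "resolvedDependencies":[{"uri":"git+https://github.com/example/pkg@refs/tags/v1.2.3",
    "digest":{"gitCommit":"0123456789abcdef0123456789abcdef01234567"}}]}}}`

func main() {
	claims := CertClaims{
		SourceRepositoryURI:    "https://github.com/example/pkg",
		SourceRepositoryRef:    "refs/tags/v1.2.3",
		SourceRepositoryDigest: "0123456789abcdef0123456789abcdef01234567",
	}
	out, err := VerifiedProvenanceBytes([]byte(sampleProvenance), claims)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out)) // workflow.path is gone; repository, ref and commit survive
	claims.SourceRepositoryRef = "refs/tags/v1.2.4" // a provenance that disagrees with the cert
	_, err = VerifiedProvenanceBytes([]byte(sampleProvenance), claims)
	fmt.Println("mismatch:", err)
}
```

Two design points matter for a verifier. First, a mismatch is a failure, not a pruning case: a provenance that names a different ref or commit than the certificate is evidence of tampering or of a wrong signing identity, and the safe outcome is to reject. Second, the output is built from an empty struct rather than by deleting from the input, so a new field added to the provenance format can never leak through unverified.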

@ramonpetgrave64 (Contributor)

fix pending in #768 (comment)

ramonpetgrave64 added a commit that referenced this issue Jul 30, 2024
Fixes #614, #450, #449, #515

Adds support for NPM CLIs build provenances, generated when running `npm
publish --provenance --access public` from a [GitHub Actions
workflow](https://github.com/ramonpetgrave64/gundam-visor/blob/599500821344b070902a7a5666064bfdaba715df/.github/workflows/npm-publish.yml#L21).

## Testing

- added unit tests for some new helper functions
- added regression test cases

## Future work

- #493, so we can
do `--print-provenance`
- implemented in
#768 (comment)

---------

Signed-off-by: Ramon Petgrave <[email protected]>