feat: support npm cli provenance v1 attestations #776

Merged
merged 26 commits into from
Jul 30, 2024
Changes from 21 commits
26 commits
f565ec3
start considering provenance v1
ramonpetgrave64 May 23, 2024
91440cf
add the new buildType, TODO: fix verifySystemParameters()
ramonpetgrave64 May 23, 2024
fa4b631
fix verifySystemParameters()
ramonpetgrave64 May 28, 2024
99fc0bc
fix verifyIntotoTypes()
ramonpetgrave64 May 28, 2024
6232bda
add test case for v1
ramonpetgrave64 May 28, 2024
5d0188a
add GITHUB_WORKFLOW_SHA
ramonpetgrave64 May 29, 2024
cb1b033
better provenance predicate type check
ramonpetgrave64 May 29, 2024
dd00555
use type switches instead of mangling sysParams
ramonpetgrave64 May 30, 2024
70d50fa
simplify GetBuildTriggerPath to a map type check
ramonpetgrave64 May 30, 2024
2add559
add Test_NpmCLIGithubActionsProvenance_TriggerURI
ramonpetgrave64 May 31, 2024
8905296
no need for statement headers
ramonpetgrave64 May 31, 2024
a58f2f2
no need for resolved deps
ramonpetgrave64 May 31, 2024
29326f5
add new GetExternalParams, tests
ramonpetgrave64 May 31, 2024
eee2182
regression tests: main branch
ramonpetgrave64 Jun 4, 2024
b454c58
regression tests: tag
ramonpetgrave64 Jun 4, 2024
91d8816
undo build tag
ramonpetgrave64 Jun 4, 2024
5b59f8b
make GetExternalParameters private
ramonpetgrave64 Jun 21, 2024
c01c789
accept the true type
ramonpetgrave64 Jun 21, 2024
334d915
typo
ramonpetgrave64 Jun 24, 2024
6d7845b
fix doc comment
ramonpetgrave64 Jun 24, 2024
9b5430f
docs and npm attestations example
ramonpetgrave64 Jun 24, 2024
18d52ca
typo
ramonpetgrave64 Jun 27, 2024
7b0a3d8
Merge branch 'main' into npm-slsa-1.0
ramonpetgrave64 Jul 23, 2024
b6cc301
Merge branch 'main' into npm-slsa-1.0
ramonpetgrave64 Jul 25, 2024
0b9898c
update func name
ramonpetgrave64 Jul 25, 2024
da7cf58
Merge branch 'main' into npm-slsa-1.0
ramonpetgrave64 Jul 30, 2024
2 changes: 2 additions & 0 deletions README.md
@@ -315,6 +315,8 @@ PASSED: Verified SLSA provenance

Verification of npm packages is currently an experimental feature.

More deetails about npm attestations are in [docs/npm.md](./docs/npm.md)

#### The verify-npm-package command

```bash
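Review bot: "deetails" in the added README line is a typo and the sentence is missing its terminating period, unlike the line above it ("Verification of npm packages is currently an experimental feature."); suggest `More details about npm attestations are in [docs/npm.md](./docs/npm.md).`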
187 changes: 186 additions & 1 deletion cli/slsa-verifier/main_regression_test.go
@@ -1519,6 +1519,14 @@ func Test_runVerifyNpmPackage(t *testing.T) {
pkgName: PointerTo("@trishankatdatadog/supreme-goggles"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
},
{
name: "valid npm CLI builder v1",
artifact: "gundam-visor-cli-v1-tag.tgz",
source: "github.com/ramonpetgrave64/gundam-visor",
pkgVersion: PointerTo("1.0.1"),
pkgName: PointerTo("gundam-visor"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
},
{
name: "valid npm CLI builder short runner name",
artifact: "supreme-googles-cli-v02-tag.tgz",
@@ -1527,6 +1535,17 @@ func Test_runVerifyNpmPackage(t *testing.T) {
pkgName: PointerTo("@trishankatdatadog/supreme-goggles"),
builderID: PointerTo("https://github.com/actions/runner"),
},
{
// The builderID for v1 should never be the "shortname".
// https://github.com/npm/cli/blob/93883bb6459208a916584cad8c6c72a315cf32af/workspaces/libnpmpublish/lib/provenance.js#L58.
name: "valid npm CLI builder v1 short runner name",
artifact: "gundam-visor-cli-v1-tag.tgz",
source: "github.com/ramonpetgrave64/gundam-visor",
pkgVersion: PointerTo("1.0.1"),
pkgName: PointerTo("gundam-visor"),
builderID: PointerTo("https://github.com/actions/runner"),
err: serrors.ErrorInvalidBuilderID,
},
{
name: "valid npm CLI builder no builder",
artifact: "supreme-googles-cli-v02-tag.tgz",
@@ -1535,6 +1554,14 @@ func Test_runVerifyNpmPackage(t *testing.T) {
pkgName: PointerTo("@trishankatdatadog/supreme-goggles"),
err: serrors.ErrorInvalidBuilderID,
},
{
name: "valid npm CLI builder v1 no builder",
artifact: "gundam-visor-cli-v1-tag.tgz",
source: "github.com/ramonpetgrave64/gundam-visor",
pkgVersion: PointerTo("1.0.5"),
pkgName: PointerTo("gundam-visor"),
err: serrors.ErrorInvalidBuilderID,
},
{
name: "valid npm CLI builder mismatch builder",
artifact: "supreme-googles-cli-v02-tag.tgz",
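Review bot: the "valid npm CLI builder v1 no builder" case sets `pkgVersion: PointerTo("1.0.5")` while every other gundam-visor v1 case in this file uses "1.0.1"; the test still passes only because the missing builderID is rejected before the version is compared, so as written it does not prove that the absent builder ID alone produces ErrorInvalidBuilderID. Suggest `pkgVersion: PointerTo("1.0.1"),` so the case isolates the missing builder ID (the "1.0.5" looks copied from the supreme-goggles v0.2 cases).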
@@ -1544,20 +1571,43 @@ func Test_runVerifyNpmPackage(t *testing.T) {
builderID: PointerTo("https://github.com/actions/runner2"),
err: serrors.ErrorNotSupported,
},
{
name: "valid npm CLI builder v1 mismatch builder",
artifact: "gundam-visor-cli-v1-tag.tgz",
source: "github.com/ramonpetgrave64/gundam-visor",
pkgVersion: PointerTo("1.0.1"),
pkgName: PointerTo("gundam-visor"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted2"),
err: serrors.ErrorNotSupported,
},
{
name: "valid npm CLI builder no package name",
artifact: "supreme-googles-cli-v02-tag.tgz",
source: "github.com/trishankatdatadog/supreme-goggles",
pkgVersion: PointerTo("1.0.5"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
},
{
name: "valid npm CLI builder v1 no package name",
artifact: "gundam-visor-cli-v1-tag.tgz",
source: "github.com/ramonpetgrave64/gundam-visor",
pkgVersion: PointerTo("1.0.1"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
},
{
name: "valid npm CLI builder no package version",
artifact: "supreme-googles-cli-v02-tag.tgz",
source: "github.com/trishankatdatadog/supreme-goggles",
pkgName: PointerTo("@trishankatdatadog/supreme-goggles"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
},
{
name: "valid npm CLI builder v1 no package version",
artifact: "gundam-visor-cli-v1-tag.tgz",
source: "github.com/ramonpetgrave64/gundam-visor",
pkgName: PointerTo("gundam-visor"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
},
{
name: "valid npm CLI builder mismatch source",
artifact: "supreme-googles-cli-v02-tag.tgz",
@@ -1567,6 +1617,15 @@ func Test_runVerifyNpmPackage(t *testing.T) {
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
err: serrors.ErrorMismatchSource,
},
{
name: "valid npm CLI builder v1 mismatch source",
artifact: "gundam-visor-cli-v1-tag.tgz",
source: "github.com/ramonpetgrave64/gundam-visorS",
pkgVersion: PointerTo("1.0.1"),
pkgName: PointerTo("gundam-visor"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
err: serrors.ErrorMismatchSource,
},
{
name: "valid npm CLI builder mismatch package version",
artifact: "supreme-googles-cli-v02-tag.tgz",
@@ -1575,6 +1634,15 @@ func Test_runVerifyNpmPackage(t *testing.T) {
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
err: serrors.ErrorMismatchPackageVersion,
},
{
name: "valid npm CLI builder v1 mismatch package version",
artifact: "gundam-visor-cli-v1-tag.tgz",
source: "github.com/ramonpetgrave64/gundam-visor",
pkgVersion: PointerTo("1.0.2"),
pkgName: PointerTo("gundam-visor"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
err: serrors.ErrorMismatchPackageVersion,
},
{
name: "valid npm CLI builder mismatch package name",
artifact: "supreme-googles-cli-v02-tag.tgz",
@@ -1583,6 +1651,15 @@ func Test_runVerifyNpmPackage(t *testing.T) {
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
err: serrors.ErrorMismatchPackageName,
},
{
name: "valid npm CLI builder v1 mismatch package name",
artifact: "gundam-visor-cli-v1-tag.tgz",
source: "github.com/ramonpetgrave64/gundam-visor",
pkgVersion: PointerTo("1.0.1"),
pkgName: PointerTo("gundam-visorS"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
err: serrors.ErrorMismatchPackageName,
},
{
name: "invalid signature provenance npm CLI",
artifact: "supreme-googles-cli-v02-tag-invalidsigprov.tgz",
@@ -1592,13 +1669,31 @@ func Test_runVerifyNpmPackage(t *testing.T) {
err: serrors.ErrorInvalidSignature,
},
{
name: "invalid signature provenance npm CLI",
name: "invalid signature provenance npm CLI v1",
artifact: "gundam-visor-cli-v1-tag-invalidsigprov.tgz",
source: "github.com/ramonpetgrave64/gundam-visor",
pkgVersion: PointerTo("1.0.1"),
pkgName: PointerTo("gundam-visor"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
err: serrors.ErrorInvalidSignature,
},
{
name: "invalid signature publish npm CLI",
artifact: "supreme-googles-cli-v02-tag-invalidsigpub.tgz",
source: "github.com/trishankatdatadog/supreme-goggles",
pkgName: PointerTo("@trishankatdatadog/supreme-goggles"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
err: serrors.ErrorInvalidSignature,
},
{
name: "invalid signature publish npm CLI v1",
artifact: "gundam-visor-cli-v1-tag-invalidsigpub.tgz",
source: "github.com/ramonpetgrave64/gundam-visor",
pkgVersion: PointerTo("1.0.1"),
pkgName: PointerTo("gundam-visor"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
err: serrors.ErrorInvalidSignature,
},
// npm CLI with main branch.
{
name: "valid npm CLI builder",
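Review bot: renaming the second pre-existing case from "invalid signature provenance npm CLI" to "invalid signature publish npm CLI" fixes a duplicated subtest name (the case always used the `-invalidsigpub.tgz` artifact), which is worth calling out in the PR description since it changes the `-run` name of an existing test; the two new v1 cases correctly mirror the prov/pub split.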
@@ -1608,6 +1703,14 @@ func Test_runVerifyNpmPackage(t *testing.T) {
pkgName: PointerTo("@laurentsimon/provenance-npm-test"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
},
{
name: "valid npm CLI builder v1",
artifact: "provenance-npm-test-cli-v1-prega.tgz",
source: "github.com/sigstore/sigstore-js",
pkgVersion: PointerTo("2.3.1"),
pkgName: PointerTo("sigstore"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
},
{
name: "valid npm CLI builder short runner name",
artifact: "provenance-npm-test-cli-v02-prega.tgz",
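Review bot: the artifact name "provenance-npm-test-cli-v1-prega.tgz" no longer describes its contents: the case verifies pkgName "sigstore" at version "2.3.1" from source github.com/sigstore/sigstore-js, not @laurentsimon/provenance-npm-test. A name such as sigstore-cli-v1-prega.tgz (assuming the binary fixture is renamed alongside) would stop a reader from assuming the v1 fixture is a re-publish of the same test package; it is also worth stating where this fixture came from, since the case sits under `// npm CLI with main branch.` and nothing in the diff shows that the 2.3.1 release was built from main.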
@@ -1616,6 +1719,17 @@ func Test_runVerifyNpmPackage(t *testing.T) {
pkgName: PointerTo("@laurentsimon/provenance-npm-test"),
builderID: PointerTo("https://github.com/actions/runner"),
},
{
// The builderID for v1 should never be the "shortname".
// https://github.com/npm/cli/blob/93883bb6459208a916584cad8c6c72a315cf32af/workspaces/libnpmpublish/lib/provenance.js#L58.
name: "valid npm CLI builder v1 short runner name",
artifact: "provenance-npm-test-cli-v1-prega.tgz",
source: "github.com/sigstore/sigstore-js",
pkgVersion: PointerTo("2.3.1"),
pkgName: PointerTo("sigstore"),
builderID: PointerTo("https://github.com/actions/runner"),
err: serrors.ErrorInvalidBuilderID,
},
{
name: "valid npm CLI builder no builder",
artifact: "provenance-npm-test-cli-v02-prega.tgz",
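Review bot: the two-line comment explaining that a v1 builderID is never the shortname, together with the pinned npm/cli provenance.js link, is repeated verbatim from the tag-based case earlier in this file; keep it once (for example on the first v1 case) and refer back to it here, so the link only needs updating in one place when the npm CLI code moves.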
@@ -1624,6 +1738,14 @@ func Test_runVerifyNpmPackage(t *testing.T) {
pkgName: PointerTo("@laurentsimon/provenance-npm-test"),
err: serrors.ErrorInvalidBuilderID,
},
{
name: "valid npm CLI builder v1 no builder",
artifact: "provenance-npm-test-cli-v1-prega.tgz",
source: "github.com/sigstore/sigstore-js",
pkgVersion: PointerTo("2.3.1"),
pkgName: PointerTo("sigstore"),
err: serrors.ErrorInvalidBuilderID,
},
{
name: "valid npm CLI builder mismatch builder",
artifact: "provenance-npm-test-cli-v02-prega.tgz",
@@ -1633,27 +1755,58 @@ func Test_runVerifyNpmPackage(t *testing.T) {
builderID: PointerTo("https://github.com/actions/runner2"),
err: serrors.ErrorNotSupported,
},
{
name: "valid npm CLI builder v1 mismatch builder",
artifact: "provenance-npm-test-cli-v1-prega.tgz",
source: "github.com/sigstore/sigstore-js",
pkgVersion: PointerTo("2.3.1"),
pkgName: PointerTo("sigstore"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted2"),
err: serrors.ErrorNotSupported,
},
{
name: "valid npm CLI builder no package name",
artifact: "provenance-npm-test-cli-v02-prega.tgz",
pkgVersion: PointerTo("1.0.3"),
source: "github.com/laurentsimon/provenance-npm-test",
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
},
{
name: "valid npm CLI builder v1 no package name",
artifact: "provenance-npm-test-cli-v1-prega.tgz",
pkgVersion: PointerTo("2.3.1"),
source: "github.com/sigstore/sigstore-js",
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
},
{
name: "valid npm CLI builder no package version",
artifact: "provenance-npm-test-cli-v02-prega.tgz",
source: "github.com/laurentsimon/provenance-npm-test",
pkgName: PointerTo("@laurentsimon/provenance-npm-test"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
},
{
name: "valid npm CLI builder v1 no package version",
artifact: "provenance-npm-test-cli-v1-prega.tgz",
source: "github.com/sigstore/sigstore-js",
pkgName: PointerTo("sigstore"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
},
{
name: "valid npm CLI builder mismatch source",
artifact: "provenance-npm-test-cli-v02-prega.tgz",
source: "github.com/laurentsimon/provenance-npm-test2",
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
err: serrors.ErrorMismatchSource,
},
{
name: "valid npm CLI builder v1 mismatch source",
artifact: "provenance-npm-test-cli-v1-prega.tgz",
source: "github.com/sigstore/sigstore-js2",
pkgName: PointerTo("sigstore"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
err: serrors.ErrorMismatchSource,
},
{
name: "valid npm CLI builder mismatch package version",
artifact: "provenance-npm-test-cli-v02-prega.tgz",
@@ -1662,6 +1815,14 @@ func Test_runVerifyNpmPackage(t *testing.T) {
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
err: serrors.ErrorMismatchPackageVersion,
},
{
name: "valid npm CLI builder v1 mismatch package version",
artifact: "provenance-npm-test-cli-v1-prega.tgz",
source: "github.com/sigstore/sigstore-js",
pkgVersion: PointerTo("2.3.2"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
err: serrors.ErrorMismatchPackageVersion,
},
{
name: "valid npm CLI builder mismatch package name",
artifact: "provenance-npm-test-cli-v02-prega.tgz",
@@ -1670,6 +1831,14 @@ func Test_runVerifyNpmPackage(t *testing.T) {
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
err: serrors.ErrorMismatchPackageName,
},
{
name: "valid npm CLI builder v1 mismatch package name",
artifact: "provenance-npm-test-cli-v1-prega.tgz",
source: "github.com/sigstore/sigstore-js",
pkgName: PointerTo("sigstore2"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
err: serrors.ErrorMismatchPackageName,
},
{
name: "invalid signature provenance npm CLI",
artifact: "provenance-npm-test-cli-v02-prega-invalidsigprov.tgz",
@@ -1678,6 +1847,14 @@ func Test_runVerifyNpmPackage(t *testing.T) {
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
err: serrors.ErrorInvalidSignature,
},
{
name: "invalid signature provenance npm CLI v1",
artifact: "provenance-npm-test-cli-v1-prega-invalidsigprov.tgz",
source: "github.com/sigstore/sigstore-js",
pkgName: PointerTo("sigstore"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
err: serrors.ErrorInvalidSignature,
},
{
name: "invalid signature publish npm CLI",
artifact: "provenance-npm-test-cli-v02-prega-invalidsigpub.tgz",
@@ -1686,6 +1863,14 @@ func Test_runVerifyNpmPackage(t *testing.T) {
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
err: serrors.ErrorInvalidSignature,
},
{
name: "invalid signature publish npm CLI v1",
artifact: "provenance-npm-test-cli-v1-prega-invalidsigpub.tgz",
source: "github.com/sigstore/sigstore-js",
pkgName: PointerTo("sigstore"),
builderID: PointerTo("https://github.com/actions/runner/github-hosted"),
err: serrors.ErrorInvalidSignature,
},
// OSSF builder.
{
name: "valid npm OSSF builder",
Binary file not shown.