slsa-github-generator: [bug] ”Generate Builder“ step fails
Describe the bug
It looks like the Generate Builder step fails:
Run ./.github/actions/generate-builder/generate-builder.sh
./.github/actions/generate-builder/generate-builder.sh
shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
env:
BUILDER_BINARY: slsa-generator-generic-linux-amd64
BUILDER_DIR: internal/builders/generic
BUILDER_REPOSITORY: slsa-framework/slsa-github-generator
BUILDER_RELEASE_BINARY: slsa-generator-generic-linux-amd64
VERIFIER_REPOSITORY: slsa-framework/slsa-verifier
VERIFIER_RELEASE_BINARY: slsa-verifier-linux-amd64
VERIFIER_RELEASE_BINARY_SHA256: f92fc4e571949c796d7709bb3f0814a733124b0155e484fad095b5ca68b4cb21
VERIFIER_RELEASE: v1.1.1
COMPILE_BUILDER: false
BUILDER_REF: refs/tags/v1.2.0
GH_TOKEN: ***
Fetching the builder with ref: refs/tags/v1.2.0
Builder version: v1.2.0
BUILDER_REPOSITORY: slsa-framework/slsa-github-generator
verifier hash computed is f92fc4e571949c796d7709bb3f0814a733124b0155e484fad095b5ca68b4cb21
verifier hash verification has passed
FAILED: SLSA verification failed: could not find a matching valid signature entry
Error: Process completed with exit code 6.
when invoked as a job similar to this public example but in a private repo:
provenance:
needs: build
# The generator should be referenced with a semantic version.
# The build will fail if we reference it using the commit sha.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
with:
base64-subjects: ${{ needs.build.outputs.artifacts-sha256 }}
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
To Reproduce
Restarting the failed job continues to fail. Alas, private repo.
Expected behavior
This has worked before and during today’s run failed.
Screenshots
See above.
Additional context
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Reactions: 1
- Comments: 24 (13 by maintainers)
Commits related to this issue
- fix: enable compile-builder https://github.com/slsa-framework/slsa-github-generator/issues/942#issuecomment-1263610114 — committed to suzuki-shunsuke/test-slsa-goreleaser by suzuki-shunsuke 2 years ago
Hi! Thanks for the report: we’ve seen this and are trying to fix this all the way through.
This is the same issue that @stephenfuqua reported: https://github.com/slsa-framework/slsa-github-generator/issues/876#issuecomment-1261469816
In the meantime, enable
compile-builder: trueto succeed.What we know has happened is that Rekor (the transparency log that the builders provenance is recorded on) had breaking changes that broke our verification.
Here’s what happened in this particular case when we were verifying the builder provenance’s inclusion in the log: we checked verified inclusion proof against the root hash, and then verified the root hash against a current signed tree head. After Rekor sharded (rotated trees) in production, the tree head no longer corresponds to the same tree that the entry was in, which caused a verification error. In particular, the tree size given in the entry’s inclusion proof is LARGER than the current tree size after rotation.
This will fix this https://github.com/slsa-framework/slsa-verifier/pull/277, and we’ll backport the changes to the
release/v1.1branch of the verifier. I think we’ll need to update all builder workflows to stop using verifierv1.1.1. @laurentsimon right?I think this conversation illustrates the importance and difficulty of deep supply chain integrity. My workflow failed because the SLSA provenance generator failed because the Rekor service failed…
And the above discussions raise a few more points that should be considered:
@ianlewis I think GA is no safeguard against breakage. I’d argue that this SLSA provenance generator should be tolerant to Rekor failures beyond GA. For example @asraa’s proposed fix above uses an undocumented feature, which should probably be documented for users because it decouples from yet another level of dependencies.
Further still, it may even make sense to make
compile-generator: truethe default because it avoids that extra dependency on Rekor. Personally, I prefer a slower self-contained action over a faster one with dependencies on a potentially failing external service (thus jeopardizing stability). It’s kind-of ironic that a tool checking software supply chain itself depends on a more complex supply chain.Two things we’ve prioritized on this front for the next quarter:
While providing a security tool though, we also did require the most robust security verification (with an online verification from Rekor directly) like Ian mentioned. I can see the argument both ways though, and reducing its reliance on an online service or transparency log is helpful for the future.
@ianlewis @laurentsimon can we support a build from the tag checkout using a secure-checkout that ensures that tag resolves to a safe/attested SHA? This is similar to @behnazh-w suggestion.
Yes, I’ll add a note on release of v1.3.1 in that title.
@jenstroeger We finally made a release with the fix for this. Please use v1.2.1.
As a new feature, how about allowing building from source with the correct version? Would there still be any security concerns?