diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml index a8356272e..851de9cb3 100644 --- a/.github/workflows/deployment.yml +++ b/.github/workflows/deployment.yml @@ -203,10 +203,8 @@ jobs: platform="x64" ;; *_arm64 ) - echo "skipping building MSI for arm64 because WiX 3.11 doesn't support it: https://github.com/wixtoolset/issues/issues/6141" >&2 - continue - #source_dir="$PWD/dist/windows_windows_arm64" - #platform="arm64" + source_dir="$PWD/dist/windows_windows_arm64" + platform="arm64" ;; * ) printf "unsupported architecture: %s\n" "$MSI_NAME" >&2 @@ -299,7 +297,7 @@ jobs: rpmsign --addsign dist/*.rpm - name: Attest release artifacts if: inputs.environment == 'production' - uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 + uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0 with: subject-path: "dist/gh_*" - name: Run createrepo diff --git a/pkg/cmd/attestation/io/handler.go b/pkg/cmd/attestation/io/handler.go index 167128a42..06d747bf4 100644 --- a/pkg/cmd/attestation/io/handler.go +++ b/pkg/cmd/attestation/io/handler.go @@ -2,8 +2,8 @@ package io import ( "fmt" + "strings" - "github.com/cli/cli/v2/internal/tableprinter" "github.com/cli/cli/v2/pkg/iostreams" "github.com/cli/cli/v2/utils" ) @@ -65,26 +65,24 @@ func (h *Handler) VerbosePrintf(f string, v ...interface{}) (int, error) { if !h.debugEnabled || !h.IO.IsStdoutTTY() { return 0, nil } - return fmt.Fprintf(h.IO.ErrOut, f, v...) } -func (h *Handler) PrintTable(headers []string, rows [][]string) error { +func (h *Handler) PrintBulletPoints(rows [][]string) (int, error) { if !h.IO.IsStdoutTTY() { - return nil + return 0, nil } - - t := tableprinter.New(h.IO, tableprinter.WithHeader(headers...)) - + maxColLen := 0 for _, row := range rows { - for _, field := range row { - t.AddField(field, tableprinter.WithTruncate(nil)) + if len(row[0]) > maxColLen { + maxColLen = len(row[0]) } - t.EndRow() } - if err := t.Render(); err != nil { - return fmt.Errorf("failed to print output: %v", err) + info := "" + for _, row := range rows { + dots := strings.Repeat(".", maxColLen-len(row[0])) + info += fmt.Sprintf("%s:%s %s\n", row[0], dots, row[1]) } - return nil + return fmt.Fprintln(h.IO.ErrOut, info) } diff --git a/pkg/cmd/attestation/verification/mock_verifier.go b/pkg/cmd/attestation/verification/mock_verifier.go index be828e66f..84a7ce3b8 100644 --- a/pkg/cmd/attestation/verification/mock_verifier.go +++ b/pkg/cmd/attestation/verification/mock_verifier.go @@ -67,7 +67,7 @@ func (v *FailSigstoreVerifier) Verify([]*api.Attestation, verify.PolicyBuilder) return nil, fmt.Errorf("failed to verify attestations") } -func BuildMockResult(b *bundle.Bundle, buildSignerURI, sourceRepoOwnerURI, sourceRepoURI, issuer string) AttestationProcessingResult { +func BuildMockResult(b *bundle.Bundle, buildConfigURI, buildSignerURI, sourceRepoOwnerURI, sourceRepoURI, issuer string) AttestationProcessingResult { statement := &in_toto.Statement{} statement.PredicateType = SLSAPredicateV1 @@ -80,10 +80,11 @@ func BuildMockResult(b *bundle.Bundle, buildSignerURI, sourceRepoOwnerURI, sourc Signature: &verify.SignatureVerificationResult{ Certificate: &certificate.Summary{ Extensions: certificate.Extensions{ + BuildConfigURI: buildConfigURI, BuildSignerURI: buildSignerURI, + Issuer: issuer, SourceRepositoryOwnerURI: sourceRepoOwnerURI, SourceRepositoryURI: sourceRepoURI, - Issuer: issuer, }, }, }, @@ -93,9 +94,10 @@ func BuildMockResult(b *bundle.Bundle, buildSignerURI, sourceRepoOwnerURI, sourc func BuildSigstoreJsMockResult(t *testing.T) AttestationProcessingResult { bundle := data.SigstoreBundle(t) + buildConfigURI := "https://github.com/sigstore/sigstore-js/.github/workflows/build.yml@refs/heads/main" buildSignerURI := "https://github.com/github/example/.github/workflows/release.yml@refs/heads/main" sourceRepoOwnerURI := "https://github.com/sigstore" sourceRepoURI := "https://github.com/sigstore/sigstore-js" issuer := "https://token.actions.githubusercontent.com" - return BuildMockResult(bundle, buildSignerURI, sourceRepoOwnerURI, sourceRepoURI, issuer) + return BuildMockResult(bundle, buildConfigURI, buildSignerURI, sourceRepoOwnerURI, sourceRepoURI, issuer) } diff --git a/pkg/cmd/attestation/verification/policy.go b/pkg/cmd/attestation/verification/policy.go index 7bae2eff9..f2bd126d0 100644 --- a/pkg/cmd/attestation/verification/policy.go +++ b/pkg/cmd/attestation/verification/policy.go @@ -54,10 +54,7 @@ func (c EnforcementCriteria) Valid() error { func (c EnforcementCriteria) BuildPolicyInformation() string { policyAttr := make([][]string, 0, 6) - policyAttr = appendStr(policyAttr, "- OIDC Issuer must match", c.Certificate.Issuer) - if c.Certificate.RunnerEnvironment == GitHubRunner { - policyAttr = appendStr(policyAttr, "- Action workflow Runner Environment must match ", GitHubRunner) - } + policyAttr = appendStr(policyAttr, "- Predicate type must match", c.PredicateType) policyAttr = appendStr(policyAttr, "- Source Repository Owner URI must match", c.Certificate.SourceRepositoryOwnerURI) @@ -65,14 +62,17 @@ func (c EnforcementCriteria) BuildPolicyInformation() string { policyAttr = appendStr(policyAttr, "- Source Repository URI must match", c.Certificate.SourceRepositoryURI) } - policyAttr = appendStr(policyAttr, "- Predicate type must match", c.PredicateType) - if c.SAN != "" { policyAttr = appendStr(policyAttr, "- Subject Alternative Name must match", c.SAN) } else if c.SANRegex != "" { policyAttr = appendStr(policyAttr, "- Subject Alternative Name must match regex", c.SANRegex) } + policyAttr = appendStr(policyAttr, "- OIDC Issuer must match", c.Certificate.Issuer) + if c.Certificate.RunnerEnvironment == GitHubRunner { + policyAttr = appendStr(policyAttr, "- Action workflow Runner Environment must match ", GitHubRunner) + } + maxColLen := 0 for _, attr := range policyAttr { if len(attr[0]) > maxColLen { diff --git a/pkg/cmd/attestation/verify/attestation_integration_test.go b/pkg/cmd/attestation/verify/attestation_integration_test.go index caa02281f..630eb1dc5 100644 --- a/pkg/cmd/attestation/verify/attestation_integration_test.go +++ b/pkg/cmd/attestation/verify/attestation_integration_test.go @@ -83,7 +83,7 @@ func TestVerifyAttestations(t *testing.T) { attestations := []*api.Attestation{sgjAttestation[0], reusableWorkflowAttestations[0], sgjAttestation[1]} require.Len(t, attestations, 3) - rwfResult := verification.BuildMockResult(reusableWorkflowAttestations[0].Bundle, "", "https://github.com/malancas", "", verification.GitHubOIDCIssuer) + rwfResult := verification.BuildMockResult(reusableWorkflowAttestations[0].Bundle, "", "", "https://github.com/malancas", "", verification.GitHubOIDCIssuer) sgjResult := verification.BuildSigstoreJsMockResult(t) mockResults := []*verification.AttestationProcessingResult{&sgjResult, &rwfResult, &sgjResult} mockSgVerifier := verification.NewMockSigstoreVerifierWithMockResults(t, mockResults) diff --git a/pkg/cmd/attestation/verify/policy.go b/pkg/cmd/attestation/verify/policy.go index 41b9ea27e..1e1dcd4d8 100644 --- a/pkg/cmd/attestation/verify/policy.go +++ b/pkg/cmd/attestation/verify/policy.go @@ -56,7 +56,7 @@ func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, er signedRepoRegex := expandToGitHubURLRegex(opts.Tenant, opts.SignerRepo) c.SANRegex = signedRepoRegex } else if opts.SignerWorkflow != "" { - validatedWorkflowRegex, err := validateSignerWorkflow(opts) + validatedWorkflowRegex, err := validateSignerWorkflow(opts.Hostname, opts.SignerWorkflow) if err != nil { return verification.EnforcementCriteria{}, err } @@ -140,23 +140,23 @@ func buildSigstoreVerifyPolicy(c verification.EnforcementCriteria, a artifact.Di return policy, nil } -func validateSignerWorkflow(opts *Options) (string, error) { +func validateSignerWorkflow(hostname, signerWorkflow string) (string, error) { // we expect a provided workflow argument be in the format [HOST/]///path/to/workflow.yml // if the provided workflow does not contain a host, set the host - match, err := regexp.MatchString(hostRegex, opts.SignerWorkflow) + match, err := regexp.MatchString(hostRegex, signerWorkflow) if err != nil { return "", err } if match { - return fmt.Sprintf("^https://%s", opts.SignerWorkflow), nil + return fmt.Sprintf("^https://%s", signerWorkflow), nil } // if the provided workflow did not match the expect format // we move onto creating a signer workflow using the provided host name - if opts.Hostname == "" { + if hostname == "" { return "", errors.New("unknown host") } - return fmt.Sprintf("^https://%s/%s", opts.Hostname, opts.SignerWorkflow), nil + return fmt.Sprintf("^https://%s/%s", hostname, signerWorkflow), nil } diff --git a/pkg/cmd/attestation/verify/policy_test.go b/pkg/cmd/attestation/verify/policy_test.go index 30724afef..d033ba4fa 100644 --- a/pkg/cmd/attestation/verify/policy_test.go +++ b/pkg/cmd/attestation/verify/policy_test.go @@ -4,7 +4,6 @@ import ( "testing" "github.com/cli/cli/v2/pkg/cmd/attestation/verification" - "github.com/cli/cli/v2/pkg/cmd/factory" "github.com/stretchr/testify/require" ) @@ -263,14 +262,8 @@ func TestValidateSignerWorkflow(t *testing.T) { } for _, tc := range testcases { - opts := &Options{ - Config: factory.New("test").Config, - SignerWorkflow: tc.providedSignerWorkflow, - } - // All host resolution is done verify.go:RunE - opts.Hostname = tc.host - workflowRegex, err := validateSignerWorkflow(opts) + workflowRegex, err := validateSignerWorkflow(tc.host, tc.providedSignerWorkflow) require.Equal(t, tc.expectedWorkflowRegex, workflowRegex) if tc.expectErr { diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go index 016ec1fa8..ea7502f00 100644 --- a/pkg/cmd/attestation/verify/verify.go +++ b/pkg/cmd/attestation/verify/verify.go @@ -6,6 +6,7 @@ import ( "regexp" "github.com/cli/cli/v2/internal/ghinstance" + "github.com/cli/cli/v2/internal/text" "github.com/cli/cli/v2/pkg/cmd/attestation/api" "github.com/cli/cli/v2/pkg/cmd/attestation/artifact" "github.com/cli/cli/v2/pkg/cmd/attestation/artifact/oci" @@ -261,19 +262,32 @@ func runVerify(opts *Options) error { return nil } - opts.Logger.Printf("%s was attested by:\n", artifact.DigestWithAlg()) + opts.Logger.Printf("The following %s matched the policy criteria\n\n", text.Pluralize(len(verified), "attestation")) - // Otherwise print the results to the terminal in a table - tableContent, err := buildTableVerifyContent(opts.Tenant, verified) - if err != nil { - opts.Logger.Println(opts.Logger.ColorScheme.Red("failed to parse results")) - return err - } + // Otherwise print the results to the terminal + for i, v := range verified { + buildConfigURI := v.VerificationResult.Signature.Certificate.Extensions.BuildConfigURI + sourceRepoAndOrg, sourceWorkflow, err := extractAttestationDetail(opts.Tenant, buildConfigURI) + if err != nil { + opts.Logger.Println(opts.Logger.ColorScheme.Red("failed to parse build config URI")) + return err + } + builderSignerURI := v.VerificationResult.Signature.Certificate.Extensions.BuildSignerURI + signerRepoAndOrg, signerWorkflow, err := extractAttestationDetail(opts.Tenant, builderSignerURI) + if err != nil { + opts.Logger.Println(opts.Logger.ColorScheme.Red("failed to parse build signer URI")) + return err + } - headers := []string{"repo", "predicate_type", "workflow"} - if err = opts.Logger.PrintTable(headers, tableContent); err != nil { - opts.Logger.Println(opts.Logger.ColorScheme.Red("failed to print attestation details to table")) - return err + opts.Logger.Printf("- Attestation #%d\n", i+1) + rows := [][]string{ + {" - Build repo", sourceRepoAndOrg}, + {" - Build workflow", sourceWorkflow}, + {" - Signer repo", signerRepoAndOrg}, + {" - Signer workflow", signerWorkflow}, + } + //nolint:errcheck + opts.Logger.PrintBulletPoints(rows) } // All attestations passed verification and policy evaluation @@ -304,39 +318,15 @@ func extractAttestationDetail(tenant, builderSignerURI string) (string, string, match := orgAndRepoRegexp.FindStringSubmatch(builderSignerURI) if len(match) < 2 { - return "", "", fmt.Errorf("no match found for org and repo") + return "", "", fmt.Errorf("no match found for org and repo: %s", builderSignerURI) } orgAndRepo := match[1] match = workflowRegexp.FindStringSubmatch(builderSignerURI) if len(match) < 2 { - return "", "", fmt.Errorf("no match found for workflow") + return "", "", fmt.Errorf("no match found for workflow: %s", builderSignerURI) } workflow := match[1] return orgAndRepo, workflow, nil } - -func buildTableVerifyContent(tenant string, results []*verification.AttestationProcessingResult) ([][]string, error) { - content := make([][]string, len(results)) - - for i, res := range results { - if res.VerificationResult == nil || - res.VerificationResult.Signature == nil || - res.VerificationResult.Signature.Certificate == nil { - return nil, fmt.Errorf("bundle missing verification result fields") - } - builderSignerURI := res.VerificationResult.Signature.Certificate.Extensions.BuildSignerURI - repoAndOrg, workflow, err := extractAttestationDetail(tenant, builderSignerURI) - if err != nil { - return nil, err - } - if res.VerificationResult.Statement == nil { - return nil, fmt.Errorf("bundle missing attestation statement (bundle must originate from GitHub Artifact Attestations)") - } - predicateType := res.VerificationResult.Statement.PredicateType - content[i] = []string{repoAndOrg, predicateType, workflow} - } - - return content, nil -} diff --git a/pkg/cmd/attestation/verify/verify_test.go b/pkg/cmd/attestation/verify/verify_test.go index 5e4f33507..87ffa96f0 100644 --- a/pkg/cmd/attestation/verify/verify_test.go +++ b/pkg/cmd/attestation/verify/verify_test.go @@ -415,7 +415,7 @@ func TestRunVerify(t *testing.T) { opts.BundlePath = "" opts.Owner = "sigstore" - require.Nil(t, runVerify(&opts)) + require.NoError(t, runVerify(&opts)) }) t.Run("with owner which not matches SourceRepositoryOwnerURI", func(t *testing.T) { diff --git a/test/integration/attestation-cmd/verify/verify-with-custom-trusted-root.sh b/test/integration/attestation-cmd/verify/verify-with-custom-trusted-root.sh new file mode 100755 index 000000000..89a3a4556 --- /dev/null +++ b/test/integration/attestation-cmd/verify/verify-with-custom-trusted-root.sh @@ -0,0 +1,22 @@ +#!/usr/bin/env bash +set -euo pipefail + +# Get the root directory of the repository +rootDir="$(git rev-parse --show-toplevel)" + +ghBuildPath="$rootDir/bin/gh" + +artifactPath="$rootDir/pkg/cmd/attestation/test/data/sigstore-js-2.1.0.tgz" +bundlePath="$rootDir/pkg/cmd/attestation/test/data/sigstore-js-2.1.0_with_2_bundles.jsonl" + +# Download a custom trusted root for verification +if ! $ghBuildPath attestation trusted-root > trusted_root.jsonl; then + # cleanup test data + echo "Failed to download trusted root" + exit 1 +fi + +if ! $ghBuildPath attestation verify "$artifactPath" -b "$bundlePath" --digest-alg=sha512 --owner=sigstore --custom-trusted-root trusted_root.jsonl; then + echo "Failed to verify package with a Sigstore v0.2.0 bundle" + exit 1 +fi diff --git a/test/integration/attestation-cmd/verify/verify-with-internal-github-sigstore.sh b/test/integration/attestation-cmd/verify/verify-with-internal-github-sigstore.sh new file mode 100644 index 000000000..647a13a4c --- /dev/null +++ b/test/integration/attestation-cmd/verify/verify-with-internal-github-sigstore.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash +set -euo pipefail + +# Get the root directory of the repository +rootDir="$(git rev-parse --show-toplevel)" + +ghBuildPath="$rootDir/bin/gh" + +ghCLIArtifact="$rootDir/pkg/cmd/attestation/test/data/gh_2.60.1_windows_arm64.zip" + +# Verify the gh CLI artifact +echo "Testing with package $ghCLIArtifact" +if ! $ghBuildPath attestation verify "$ghCLIArtifact" --digest-alg=sha256 --owner=cli; then + echo "Failed to verify" + exit 1 +fi