Add GitHub Artifact Attestations post #56
Conversation
Signed-off-by: Ian Lewis <[email protected]>
✅ Deploy Preview for www-ianlewis-org ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Signed-off-by: Ian Lewis <[email protected]>
|
@ramonpetgrave64 @haydentherapper @laurentsimon Would appreciate a review of this post for my personal blog. |
| provider are compromised. | ||
|
|
||
| So while the SLSA provenance itself might be modified the certificate OID | ||
| claims cannot. So GitHub can check the OID claims against the expected values |
There was a problem hiding this comment.
To confirm, does the GH CLI check against the OID claims rather than the SLSA provenance currently? Does slsa-verifier do the same?
There was a problem hiding this comment.
it should do both. slsa-verifier does both
There was a problem hiding this comment.
It should do both. Otherwise the verification would pass but the provenance predicate that the CLI prints out with --format json (and thus the data that potentially gets fed to policy engines) could be different from the real values.
It appears that the sigstore-go library will check against the OID claims using a policy which the GitHub CLI creates and send to sigstore-go's verifier.
https://github.com/cli/cli/blob/ff3a59802dfe0957fba65584551783ece554a03a/pkg/cmd/attestation/verification/sigstore.go#L121
However, I haven't yet been able to verify that they also check these against the values in the predicate. Pretty sure that sigstore-go doesn't do that so the CLI should be doing it but I haven't found it in the code anywhere (I had a hidden pending comment about this that I just published now).
There was a problem hiding this comment.
maybe run some tests against the server by writing a nice tool.. which other package registries will be able to tests their impl with :)
en/_posts/2024-05-23-understanding-github-artifact-attestations.md
Outdated
Show resolved
Hide resolved
| to have. GitHub ensures that the JSON printed by the `gh` client’s `--format | ||
| json` option is trustworthy simply by omitting any values from the SLSA | ||
| provenance JSON that are not included in the certificate’s OID claims. This |
There was a problem hiding this comment.
Still haven't been able to verify that this actually happens. I've looked at the code and they use sigstore-go to verify the attestations with a policy that checks the owner/repo.
I'm pretty sure sigstore's validation code doesn't look into the SLSA predicate to verify it matches the certificate but I haven't got that far.
There was a problem hiding this comment.
sigstore-go verifies the subject only - https://github.com/sigstore/sigstore-go/blob/main/pkg/verify/signature.go#L136-L184
There was a problem hiding this comment.
The GitHub CLI also provides a github.com/sigstore/sigstore-go/pkg/verify.PolicyBuilder https://github.com/cli/cli/blob/ff3a59802dfe0957fba65584551783ece554a03a/pkg/cmd/attestation/verification/sigstore.go#L121
The PolicyBuilder has checks on the repo owner and/or repo name depending on the user options given
https://github.com/cli/cli/blob/ff3a59802dfe0957fba65584551783ece554a03a/pkg/cmd/attestation/verify/policy.go#L31-L59
So far this is all I've been able to verify that they do.
There was a problem hiding this comment.
It looks like the extensions are checked by sigstore-go here
https://github.com/sigstore/sigstore-go/blob/817509999e0de65d795fa099010ea1fbdd7b0828/pkg/verify/certificate_identity.go#L133
There was a problem hiding this comment.
Yea, that's correct, so this should be sufficient assuming you setup the policy to check those extension values. This would ignore the predicate values.
There was a problem hiding this comment.
It seems the attestations API does check them and will refuse to persist the attestation in the store if the values don't match. So it's possible the gh CLI is relying on this check.
I get this error if I use my fork and generate a predicate with a different workflow ref.
Error: Error: Failed to persist attestation: Invalid Argument - values do not match: .github/workflows/artifact-attestations.basic.yml != .github/workflows/artifact-attestations.malicious.yml - https://docs.github.com/rest/repos/repos#create-an-attestation
https://github.com/ianlewis/gha-artifact-attestations-test/actions/runs/9170942023/job/25214201468
There was a problem hiding this comment.
so if there's ever a bug that allows writing to the attestation store, it'd allow an attacker to put anything in the intoto payload. They should verify in the client too, otherwise what you're really verifying client-side is the equivalent of a VSA (ie a pre-verified attestation).
There was a problem hiding this comment.
I'll see if I can test their verification code with the attestation store mocked out to verify my assumptions.
en/_posts/2024-05-23-understanding-github-artifact-attestations.md
Outdated
Show resolved
Hide resolved
en/_posts/2024-05-23-understanding-github-artifact-attestations.md
Outdated
Show resolved
Hide resolved
en/_posts/2024-05-23-understanding-github-artifact-attestations.md
Outdated
Show resolved
Hide resolved
en/_posts/2024-05-23-understanding-github-artifact-attestations.md
Outdated
Show resolved
Hide resolved
| provider are compromised. | ||
|
|
||
| So while the SLSA provenance itself might be modified the certificate OID | ||
| claims cannot. So GitHub can check the OID claims against the expected values |
There was a problem hiding this comment.
maybe run some tests against the server by writing a nice tool.. which other package registries will be able to tests their impl with :)
en/_posts/2024-05-23-understanding-github-artifact-attestations.md
Outdated
Show resolved
Hide resolved
en/_posts/2024-05-23-understanding-github-artifact-attestations.md
Outdated
Show resolved
Hide resolved
en/_posts/2024-05-23-understanding-github-artifact-attestations.md
Outdated
Show resolved
Hide resolved
en/_posts/2024-05-23-understanding-github-artifact-attestations.md
Outdated
Show resolved
Hide resolved
en/_posts/2024-05-23-understanding-github-artifact-attestations.md
Outdated
Show resolved
Hide resolved
Signed-off-by: Ian Lewis <[email protected]>
Signed-off-by: Ian Lewis <[email protected]>
Signed-off-by: Ian Lewis <[email protected]>
Signed-off-by: Ian Lewis <[email protected]>
Signed-off-by: Ian Lewis <[email protected]>
Signed-off-by: Ian Lewis <[email protected]>
Signed-off-by: Ian Lewis <[email protected]>
Signed-off-by: Ian Lewis <[email protected]>
Signed-off-by: Ian Lewis <[email protected]>
Signed-off-by: Ian Lewis <[email protected]>
Signed-off-by: Ian Lewis <[email protected]>
Signed-off-by: Ian Lewis <[email protected]>
Signed-off-by: Ian Lewis <[email protected]>
en/_posts/2024-05-30-understanding-github-artifact-attestations.md
Outdated
Show resolved
Hide resolved
en/_posts/2024-05-30-understanding-github-artifact-attestations.md
Outdated
Show resolved
Hide resolved
en/_posts/2024-05-30-understanding-github-artifact-attestations.md
Outdated
Show resolved
Hide resolved
en/_posts/2024-05-30-understanding-github-artifact-attestations.md
Outdated
Show resolved
Hide resolved
en/_posts/2024-05-30-understanding-github-artifact-attestations.md
Outdated
Show resolved
Hide resolved
en/_posts/2024-05-30-understanding-github-artifact-attestations.md
Outdated
Show resolved
Hide resolved
en/_posts/2024-05-30-understanding-github-artifact-attestations.md
Outdated
Show resolved
Hide resolved
en/_posts/2024-05-30-understanding-github-artifact-attestations.md
Outdated
Show resolved
Hide resolved
Signed-off-by: Ian Lewis <[email protected]>
Signed-off-by: Ian Lewis <[email protected]>
Signed-off-by: Ian Lewis <[email protected]>
Blog post on GitHub Artifact Attestations for personal blog.