feat: generate provenance for legitify release (#50)

feat: generate provenacne for legitify release
Legit-Labs · Nov 28, 2022 · a5b4308 · a5b4308
1 parent c1e6494
commit a5b4308
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 3 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -8,6 +8,8 @@ permissions:
   packages: 'write'
 jobs:
   goreleaser:
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
     runs-on: ubuntu-latest
     steps:
       - name: Install osslsigncode
@@ -25,9 +27,30 @@ jobs:
           password: '${{ secrets.GITHUB_TOKEN }}'
       - name: save keys to files
         run: echo ${{ secrets.WINDOWS_PUBLIC_KEY_B64 }} | base64 -d > /tmp/legit_signature.crt ; echo ${{ secrets.WINDOWS_PRIVATE_KEY_B64 }} | base64 -d > /tmp/legit_signature.key
-      - uses: 'goreleaser/goreleaser-action@b953231f81b8dfd023c58e0854a721e35037f28b'
+      - name: release
+        id: run-goreleaser
+        uses: 'goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757'
         with:
           version: 'latest'
           args: 'release --rm-dist'
         env:
           GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+      - name: provenance-inputs
+        id: hash
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+          hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
+          echo "hashes=$hashes" >> $GITHUB_OUTPUT
+
+  provenance:
+    needs: [goreleaser]
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.2
+    with:
+      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+      upload-assets: true # upload to a new release
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -51,8 +51,8 @@ archives:
         format: zip
 
 checksum:
-  name_template: '{{ .ProjectName }}_{{ .Version }}_SHA512SUMS'
-  algorithm: 'sha512'
+  name_template: '{{ .ProjectName }}_{{ .Version }}_SHA256SUMS'
+  algorithm: 'sha256'
 
 release:
   draft: false

diff --git a/README.md b/README.md
@@ -25,6 +25,16 @@ https://user-images.githubusercontent.com/74864790/178964716-825840a6-d714-4b1d-
 git clone git@github.com:Legit-Labs/legitify.git
 go run main.go analyze ...
 ```
+
+## Provenance
+To enhance the software supply chain security of legitify's users, as of v0.1.6, every legitify release contains a [SLSA Level 3 Provenacne](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md) document.  
+The provenance document refers to all artifacts in the release, as well as the generated docker image.  
+You can use [SLSA framework's official verifier](https://github.com/slsa-framework/slsa-verifier) to verify the provenance.  
+Example of usage for the darwin_arm64 release:  
+```
+./slsa-verifier verify-artifact --source-branch main --builder-id 'https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.2' --source-uri "git+https://github.com/legit-labs/legitify" --provenance-path multiple.intoto.jsonl ./legitify_0.1.6_darwin_arm64.tar.gz
+```
+
 ## Requirements
 1. To get the most out of legitify, you need to be an owner of at least one GitHub organization. Otherwise, you can still use the tool if you're an admin of at least one repository inside an organization, in which case you'll be able to see only repository-related policies results.
 2. legitify requires a GitHub personal access token (PAT) to analyze your resources successfully, which can be either provided as an argument (`-t`) or as an environment variable (`$GITHUB_ENV`).