
feat(publish): provenance attestation #22573

Merged (26 commits, Feb 28, 2024)

Conversation


@littledivy littledivy commented Feb 24, 2024

Supply chain security for JSR.

$ deno publish --provenance

Successfully published @divy/test_provenance@0.0.3
Provenance transparency log available at https://search.sigstore.dev/?logIndex=73657418
  1. Package has been published.
  2. Fetches the version manifest and verifies that it matches the uploaded files and exports.
  3. Builds the attestation SLSA payload using the GitHub Actions env.
  4. Creates an ephemeral key pair for signing the GitHub token (aud=sigstore) and the DSSE pre-authentication tag.
  5. Requests an X.509 signing certificate from Fulcio using the challenge and the ephemeral public key PEM.
  6. Prepares a DSSE envelope for Rekor to witness. Posts an in-toto entry to Rekor and gets back the transparency log index.
  7. Builds the provenance bundle and posts it to JSR.

@littledivy littledivy changed the title feat(publis): provenance attestation feat(publish): provenance attestation Feb 24, 2024
@littledivy littledivy marked this pull request as ready for review February 24, 2024 17:27

@dsherret dsherret left a comment


Amazing work!

Comment on lines +950 to +970
for (path, entry) in manifest.manifest {
// Verify each path with the files in the tarball.
let file = package
.tarball
.files
.iter()
.find(|f| f.path_str == path.as_str());

if let Some(file) = file {
if file.hash != entry.checksum {
bail!(
"Checksum mismatch for {}: expected {}, got {}",
path,
entry.checksum,
file.hash
);
}
} else {
bail!("File {} not found in the tarball", path);
}
}
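Review bot: the loop at +950 only walks `manifest.manifest` and looks each entry up in the tarball, so a file that is present in the uploaded tarball but absent from the registry's manifest passes silently; only missing and altered manifest entries are caught. Add the reverse pass, e.g. iterate `package.tarball.files` and `bail!` on any `path_str` that `manifest.manifest` does not contain, or compare the two path sets for equality before the per-entry checksum loop, so an attestation is never produced for a file set that differs from what the manifest describes.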

This doesn't check yet whether the registry removed a file (sorry to be picky)
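A two-way version of the manifest check discussed in this thread, written here as an added example in Rust; it is not the PR's code, and it stands in for the `manifest.manifest` and `package.tarball.files` structures with small assumed types of its own (`ManifestEntry`, `TarballFile`), comparing precomputed checksum strings exactly as the snippet above does.

```rust
use std::collections::BTreeMap;
/// One manifest entry: the checksum the registry recorded for a path.
/// Checksums are opaque strings (e.g. "sha256-..."), compared as the PR does.
#[derive(Debug, Clone, PartialEq)]
pub struct ManifestEntry { pub checksum: String }

/// A file from the uploaded tarball with its hash already computed (assumed input).
#[derive(Debug, Clone)]
pub struct TarballFile { pub path_str: String, pub hash: String }
/// Every way the manifest and the tarball can disagree.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub enum Discrepancy {
    /// Listed in the manifest but absent from the tarball.
    MissingFromTarball(String),
    /// Present in the tarball but absent from the manifest (a dropped file).
    MissingFromManifest(String),
    /// Present in both, but the checksums differ.
    ChecksumMismatch { path: String, expected: String, got: String },
}

/// Compare in both directions and report every discrepancy (sorted), so an
/// attestation is only produced when the two sets of files match exactly.
pub fn verify_manifest(
    manifest: &BTreeMap<String, ManifestEntry>,
    files: &[TarballFile],
) -> Result<(), Vec<Discrepancy>> {
    let by_path: BTreeMap<&str, &TarballFile> =
        files.iter().map(|f| (f.path_str.as_str(), f)).collect();
    let mut problems = Vec::new();
    // Forward pass: everything the manifest lists must be in the tarball, unchanged.
    for (path, entry) in manifest {
        match by_path.get(path.as_str()) {
            None => problems.push(Discrepancy::MissingFromTarball(path.clone())),
            Some(f) if f.hash != entry.checksum => problems.push(Discrepancy::ChecksumMismatch {
                path: path.clone(),
                expected: entry.checksum.clone(),
                got: f.hash.clone(),
            }),
            Some(_) => {}
        }
    }
    // Reverse pass: anything in the tarball the manifest does not list.
    for f in files {
        if !manifest.contains_key(&f.path_str) {
            problems.push(Discrepancy::MissingFromManifest(f.path_str.clone()));
        }
    }
    if problems.is_empty() { Ok(()) } else { problems.sort(); Err(problems) }
}
```

Collecting every discrepancy instead of bailing on the first one lets the publish step report the whole difference between manifest and tarball in a single run.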


@lucacasonato lucacasonato left a comment


Looks great!

Comment on lines +2399 to +2404
.arg(
Arg::new("provenance")
.long("provenance")
.help("From CI/CD system, publicly links the package to where it was built and published from.")
.action(ArgAction::SetTrue)
)
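Review bot: the help string on +2402 does not say that `--provenance` currently only works from a GitHub Actions job (per the PR description, the SLSA payload is built from the GitHub Actions environment), so a user running `deno publish --provenance` locally gets no hint from `--help`. Suggest stating that in the help text, e.g. `"From CI/CD system (currently GitHub Actions), publicly links the package to where it was built and published from."`, and checking that the command fails with a clear message when the required environment is absent.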

We can also do this in a follow up, but can we enable provenance by default when we are using GH OIDC for auth?

And then add a --no-provenance option to force it off, and --provenance option to force it on.

We can then also use --provenance to do enable provenance for local publishes at some later date.

@littledivy littledivy merged commit 9b5d2f8 into denoland:main Feb 28, 2024
17 checks passed
@littledivy littledivy deleted the provenance branch February 28, 2024 02:28