Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upload from GitLab CI fails with repository and branch of cert doesn't match that of request #561

Open
jamietanna opened this issue Feb 20, 2024 · 2 comments
Open

Upload from GitLab CI fails with repository and branch of cert doesn't match that of request #561

jamietanna opened this issue Feb 20, 2024 · 2 comments

Comments

@jamietanna
Copy link

jamietanna commented Feb 20, 2024
edited

I've just been looking at adding support for publishing results from GitLab CI for a few of my projects.

I've just hit #511 with my test repo so I thought I'd try using a non-nested group which now fails with something slightly different:

2024/02/20 12:01:49 error processing signature: error sending scorecard results to webapp: http response 400, status: 400 Bad Request, error: {"code":400,"message":"workflow verification failed: repository and branch of cert doesn't match that of request, see https://github.com/ossf/scorecard-action#workflow-restrictions for details."}

There's some more details in my thread in the OpenSSF Slack, if that's of help.

The ephemeral certificate has the following data within it:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5a:fa:aa:f8:2a:df:9c:09:8d:6a:2e:e3:84:be:16:ff:bd:13:77:79
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: O=sigstore.dev, CN=sigstore-intermediate
        Validity
            Not Before: Feb 20 12:01:34 2024 GMT
            Not After : Feb 20 12:11:34 2024 GMT
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:93:8a:e6:ab:41:f6:65:e3:f6:2c:e8:6b:91:85:
                    a5:be:09:d1:b6:7e:da:15:4b:b1:f7:0e:a3:83:32:
                    f6:d9:fc:53:d7:43:cb:20:ab:ba:26:63:7f:16:fa:
                    6a:9d:34:be:8f:39:50:dd:f8:fa:56:d9:a0:5a:2b:
                    19:ea:ba:d5:2d
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: 
                Code Signing
            X509v3 Subject Key Identifier: 
                2D:3A:F3:CB:D9:28:8F:FB:95:CA:05:AC:2B:3A:67:96:25:C7:24:E1
            X509v3 Authority Key Identifier: 
                DF:D3:E9:CF:56:24:11:96:F9:A8:D8:E9:28:55:A2:C6:2E:18:64:3F
            X509v3 Subject Alternative Name: critical
                URI:https://gitlab.com/jamietanna/hacking-scorecards-gitlab//.gitlab-ci.yml@refs/heads/main
            1.3.6.1.4.1.57264.1.1: 
                https://gitlab.com
            1.3.6.1.4.1.57264.1.8: 
                ..https://gitlab.com
            1.3.6.1.4.1.57264.1.9: 
                .Whttps://gitlab.com/jamietanna/hacking-scorecards-gitlab//.gitlab-ci.yml@refs/heads/main
            1.3.6.1.4.1.57264.1.10: 
                .(41b7c9b1e870fb7efaf998f1e4e935e4b6190c98
            1.3.6.1.4.1.57264.1.11: 
                .
gitlab-hosted
            1.3.6.1.4.1.57264.1.12: 
                .7https://gitlab.com/jamietanna/hacking-scorecards-gitlab
            1.3.6.1.4.1.57264.1.13: 
                .(41b7c9b1e870fb7efaf998f1e4e935e4b6190c98
            1.3.6.1.4.1.57264.1.14: 
                ..refs/heads/main
            1.3.6.1.4.1.57264.1.15: 
                ..55110726
            1.3.6.1.4.1.57264.1.16: 
                ..https://gitlab.com/jamietanna
            1.3.6.1.4.1.57264.1.17: 
                ..305304
            1.3.6.1.4.1.57264.1.18: 
                .Whttps://gitlab.com/jamietanna/hacking-scorecards-gitlab//.gitlab-ci.yml@refs/heads/main
            1.3.6.1.4.1.57264.1.19: 
                .(41b7c9b1e870fb7efaf998f1e4e935e4b6190c98
            1.3.6.1.4.1.57264.1.20: 
                ..push
            1.3.6.1.4.1.57264.1.21: 
                .Ihttps://gitlab.com/jamietanna/hacking-scorecards-gitlab/-/jobs/6212550642
            1.3.6.1.4.1.57264.1.22: 
                ..public
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : DD:3D:30:6A:C6:C7:11:32:63:19:1E:1C:99:67:37:02:
                                A2:4A:5E:B8:DE:3C:AD:FF:87:8A:72:80:2F:29:EE:8E
                    Timestamp : Feb 20 12:01:34.423 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:32:4E:FC:E3:4B:90:C6:14:2F:06:1C:1C:
                                12:13:42:1C:34:3C:4A:1B:E3:5D:C0:A4:DA:8C:26:28:
                                B4:CE:F6:26:02:20:11:3B:0C:CF:1B:FC:38:AB:E1:AC:
                                69:C8:5C:71:F6:51:66:C6:FA:33:A3:B3:11:D6:8F:E3:
                                36:E8:BE:FA:D6:B1
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:65:02:31:00:e3:26:30:93:3d:d1:17:59:e4:87:bb:18:99:
        76:01:5d:71:8e:2e:7e:79:58:d5:0f:6c:1c:31:eb:4d:f8:9a:
        e8:6a:d2:a1:47:34:9e:2c:36:af:96:70:0d:5a:8c:76:0e:02:
        30:25:a1:23:24:44:d6:78:79:49:99:9d:f0:6d:50:47:23:f7:
        8f:82:5b:62:09:91:59:91:72:5d:4e:c6:09:a5:a3:4c:67:9a:
        a3:e4:b8:ed:60:eb:ac:5c:02:d6:a9:b8:55

I'm taking advantage of sigstore/cosign#2864 to use a Sigstore-specific ID token to provide non-interactive authentication, and then using the CI_JOB_JWT to actually sign the data
@spencerschrock
Copy link
Contributor

Thanks for including the certificate. I haven't seen the populated entries for GitLab yet.

There's a few things to discuss here:

  1. Following the cert back to the producing workflow
  2. Verifying the workflow

For the first point, #554 would likely need done first. The GitLab cert above doesn't have the fields we currently check, but does have the fields we should be checking to (partially) fix #554 as well.

For the second point, I'm not as familiar with GitLab CI, but there doesn't seem to be a GitHub action "marketplace". One benefit of that on the GitHub side is it allows us to have confidence about how the results are produced. What steps would help ensure someone didn't create their own JSON payload to upload?

@raghavkaul
Copy link
Contributor

I see GitLab is working on an equivalent to the GitHub Actions ecosystem: https://about.gitlab.com/blog/2023/07/10/introducing-ci-components/. If there were a standard Scorecard action component on GitLab, we could check for the presence of the component in the workflow file, similar to how we check for the Scorecard job in

scorecard-webapp/app/server/verify_workflow.go

Line 194 in efeceb7

func findScorecardJob(jobs map[string]*actionlint.Job) *actionlint.Job {

I would want this feature out of experimental before we rely on it, though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jamietanna @spencerschrock @raghavkaul