There's a recent attack that manages to re-name repositories https://sockpuppets.medium.com/how-i-hacked-ctx-and-phpass-modules-656638c6ec5e, which would bypass the current provenance verification.
We can protect against this by recording the repository_id, see https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token
This could also be added to Fulcio's certificate generation. @asraa shall we start a thread about this on sigstore repos?
For the time being, let's record it as part of the invocation, and provide some examples in the README how to extract it, e.g. via ja
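An added example (not code from this issue or from the slsa-github-generator project) of the check proposed above: the verifier pins the numeric repository id next to the repository name, so provenance produced from a re-created repository that reuses the old name fails even though the name matches. The provenance documents are constructed, and the `github_repository_id` environment key name is an assumption.

```python
import json

# Constructed sample provenance, modelled loosely on what slsa-github-generator
# records in the in-toto predicate. The "github_repository_id" key name is an
# assumption for this example, not a field name confirmed by the project.
PROVENANCE_ORIGINAL = json.dumps({
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {"invocation": {
        "configSource": {"uri": "git+https://github.com/example-org/example-package@refs/heads/main"},
        "environment": {"github_repository_id": "123456789"},
    }},
})

# Same repository name, different numeric id: the name was re-created by
# someone else after the original repository was renamed or deleted.
PROVENANCE_RECREATED = json.dumps({
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {"invocation": {
        "configSource": {"uri": "git+https://github.com/example-org/example-package@refs/heads/main"},
        "environment": {"github_repository_id": "987654321"},
    }},
})

# Policy pinned by the consumer when the package was first trusted.
EXPECTED = {"repo": "https://github.com/example-org/example-package",
            "repository_id": "123456789"}


def repo_from_source_uri(uri: str) -> str:
    """'git+https://github.com/o/r@refs/heads/main' -> 'https://github.com/o/r'."""
    return uri.removeprefix("git+").split("@", 1)[0]


def verify_source(provenance_json: str, expected: dict) -> tuple[bool, bool, bool]:
    """Return (name_ok, id_ok, trusted). The name check alone is what a
    repository re-creation bypasses; the id check is what catches it."""
    inv = json.loads(provenance_json)["predicate"]["invocation"]
    name_ok = repo_from_source_uri(inv["configSource"]["uri"]) == expected["repo"]
    # A missing id is treated as a mismatch: absence must not pass as trust.
    recorded_id = inv.get("environment", {}).get("github_repository_id")
    id_ok = recorded_id is not None and str(recorded_id) == expected["repository_id"]
    return name_ok, id_ok, name_ok and id_ok


if __name__ == "__main__":
    print("original :", verify_source(PROVENANCE_ORIGINAL, EXPECTED))
    print("recreated:", verify_source(PROVENANCE_RECREATED, EXPECTED))
```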
Repo: https://github.com/slsa-framework/example-package/tree/main
Run: https://github.com/slsa-framework/example-package/actions/runs/2419171690
Workflow name: go schedule main SLSA3 config-noldflags
Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/
Trigger: schedule
Branch: main
Date: Wed Jun 1 04:02:50 UTC 2022
Repo: https://github.com/slsa-framework/example-package/tree/main
Run: https://github.com/slsa-framework/example-package/actions/runs/2420591002
Workflow name: go schedule main SLSA3 adversarial build provenance
Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/
Trigger: schedule
Branch: main
Date: Wed Jun 1 09:30:17 UTC 2022
Tests are passing now. Closing this issue.
laurentsimon