
[e2e]: container schedule main provenance-registry slsa3 #3024

Closed
ianlewis opened this issue Dec 8, 2023 · 46 comments
Labels
area:container Issue with the generic container generator e2e e2e integration tests type:bug Something isn't working

Comments

@ianlewis ianlewis added area:container Issue with the generic container generator e2e e2e integration tests type:bug Something isn't working labels Dec 8, 2023
@saisatishkarra
Contributor

saisatishkarra commented Dec 11, 2023

The docker repo at line https://github.com/slsa-framework/example-package/actions/runs/7162395442/job/19499307066 to push the container image doesn't seem to exist / permission issue with DOCKER_TOKEN. @ianlewis please confirm if this was created and where the image needs to be pushed. Repo structure: docker.io/slsa-framework/<workflow-name>

@ianlewis
Member Author

The repo server shouldn't be docker.io but ghcr.io so that will need to be fixed. We don't store any of our images from e2e tests in docker.io.
https://github.com/slsa-framework/example-package/blob/abca0df707464cb0017116bf9eefa5938d7eb56e/.github/workflows/e2e.container.schedule.main.provenance-registry.slsa3.yml#L21C9-L21C28

@saisatishkarra
Contributor

saisatishkarra commented Dec 12, 2023

@ianlewis Here is more context for the swap and the attempt at using dockerhub for images (i.e. deletion after completion) and GHCR for provenance: #2981, where we use two different registries (ghcr for provenance / dockerhub for container images).

Now that the deletion is not a requirement, I can swap them back (images in GHCR and provenance in dockerhub) but would still require the docker.io repo for provenance. Can you clarify what this repo name is / add a secret?

@saisatishkarra
Contributor

Workaround PR: slsa-framework/example-package#296 that still requires docker.io for provenance and ghcr.io for images

@laurentsimon
Collaborator

laurentsimon commented Dec 12, 2023

The latest run failed with Error response from daemon: Get "https://gchr.io/v2/": remote error: tls: handshake failure https://github.com/slsa-framework/example-package/actions/runs/7185487268. I re-ran and got the same error. May need to enable debugging.

@saisatishkarra
Contributor

@laurentsimon A quick look at your comment made me find a typo and here is the fix: slsa-framework/example-package#297

@laurentsimon
Collaborator

laurentsimon commented Dec 12, 2023

New run https://github.com/slsa-framework/example-package/actions/runs/7186615098/job/19572433787. The step "Create and sign provenance" shows the following error:

tlog entry created with index: 56139934
Error: signing ghcr.io/slsa-framework/example-package.e2e.container.schedule.main.provenance-registry.slsa3@sha256:b11b6093931b12c27cd48a09d7fe3a6f319f99caec0de4a825a560be0e7f8731: GET https://index.docker.io/v2/slsa-framework/example-package.e2e.container.schedule.main.provenance-registry.slsa3/manifests/sha256-b11b6093931b12c27cd48a09d7fe3a6f319f99caec0de4a825a560be0e7f8731.att: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:slsa-framework/example-package.e2e.container.schedule.main.provenance-registry.slsa3 Type:repository]]
main.go:74: error during command execution: signing ghcr.io/slsa-framework/example-package.e2e.container.schedule.main.provenance-registry.slsa3@sha256:b11b6093931b12c27cd48a09d7fe3a6f319f99caec0de4a825a560be0e7f8731: GET https://index.docker.io/v2/slsa-framework/example-package.e2e.container.schedule.main.provenance-registry.slsa3/manifests/sha256-b11b6093931b12c27cd48a09d7fe3a6f319f99caec0de4a825a560be0e7f8731.att: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:slsa-framework/example-package.e2e.container.schedule.main.provenance-registry.slsa3 Type:repository]]
Error: Process completed with exit code 1.

Seems like an authentication error to docker. Mhh, could it be that my token does not have the permissions... It should have. I'll verify and circle back here.

@saisatishkarra
Contributor

@laurentsimon Can you confirm if the below info is valid and exists as per https://index.docker.io/v2/slsa-framework/example-package.e2e.container.schedule.main.provenance-registry.slsa3 ?

  • dockerhub repository for provenance: example-package.e2e.container.schedule.main.provenance-registry.slsa3
  • dockerhub org/personal account name: slsa-framework
  • dockerhub username: laurentsimon
  • Token: secrets.E2E_DOCKER_HUB_TOKEN has permissions to write to the above docker repo / org.

@laurentsimon
Collaborator

> @laurentsimon Can you confirm if the below info is valid and exists as per https://index.docker.io/v2/slsa-framework/example-package.e2e.container.schedule.main.provenance-registry.slsa3 ?
>
>   • dockerhub repository for provenance: example-package.e2e.container.schedule.main.provenance-registry.slsa3

This should be under the same repo laurentsimon

>   • dockerhub org/personal account name: slsa-framework

should be laurentsimon

>   • dockerhub username: laurentsimon
>   • Token: secrets.E2E_DOCKER_HUB_TOKEN has permissions to write to the above docker repo / org.

@saisatishkarra
Contributor

@ianlewis / @laurentsimon Here is the PR for provenance account auth

@laurentsimon
Collaborator

Current error I'm seeing is FAILED: SLSA verification failed: no matching attestations: during verification. The cosign verification works, but the one with slsa-verifier does not. I think we're missing COSIGN_REPOSITORY="${PROVENANCE_IMAGE}" for slsa-verifier. I'll make the change and see if it fixes the problem

@laurentsimon
Collaborator

Still failing. I think it's due to the value being visible in the script but not "exported" to the slsa-verifier process by default. Maybe we need to export it explicitly in the script if its value is not empty. Made this change https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e.container.default.verify.sh#L44-L47 but it has not fixed the problem. @saisatishkarra any thoughts? Have you run the slsa-verifier CLI locally and confirmed that it works?

@saisatishkarra
Contributor

@laurentsimon I haven't run the slsa-verifier locally and never tried exporting COSIGN_REPOSITORY. I can give it a quick try using 2 local docker repositories at my end to see if setting the cosign env variable works by default. Otherwise, it seems like this should be an explicit option to the verifier.

@saisatishkarra
Contributor

saisatishkarra commented Dec 19, 2023

@laurentsimon I have tested this locally with some of the internal images.

  • SLSA VERIFIER VERSION:
  ____    _       ____       _             __     __  _____   ____    ___   _____   ___   _____   ____
 / ___|  | |     / ___|     / \            \ \   / / | ____| |  _ \  |_ _| |  ___| |_ _| | ____| |  _ \
 \___ \  | |     \___ \    / _ \    _____   \ \ / /  |  _|   | |_) |  | |  | |_     | |  |  _|   | |_) |
  ___) | | |___   ___) |  / ___ \  |_____|   \ V /   | |___  |  _ <   | |  |  _|    | |  | |___  |  _ <
 |____/  |_____| |____/  /_/   \_\            \_/    |_____| |_| \_\ |___| |_|     |___| |_____| |_| \_\
slsa-verifier: Verify SLSA provenance for Github Actions

GitVersion:    2.4.0
GitCommit:     brew
GitTreeState:  clean
BuildDate:     2023-08-24T22:58:45Z
GoVersion:     go1.21.1
Compiler:      gc
Platform:      darwin/amd64
  • COSIGN VERSION:
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    2.0.1
GitCommit:     8faaee4d2b5f65678eb0831a8a3d5990a0271d3a
GitTreeState:  "clean"
BuildDate:     2023-04-06T19:10:33Z
GoVersion:     go1.20.3
Compiler:      gc
Platform:      darwin/amd64
  • COSIGN RESPECTS the COSIGN_REPOSITORY env and verified the provenance stored in a different repo
  • slsa-verifier FAILS even with the explicit export of the COSIGN_REPOSITORY env and returns FAILED: SLSA verification failed: no matching attestations:

Can you confirm what version of cosign is being used by the slsa-verifier and if the API needs the COSIGN_REPOSITORY env parameter to be explicitly passed?
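The two mechanics this thread turns on can be checked offline. The following is an added example, not a script from the example-package repo or from slsa-verifier: `provenance_ref` shows where cosign looks for an image's attestation (the `sha256-<digest>.att` tag in the image's own repository, or in COSIGN_REPOSITORY when that variable is set), which is why the signing step above went to index.docker.io for a ghcr.io image; `child_sees_cosign_repository` shows that a variable assigned in a shell script is invisible to a child process such as the slsa-verifier binary unless it is exported. The image reference and digest are the ones quoted in the error above; the docker.io override path is an assumed value, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not from example-package or slsa-verifier).

# Where cosign looks for an image's attestation: "<repo>:sha256-<digest-hex>.att",
# with <repo> replaced by COSIGN_REPOSITORY when an override is given.
# Usage: provenance_ref <image@sha256:...> [cosign_repository]
provenance_ref() {
  image="$1"
  override="$2"
  case "$image" in
    *@sha256:*) ;;
    *) echo "provenance_ref: image must be pinned by digest" >&2; return 1 ;;
  esac
  repo="${image%%@*}"               # strip "@sha256:..." to get the repository
  digest_hex="${image##*@sha256:}"  # keep only the hex part of the digest
  if [ -n "$override" ]; then
    repo="$override"                # attestation lives in the override repo instead
  fi
  printf '%s:sha256-%s.att\n' "$repo" "$digest_hex"
}

# Reports what a child process sees for COSIGN_REPOSITORY.
#   yes: assign, then export only when non-empty (the pattern discussed above)
#   no:  plain assignment, which stays local to the calling shell
# Usage: child_sees_cosign_repository <value> yes|no
child_sees_cosign_repository() {
  value="$1"
  do_export="$2"
  (
    unset COSIGN_REPOSITORY         # start clean, whatever the outer environment holds
    COSIGN_REPOSITORY="$value"
    if [ "$do_export" = yes ] && [ -n "$COSIGN_REPOSITORY" ]; then
      export COSIGN_REPOSITORY
    fi
    # A fresh sh stands in for the slsa-verifier binary spawned by the script.
    sh -c 'printf "%s\n" "${COSIGN_REPOSITORY:-<unset>}"'
  )
}

# Sample run with the image from the failing job (constructed override path).
IMG='ghcr.io/slsa-framework/example-package.e2e.container.schedule.main.provenance-registry.slsa3@sha256:b11b6093931b12c27cd48a09d7fe3a6f319f99caec0de4a825a560be0e7f8731'
provenance_ref "$IMG"
provenance_ref "$IMG" docker.io/laurentsimon/example-package.e2e.container.schedule.main.provenance-registry.slsa3
child_sees_cosign_repository docker.io/laurentsimon/example yes
child_sees_cosign_repository docker.io/laurentsimon/example no
```

The second `child_sees_cosign_repository` call prints `<unset>`: the assignment is visible inside the script, but a child process only inherits exported variables, which is the symptom described two comments above.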

@laurentsimon
Collaborator

@saisatishkarra
Contributor

Here is the PR for consuming COSIGN_REPOSITORY when set for verifying provenance stored in a different registry. I have tested the go binary of slsa-verifier locally with the changes and it seemed to honor the set env variable and successfully verify image provenance instead of failing.

@ianlewis / @laurentsimon Please guide how to update the e2e workflow to use the ref of the slsa-verifier to test it.

@laurentsimon
Collaborator

laurentsimon commented Jan 3, 2024

The changes in the PR make sense. I think this will work. We don't have good support to test a particular ref in the e2e test. I suggest we merge your PR and trigger it at main. Then we follow up with a PR to add a proper --provenance-registry as we decided in slsa-framework/slsa-verifier#724. Wdut?

@saisatishkarra
Contributor

Sounds good to me!!

@ianlewis ianlewis closed this as completed Jan 4, 2024
@laurentsimon
Collaborator

Looks like it's working, yaay, great job @saisatishkarra
Let me know if you need some guidance on the slsa-verifier. If so, please ping me on the issue and I will answer. Thank you!
