slsa-framework · ramonpetgrave64 · Feb 12, 2025 · Feb 11, 2025 · Feb 11, 2025 · Feb 11, 2025
@@ -160,7 +160,7 @@ jobs:
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"
-          go-version: "1.21"
+          go-version: "1.23.1"
           binary: "${{ env.BUILDER_BINARY }}"
           compile-builder: "${{ inputs.compile-generator }}"
           directory: "${{ env.BUILDER_DIR }}"

@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 <!-- toc -->
 
 - [Unreleased](#unreleased)
+  - [Unreleased: Sigstore Bundles for Generic Generator and Go Builder](#unreleased-sigstore-bundles-for-generic-generator-and-go-builder)
   - [Unreleased: Vars context recorded in provenance](#unreleased-vars-context-recorded-in-provenance)
 - [v2.0.0](#v200)
   - [v2.0.0: Breaking Change: upload-artifact and download-artifact](#v200-breaking-change-upload-artifact-and-download-artifact)
@@ -106,6 +107,15 @@ duplication."
 
 ## Unreleased
 
+### Unreleased: Sigstore Bundles for Generic Generator and Go Builder
+
+The workflows `generator_generic_slsa3.yml` and `builder_go_slsa3.yml`
+have been updated to produce signed Sigstore Bundles, just like all the other builders
+that use the BYOB framework.
+
+The workflow logs will now print a LogIndex, rather than a LogUUID. Both are equally searchanble on
+https://search.sigstore.dev/.
+
 ### Unreleased: Vars context recorded in provenance
 
 - **Updated**: GitHub `vars` context is now recorded in provenance for the generic and

@@ -39,6 +39,9 @@ const (
 
 // OIDCToken represents the contents of a GitHub OIDC JWT token.
 type OIDCToken struct {
+	// Expiry is the expiration date of the token.
+	Expiry time.Time
+
 	// Issuer is the token issuer.
 	Issuer string
 
@@ -54,8 +57,8 @@ type OIDCToken struct {
 	// ActorID is the unique ID of the actor who triggered the build.
 	ActorID string `json:"actor_id"`
 
-	// Expiry is the expiration date of the token.
-	Expiry time.Time
+	// RawToken is the unparsed oidc token.
+	RawToken string
 
 	// Audience is the audience for which the token was granted.
 	Audience []string
@@ -247,6 +250,8 @@ func (c *OIDCClient) Token(ctx context.Context, audience []string) (*OIDCToken,
 		return nil, err
 	}
 
+	token.RawToken = tokenPayload
+
 	return token, nil
 }
 

@@ -14,6 +14,7 @@ require (
 	github.com/sigstore/cosign/v2 v2.4.1
 	github.com/sigstore/rekor v1.3.6
 	github.com/sigstore/sigstore v1.8.10
+	github.com/sigstore/sigstore-go v0.6.1
 	github.com/spf13/cobra v1.8.1
 	golang.org/x/oauth2 v0.23.0
 	gopkg.in/square/go-jose.v2 v2.6.0
@@ -120,6 +121,7 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
+	github.com/in-toto/attestation v1.1.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
@@ -165,6 +167,7 @@ require (
 	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 	github.com/thales-e-security/pool v0.0.2 // indirect
 	github.com/theupdateframework/go-tuf v0.7.0 // indirect
+	github.com/theupdateframework/go-tuf/v2 v2.0.1 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/transparency-dev/merkle v0.0.2 // indirect

@@ -280,6 +280,8 @@ github.com/go-piv/piv-go v1.11.0 h1:5vAaCdRTFSIW4PeqMbnsDlUZ7odMYWnHBDGdmtU/Zhg=
 github.com/go-piv/piv-go v1.11.0/go.mod h1:NZ2zmjVkfFaL/CF8cVQ/pXdXtuj110zEKGdJM6fJZZM=
 github.com/go-rod/rod v0.116.2 h1:A5t2Ky2A+5eD/ZJQr1EfsQSe5rms5Xof/qj296e+ZqA=
 github.com/go-rod/rod v0.116.2/go.mod h1:H+CMO9SCNc2TJ2WfrG+pKhITz57uGNYU43qYHh438Mg=
+github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
+github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
@@ -386,6 +388,9 @@ github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
 github.com/hashicorp/go-sockaddr v1.0.5 h1:dvk7TIXCZpmfOlM+9mlcrWmWjw/wlKT+VDq2wMvfPJU=
 github.com/hashicorp/go-sockaddr v1.0.5/go.mod h1:uoUUmtwU7n9Dv3O4SNLeFvg0SxQ3lyjsj6+CCykpaxI=
+github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c=
+github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
+github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM=
 github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
 github.com/hashicorp/vault/api v1.14.0 h1:Ah3CFLixD5jmjusOgm8grfN9M0d+Y8fVR2SW0K6pJLU=
@@ -537,6 +542,8 @@ github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbm
 github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU=
 github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c=
 github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE=
+github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
+github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
 github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI=
 github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE=
 github.com/sigstore/cosign/v2 v2.4.1 h1:b8UXEfJFks3hmTwyxrRNrn6racpmccUycBHxDMkEPvU=

@@ -23,9 +23,9 @@ import (
 	"os"
 	"path"
 
-	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/spf13/cobra"
 
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/slsa-framework/slsa-github-generator/github"
 	"github.com/slsa-framework/slsa-github-generator/internal/builders/common"
 	"github.com/slsa-framework/slsa-github-generator/internal/utils"
@@ -35,7 +35,7 @@ import (
 
 // attestCmd returns the 'attest' command.
 func attestCmd(provider slsa.ClientProvider, check func(error),
-	signer signing.Signer, tlog signing.TransparencyLog,
+	signer signing.Signer,
 ) *cobra.Command {
 	var attPath string
 	var subjectsFilename string
@@ -44,7 +44,7 @@ func attestCmd(provider slsa.ClientProvider, check func(error),
 		Use:   "attest",
 		Short: "Create a signed SLSA provenance attestation from a Github Action",
 		Long: `Generate and sign SLSA provenance from a Github Action to form an attestation
-and upload to a Rekor transparency log. This command assumes that it is being
+and create a Sigstore Bundle. This command assumes that it is being
 run in the context of a Github Actions workflow.`,
 
 		Run: func(_ *cobra.Command, _ []string) {
@@ -114,9 +114,6 @@ run in the context of a Github Actions workflow.`,
 				})
 				check(err)
 
-				_, err = tlog.Upload(ctx, att)
-				check(err)
-
 				attBytes = att.Bytes()
 			}
 

@@ -249,7 +249,7 @@ func Test_attestCmd_default_single_artifact(t *testing.T) {
 		t.Errorf("unexpected failure: %v", err)
 	}
 	defer os.Remove(fn)
-	c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{})
+	c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{})
 	c.SetOut(new(bytes.Buffer))
 	c.SetArgs([]string{
 		"--subjects-filename", fn,
@@ -294,7 +294,7 @@ b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c  artifact2`)))
 		t.Errorf("unexpected failure: %v", err)
 	}
 	defer os.Remove(fn)
-	c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{})
+	c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{})
 	c.SetOut(new(bytes.Buffer))
 	c.SetArgs([]string{
 		"--subjects-filename", fn,
@@ -337,7 +337,7 @@ func Test_attestCmd_custom_provenance_name(t *testing.T) {
 		t.Errorf("unexpected failure: %v", err)
 	}
 	defer os.Remove(fn)
-	c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{})
+	c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{})
 	c.SetOut(new(bytes.Buffer))
 	c.SetArgs([]string{
 		"--subjects-filename", fn,
@@ -393,7 +393,7 @@ func Test_attestCmd_invalid_extension(t *testing.T) {
 		t.Errorf("unexpected failure: %v", err)
 	}
 	defer os.Remove(fn)
-	c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{}, &testutil.TestTransparencyLog{})
+	c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{})
 	c.SetOut(new(bytes.Buffer))
 	c.SetArgs([]string{
 		"--subjects-filename", fn,
@@ -447,7 +447,7 @@ func Test_attestCmd_invalid_path(t *testing.T) {
 		t.Errorf("unexpected failure: %v", err)
 	}
 	defer os.Remove(fn)
-	c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{}, &testutil.TestTransparencyLog{})
+	c := attestCmd(&slsa.NilClientProvider{}, check, &testutil.TestSigner{})
 	c.SetOut(new(bytes.Buffer))
 	c.SetArgs([]string{
 		"--subjects-filename", fn,
@@ -491,7 +491,7 @@ func Test_attestCmd_subdirectory_artifact(t *testing.T) {
 		t.Errorf("unexpected failure: %v", err)
 	}
 	defer os.Remove(fn)
-	c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{}, &testutil.TestTransparencyLog{})
+	c := attestCmd(&slsa.NilClientProvider{}, checkTest(t), &testutil.TestSigner{})
 	c.SetOut(new(bytes.Buffer))
 	c.SetArgs([]string{
 		"--subjects-filename", fn,

@@ -36,7 +36,7 @@ For more information on SLSA, visit https://slsa.dev`,
 		},
 	}
 	c.AddCommand(versionCmd())
-	c.AddCommand(attestCmd(nil, checkExit, sigstore.NewDefaultFulcio(), sigstore.NewDefaultRekor()))
+	c.AddCommand(attestCmd(nil, checkExit, sigstore.NewDefaultBundleSigner()))
 	return c
 }
 

@@ -75,11 +75,11 @@ func runBuild(dry bool, configFile, evalEnvs string) error {
 	return nil
 }
 
-func runProvenanceGeneration(subject, digest, commands, envs, workingDir, rekor string) error {
-	r := sigstore.NewRekor(rekor)
-	s := sigstore.NewDefaultFulcio()
+func runProvenanceGeneration(subject, digest, commands, envs, workingDir string) error {
+	s := sigstore.NewDefaultBundleSigner()
+
 	attBytes, err := pkg.GenerateProvenance(subject, digest,
-		commands, envs, workingDir, s, r, nil)
+		commands, envs, workingDir, s, nil)
 	if err != nil {
 		return err
 	}
@@ -118,7 +118,6 @@ func main() {
 	provenanceCommand := provenanceCmd.String("command", "", "command used to compile the binary")
 	provenanceEnv := provenanceCmd.String("env", "", "env variables used to compile the binary")
 	provenanceWorkingDir := provenanceCmd.String("workingDir", "", "working directory used to issue compilation commands")
-	provenanceRekor := provenanceCmd.String("rekor", sigstore.DefaultRekorAddr, "rekor server to use for provenance")
 
 	// Expect a sub-command.
 	if len(os.Args) < 2 {
@@ -145,7 +144,7 @@ func main() {
 		}
 
 		err := runProvenanceGeneration(*provenanceName, *provenanceDigest,
-			*provenanceCommand, *provenanceEnv, *provenanceWorkingDir, *provenanceRekor)
+			*provenanceCommand, *provenanceEnv, *provenanceWorkingDir)
 		check(err)
 
 	default:

@@ -65,7 +65,7 @@ func (b *goProvenanceBuild) BuildConfig(context.Context) (interface{}, error) {
 // attestation.
 // Spec: https://slsa.dev/provenance/v0.2
 func GenerateProvenance(name, digest, command, envs, workingDir string,
-	s signing.Signer, r signing.TransparencyLog, provider slsa.ClientProvider,
+	s signing.Signer, provider slsa.ClientProvider,
 ) ([]byte, error) {
 	gh, err := github.GetWorkflowContext()
 	if err != nil {
@@ -180,14 +180,5 @@ func GenerateProvenance(name, digest, command, envs, workingDir string,
 	if err != nil {
 		return nil, err
 	}
-
-	// Upload the signed attestation to rekor.
-	logEntry, err := r.Upload(ctx, att)
-	if err != nil {
-		return nil, err
-	}
-
-	fmt.Printf("Uploaded signed attestation to rekor with UUID %s.\n", logEntry.UUID())
-
 	return att.Bytes(), nil
 }
@@ -21,7 +21,7 @@ import (
 	"github.com/slsa-framework/slsa-github-generator/slsa"
 )
 
-func TestGenerateProvenance_withErr(t *testing.T) {
+func TestGenerateProvenance(t *testing.T) {
 	// Disable pre-submit detection.
 	// TODO(github.com/slsa-framework/slsa-github-generator/issues/124): Remove
 	t.Setenv("GITHUB_EVENT_NAME", "non_event")
@@ -30,10 +30,13 @@ func TestGenerateProvenance_withErr(t *testing.T) {
 	sha256 := "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2"
 	_, err := GenerateProvenance(
 		"foo", sha256, "", "", "/home/foo",
-		&testutil.TestSigner{}, &testutil.TransparencyLogWithErr{},
+		&testutil.TestSigner{},
 		&slsa.NilClientProvider{},
 	)
-	if want, got := testutil.ErrTransparencyLog, err; want != got {
-		t.Errorf("expected error, want: %v, got: %v", want, got)
+
+	var want error
+	got := err
+	if want != got {
+		t.Errorf("unexpected error, want: %v, got: %v", want, got)
 	}
 }