Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug: slsa-verifier failing to validate google cloud generated provenance #700

Open
godofredoc opened this issue Aug 26, 2023 · 9 comments
Open

bug: slsa-verifier failing to validate google cloud generated provenance #700

godofredoc opened this issue Aug 26, 2023 · 9 comments
Labels
area:gcb Issue with the gcb verifier type:bug Something isn't working

Comments

@godofredoc
Copy link

Error:

FAILED: SLSA verification failed: verified intoto provenance does not match text provenance: diff '  gcb.v01IntotoStatement{
  	StatementHeader: {Type: "https://in-toto.io/Statement/v0.1", PredicateType: "https://slsa.dev/provenance/v0.1", Subject: {{Name: "https://us-docker.pkg.dev/flutter-dashboard/appengine/default.ve"..., Digest: {"sha256": "0121a28df93df7e14e7fea450ba905b980d1efc80089263588142893610aa84d"}}, {Name: "https://us-docker.pkg.dev/flutter-dashboard/appengine/default.ve"..., Digest: {"sha256": "0121a28df93df7e14e7fea450ba905b980d1efc80089263588142893610aa84d"}}}},
  	Predicate: gcb.ProvenancePredicate{
  		Builder: {ID: "https://cloudbuild.googleapis.com/[email protected]"},
  		Recipe: gcb.ProvenanceRecipe{
  			Type:       "https://cloudbuild.googleapis.com/[email protected]",
  			EntryPoint: "app_dart/cloudbuild_app_dart.yaml",
  			Arguments: map[string]any{
  				... // 2 identical entries
  				"name":             string("projects/308150028417/locations/global/builds/085019aa-9481-4d8b"...),
  				"options":          map[string]any{"dynamicSubstitutions": bool(true), "logging": string("LEGACY"), "pool": map[string]any{}, "requestedVerifyOption": string("VERIFIED"), ...},
- 				"sourceProvenance": map[string]any{},
+ 				"sourceProvenance": map[string]any{
+ 					"resolvedGitSource": map[string]any{
+ 						"revision": string("b1de41509493276b0ed9890ec20a537b6f2c09b0"),
+ 						"url":      string("https://github.com/flutter/cocoon.git"),
+ 					},
+ 				},

The issue is that provenance generated with gcloud artifacts docker images describe $DOCKER_IMAGE_URL --show-provenance --format json > $OUTPUT_DIRECTORY has an empty sourceProvenance in the plain text part of the file:

"sourceProvenance": map[string]any{},

But the base64 payload contains the full sourceprovenance:

+ 				"sourceProvenance": map[string]any{
+ 					"resolvedGitSource": map[string]any{
+ 						"revision": string("b1de41509493276b0ed9890ec20a537b6f2c09b0"),
+ 						"url":      string("https://github.com/flutter/cocoon.git"),
+ 					},
+ 				},
@godofredoc godofredoc changed the title slsa-verifier failing to validate google cloud generated provenance bug: slsa-verifier failing to validate google cloud generated provenance Aug 26, 2023
@godofredoc
Copy link
Author

\cc @drewroengoogle

@ianlewis ianlewis added type:bug Something isn't working area:gcb Issue with the gcb verifier labels Aug 28, 2023
@drewroengoogle drewroengoogle mentioned this issue Aug 28, 2023
Closed
@drewroengoogle
Copy link
Contributor

drewroengoogle commented Aug 28, 2023
edited
Loading

In regards to impact, this is preventing us from doing any deployments of our Flutter infra applications. Is there a workaround or flag we can set to ignore the sourceProvenance change? The above provenance is automatically generated by Cloud Build, and we are using slsa-verifier 2.3.0, although from trying to verify the provenance locally, it seems to also be happening in 2.4.0.

@laurentsimon
Copy link
Contributor

Thanks for the report. Please revert to the older slsa-verifier version (2.3.0). Can you attach (or copy) the result of your gcloud artifacts docker images describe in the issue?

We added some preliminary code to verify GCB v1.0 in v2.4.0, but not fully tested and not officially released. We're missing the e2e tests. I'll work on these right away and cut a new version

@drewroengoogle
Copy link
Contributor

Yes, here's the provenance of one of an artifact that failed validation today:

{
  "image_summary": {
    "digest": "sha256:7c8a71a843ee128ff4baadab3a05076d07ffb8d47d8affc759a87a60b1d9153c",
    "fully_qualified_digest": "us-docker.pkg.dev/flutter-dashboard/appengine/default.version-27ecaf6@sha256:7c8a71a843ee128ff4baadab3a05076d07ffb8d47d8affc759a87a60b1d9153c",
    "registry": "us-docker.pkg.dev",
    "repository": "appengine"
  },
  "provenance_summary": {
    "provenance": [
      {
        "build": {
          "intotoStatement": {
            "_type": "https://in-toto.io/Statement/v0.1",
            "predicateType": "https://slsa.dev/provenance/v0.1",
            "slsaProvenance": {
              "builder": {
                "id": "https://cloudbuild.googleapis.com/[email protected]"
              },
              "materials": [
                {
                  "digest": {
                    "sha1": "27ecaf67be8ec7f8571b75553715bc05f3a7022c"
                  },
                  "uri": "git+https://github.com/flutter/cocoon"
                }
              ],
              "metadata": {
                "buildFinishedOn": "2023-08-28T17:28:17.432966Z",
                "buildInvocationId": "22237782-5a12-46fd-a753-1fc36ca79818",
                "buildStartedOn": "2023-08-28T17:23:47.928930449Z"
              },
              "recipe": {
                "arguments": {
                  "@type": "type.googleapis.com/google.devtools.cloudbuild.v1.Build",
                  "id": "22237782-5a12-46fd-a753-1fc36ca79818",
                  "name": "projects/308150028417/locations/global/builds/22237782-5a12-46fd-a753-1fc36ca79818",
                  "options": {
                    "dynamicSubstitutions": true,
                    "logging": "LEGACY",
                    "pool": {},
                    "requestedVerifyOption": "VERIFIED",
                    "substitutionOption": "ALLOW_LOOSE"
                  },
                  "sourceProvenance": {},
                  "steps": [
                    {
                      "args": [
                        "cloud_build/dashboard_build.sh"
                      ],
                      "entrypoint": "/bin/bash",
                      "name": "us-docker.pkg.dev/flutter-dashboard/flutter/flutter",
                      "pullTiming": {
                        "endTime": "2023-08-28T17:24:27.360161386Z",
                        "startTime": "2023-08-28T17:23:51.511735054Z"
                      },
                      "status": "SUCCESS",
                      "timing": {
                        "endTime": "2023-08-28T17:27:06.448156408Z",
                        "startTime": "2023-08-28T17:23:51.511735054Z"
                      }
                    },
                    {
                      "args": [
                        "build",
                        "-t",
                        "us-docker.pkg.dev/flutter-dashboard/appengine/default.version-27ecaf6",
                        "app_dart"
                      ],
                      "name": "us-docker.pkg.dev/cloud-builders/ga/v1/docker",
                      "pullTiming": {
                        "endTime": "2023-08-28T17:27:22.507876044Z",
                        "startTime": "2023-08-28T17:27:06.448243160Z"
                      },
                      "status": "SUCCESS",
                      "timing": {
                        "endTime": "2023-08-28T17:27:56.241362235Z",
                        "startTime": "2023-08-28T17:27:06.448243160Z"
                      }
                    },
                    {
                      "args": [
                        "-c",
                        "gcloud builds submit \\\n  --config app_dart/cloudbuild_app_dart_deploy.yaml \\\n  --substitutions=\"SHORT_SHA=27ecaf6\" \\\n  --async"
                      ],
                      "entrypoint": "/bin/bash",
                      "name": "gcr.io/cloud-builders/gcloud",
                      "pullTiming": {
                        "endTime": "2023-08-28T17:27:56.244231571Z",
                        "startTime": "2023-08-28T17:27:56.241498675Z"
                      },
                      "status": "SUCCESS",
                      "timing": {
                        "endTime": "2023-08-28T17:28:07.789365002Z",
                        "startTime": "2023-08-28T17:27:56.241498675Z"
                      }
                    }
                  ],
                  "substitutions": {
                    "BRANCH_NAME": "main",
                    "COMMIT_SHA": "27ecaf67be8ec7f8571b75553715bc05f3a7022c",
                    "REF_NAME": "main",
                    "REPO_FULL_NAME": "flutter/cocoon",
                    "REPO_NAME": "cocoon",
                    "REVISION_ID": "27ecaf67be8ec7f8571b75553715bc05f3a7022c",
                    "SHORT_SHA": "27ecaf6",
                    "TRIGGER_BUILD_CONFIG_PATH": "app_dart/cloudbuild_app_dart.yaml",
                    "TRIGGER_NAME": "cocoon-app-dart"
                  }
                },
                "entryPoint": "app_dart/cloudbuild_app_dart.yaml",
                "type": "https://cloudbuild.googleapis.com/[email protected]"
              }
            },
            "subject": [
              {
                "digest": {
                  "sha256": "7c8a71a843ee128ff4baadab3a05076d07ffb8d47d8affc759a87a60b1d9153c"
                },
                "name": "https://us-docker.pkg.dev/flutter-dashboard/appengine/default.version-27ecaf6"
              },
              {
                "digest": {
                  "sha256": "7c8a71a843ee128ff4baadab3a05076d07ffb8d47d8affc759a87a60b1d9153c"
                },
                "name": "https://us-docker.pkg.dev/flutter-dashboard/appengine/default.version-27ecaf6:latest"
              }
            ]
          }
        },
        "createTime": "2023-08-28T17:28:18.356251Z",
        "envelope": {
          "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZSI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9jbG91ZGJ1aWxkLmdvb2dsZWFwaXMuY29tL0dvb2dsZUhvc3RlZFdvcmtlckB2MC4zIn0sIm1hdGVyaWFscyI6W3siZGlnZXN0Ijp7InNoYTEiOiIyN2VjYWY2N2JlOGVjN2Y4NTcxYjc1NTUzNzE1YmMwNWYzYTcwMjJjIn0sInVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vZmx1dHRlci9jb2Nvb24ifV0sIm1ldGFkYXRhIjp7ImJ1aWxkRmluaXNoZWRPbiI6IjIwMjMtMDgtMjhUMTc6Mjg6MTcuNDMyOTY2WiIsImJ1aWxkSW52b2NhdGlvbklkIjoiMjIyMzc3ODItNWExMi00NmZkLWE3NTMtMWZjMzZjYTc5ODE4IiwiYnVpbGRTdGFydGVkT24iOiIyMDIzLTA4LTI4VDE3OjIzOjQ3LjkyODkzMDQ0OVoifSwicmVjaXBlIjp7ImFyZ3VtZW50cyI6eyJAdHlwZSI6InR5cGUuZ29vZ2xlYXBpcy5jb20vZ29vZ2xlLmRldnRvb2xzLmNsb3VkYnVpbGQudjEuQnVpbGQiLCJpZCI6IjIyMjM3NzgyLTVhMTItNDZmZC1hNzUzLTFmYzM2Y2E3OTgxOCIsIm5hbWUiOiJwcm9qZWN0cy8zMDgxNTAwMjg0MTcvbG9jYXRpb25zL2dsb2JhbC9idWlsZHMvMjIyMzc3ODItNWExMi00NmZkLWE3NTMtMWZjMzZjYTc5ODE4Iiwib3B0aW9ucyI6eyJkeW5hbWljU3Vic3RpdHV0aW9ucyI6dHJ1ZSwibG9nZ2luZyI6IkxFR0FDWSIsInBvb2wiOnt9LCJyZXF1ZXN0ZWRWZXJpZnlPcHRpb24iOiJWRVJJRklFRCIsInN1YnN0aXR1dGlvbk9wdGlvbiI6IkFMTE9XX0xPT1NFIn0sInNvdXJjZVByb3ZlbmFuY2UiOnsicmVzb2x2ZWRHaXRTb3VyY2UiOnsicmV2aXNpb24iOiIyN2VjYWY2N2JlOGVjN2Y4NTcxYjc1NTUzNzE1YmMwNWYzYTcwMjJjIiwidXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL2ZsdXR0ZXIvY29jb29uLmdpdCJ9fSwic3RlcHMiOlt7ImFyZ3MiOlsiY2xvdWRfYnVpbGQvZGFzaGJvYXJkX2J1aWxkLnNoIl0sImVudHJ5cG9pbnQiOiIvYmluL2Jhc2giLCJuYW1lIjoidXMtZG9ja2VyLnBrZy5kZXYvZmx1dHRlci1kYXNoYm9hcmQvZmx1dHRlci9mbHV0dGVyIiwicHVsbFRpbWluZyI6eyJlbmRUaW1lIjoiMjAyMy0wOC0yOFQxNzoyNDoyNy4zNjAxNjEzODZaIiwic3RhcnRUaW1lIjoiMjAyMy0wOC0yOFQxNzoyMzo1MS41MTE3MzUwNTRaIn0sInN0YXR1cyI6IlNVQ0NFU1MiLCJ0aW1pbmciOnsiZW5kVGltZSI6IjIwMjMtMDgtMjhUMTc6Mjc6MDYuNDQ4MTU2NDA4WiIsInN0YXJ0VGltZSI6IjIwMjMtMDgtMjhUMTc6MjM6NTEuNTExNzM1MDU0WiJ9fSx7ImFyZ3MiOlsiYnVpbGQiLCItdCIsInVzLWRvY2tlci5wa2cuZGV2L2ZsdXR0ZXItZGFzaGJvYXJkL2FwcGVuZ2luZS9kZWZhdWx0LnZlcnNpb24tMjdlY2FmNiIsImFwcF9kYXJ0Il0sIm5hbWUiOiJ1cy1kb2NrZXIucGtnLmRldi9jbG91ZC1idWlsZGVycy9nYS92MS9kb2NrZXIiLCJwdWxsVGltaW5nIjp7ImVuZFRpbWUiOiIyMDIzLTA4LTI4VDE3OjI3OjIyLjUwNzg3NjA0NFoiLCJzdGFydFRpbWUiOiIyMDIzLTA4LTI4VDE3OjI3OjA2LjQ0ODI0MzE2MFoifSwic3RhdHVzIjoiU1VDQ0VTUyIsInRpbWluZyI6eyJlbmRUaW1lIjoiMjAyMy0wOC0yOFQxNzoyNzo1Ni4yNDEzNjIyMzVaIiwic3RhcnRUaW1lIjoiMjAyMy0wOC0yOFQxNzoyNzowNi40NDgyNDMxNjBaIn19LHsiYXJncyI6WyItYyIsImdjbG91ZCBidWlsZHMgc3VibWl0IFxcXG4gIC0tY29uZmlnIGFwcF9kYXJ0L2Nsb3VkYnVpbGRfYXBwX2RhcnRfZGVwbG95LnlhbWwgXFxcbiAgLS1zdWJzdGl0dXRpb25zPVwiU0hPUlRfU0hBPTI3ZWNhZjZcIiBcXFxuICAtLWFzeW5jIl0sImVudHJ5cG9pbnQiOiIvYmluL2Jhc2giLCJuYW1lIjoiZ2NyLmlvL2Nsb3VkLWJ1aWxkZXJzL2djbG91ZCIsInB1bGxUaW1pbmciOnsiZW5kVGltZSI6IjIwMjMtMDgtMjhUMTc6Mjc6NTYuMjQ0MjMxNTcxWiIsInN0YXJ0VGltZSI6IjIwMjMtMDgtMjhUMTc6Mjc6NTYuMjQxNDk4Njc1WiJ9LCJzdGF0dXMiOiJTVUNDRVNTIiwidGltaW5nIjp7ImVuZFRpbWUiOiIyMDIzLTA4LTI4VDE3OjI4OjA3Ljc4OTM2NTAwMloiLCJzdGFydFRpbWUiOiIyMDIzLTA4LTI4VDE3OjI3OjU2LjI0MTQ5ODY3NVoifX1dLCJzdWJzdGl0dXRpb25zIjp7IkJSQU5DSF9OQU1FIjoibWFpbiIsIkNPTU1JVF9TSEEiOiIyN2VjYWY2N2JlOGVjN2Y4NTcxYjc1NTUzNzE1YmMwNWYzYTcwMjJjIiwiUkVGX05BTUUiOiJtYWluIiwiUkVQT19GVUxMX05BTUUiOiJmbHV0dGVyL2NvY29vbiIsIlJFUE9fTkFNRSI6ImNvY29vbiIsIlJFVklTSU9OX0lEIjoiMjdlY2FmNjdiZThlYzdmODU3MWI3NTU1MzcxNWJjMDVmM2E3MDIyYyIsIlNIT1JUX1NIQSI6IjI3ZWNhZjYiLCJUUklHR0VSX0JVSUxEX0NPTkZJR19QQVRIIjoiYXBwX2RhcnQvY2xvdWRidWlsZF9hcHBfZGFydC55YW1sIiwiVFJJR0dFUl9OQU1FIjoiY29jb29uLWFwcC1kYXJ0In19LCJlbnRyeVBvaW50IjoiYXBwX2RhcnQvY2xvdWRidWlsZF9hcHBfZGFydC55YW1sIiwidHlwZSI6Imh0dHBzOi8vY2xvdWRidWlsZC5nb29nbGVhcGlzLmNvbS9DbG91ZEJ1aWxkWWFtbEB2MC4xIn19LCJwcmVkaWNhdGVUeXBlIjoiaHR0cHM6Ly9zbHNhLmRldi9wcm92ZW5hbmNlL3YwLjEiLCJzbHNhUHJvdmVuYW5jZSI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9jbG91ZGJ1aWxkLmdvb2dsZWFwaXMuY29tL0dvb2dsZUhvc3RlZFdvcmtlckB2MC4zIn0sIm1hdGVyaWFscyI6W3siZGlnZXN0Ijp7InNoYTEiOiIyN2VjYWY2N2JlOGVjN2Y4NTcxYjc1NTUzNzE1YmMwNWYzYTcwMjJjIn0sInVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vZmx1dHRlci9jb2Nvb24ifV0sIm1ldGFkYXRhIjp7ImJ1aWxkRmluaXNoZWRPbiI6IjIwMjMtMDgtMjhUMTc6Mjg6MTcuNDMyOTY2WiIsImJ1aWxkSW52b2NhdGlvbklkIjoiMjIyMzc3ODItNWExMi00NmZkLWE3NTMtMWZjMzZjYTc5ODE4IiwiYnVpbGRTdGFydGVkT24iOiIyMDIzLTA4LTI4VDE3OjIzOjQ3LjkyODkzMDQ0OVoifSwicmVjaXBlIjp7ImFyZ3VtZW50cyI6eyJAdHlwZSI6InR5cGUuZ29vZ2xlYXBpcy5jb20vZ29vZ2xlLmRldnRvb2xzLmNsb3VkYnVpbGQudjEuQnVpbGQiLCJpZCI6IjIyMjM3NzgyLTVhMTItNDZmZC1hNzUzLTFmYzM2Y2E3OTgxOCIsIm5hbWUiOiJwcm9qZWN0cy8zMDgxNTAwMjg0MTcvbG9jYXRpb25zL2dsb2JhbC9idWlsZHMvMjIyMzc3ODItNWExMi00NmZkLWE3NTMtMWZjMzZjYTc5ODE4Iiwib3B0aW9ucyI6eyJkeW5hbWljU3Vic3RpdHV0aW9ucyI6dHJ1ZSwibG9nZ2luZyI6IkxFR0FDWSIsInBvb2wiOnt9LCJyZXF1ZXN0ZWRWZXJpZnlPcHRpb24iOiJWRVJJRklFRCIsInN1YnN0aXR1dGlvbk9wdGlvbiI6IkFMTE9XX0xPT1NFIn0sInNvdXJjZVByb3ZlbmFuY2UiOnsicmVzb2x2ZWRHaXRTb3VyY2UiOnsicmV2aXNpb24iOiIyN2VjYWY2N2JlOGVjN2Y4NTcxYjc1NTUzNzE1YmMwNWYzYTcwMjJjIiwidXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL2ZsdXR0ZXIvY29jb29uLmdpdCJ9fSwic3RlcHMiOlt7ImFyZ3MiOlsiY2xvdWRfYnVpbGQvZGFzaGJvYXJkX2J1aWxkLnNoIl0sImVudHJ5cG9pbnQiOiIvYmluL2Jhc2giLCJuYW1lIjoidXMtZG9ja2VyLnBrZy5kZXYvZmx1dHRlci1kYXNoYm9hcmQvZmx1dHRlci9mbHV0dGVyIiwicHVsbFRpbWluZyI6eyJlbmRUaW1lIjoiMjAyMy0wOC0yOFQxNzoyNDoyNy4zNjAxNjEzODZaIiwic3RhcnRUaW1lIjoiMjAyMy0wOC0yOFQxNzoyMzo1MS41MTE3MzUwNTRaIn0sInN0YXR1cyI6IlNVQ0NFU1MiLCJ0aW1pbmciOnsiZW5kVGltZSI6IjIwMjMtMDgtMjhUMTc6Mjc6MDYuNDQ4MTU2NDA4WiIsInN0YXJ0VGltZSI6IjIwMjMtMDgtMjhUMTc6MjM6NTEuNTExNzM1MDU0WiJ9fSx7ImFyZ3MiOlsiYnVpbGQiLCItdCIsInVzLWRvY2tlci5wa2cuZGV2L2ZsdXR0ZXItZGFzaGJvYXJkL2FwcGVuZ2luZS9kZWZhdWx0LnZlcnNpb24tMjdlY2FmNiIsImFwcF9kYXJ0Il0sIm5hbWUiOiJ1cy1kb2NrZXIucGtnLmRldi9jbG91ZC1idWlsZGVycy9nYS92MS9kb2NrZXIiLCJwdWxsVGltaW5nIjp7ImVuZFRpbWUiOiIyMDIzLTA4LTI4VDE3OjI3OjIyLjUwNzg3NjA0NFoiLCJzdGFydFRpbWUiOiIyMDIzLTA4LTI4VDE3OjI3OjA2LjQ0ODI0MzE2MFoifSwic3RhdHVzIjoiU1VDQ0VTUyIsInRpbWluZyI6eyJlbmRUaW1lIjoiMjAyMy0wOC0yOFQxNzoyNzo1Ni4yNDEzNjIyMzVaIiwic3RhcnRUaW1lIjoiMjAyMy0wOC0yOFQxNzoyNzowNi40NDgyNDMxNjBaIn19LHsiYXJncyI6WyItYyIsImdjbG91ZCBidWlsZHMgc3VibWl0IFxcXG4gIC0tY29uZmlnIGFwcF9kYXJ0L2Nsb3VkYnVpbGRfYXBwX2RhcnRfZGVwbG95LnlhbWwgXFxcbiAgLS1zdWJzdGl0dXRpb25zPVwiU0hPUlRfU0hBPTI3ZWNhZjZcIiBcXFxuICAtLWFzeW5jIl0sImVudHJ5cG9pbnQiOiIvYmluL2Jhc2giLCJuYW1lIjoiZ2NyLmlvL2Nsb3VkLWJ1aWxkZXJzL2djbG91ZCIsInB1bGxUaW1pbmciOnsiZW5kVGltZSI6IjIwMjMtMDgtMjhUMTc6Mjc6NTYuMjQ0MjMxNTcxWiIsInN0YXJ0VGltZSI6IjIwMjMtMDgtMjhUMTc6Mjc6NTYuMjQxNDk4Njc1WiJ9LCJzdGF0dXMiOiJTVUNDRVNTIiwidGltaW5nIjp7ImVuZFRpbWUiOiIyMDIzLTA4LTI4VDE3OjI4OjA3Ljc4OTM2NTAwMloiLCJzdGFydFRpbWUiOiIyMDIzLTA4LTI4VDE3OjI3OjU2LjI0MTQ5ODY3NVoifX1dLCJzdWJzdGl0dXRpb25zIjp7IkJSQU5DSF9OQU1FIjoibWFpbiIsIkNPTU1JVF9TSEEiOiIyN2VjYWY2N2JlOGVjN2Y4NTcxYjc1NTUzNzE1YmMwNWYzYTcwMjJjIiwiUkVGX05BTUUiOiJtYWluIiwiUkVQT19GVUxMX05BTUUiOiJmbHV0dGVyL2NvY29vbiIsIlJFUE9fTkFNRSI6ImNvY29vbiIsIlJFVklTSU9OX0lEIjoiMjdlY2FmNjdiZThlYzdmODU3MWI3NTU1MzcxNWJjMDVmM2E3MDIyYyIsIlNIT1JUX1NIQSI6IjI3ZWNhZjYiLCJUUklHR0VSX0JVSUxEX0NPTkZJR19QQVRIIjoiYXBwX2RhcnQvY2xvdWRidWlsZF9hcHBfZGFydC55YW1sIiwiVFJJR0dFUl9OQU1FIjoiY29jb29uLWFwcC1kYXJ0In19LCJlbnRyeVBvaW50IjoiYXBwX2RhcnQvY2xvdWRidWlsZF9hcHBfZGFydC55YW1sIiwidHlwZSI6Imh0dHBzOi8vY2xvdWRidWlsZC5nb29nbGVhcGlzLmNvbS9DbG91ZEJ1aWxkWWFtbEB2MC4xIn19LCJzdWJqZWN0IjpbeyJkaWdlc3QiOnsic2hhMjU2IjoiN2M4YTcxYTg0M2VlMTI4ZmY0YmFhZGFiM2EwNTA3NmQwN2ZmYjhkNDdkOGFmZmM3NTlhODdhNjBiMWQ5MTUzYyJ9LCJuYW1lIjoiaHR0cHM6Ly91cy1kb2NrZXIucGtnLmRldi9mbHV0dGVyLWRhc2hib2FyZC9hcHBlbmdpbmUvZGVmYXVsdC52ZXJzaW9uLTI3ZWNhZjYifSx7ImRpZ2VzdCI6eyJzaGEyNTYiOiI3YzhhNzFhODQzZWUxMjhmZjRiYWFkYWIzYTA1MDc2ZDA3ZmZiOGQ0N2Q4YWZmYzc1OWE4N2E2MGIxZDkxNTNjIn0sIm5hbWUiOiJodHRwczovL3VzLWRvY2tlci5wa2cuZGV2L2ZsdXR0ZXItZGFzaGJvYXJkL2FwcGVuZ2luZS9kZWZhdWx0LnZlcnNpb24tMjdlY2FmNjpsYXRlc3QifV19",
          "payloadType": "application/vnd.in-toto+json",
          "signatures": [
            {
              "keyid": "projects/verified-builder/locations/global/keyRings/attestor/cryptoKeys/provenanceSigner/cryptoKeyVersions/1",
              "sig": "MEUCIQCnJrSetTPwk4zcHzEZZnLFEw7W_eylt0q4oYtYdAPZ6gIgU9yRbp2LVJdgdUCctjZQ9sI6KWtePKR1874znbJm7Lc="
            },
            {
              "keyid": "projects/verified-builder/locations/global/keyRings/attestor/cryptoKeys/builtByGCB/cryptoKeyVersions/1",
              "sig": "MEQCICj83i8WH-DCqMBcuqriymqii0bt1Ecwtz62hjgRNyA6AiBoIG8cC0ixb0Ro6Ge-yhBUWx7qHWslyGhw4I6S4xVfUw=="
            }
          ]
        },
        "kind": "BUILD",
        "name": "projects/flutter-dashboard/occurrences/7d301c29-20b0-465a-8c95-f81c7e8de751",
        "noteName": "projects/verified-builder/notes/intoto_22237782-5a12-46fd-a753-1fc36ca79818",
        "resourceUri": "https://us-docker.pkg.dev/flutter-dashboard/appengine/default.version-27ecaf6@sha256:7c8a71a843ee128ff4baadab3a05076d07ffb8d47d8affc759a87a60b1d9153c",
        "updateTime": "2023-08-28T17:28:18.356251Z"
      }
    ]
  }
}

@laurentsimon
Copy link
Contributor

Thanks. Taking a look.

@laurentsimon
Copy link
Contributor

laurentsimon commented Aug 28, 2023
edited
Loading

@godofredoc is correct. The text provenance and the payload's provenance don't match. Patching the text provenance with:

"sourceProvenance": {
          "resolvedGitSource": {
            "revision": "27ecaf67be8ec7f8571b75553715bc05f3a7022c",
            "url": "https://github.com/flutter/cocoon.git"
          }
        },

makes the verification pass. Let's create a bug on GCB side to ask why this inconsistency is happening.

@laurentsimon
Copy link
Contributor

Here's a patch you can use temporarily (it assumes there's a single v0.1 provenance, which may soon change with v1.0 release at Cloud Next):

gcloud artifacts docker images describe $DOCKER_IMAGE_URL --show-provenance --format json > tmp.json
val=$(cat tmp.json | jq -r '.provenance_summary.provenance[0].envelope.payload' | base64 -d | jq '.predicate.recipe.arguments.sourceProvenance')
cat tmp.json | jq ".provenance_summary.provenance[0].build.intotoStatement.slsaProvenance.recipe.arguments.sourceProvenance = ${val}" > provenance.json
slsa-verifier ... --provenance-path provenance.json ...

@godofredoc
Copy link
Author

Thank you @laurentsimon for the workaround. I'll implement it in the flutter workflow to unblock the validation.

@ramonpetgrave64
Copy link
Contributor

@godofredoc It's been about a year. Is this still an issue for you?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area:gcb Issue with the gcb verifier type:bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@ianlewis @ramonpetgrave64 @godofredoc @laurentsimon @drewroengoogle