Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[feature][BYOB] Allow TRW to generate predicate values #3660

Open
ianlewis opened this issue May 17, 2024 · 1 comment
Open

[feature][BYOB] Allow TRW to generate predicate values #3660

ianlewis opened this issue May 17, 2024 · 1 comment
Labels
area:BYOB An issue with the BYOB framework type:feature New feature or request

Comments

@ianlewis
Copy link
Member

For some ecosystems we will need to give the TRW the ability the affect the structure of the created SLSA predicate.
This is blocking SLSA v1.0 support for the Node.js builder (#2499)

This is how it works currently:

  1. The setup-generic actions creates a SLSA token in the context of the TRW
  2. The delegator workflow calls the verify-token action and this creates a SLSA predicate based on the token. it also returns a verified version of the SLSA token
  3. The generate-attestations action combines
    1. the predicate type (derived by the delegator workflow from the SLSA version set on the verified token)
    2. SLSA predicate created by verify-token
    3. subjects based on the layout returned by the callback action
  4. The sign-attestations actions takes the attestations returned by generate-attestations and signs each using sigstore.

Some potential solutions:

  1. TRWs can hook the generate-attestations step with their own implementation to alter the predicate created by verify-token before signing.
    • TRWs need to know how to generate the right layout from the generate-attestations step.
  2. A new optional step (update-attestation) is added between verify-token and generate-attestations that allows TRWs modify the predicate before signing. It takes the predicate from verify-token and outputs a new predicate.
    • Fairly straightforward for TRWs to implement.
    • Requires that the predicate generated by verify-token to be somewhat stable.
  3. verify-token doesn't generate a predicate but just outputs a verified SLSA token. A separate step is added to generate the predicate (generate-predicate) and TRWs can hook this action to generate their own predicate/buildType.
    • Fairly straightforward for TRWs to implement.
    • Requires that the verified SLSA token returned by verify-token to be somewhat stable.
@ianlewis ianlewis added type:feature New feature or request area:BYOB An issue with the BYOB framework labels May 17, 2024
@ianlewis
Copy link
Member Author

I'm kind of partial to 3 since that seems like the cleanest design and we can manage compatibility/stability of the token with the token version. Though I realize it would add some overhead to changes in the SLSA token that forces us to bump the version (and maybe do a full major version bump for the whole project) if the SLSA token version changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area:BYOB An issue with the BYOB framework type:feature New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ianlewis