
feat: verify sourceURI for npm packages #521

Merged
merged 7 commits into from
Mar 10, 2023

Conversation

laurentsimon
Contributor

closes #492

Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
verifiers/internal/gcb/provenance.go
@@ -123,13 +125,17 @@ func verifySourceURI(prov slsaprovenance.Provenance, expectedSourceURI string, v
return nil
}

func sourceFromURI(uri string) (string, error) {
// NOTE: `allowNoRef` is to allow for verification of npm packages
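Review bot: the NOTE about `allowNoRef` is attached to `sourceFromURI(uri string) (string, error)`, whose signature in this hunk takes no `allowNoRef` parameter, so a reader cannot tell which check it relaxes or under what condition; move the comment to the code that actually consumes `allowNoRef` (the hunk header points at `verifySourceURI`, whose truncated parameter list begins with `v`) and spell out what is skipped when it is set, for example `// NOTE: allowNoRef skips the ref requirement for npm provenance only; tracked for removal after GA in #524`, so the relaxation stays visibly scoped to npm and is easy to find and remove later.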
Contributor
Should we set a tracking issue to remove this after GA?

laurentsimon (Contributor, Author) Mar 9, 2023

Good idea. I was hesitant because I don't know that we'll be able to remove it right away, since some provenance will have been generated with this code. Unless all the provenance generated before GA is considered "not prod ready" and the npm team removes it. Created #524.

Member

We can maybe only allow it for provenance created before a certain date? Or something like that?

Contributor

Yeah, I wonder about #524, and we can ask them when they go GA - I expect that is when they will stabilize.

Signed-off-by: laurentsimon <[email protected]>
laurentsimon and others added 2 commits March 10, 2023 08:22
Co-authored-by: Ian Lewis <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
@laurentsimon laurentsimon enabled auto-merge (squash) March 10, 2023 16:30
Signed-off-by: laurentsimon <[email protected]>
@laurentsimon laurentsimon merged commit ae38103 into slsa-framework:main Mar 10, 2023
ramonpetgrave64 pushed a commit to ramonpetgrave64/slsa-verifier that referenced this pull request Apr 18, 2024
Development

Successfully merging this pull request may close these issues.

[feature] Re-enable material URI verification
3 participants