[bug] Standard discrepancy: buildInvocationId versus buildInvocationID
#3876
Comments
woodruffw
added
status:triage
|
Thanks for reporting this. It seems like a go-style initialism that we've mistakenly enforced. I'm a bit surprised we're not seeing compatibility errors between the generators and slsa-verifier. I'd like to address this soon, but is it currently causing difficulties for you? |
Not difficulties per se, but we noticed it while adding SLSA predicate handling to In particular, we currently have a manual alias for the non-compliant field name here: |
|
(We'd ideally ship SLSA predicate support in sigstore-python without that hack, but I'm not sure if that's a good idea or not -- I suppose it would depend on how widely used this action is, and whether others are similarly assuming that this field is spelled as |
|
Lots of folks are using older versions of the generic generator, so it could be wiser for you to maintain backwards compatibility for preexisting provenances. But first, is the new functionality you're adding to sigstore-python to be able to both generate and verify signed Sigstore bundles that have SLSA provenance statements (what I think you call DSSE statements)? Currently the generic generator does not produce Sigstore bundles, only signed DSSE envelopes that wrap the provenances statements, which still use fulcio certificates for signing. slsa-verifier would do online lookups for more verification procedures. We have a pending change to make the generic generator produce sigstore bundles, so I perhaps I should also fix the this initialism issue before we release that change. If sigstore-python's verification is only meant to work with sigstore-bundles, and the generic generator does not yet produce sigstore bundles, do you still need the alias? |
That would be great!
Ah, true -- I think we observed this while looking for samples to check our the inner SLSA payload validation against, but we indeed won't ever directly consume the outputs of this action. So yeah, unless I'm missing something, we don't actually need the alias. (CCing @facutuesca to confirm) |
Is there any workflow where a user would want to generate a sigstore bundle using the predicate inside the DSSE envelope generated by this action? The verification where we found this issue is not the usual bundle verification, but rather a validation we run when generating sigstore bundles with DSSE envelopes. For that, the user needs to specify an artifact and a predicate: Then sigstore validates that So if a user trying to generate a bundle with this action's output's predicate is something we don't expect to happen, then yeah, we don't need the alias in |
I suspect not -- people using this action are probably passing the output around as-is, not reconstituting it into another bundle format 🙂 So yeah, it sounds like we should drop our alias. |
…orkflows (#3777) # Summary fixes #3750 pending slsa-framework/slsa-verifier#799 Changes the internal go code to produce Sigstore Bundles, instead of only signed DSSE envelopes. This means that the generic generator and go builder workflows now produce Sigstore Bundles, just like the other BYOB-type workflows. ## Testing Process Testing done on a previous commit with a test workflow. It's using a slightly modified slsa-verifier that respects sls-aw workflows from non-main branches. - https://github.com/slsa-framework/slsa-github-generator/actions/runs/10425271660 ## Followup [ ] Produce the provenance in v1 format, rather than the current v0.2 format. [ ] fix initialism of `[build]invocationID` to `[build]invocationId` #3876 ## Checklist - [x] Review the contributing [guidelines](https://github.com/slsa-framework/slsa-github-generator/blob/main/CONTRIBUTING.md) - [x] Add a reference to related issues in the PR description. - [x] Update documentation if applicable. - [x] Add unit tests if applicable. - [x] Add changes to the [CHANGELOG](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) if applicable. --------- Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com> Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com> Signed-off-by: Mend Renovate <bot@renovateapp.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Mend Renovate <bot@renovateapp.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
My colleague @facutuesca observed this bug with the
generator_generic_slsa3.ymlaction.Describe the bug
In SLSA 0.1 and 0.2,
buildInvocationIdis spelled with a lowercase "d":Similarly, it's spelled with a lowercase "d" in 1.0, where it's renamed to
invocationId:However,
generator_generic_slsa3.yml@2.0.0appears to generate0.2provenance objects withbuildInvocationID(capital 'D') instead.An example of this can be seen in
sigstore-python's release artifacts, e.g. our intoto provenance for v3.2.0:https://github.com/sigstore/sigstore-python/releases/download/v3.2.0/provenance-sigstore-v3.2.0.intoto.jsonl
when the
payloadis decoded, we can see that it's av0.2Provenance with the mis-spelledmetadata.buildInvocationID. Excerpted below:I've also attached the full SLSA provenance as a file to this report: slsa.json
To Reproduce
To reproduce, use the latest version of
generator_generic_slsa3.yml(2.0.0) in a workflow, like so:(Not all of these options may be necessary; that's exactly how they appear in sigstore-python's CI, which observed this behavior.)
Expected behavior
I expected
buildInvocationIDto be spelled asbuildInvocationId, for consistency with the SLSA provenance spec.Additional context
None!
The text was updated successfully, but these errors were encountered: