Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[feature] [docker] Use secure-upload for the build/provenance artifact folder #1655

Open
asraa opened this issue Feb 15, 2023 · 2 comments
Open

[feature] [docker] Use secure-upload for the build/provenance artifact folder #1655

asraa opened this issue Feb 15, 2023 · 2 comments
Assignees
@asraa
Labels
area:docker-based Docker based builder (supplying a builder image and command) type:feature New feature or request
Milestone
Docker image base...

Comments

@asraa
Copy link
Collaborator

asraa commented Feb 15, 2023
edited
Loading

Is your feature request related to a problem? Please describe.
Follow-up from #1654

secure-upload doesn't seem to support folders (seems to read file on the folder) to compute the sha256)

This would be a nice feature for robustness to have, but if the artifact folder was tampered with, verification would fail anyway. The provenance folder has integrity from signing.
@asraa asraa added type:feature New feature or request status:triage Issue that has not been triaged labels Feb 15, 2023
@asraa
Copy link
Collaborator Author

asraa commented Feb 15, 2023

Maybe I can validate the outputs when downloading them with the SLSA outputs or some other output.

@asraa asraa added area:docker-based Docker based builder (supplying a builder image and command) and removed status:triage Issue that has not been triaged labels Feb 15, 2023
@asraa
Copy link
Collaborator Author

asraa commented Feb 15, 2023

The idea here is that the build job produces a number of artifacts based on the artifact_path that may contain wildcards in the configuration input.

The build job currently uploads to a path like /tmp/build-outputs-RNG, which get uploaded to the registry as build-outputs-RNG. In a later step, we will want to include uploading the build to a release or configured tag name. At that step, we will want to ensure that the outputs haven't been tampered by a different job. We could validate this against the slsa-layout, OR use a secure-upload/download-secure

@asraa asraa self-assigned this Mar 9, 2023
@laurentsimon laurentsimon mentioned this issue Mar 21, 2023
Merged
@asraa asraa mentioned this issue Mar 22, 2023
Open
@asraa asraa changed the title [feature] [docker] Use secure-upload for the build artifact folder [feature] [docker] Use secure-upload for the build/provenance artifact folder Mar 31, 2023
@rbehjati rbehjati mentioned this issue Apr 3, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@asraa asraa

Labels
area:docker-based Docker based builder (supplying a builder image and command) type:feature New feature or request
Projects
None yet
Milestone
Docker image based builds for arbitra...
Development

No branches or pull requests
2 participants
@asraa @laurentsimon