From be46ed7bb0902a99935b95d11cec13f5dc58710c Mon Sep 17 00:00:00 2001 From: Thilo Fromm Date: Wed, 22 Jun 2022 14:55:11 +0200 Subject: [PATCH 01/12] profiles/coreos/base/profile.bashrc: SLSA provenance reports This change adds initial support for SLSA provenance report generation. Reports are generated in package build post-install hooks after compilation. See https://slsa.dev/ for SLSA and https://slsa.dev/provenance/v0.2 for the provenance report syntax. Signed-off-by: Thilo Fromm --- .../profiles/coreos/base/profile.bashrc | 3 + .../base/profile.bashrc.slsa-provenance | 181 ++++++++++++++++++ 2 files changed, 184 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc index 4364514f5b..559985a71e 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc @@ -94,6 +94,9 @@ cros_pre_pkg_setup_sysroot_build_bin_dir() { PATH+=":${CROS_BUILD_BOARD_BIN}" } +# Source hooks for SLSA build provenance report generation +source "${BASH_SOURCE[0]}.slsa-provenance" + # Insert our sysroot wrappers into the path SYSROOT_WRAPPERS_BIN="/usr/lib64/sysroot-wrappers/bin" if [[ "$PATH" != *"$SYSROOT_WRAPPERS_BIN"* ]]; then diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance new file mode 100644 index 0000000000..8c0200d1dc --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance 
@@ -0,0 +1,181 @@ +# Build provenance hooks +# ====================== +# The functions below hook into every ebuild's execution and generate provenance files +# to meet the SLSA provenance requirements (https://slsa.dev/spec/v0.1/requirements#available). +# All input files (source tarball / git commit hash) plus added patches / files, +# and all resulting installation binaries and files are captured. +# The information is emitted in SLSA provenance 0.2 format (see https://slsa.dev/provenance/v0.2) + + +# We only record provenance when a package is actually being built. +# See profiles/coreos/base/profile.bashrc for cros_... +cros_post_src_configure_enable_slsa_provenance_report() { + export __slsa_provenance_report="yes" +} +# -- + +# Generate SLSA provenance 0.2 Subject information. +# The information will cover all installation files shipped with a package. +__slsa_provenance_subject() { + local parallel="$(grep -cE '^processor' /proc/cpuinfo)" + local comma="" + + einfo " Provenance: recording subject (output)" + + echo ' "subject": [' + + ( + cd "$D" + find . -type f -print | sed 's:^./::' | xargs -P "$parallel" -L 1 sha512sum + ) | while read checksum filepath; do + echo -en "${comma} {\"name\":\"/$filepath\", \"digest\":{\"sha512\":\"$checksum\"}}" + if [ -z "$comma" ] ; then + comma=',\n' + fi + done + echo -en "\n ]" +} +# -- + +__slsa_provenance_materials() { + local csum="" uri="" repo="" ebuild="" + + local ebuilds_basedir="/mnt/host/source/src/third_party/" + local ebuild="${CATEGORY}/${PN}/${PF}.ebuild" + if [ -f "${ebuilds_basedir}/coreos-overlay/${ebuild}" ] ; then + repo="coreos-overlay" + elif [ -f "${ebuilds_basedir}/portage-stable/${ebuild}" ] ; then + repo="portage-stable" + else + eerror "SLSA provenance: Unable to detect ebuild repository for package '${ebuild}'" + exit 1 + fi + + einfo " Provenance: recording ebuild material (input) '${repo}/${ebuild}'" + echo ' "materials": [' + + # The ebuild. 
Since "configSource" in "invocation" cannot have more than one (top/level) entry + # we add the ebuild and git repo checksum here, as a material. + csum="$(cat "/mnt/host/source/src/scripts/.git/modules/sdk_container/src/third_party/${repo}/ORIG_HEAD")" + uri="git+https://github.com/flatcar-linux/${repo}.git/${ebuild}" + echo -e " { \"uri\": \"${uri}\"," + echo -n " \"digest\": {\"sha1\":\"${csum}\"} }" + + # The main sources + if [ -n "${A}" ] ; then + # Package is built from downloaded source tarball(s) + # There can be multiple, and can be used conditionally based on use flags, + # and even replaced with different local names ("http://... -> othername.tgz"). So + # we go through what's actually used ($A), then find the corresponding source URI. + local src="" prev_uri="" rename="false" orig_name="" + for src in ${A}; do + local found="false" + for uri in ${SRC_URI}; do + if [ "${uri}" = "->" ] ; then + rename="true" + continue + fi + if [ "${src}" = "$(basename "${uri}")" ] ; then + orig_name="${src}" + if [ "${rename}" = "true" ] ; then + uri="${prev_uri}" + orig_name="$(basename "${uri}")" + fi + einfo " Provenance: recording tarball material (input) '${src}' ('${orig_name}')" + csum="$(sha512sum "${DISTDIR}/${src}" | cut -d' ' -f1)" + echo -e ",\n { \"uri\": \"${uri}\"," + echo -n " \"digest\": {\"sha512\":\"${csum}\"} }" + found="true" + fi + rename="false" + prev_uri="${uri}" + done + if [ "${found}" != "true" ] ; then + eerror "No SRC_URI found for source '${src}', unable to record provenance!" 
+ exit 1 + fi + done + elif [ -n "${EGIT_REPO_URI:-}" ] ; then + # package is built from repo checkout (git) + einfo " Provenance: recording GIT material (input) '${EGIT_REPO_URI}'" + csum="${EGIT_COMMIT}" + uri="${EGIT_REPO_URI}" + echo -e ",\n { \"uri\": \"${uri}\"," + echo -n " \"digest\": {\"sha1\":\"$csum\"} }" + fi + + # Patches / files shipped with the ebuild (if any) + uri="git+https://github.com/flatcar-linux/${repo}.git/${CATEGORY}/${PN}/files" + csum="$(cat "/mnt/host/source/src/scripts/.git/modules/sdk_container/src/third_party/${repo}/ORIG_HEAD")" + if [ -d "${FILESDIR}" ] ; then + for file in $(cd "$FILESDIR" && find . -type f | sed 's:^./::') ; do + einfo " Provenance: recording ebuild material (input) '${file}'" + echo -e ",\n { \"uri\": \"${uri}/${file}\"," + echo -n " \"digest\": {\"sha1\":\"$csum\"} }" + done + fi + + echo -ne '\n ]' +} +# -- + +__slsa_provenance_report() { + local scripts_hash="$(cat "/mnt/host/source/src/scripts/.git/ORIG_HEAD")" + local buildcmd="emerge" + # extract board from e.g. '/build/amd64-usr/build'. Empty if no board is set (SDK build). + local board="$(echo "${CROS_BUILD_BOARD_TREE:-}" | sed -n 's:^/build/\([^/]\+\)/.*:\1:p')" + if [ -n "$board" ] ; then + buildcmd="emerge-${board}" + fi + + # FIXME: Supply SDK image ID and sha256 digest along with the version tag + local sdk_version="$(source /mnt/host/source/.repo/manifests/version.txt; echo ${FLATCAR_SDK_VERSION})" + + # FIXME: add builder ID +cat < "${T}/${report_file}" + + mkdir -p "${dest_dir}" + mv "${T}/${report_file}" "${dest_dir}" +} From d86d5ebe3f56a4000f26673311a81aa5e779a532 Mon Sep 17 00:00:00 2001 From: Thilo Fromm Date: Mon, 11 Jul 2022 09:25:03 +0200 Subject: [PATCH 02/12] slsa-provenance: make generation optional --- .../profiles/coreos/base/profile.bashrc.slsa-provenance | 3 +++ 1 file changed, 3 insertions(+) 
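Review bot: The subject list emitted by `__slsa_provenance_subject` is not safe against the installed file names it records: `find -print | xargs -L 1` splits on whitespace, `read checksum filepath` without `-r` eats backslashes, and the name is pasted into the JSON through `echo -en` unescaped, so a file name containing a quote, backslash or newline can produce an invalid report or extra fields inside a subject entry — for a provenance artifact that is an integrity problem, not a cosmetic one. The rewrite below walks the files NUL-delimited, sorts with `LC_ALL=C` so the order is reproducible, and lets `jq --arg` do the string escaping (jq is already used by this series); the rest of the file is unchanged. The `cat` heredoc that emits the report body is truncated in this rendering, so it was not reviewed.
```shell
__slsa_provenance_subject() {
    local filepath="" checksum="" comma=""

    einfo " Provenance: recording subject (output)"
    echo ' "subject": ['

    # NUL-delimited walk so names with spaces or newlines stay intact;
    # LC_ALL=C sort keeps the subject order reproducible across hosts.
    while IFS= read -r -d '' filepath; do
        checksum="$(sha512sum -- "${D}/${filepath}")"
        checksum="${checksum%% *}"
        # jq performs the JSON string escaping that echo -e cannot.
        printf '%s    ' "${comma}"
        jq -cn --arg name "/${filepath}" --arg sum "${checksum}" \
            '{name: $name, digest: {sha512: $sum}}'
        comma=','
    done < <(cd "${D}" && find . -type f -print0 | sed -z 's:^\./::' | LC_ALL=C sort -z)
    printf ' ]'
}
# … unchanged: __slsa_provenance_materials, __slsa_provenance_report, install hook …
```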
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance index 8c0200d1dc..81186cb450 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance @@ -10,6 +10,9 @@ # We only record provenance when a package is actually being built. # See profiles/coreos/base/profile.bashrc for cros_... cros_post_src_configure_enable_slsa_provenance_report() { + if [ "${GENERATE_SLSA_PROVENANCE:-}" != "true" ] ; then + einfo "Provenance generation not requested by build; skipping." + fi export __slsa_provenance_report="yes" } # -- From 7bd2f19facfc2806dc6ce1d5218e8a124a1e7940 Mon Sep 17 00:00:00 2001 From: jenkins Date: Wed, 13 Jul 2022 11:37:40 +0000 Subject: [PATCH 03/12] profiles/coreos/base: slsa: use portageq to find repository path This makes the lookup work within the catalyst chroot, as well as in the SDK. --- .../profiles/coreos/base/profile.bashrc.slsa-provenance | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance index 81186cb450..376f9e1278 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance 
@@ -43,11 +43,10 @@ __slsa_provenance_subject() { __slsa_provenance_materials() { local csum="" uri="" repo="" ebuild="" - local ebuilds_basedir="/mnt/host/source/src/third_party/" local ebuild="${CATEGORY}/${PN}/${PF}.ebuild" - if [ -f "${ebuilds_basedir}/coreos-overlay/${ebuild}" ] ; then + if [ -f "$(portageq get_repo_path ${ROOT:-/} coreos)/${ebuild}" ] ; then repo="coreos-overlay" - elif [ -f "${ebuilds_basedir}/portage-stable/${ebuild}" ] ; then + elif [ -f "$(portageq get_repo_path ${ROOT:-/} portage-stable)/${ebuild}" ] ; then repo="portage-stable" else eerror "SLSA provenance: Unable to detect ebuild repository for package '${ebuild}'" From 39f1d45dffbc51a8419d61a4b5e6f36584fb0760 Mon Sep 17 00:00:00 2001 From: jenkins Date: Tue, 19 Jul 2022 16:29:06 +0000 Subject: [PATCH 04/12] profiles/coreos/base: slsa: return when disabled and use die() --- .../profiles/coreos/base/profile.bashrc.slsa-provenance | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance index 376f9e1278..384e14d542 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance @@ -12,6 +12,7 @@ cros_post_src_configure_enable_slsa_provenance_report() { if [ "${GENERATE_SLSA_PROVENANCE:-}" != "true" ] ; then einfo "Provenance generation not requested by build; skipping." + return 0 fi export __slsa_provenance_report="yes" } 
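Review bot: The two new `portageq get_repo_path ${ROOT:-/} …` substitutions in the `if`/`elif` conditions are unchecked and `${ROOT:-/}` is unquoted; if portageq fails or prints nothing, the test silently degrades to `-f "/${ebuild}"` against the root filesystem and the fall-through "Unable to detect ebuild repository" error hides the real cause. Capture the path once, quoted and checked: `local repopath; repopath="$(portageq get_repo_path "${ROOT:-/}" coreos)" || die "SLSA provenance: portageq get_repo_path failed"`. The later [PATCH 10/12] restructures this code around a `repopath` variable but keeps the same unchecked, unquoted form. `__slsa_provenance_materials` continues past the end of this hunk.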
@@ -49,8 +50,7 @@ __slsa_provenance_materials() { elif [ -f "$(portageq get_repo_path ${ROOT:-/} portage-stable)/${ebuild}" ] ; then repo="portage-stable" else - eerror "SLSA provenance: Unable to detect ebuild repository for package '${ebuild}'" - exit 1 + die "SLSA provenance: Unable to detect ebuild repository for package '${ebuild}'" fi einfo " Provenance: recording ebuild material (input) '${repo}/${ebuild}'" @@ -93,8 +93,7 @@ __slsa_provenance_materials() { prev_uri="${uri}" done if [ "${found}" != "true" ] ; then - eerror "No SRC_URI found for source '${src}', unable to record provenance!" - exit 1 + die "No SRC_URI found for source '${src}', unable to record provenance!" fi done elif [ -n "${EGIT_REPO_URI:-}" ] ; then From 91b64a5587745949497163ce0cc6f1b9b283ee37 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 26 Jul 2022 13:18:04 +0200 Subject: [PATCH 05/12] profile/coreos/base: slsa: remove name collision between variable and function __slsa_provenance_report is both a variable and a function, which is confusing. Rename the variable. --- .../profiles/coreos/base/profile.bashrc.slsa-provenance | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance index 384e14d542..bdfcc63e12 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance @@ -14,7 +14,7 @@ cros_post_src_configure_enable_slsa_provenance_report() { einfo "Provenance generation not requested by build; skipping." return 0 fi - export __slsa_provenance_report="yes" + export generate_slsa_provenance_report="yes" } # -- 
@@ -167,7 +167,7 @@ EOF # -- cros_post_src_install_generate_slsa_provenance_report() { - if [ "${__slsa_provenance_report:-no}" != "yes" ] ; then + if [ "${generate_slsa_provenance_report:-no}" != "yes" ] ; then return fi From d211a2b16889e0a470e913feff3f66831569592d Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 26 Jul 2022 13:19:05 +0200 Subject: [PATCH 06/12] profile/core/base: slsa: use nproc instead of parsing /proc/cpuinfo --- .../profiles/coreos/base/profile.bashrc.slsa-provenance | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance index bdfcc63e12..1f4fb70afd 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance @@ -21,7 +21,7 @@ cros_post_src_configure_enable_slsa_provenance_report() { # Generate SLSA provenance 0.2 Subject information. # The information will cover all installation files shipped with a package. __slsa_provenance_subject() { - local parallel="$(grep -cE '^processor' /proc/cpuinfo)" + local parallel="$(nproc)" local comma="" einfo " Provenance: recording subject (output)" From 1a0f396be4150ef9d84f45c506f6c401984318c3 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 26 Jul 2022 13:19:28 +0200 Subject: [PATCH 07/12] profile/coreos/base: slsa: switch to bz2 compression for consistency ...and remove redundant mkdir. Mkdir is already called with the same argument a couple of lines lower. --- .../profiles/coreos/base/profile.bashrc.slsa-provenance | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance index 1f4fb70afd..b29949c1cd 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance @@ -171,11 +171,10 @@ cros_post_src_install_generate_slsa_provenance_report() { return fi - mkdir -p "$D/usr/share/SLSA/" - local report_file="${CATEGORY}_${PF}.json.xz" + local report_file="${CATEGORY}_${PF}.json.bz2" local dest_dir="${D}/usr/share/SLSA/" - __slsa_provenance_report | xz -9cz > "${T}/${report_file}" + __slsa_provenance_report | lbzip2 -9cz > "${T}/${report_file}" mkdir -p "${dest_dir}" mv "${T}/${report_file}" "${dest_dir}" From b1ce3800a534843175af7a69467605a5a6af0a16 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 26 Jul 2022 13:20:16 +0200 Subject: [PATCH 08/12] profiles/coreos/base: slsa: sort file checksums by name --- .../profiles/coreos/base/profile.bashrc.slsa-provenance | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance index b29949c1cd..83eaba0089 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance 
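Review bot: The replaced pipeline `__slsa_provenance_report | lbzip2 -9cz > "${T}/${report_file}"` still carries no status check: without `pipefail` the statement's status is lbzip2's alone, and even that is ignored, so a failing generator or a missing `lbzip2` binary in the chroot leaves a truncated or empty report that the following `mv` installs as if it were valid. Check every stage right after the pipeline, e.g. `[[ "${PIPESTATUS[*]}" == "0 0" ]] || die "SLSA provenance report generation failed"`. The same applies to [PATCH 12/12], which inserts `jq` into this pipeline and with it a third status to check. Whether lbzip2 is guaranteed to be present in every build environment this hook runs in cannot be told from the change itself.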
@@ -30,7 +30,7 @@ __slsa_provenance_subject() { ( cd "$D" - find . -type f -print | sed 's:^./::' | xargs -P "$parallel" -L 1 sha512sum + find . -type f -print | sed 's:^./::' | xargs -P "$parallel" -L 1 sha512sum | sort -k2 ) | while read checksum filepath; do echo -en "${comma} {\"name\":\"/$filepath\", \"digest\":{\"sha512\":\"$checksum\"}}" if [ -z "$comma" ] ; then From fbdbd1ac19f8f04dfc3733ae890ebed778da4614 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 26 Jul 2022 13:21:05 +0200 Subject: [PATCH 09/12] profiles/coreos/base: slsa: revise material uri to match SPDXDownloadLocation spec If the uri points to a path within the repo then the format is git+https://repo@ref#path. ORIG_HEAD is actually the previous HEAD, so read use that to extract the correct ref. --- .../coreos/base/profile.bashrc.slsa-provenance | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance index 83eaba0089..0c20ba7bf9 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance @@ -58,8 +58,8 @@ __slsa_provenance_materials() { # The ebuild. Since "configSource" in "invocation" cannot have more than one (top/level) entry # we add the ebuild and git repo checksum here, as a material. - csum="$(cat "/mnt/host/source/src/scripts/.git/modules/sdk_container/src/third_party/${repo}/ORIG_HEAD")" - uri="git+https://github.com/flatcar-linux/${repo}.git/${ebuild}" + csum="$(cat "/mnt/host/source/src/scripts/.git/modules/sdk_container/src/third_party/${repo}/HEAD")" + uri="git+https://github.com/flatcar-linux/${repo}.git@${csum}#${ebuild}" echo -e " { \"uri\": \"${uri}\"," echo -n " \"digest\": {\"sha1\":\"${csum}\"} }" 
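Review bot: `sort -k2` on the sha512sum output is locale dependent, so two builds of the same package under different `LC_*` settings can order the subject list differently, which is a reproducibility issue for a provenance document. Use `LC_ALL=C sort -k2` to get byte-wise ordering regardless of environment. The enclosing function `__slsa_provenance_subject` continues outside the hunk.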
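Review bot: `csum` is read straight from `.git/modules/…/${repo}/HEAD`, which holds a commit hash only in a detached-HEAD checkout; on a branch it holds `ref: refs/heads/…`, and that string then lands in both the `@${csum}` part of the uri and the `sha1` digest, where it will not validate. The later [PATCH 11/12] resolves a symbolic ref for the scripts repository but not for the submodule HEAD read here and again in the files hunk of this same patch. Apply the same resolution here, e.g. `[[ "${csum}" == "ref:"* ]] && csum="$(cat "${moduledir}/${csum#ref: }")"` with `moduledir` holding the module's git directory, keeping in mind that a packed ref has no loose file to read. `__slsa_provenance_materials` continues outside the hunk.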
@@ -106,10 +106,12 @@ __slsa_provenance_materials() { fi # Patches / files shipped with the ebuild (if any) - uri="git+https://github.com/flatcar-linux/${repo}.git/${CATEGORY}/${PN}/files" - csum="$(cat "/mnt/host/source/src/scripts/.git/modules/sdk_container/src/third_party/${repo}/ORIG_HEAD")" + csum="$(cat "/mnt/host/source/src/scripts/.git/modules/sdk_container/src/third_party/${repo}/HEAD")" + uri="git+https://github.com/flatcar-linux/${repo}.git@${csum}#${CATEGORY}/${PN}/files" if [ -d "${FILESDIR}" ] ; then for file in $(cd "$FILESDIR" && find . -type f | sed 's:^./::') ; do + csum="$(sha1sum - <"${FILESDIR}/${file}")" + csum="${csum%% *}" einfo " Provenance: recording ebuild material (input) '${file}'" echo -e ",\n { \"uri\": \"${uri}/${file}\"," echo -n " \"digest\": {\"sha1\":\"$csum\"} }" From 113de2ac757077b1861bd8296325067f87770132 Mon Sep 17 00:00:00 2001 From: jenkins Date: Tue, 26 Jul 2022 11:50:38 +0000 Subject: [PATCH 10/12] profiles/coreos/base: slsa: compute ebuild file checksum for materials entry --- .../coreos/base/profile.bashrc.slsa-provenance | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance index 0c20ba7bf9..1859c4eb69 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance 
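Review bot: `for file in $(cd "$FILESDIR" && find . -type f | sed …)` word-splits the file list, so a patch file whose name contains whitespace is recorded as several bogus materials, and `find` yields directory order, so the materials list is not reproducible across hosts. Iterate NUL-delimited and sorted instead: `while IFS= read -r -d '' file; do … done < <(cd "${FILESDIR}" && find . -type f -print0 | sed -z 's:^\./::' | LC_ALL=C sort -z)`, with `"${file}"` quoted in the loop body. The per-file `sha1sum` is a digest of the file contents, not the git blob id a consumer would get by resolving `${uri}/${file}` at `@${csum}`; a one-line comment stating that next to the digest line would prevent a false mismatch report. The enclosing function continues outside the hunk.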
@@ -42,16 +42,24 @@ __slsa_provenance_subject() { # -- __slsa_provenance_materials() { - local csum="" uri="" repo="" ebuild="" + local csum="" uri="" repo="" ebuild="" ebuildcsum="" local ebuild="${CATEGORY}/${PN}/${PF}.ebuild" - if [ -f "$(portageq get_repo_path ${ROOT:-/} coreos)/${ebuild}" ] ; then + local repopath="$(portageq get_repo_path ${ROOT:-/} coreos)" + if [ -f "${repopath}/${ebuild}" ] ; then repo="coreos-overlay" - elif [ -f "$(portageq get_repo_path ${ROOT:-/} portage-stable)/${ebuild}" ] ; then - repo="portage-stable" + ebuildcsum=$(sha1sum - < "${repopath}/${ebuild}") else + repopath="$(portageq get_repo_path ${ROOT:-/} portage-stable)" + if [ -f "${repopath}/${ebuild}" ] ; then + repo="portage-stable" + ebuildcsum=$(sha1sum - < "${repopath}/${ebuild}") + fi + fi + if [ -z "${repo}" ]; then die "SLSA provenance: Unable to detect ebuild repository for package '${ebuild}'" fi + ebuildcsum=${ebuildcsum%% *} einfo " Provenance: recording ebuild material (input) '${repo}/${ebuild}'" echo ' "materials": [' @@ -61,7 +69,7 @@ __slsa_provenance_materials() { csum="$(cat "/mnt/host/source/src/scripts/.git/modules/sdk_container/src/third_party/${repo}/HEAD")" uri="git+https://github.com/flatcar-linux/${repo}.git@${csum}#${ebuild}" echo -e " { \"uri\": \"${uri}\"," - echo -n " \"digest\": {\"sha1\":\"${csum}\"} }" + echo -n " \"digest\": {\"sha1\":\"${ebuildcsum}\"} }" # The main sources if [ -n "${A}" ] ; then From d6077e928612161c3c76f301f438b9e9276deee5 Mon Sep 17 00:00:00 2001 
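Review bot: `ebuildcsum=$(sha1sum - < "${repopath}/${ebuild}")` records the SHA-1 of the ebuild's raw bytes, while the material's uri points at the same path `@${csum}` in git; a verifier that resolves the uri through git obtains the blob id, which is the SHA-1 of `"blob <size>\0" + contents` and therefore never equals this value. Either document the choice with `# sha1 of the ebuild file contents, not its git blob id` at the digest line, or hash the file the way git does so the two agree. The new `else`/inner-`if` nesting for portage-stable is also harder to follow than the original `elif`; a small `__slsa_find_ebuild_repo` helper returning `repo` and `repopath` would keep the function flat. `__slsa_provenance_materials` continues past the end of this hunk.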
From: jenkins Date: Tue, 26 Jul 2022 11:51:47 +0000 Subject: [PATCH 11/12] profiles/coreos/base: slsa: use .git/HEAD file to fetch scripts hash ORIG_HEAD is the previous HEAD, so it is not what we are after. HEAD only contains the hash if we are in a detached head situation, otherwise it will contain a ref and we need to resolve it. `git rev-parse HEAD` should work as well but hits an issue with git's new `safe.directory` setting, I have not found a way to set this parameter for a signle call. For toolchain packages are built with catalyst, and the HEAD value needs to pre-resolved because we do not have access to the whole git repository. So build_toolchains will need to inject the correct HEAD file contents. --- .../profiles/coreos/base/profile.bashrc.slsa-provenance | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance index 1859c4eb69..0a7849ba22 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance 
@@ -131,13 +131,16 @@ __slsa_provenance_materials() { # -- __slsa_provenance_report() { - local scripts_hash="$(cat "/mnt/host/source/src/scripts/.git/ORIG_HEAD")" + local scripts_hash="$(cat "/mnt/host/source/src/scripts/.git/HEAD")" local buildcmd="emerge" # extract board from e.g. '/build/amd64-usr/build'. Empty if no board is set (SDK build). local board="$(echo "${CROS_BUILD_BOARD_TREE:-}" | sed -n 's:^/build/\([^/]\+\)/.*:\1:p')" if [ -n "$board" ] ; then buildcmd="emerge-${board}" fi + if [[ "${scripts_hash}" == "ref:"* ]]; then + scripts_hash="$(cat /mnt/host/source/src/scripts/.git/${scripts_hash#ref: })" + fi # FIXME: Supply SDK image ID and sha256 digest along with the version tag local sdk_version="$(source /mnt/host/source/.repo/manifests/version.txt; echo ${FLATCAR_SDK_VERSION})" From 10cde6a11ad6bc5e53d702e2d7a856150c22c494 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Tue, 2 Aug 2022 17:04:23 +0200 Subject: [PATCH 12/12] profiles/coreos/base: slsa: format report before compression --- .../profiles/coreos/base/profile.bashrc.slsa-provenance | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance index 0a7849ba22..f6eb9ad981 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance @@ -187,7 +187,7 @@ cros_post_src_install_generate_slsa_provenance_report() { local report_file="${CATEGORY}_${PF}.json.bz2" local dest_dir="${D}/usr/share/SLSA/" - __slsa_provenance_report | lbzip2 -9cz > "${T}/${report_file}" + __slsa_provenance_report | jq | lbzip2 -9cz > "${T}/${report_file}" mkdir -p "${dest_dir}" mv "${T}/${report_file}" "${dest_dir}"
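Review bot: The added `ref:` resolution reads the loose ref file `.git/${scripts_hash#ref: }`, but refs are routinely packed into `.git/packed-refs` (after `git gc`, or in a fresh clone), in which case that file does not exist, `cat` fails, and `scripts_hash` silently becomes empty — the report then carries no builder source revision; the unquoted expansion also word-splits. Fall back to packed-refs and fail loudly when neither resolves, as below. As the commit message notes, catalyst toolchain builds still need a pre-resolved HEAD injected, and this fallback does not change that. `__slsa_provenance_report` continues past the end of this hunk.
```shell
    local gitdir="/mnt/host/source/src/scripts/.git"
    local scripts_hash="$(cat "${gitdir}/HEAD")"
    # … unchanged: buildcmd / board detection …
    if [[ "${scripts_hash}" == "ref:"* ]]; then
        local ref="${scripts_hash#ref: }"
        if [[ -f "${gitdir}/${ref}" ]]; then
            scripts_hash="$(cat "${gitdir}/${ref}")"
        else
            # Refs may be packed (git gc / fresh clone); look the ref up in packed-refs.
            scripts_hash="$(awk -v r="${ref}" '$2 == r { print $1 }' "${gitdir}/packed-refs" 2>/dev/null)"
        fi
        [[ -n "${scripts_hash}" ]] || die "SLSA provenance: unable to resolve scripts ${ref} to a commit"
    fi
```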