From fbdbd1ac19f8f04dfc3733ae890ebed778da4614 Mon Sep 17 00:00:00 2001
From: Jeremi Piotrowski
Date: Tue, 26 Jul 2022 13:21:05 +0200
Subject: [PATCH] profiles/coreos/base: slsa: revise material uri to match SPDXDownloadLocation spec

If the uri points to a path within the repo then the format is git+https://repo@ref#path. ORIG_HEAD is actually the previous HEAD, so read use that to extract the correct ref.
---
 .../coreos/base/profile.bashrc.slsa-provenance | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance
index 83eaba0089..0c20ba7bf9 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/profile.bashrc.slsa-provenance
@@ -58,8 +58,8 @@ __slsa_provenance_materials() {
 # The ebuild. Since "configSource" in "invocation" cannot have more than one (top/level) entry
 # we add the ebuild and git repo checksum here, as a material.
- csum="$(cat "/mnt/host/source/src/scripts/.git/modules/sdk_container/src/third_party/${repo}/ORIG_HEAD")"
- uri="git+https://github.com/flatcar-linux/${repo}.git/${ebuild}"
+ csum="$(cat "/mnt/host/source/src/scripts/.git/modules/sdk_container/src/third_party/${repo}/HEAD")"
+ uri="git+https://github.com/flatcar-linux/${repo}.git@${csum}#${ebuild}"
 echo -e " { \"uri\": \"${uri}\","
 echo -n " \"digest\": {\"sha1\":\"${csum}\"} }"
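Review bot: `cat` of `.git/modules/.../${repo}/HEAD` on the new `csum=` line returns a symbolic reference (`ref: refs/heads/...`) rather than a commit id whenever that submodule checkout is on a branch instead of detached, so the `@${csum}` ref in `uri` and the `sha1` digest two lines below would both be recorded wrong with no error; the same read is added in the second hunk. Resolving the ref through git avoids this, e.g. `csum="$(git --git-dir="/mnt/host/source/src/scripts/.git/modules/sdk_container/src/third_party/${repo}" rev-parse HEAD)"`. A missing file or failed command also leaves `csum` empty and still emits a material with an empty digest and a `.git@#` uri, so it is worth failing hard there, e.g. `[ -n "${csum}" ] || die "cannot determine ${repo} commit for provenance"`. `__slsa_provenance_materials` starts and continues outside the hunk.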
@@ -106,10 +106,12 @@ __slsa_provenance_materials() {
 fi
 # Patches / files shipped with the ebuild (if any)
- uri="git+https://github.com/flatcar-linux/${repo}.git/${CATEGORY}/${PN}/files"
- csum="$(cat "/mnt/host/source/src/scripts/.git/modules/sdk_container/src/third_party/${repo}/ORIG_HEAD")"
+ csum="$(cat "/mnt/host/source/src/scripts/.git/modules/sdk_container/src/third_party/${repo}/HEAD")"
+ uri="git+https://github.com/flatcar-linux/${repo}.git@${csum}#${CATEGORY}/${PN}/files"
 if [ -d "${FILESDIR}" ] ; then
 for file in $(cd "$FILESDIR" && find . -type f | sed 's:^./::') ; do
+ csum="$(sha1sum - <"${FILESDIR}/${file}")"
+ csum="${csum%% *}"
 einfo " Provenance: recording ebuild material (input) '${file}'"
 echo -e ",\n { \"uri\": \"${uri}/${file}\","
 echo -n " \"digest\": {\"sha1\":\"$csum\"} }"
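Review bot: The added `csum=` lines inside the loop reuse the variable that two lines earlier held the repo commit id, so after the loop `csum` is the last file's content hash; if anything after the hunk still reads it as the commit, that is now silently wrong, and a loop-local name such as `file_csum` would keep the two meanings apart. Relatedly, the ebuild material's `sha1` is a git commit id while each file's `sha1` is a content hash, both emitted under the same key; a comment such as `# uri pins the repo commit; the digest below is the file's own content hash` would spare a verifier from guessing. `sha1sum` failing on an unreadable file leaves `csum` empty and the material is still emitted with an empty digest, which is worth rejecting rather than recording. The enclosing function continues past the hunk.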