slsa-framework · enteraga6 · Aug 8, 2023 · Aug 8, 2023 · Aug 8, 2023 · Aug 11, 2023
@@ -35,6 +35,18 @@ on:
         required: false
         type: string
         default: ""
+      env-image:
+        description: "Image for build environment to run on"
+        required: false
+        type: string
+        default: ""
+      env-image-digest:
+        description: >
+          TODO(#2630): Add verification method for digest.
+          The image digest of the environment image.
+          This must be specified in order to verify the image.
+        required: false
+        type: string
       needs-runfiles:
         description: >
           A boolean input that if true will package the artifact's runfiles along with the artifact.
@@ -76,6 +88,32 @@ on:
           When run on other triggers, attestations are signed and have an "intoto.sigstore" extension.
         value: ${{ jobs.slsa-run.outputs.attestations-download-name }}
 
+      provenance-download-sha256:
+        description: >
+          The sha256 digest of the attestations.
+
+          Users should verify the download against this digest to prevent tampering.
+        value: ${{ jobs.slsa-run.outputs.attestations-download-sha256 }}
+
+      artifacts-download-name:
+        description: >
+          The name of the folder containing the built artifacts. There is a random hash at the
+          beginning of it in form <hash>-binaries to avoid collisions.
+        value: ${{ fromJSON(jobs.slsa-run.outputs.build-artifacts-outputs).artifacts-download-name }}
+
+      artifacts-download-sha256:
+        description: "SHA256 of the uploaded tarball of built artifacts."
+        value: ${{ fromJSON(jobs.slsa-run.outputs.build-artifacts-outputs).artifacts-download-sha256 }}
+
+      artifacts-actual-name:
+        description: >
+          The name of the folder which contains the artifacts.
+
+          After downloading artifacts-download-name and extracting
+          the folder.tgz from inside. A folder with artifacts with
+          this name will be extracted.
+        value: ${{ fromJSON(jobs.slsa-run.outputs.build-artifacts-outputs).artifacts-actual-name }}
+
 jobs:
   slsa-setup:
     permissions:

@@ -27,6 +27,9 @@ workflow the "Bazel builder" from now on.
   - [Workflow Outputs](#workflow-outputs)
   - [Provenance Format](#provenance-format)
   - [Provenance Example](#provenance-example)
+- [Verification and Rebuilding](#verification-and-rebuilding)
+  - [Verification](#verification)
+  - [Rebuilding](#rebuilding)
 
 <!-- tocstop -->
 
@@ -319,3 +322,48 @@ The following is an example of the generated provenance.
   }
 }
 ```
+
+## Verification and Rebuilding
+
+### Verification
+
+Verification of the provenance generated for an artifact can be done with one of two ways. Using the [`slsa-verifier`](https://github.com/slsa-framework/slsa-verifier)
+as follows on their [instructions](https://github.com/slsa-framework/slsa-verifier#verification-for-github-builders) for verification of Github builder artifacts.
+
+Verification can also be done through the passing the `--verify` flag to the rebuilder.
+
+### Rebuilding
+
+To rebuild your artifacts and check for reproducible builds use the Bazel Rebuilder,
+which takes in the following arguments on the command line.
+
+Arguments:
+
+| Argument Name to Rebuilder     | Required For Rebuilder | Additionally Required for Verification   | Description                                                                                                                                                                                                                                         |
+| ------------------------- | -------- | ------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--artifact_path=<path>`  | Yes       |               | Path to the artifact to rebuild and compares checksums with. |
+| `--prov_path=<path>`           | Yes      |                    | Path to the provenance of the artifact that is being rebuilt.   |
+| `--source_uri=<uri>`             | Yes       |                  | expected source repository that should have produced the binary, e.g. github.com/some/repo
+| `--builder_id=<id>`             | No       | Yes                 | The unique builder ID who created the provenance
+| `--env_image=<image>`            | No       |                  | A published image to be pull to build on top of
+| `--verify`            | No       | Yes                 | Flag to verify provenance for artifact being rebuilt
+| `--verbose`            | No       |                  | Flag to include extra output to track progress
+| `--cleanup`           | No       |                  | Removes cloned repos (`source_uri` and `slsa-verifier`) as well as directory for rebuilt artifacts
+
+The rebuilder does the following:
+
+1. Verifies the provenance for the artifact to rebuild,
+2. Parses out the attested build process from the provenance,
+3. Clones the repo that produced it,
+4. Rebuilds the inputted artifact with the attest build process,
+5. Compares checksums for reproducibility
+
+An example usage of the rebuilder is the following command:
+`./rebuilder.sh --artifact_path==<path> --prov_path=<path> --source_uri=<uri> --builder_id=<id> --env_image=<image> --verify --verbose`
+
+Using an image that dictates the build environment is needed to make reproducible rebuilding possible. The artifact
+must be built on an image from a registry originally during the Github Actions Workflow run to also build on a provided image during the rebuilding process.
+
+If no image was provided or if the artifact was not originally built on an image, the rebuilding process will use
+the user's local environment, thus diminishing the chances of a reproducible rebuild due to non-determinism from the
+different build environments.
@@ -41,6 +41,23 @@ inputs:
   slsa-workflow-secret14: {}
   slsa-workflow-secret15: {}
 
+outputs:
+  artifacts-download-name:
+    description: "The name of binaries folder to download"
+    # NOTE: This is an "untrusted" value returned from the build.
+    value: "${{ steps.rng.outputs.random }}-artifacts"
+  artifacts-download-sha256:
+    description: "SHA256 of the uploaded tarball of artifacts."
+    value: ${{ steps.generate-artifacts.outputs.sha256 }}
+  artifacts-actual-name:
+    description: >
+      The name of the folder which contains the artifacts.
+
+      After downloading artifacts-download-name and extracting
+      the folder.tgz from inside. A folder with artifacts with
+      this name will be extracted.
+    value: "bazel_builder_binaries_to_upload_to_gh_7bc972367cb286b7f36ab4457f06e369"
+
 runs:
   using: "composite"
   steps:
@@ -52,20 +69,51 @@ runs:
       uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # v2.0.0
 
     - name: Setup Java
+      if: ${{ fromJson(inputs.slsa-workflow-inputs).includes-java }} == 'true'
       id: java
       uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
       with:
         distribution: "${{ fromJson(inputs.slsa-workflow-inputs).user-java-distribution }}"
         java-version: "${{ fromJson(inputs.slsa-workflow-inputs).user-java-version }}"
 
+    - name: Check for Environment Image
+      id: env-image
+      shell: bash
+      run: |
+        if [[ -z "${{ fromJson(inputs.slsa-workflow-inputs).env-image }}" ]]
+        then
+          echo "No Environment Image provided. Will build without."
+          echo "use_env_image=false" >> $GITHUB_OUTPUT
+        else
+          echo "Docker image provided. Running build on Docker Image."
+          echo "use_env_image=true"  >> $GITHUB_OUTPUT
+        fi
+
+    - name: Build on Environment Image
+      if: ${{ steps.env-image.outputs.use_env_image == 'true' }}
+      env:
+        UNTRUSTED_TARGETS: ${{ fromJson(inputs.slsa-workflow-inputs).targets }}
+        UNTRUSTED_FLAGS: ${{ fromJson(inputs.slsa-workflow-inputs).flags }}
+        UNTRUSTED_NEEDS_RUNFILES: ${{ fromJson(inputs.slsa-workflow-inputs).needs-runfiles }}
+        UNTRUSTED_INCLUDES_JAVA: ${{ fromJson(inputs.slsa-workflow-inputs).includes-java }}
+        UNTRUSTED_ENV_IMAGE: ${{ fromJson(inputs.slsa-workflow-inputs).env-image }}
+      shell: bash
+      run: |
+        set -euo pipefail
+        docker pull $UNTRUSTED_ENV_IMAGE
+        curr_dir=$(basename "$(pwd)")
+        docker run --rm --env UNTRUSTED_TARGETS=${UNTRUSTED_TARGETS} --env UNTRUSTED_FLAGS=${UNTRUSTED_FLAGS} --env UNTRUSTED_NEEDS_RUNFILES=${UNTRUSTED_NEEDS_RUNFILES} --env UNTRUSTED_INCLUDES_JAVA=${UNTRUSTED_INCLUDES_JAVA} -v $PWD/../:/src -w /src $UNTRUSTED_ENV_IMAGE /bin/sh -c "ls && tree && cd $curr_dir && ls && tree && ./../__TOOL_ACTION_DIR__/build.sh"
+
     - id: build
+      if: ${{ steps.env-image.outputs.use_env_image == 'false' }}
       env:
-        TARGETS: ${{ fromJson(inputs.slsa-workflow-inputs).targets }}
-        FLAGS: ${{ fromJson(inputs.slsa-workflow-inputs).flags }}
-        NEEDS_RUNFILES: ${{ fromJson(inputs.slsa-workflow-inputs).needs-runfiles }}
-        INCLUDES_JAVA: ${{ fromJson(inputs.slsa-workflow-inputs).includes-java }}
+        UNTRUSTED_TARGETS: ${{ fromJson(inputs.slsa-workflow-inputs).targets }}
+        UNTRUSTED_FLAGS: ${{ fromJson(inputs.slsa-workflow-inputs).flags }}
+        UNTRUSTED_NEEDS_RUNFILES: ${{ fromJson(inputs.slsa-workflow-inputs).needs-runfiles }}
+        UNTRUSTED_INCLUDES_JAVA: ${{ fromJson(inputs.slsa-workflow-inputs).includes-java }}
       shell: bash
-      run: ./../__TOOL_ACTION_DIR__/build.sh
+      run: |
+        ./../__TOOL_ACTION_DIR__/build.sh
 
     # rng generates a random number to avoid name collision in artifacts
     # when multiple workflows run concurrently.
@@ -77,7 +125,7 @@ runs:
       id: generate-artifacts
       uses: slsa-framework/slsa-github-generator/.github/actions/secure-upload-folder@main
       with:
-        name: "${{ steps.rng.outputs.random }}-binaries"
+        name: "${{ steps.rng.outputs.random }}-artifacts"
         path: "./bazel_builder_binaries_to_upload_to_gh_7bc972367cb286b7f36ab4457f06e369" # path-to-artifact(s)
 
     - name: Echo statement

@@ -22,12 +22,12 @@ binaries_dir="bazel_builder_binaries_to_upload_to_gh_7bc972367cb286b7f36ab4457f0
 mkdir ${binaries_dir}
 
 # Transfer flags and targets to their respective arrays
-IFS=' ' read -r -a build_flags <<< "${FLAGS}"
-IFS=' ' read -r -a build_targets <<< "${TARGETS}"
+IFS=' ' read -r -a build_flags <<< "${UNTRUSTED_FLAGS}"
+IFS=' ' read -r -a build_targets <<< "${UNTRUSTED_TARGETS}"
 
 # If the targets includes Java targets, include Java build flag
 # and add Github Runner Java rule to WORKSPACE
-if [[ "${INCLUDES_JAVA}" == "true" ]]
+if [[ "${UNTRUSTED_INCLUDES_JAVA}" == "true" ]]
 then
   build_flags+=("--java_runtime_version=myjdk")
 
@@ -52,20 +52,20 @@ declare -A targets_set
 ################################################
 
 for input in "${build_targets[@]}"; do
-  
+
   # Using bazel query extracts all targets from a glob pattern.
   # Thus we can change Java targets to their _deploy.jar target.
   for target in $(bazel query "$input"); do
 
     # Check to see if the target is a Java target. If it is the output is a Java target.
     # Note: targets that already have the _deploy.jar suffix will have no output from the query
     output=$(bazel query "kind(java_binary, $target)" 2>/dev/null)
-    
+
     # If there is a Java target without _deploy.jar suffix, add suffix, build and add to target set.
     if [[ -n "$output" ]]
     then
       bazel build "${build_flags[@]}" "${target}_deploy.jar"
-      targets_set["${target}_deploy.jar"]="1"    
+      targets_set["${target}_deploy.jar"]="1"
     else
       # Build target regularly.
       bazel build "${build_flags[@]}" "$target"
@@ -81,7 +81,7 @@ done
 ################################################
 
 for curr_target in "${!targets_set[@]}"; do
-  
+
   # Removes everything up to and including the first colon
   # "//src/internal:fib" --> "fib"
   binary_name=${curr_target#*:}
@@ -107,7 +107,7 @@ for curr_target in "${!targets_set[@]}"; do
     # Copy JAR to artifact-specific dir in ./${binaries_dir} and remove symbolic links.
     file="$bazel_generated"
     cp -Lr "$file" "./${binaries_dir}/$run_script_name"
-    
+
     # Get the path the to run-script associated with the {$curr_target}_deploy.jar
     # If the user inputted the path to their local JAVABIN insert that into the run-script to define it.
     # Inputting a local path to JAVABIN is needed or else run-script will not work as it points to Github Runner JAVABIN
@@ -118,19 +118,19 @@ for curr_target in "${!targets_set[@]}"; do
     # to run the run-script themselves, which would not be possible as it is either set to the Github Runner VM Java bin path
     # if no flag to USER_LOCAL_JAVABIN is passed in their workflow or to the path passed in their flag.
     awk -v n=66 -v s='    --local_javabin=*) USER_JAVA_BIN=( "${1#--local_javabin=}" ) ;;' 'NR == n {print s} {print}' "$run_script_path" > temp_file && mv -f temp_file "$run_script_path"
-    
+
     # Updates Java Bin in run-script after the flags get proccessed
     awk -v n=127 -v s='' 'NR == n {print s} {print}' "$run_script_path" > temp_file && mv -f temp_file "$run_script_path"
     awk -v n=128 -v s='if [[ -n $USER_JAVA_BIN ]]; then JAVABIN=$USER_JAVA_BIN; fi' 'NR == n {print s} {print}' "$run_script_path" > temp_file && mv -f temp_file "$run_script_path"
-    
+
     cp -L "$run_script_path" "./${binaries_dir}/$run_script_name"
 
   ################################################
   #                                              #
   #          Logic for Non-Java Targets          #
   #                                              #
   ################################################
-  
+
   else
 
     ################################################
@@ -139,7 +139,7 @@ for curr_target in "${!targets_set[@]}"; do
     #                                              #
     ################################################
 
-    if [[ "${NEEDS_RUNFILES}" == "true" ]]
+    if [[ "${UNTRUSTED_NEEDS_RUNFILES}" == "true" ]]
     then
       # Get file(s) generated from build with respect to the target
       bazel_generated=$(bazel cquery --output=starlark --starlark:expr="'\n'.join([f.path for f in target.files.to_list()])" "$curr_target" 2>/dev/null)
@@ -178,7 +178,7 @@ for curr_target in "${!targets_set[@]}"; do
     else
       # Get file(s) generated from build with respect to the target
       bazel_generated=$(bazel cquery --output=starlark --starlark:expr="'\n'.join([f.path for f in target.files.to_list()])" "$curr_target" 2>/dev/null)
-      
+
       # Uses a Starlark expression to pass new line seperated list of file(s) into the set of files
       while read -r file; do
           cp -L "$file" ./${binaries_dir}