update

Author: laurentsimon

cli/slsa-verifier/main_test.go

@@ -9,8 +9,6 @@ import (
 
 	"golang.org/x/mod/semver"
 
-	serrors "github.com/slsa-framework/slsa-verifier/errors"
-
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 )
@@ -43,6 +41,7 @@ func Test_runVerify(t *testing.T) {
 		ptag        *string
 		pversiontag *string
 		pbuilderID  *string
+		builderID   string
 		err         error
 		// noversion is a special case where we are not testing all builder versions
 		// for example, testdata for the builder at head in trusted repo workflows
@@ -344,6 +343,7 @@ func Test_runVerify(t *testing.T) {
 			minversion: "v1.2.0",
 			builders:   []string{"generic"},
 			pbuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml"),
+			builderID:  "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/heads/main",
 		},
 		// Special case of the e2e test repository building builder from head.
 		{
@@ -352,6 +352,7 @@ func Test_runVerify(t *testing.T) {
 			source:    "github.com/slsa-framework/example-package",
 			branch:    "main",
 			noversion: true,
+			builderID: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/heads/main",
 		},
 		// Malicious builders and workflows.
 		{
@@ -434,14 +435,22 @@ func Test_runVerify(t *testing.T) {
 				artifactPath := filepath.Clean(filepath.Join(TEST_DIR, v, tt.artifact))
 				provenancePath := fmt.Sprintf("%s.intoto.jsonl", artifactPath)
 
-				_, _, err := runVerify(artifactPath,
+				_, builderID, err := runVerify(artifactPath,
 					provenancePath,
 					tt.source, branch, tt.pbuilderID,
 					tt.ptag, tt.pversiontag)
 
 				if !errCmp(err, tt.err) {
 					t.Errorf(cmp.Diff(err, tt.err, cmpopts.EquateErrors()))
 				}
+
+				if err != nil {
+					return
+				}
+
+				if tt.builderID != "" && builderID != tt.builderID {
+					t.Errorf(cmp.Diff(builderID, tt.builderID))
+				}
 			}
 		})
 	}

options/options.go

@@ -19,7 +19,7 @@ type ProvenanceOpts struct {
 	ExpectedVersionedTag *string
 
 	// ExpectedBuilderID is the expected builder ID.
-	ExpectedBuilderID *string
+	ExpectedBuilderID string
 }
 
 // BuildOpts are the options for checking the builder.

verifiers/internal/gha/builder.go

@@ -59,7 +59,8 @@ func VerifyWorkflowIdentity(id *WorkflowIdentity,
 			expectedSource, id.CallerRepository)
 	}
 
-	return builderID, nil
+	// Return the builder and its tag.
+	return builderID + "@" + workflowPath[1], nil
 }
 
 func verifyTrustedBuilderID(path string, builderID *string) (string, error) {

verifiers/internal/gha/builder_test.go

@@ -65,7 +65,8 @@ func Test_VerifyWorkflowIdentity(t *testing.T) {
 				Trigger:           "workflow_dispatch",
 				Issuer:            "https://token.actions.githubusercontent.com",
 			},
-			source: trustedBuilderRepository,
+			source:    trustedBuilderRepository,
+			builderID: "https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml@refs/heads/main",
 		},
 		{
 			name: "valid main ref for e2e test",
@@ -76,7 +77,8 @@ func Test_VerifyWorkflowIdentity(t *testing.T) {
 				Trigger:           "workflow_dispatch",
 				Issuer:            certOidcIssuer,
 			},
-			source: e2eTestRepository,
+			source:    e2eTestRepository,
+			builderID: "https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml@refs/heads/main",
 		},
 		{
 			name: "valid main ref for e2e test - match builderID",
@@ -91,6 +93,7 @@ func Test_VerifyWorkflowIdentity(t *testing.T) {
 			buildOpts: &options.BuilderOpts{
 				ExpectedID: asStringPointer("https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml"),
 			},
+			builderID: "https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml@refs/heads/main",
 		},
 		{
 			name: "valid main ref for e2e test - mismatch builderID",
@@ -116,8 +119,9 @@ func Test_VerifyWorkflowIdentity(t *testing.T) {
 				Trigger:           "workflow_dispatch",
 				Issuer:            certOidcIssuer,
 			},
-			source: "malicious/source",
-			err:    serrors.ErrorMismatchSource,
+			source:    "malicious/source",
+			err:       serrors.ErrorMismatchSource,
+			builderID: "https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml@refs/heads/main",
 		},
 		{
 			name: "valid main ref for builder",
@@ -151,7 +155,8 @@ func Test_VerifyWorkflowIdentity(t *testing.T) {
 				Trigger:           "workflow_dispatch",
 				Issuer:            certOidcIssuer,
 			},
-			source: "asraa/slsa-on-github-test",
+			source:    "asraa/slsa-on-github-test",
+			builderID: "https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.2.3",
 		},
 		{
 			name: "valid workflow identity - match builderID",
@@ -166,6 +171,7 @@ func Test_VerifyWorkflowIdentity(t *testing.T) {
 			buildOpts: &options.BuilderOpts{
 				ExpectedID: asStringPointer("https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml"),
 			},
+			builderID: "https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.2.3",
 		},
 		{
 			name: "valid workflow identity - mismatch builderID",
@@ -191,8 +197,9 @@ func Test_VerifyWorkflowIdentity(t *testing.T) {
 				Trigger:           "workflow_dispatch",
 				Issuer:            certOidcIssuer,
 			},
-			source: "asraa/slsa-on-github-test",
-			err:    serrors.ErrorInvalidRef,
+			source:    "asraa/slsa-on-github-test",
+			err:       serrors.ErrorInvalidRef,
+			builderID: "https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.2.3-alpha",
 		},
 		{
 			name: "invalid workflow identity with build",
@@ -227,7 +234,8 @@ func Test_VerifyWorkflowIdentity(t *testing.T) {
 				Trigger:           "workflow_dispatch",
 				Issuer:            certOidcIssuer,
 			},
-			source: "github.com/asraa/slsa-on-github-test",
+			source:    "github.com/asraa/slsa-on-github-test",
+			builderID: "https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.2.3",
 		},
 		{
 			name: "valid workflow identity with fully qualified source - match builderID",
@@ -242,6 +250,7 @@ func Test_VerifyWorkflowIdentity(t *testing.T) {
 			buildOpts: &options.BuilderOpts{
 				ExpectedID: asStringPointer("https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml"),
 			},
+			builderID: "https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.2.3",
 		},
 		{
 			name: "valid workflow identity with fully qualified source - mismatch builderID",
@@ -267,10 +276,16 @@ func Test_VerifyWorkflowIdentity(t *testing.T) {
 			if opts == nil {
 				opts = &options.BuilderOpts{}
 			}
-			_, err := VerifyWorkflowIdentity(tt.workflow, opts, tt.source)
+			id, err := VerifyWorkflowIdentity(tt.workflow, opts, tt.source)
 			if !errCmp(err, tt.err) {
 				t.Errorf(cmp.Diff(err, tt.err, cmpopts.EquateErrors()))
 			}
+			if err != nil {
+				return
+			}
+			if id != tt.builderID {
+				t.Errorf(cmp.Diff(id, tt.builderID))
+			}
 		})
 	}
 }

verifiers/internal/gha/provenance.go

@@ -39,13 +39,9 @@ func provenanceFromEnv(env *dsselib.Envelope) (prov *intoto.ProvenanceStatement,
 
 // Verify Builder ID in provenance statement.
 func verifyBuilderID(prov *intoto.ProvenanceStatement, builderID string) error {
-	id, err := sourceFromURI(prov.Predicate.Builder.ID)
-	if err != nil {
-		return err
-	}
-	if !strings.EqualFold(id, builderID) {
+	if !strings.EqualFold(prov.Predicate.Builder.ID, builderID) {
 		return fmt.Errorf("%w: expected '%s' in builder.id, got '%s'", serrors.ErrorMismatchBuilderID,
-			builderID, id)
+			builderID, prov.Predicate.Builder.ID)
 	}
 	return nil
 }
@@ -178,7 +174,7 @@ func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceO
 	}
 
 	// Verify Builder ID.
-	if err := verifyBuilderID(prov, *provenanceOpts.ExpectedBuilderID); err != nil {
+	if err := verifyBuilderID(prov, provenanceOpts.ExpectedBuilderID); err != nil {
 		return err
 	}
 

verifiers/internal/gha/verifier.go

@@ -65,7 +65,7 @@ func (v *GHAVerifier) Verify(ctx context.Context,
 
 	/* Verify properties of the SLSA provenance. */
 	// Unpack and verify info in the provenance, including the Subject Digest.
-	provenanceOpts.ExpectedBuilderID = &builderID
+	provenanceOpts.ExpectedBuilderID = builderID
 	if err := VerifyProvenance(env, provenanceOpts); err != nil {
 		return nil, "", err
 	}