Merge pull request #820 from crazy-max/signing

sigstore class to sign and verify buildkit provenance blobs

Author: crazy-max

.github/workflows/test.yml

@@ -146,6 +146,9 @@ jobs:
       fail-fast: false
       matrix:
         include: ${{ fromJson(needs.prepare-itg.outputs.includes) }}
+    permissions:
+      contents: read
+      id-token: write # needed for signing with GitHub OIDC Token
     steps:
       -
         name: Checkout

__tests__/.fixtures/sigstore/multi/linux_amd64/hello.txt

@@ -0,0 +1 @@
+Hello, World! This is linux/amd64

__tests__/.fixtures/sigstore/multi/linux_amd64/provenance.json

@@ -0,0 +1 @@
+Hello, World! This is linux/arm64

__tests__/.fixtures/sigstore/multi/linux_arm64/hello.txt

@@ -0,0 +1 @@
+Hello, World! This is linux/amd64

__tests__/.fixtures/sigstore/multi/linux_arm64/provenance.json

@@ -0,0 +1,92 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {describe, expect, jest, it, beforeAll} from '@jest/globals';
+import fs from 'fs';
+import * as path from 'path';
+
+import {Install as CosignInstall} from '../../src/cosign/install';
+import {Sigstore} from '../../src/sigstore/sigstore';
+
+const fixturesDir = path.join(__dirname, '..', '.fixtures');
+
+const maybe = process.env.GITHUB_ACTIONS && process.env.GITHUB_ACTIONS === 'true' && process.env.ACTIONS_ID_TOKEN_REQUEST_URL && process.env.ImageOS && process.env.ImageOS.startsWith('ubuntu') ? describe : describe.skip;
+
+// needs current GitHub repo info
+jest.unmock('@actions/github');
+
+beforeAll(async () => {
+  const cosignInstall = new CosignInstall();
+  const cosignBinPath = await cosignInstall.download('v3.0.2', true);
+  await cosignInstall.install(cosignBinPath);
+}, 100000);
+
+maybe('signProvenanceBlobs', () => {
+  it('single platform', async () => {
+    const sigstore = new Sigstore();
+    const results = await sigstore.signProvenanceBlobs({
+      localExportDir: path.join(fixturesDir, 'sigstore', 'single')
+    });
+    expect(Object.keys(results).length).toEqual(1);
+    const provenancePath = Object.keys(results)[0];
+    expect(provenancePath).toEqual(path.join(fixturesDir, 'sigstore', 'single', 'provenance.json'));
+    expect(fs.existsSync(results[provenancePath].bundlePath)).toBe(true);
+    expect(results[provenancePath].bundle).toBeDefined();
+    expect(results[provenancePath].certificate).toBeDefined();
+    expect(results[provenancePath].tlogID).toBeDefined();
+    expect(results[provenancePath].attestationID).not.toBeDefined();
+    console.log(provenancePath, JSON.stringify(results[provenancePath].bundle, null, 2));
+  });
+  it('multi-platform', async () => {
+    const sigstore = new Sigstore();
+    const results = await sigstore.signProvenanceBlobs({
+      localExportDir: path.join(fixturesDir, 'sigstore', 'multi')
+    });
+    expect(Object.keys(results).length).toEqual(2);
+    for (const [provenancePath, res] of Object.entries(results)) {
+      expect(provenancePath).toMatch(/linux_(amd64|arm64)\/provenance.json/);
+      expect(fs.existsSync(res.bundlePath)).toBe(true);
+      expect(res.bundle).toBeDefined();
+      expect(res.certificate).toBeDefined();
+      expect(res.tlogID).toBeDefined();
+      expect(res.attestationID).not.toBeDefined();
+      console.log(provenancePath, JSON.stringify(res.bundle, null, 2));
+    }
+  });
+});
+
+maybe('verifySignedArtifacts', () => {
+  it('sign and verify', async () => {
+    const sigstore = new Sigstore();
+    const signResults = await sigstore.signProvenanceBlobs({
+      localExportDir: path.join(fixturesDir, 'sigstore', 'multi')
+    });
+    expect(Object.keys(signResults).length).toEqual(2);
+
+    const verifyResults = await sigstore.verifySignedArtifacts(
+      {
+        certificateIdentityRegexp: `^https://github.com/docker/actions-toolkit/.github/workflows/test.yml.*$`
+      },
+      signResults
+    );
+    expect(Object.keys(verifyResults).length).toEqual(2);
+    for (const [artifactPath, res] of Object.entries(verifyResults)) {
+      expect(fs.existsSync(artifactPath)).toBe(true);
+      expect(res.bundlePath).toBeDefined();
+      expect(res.cosignArgs).toBeDefined();
+    }
+  });
+});

__tests__/.fixtures/sigstore/single/hello.txt

@@ -46,6 +46,7 @@
   },
   "dependencies": {
     "@actions/artifact": "^4.0.0",
+    "@actions/attest": "^2.0.0",
     "@actions/cache": "^4.1.0",
     "@actions/core": "^1.11.1",
     "@actions/exec": "^1.1.1",
@@ -56,6 +57,8 @@
     "@azure/storage-blob": "^12.15.0",
     "@octokit/core": "^5.2.2",
     "@octokit/plugin-rest-endpoint-methods": "^10.4.1",
+    "@sigstore/bundle": "^3.1.0",
+    "@sigstore/sign": "^3.1.0",
     "async-retry": "^1.3.3",
     "csv-parse": "^6.1.0",
     "gunzip-maybe": "^1.4.2",
@@ -68,6 +71,8 @@
     "tmp": "^0.2.5"
   },
   "devDependencies": {
+    "@sigstore/mock": "^0.10.0",
+    "@sigstore/rekor-types": "^3.0.0",
     "@types/gunzip-maybe": "^1.4.2",
     "@types/he": "^1.2.3",
     "@types/js-yaml": "^4.0.9",

__tests__/.fixtures/sigstore/single/provenance.json

@@ -0,0 +1,225 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {X509Certificate} from 'crypto';
+import fs from 'fs';
+import path from 'path';
+
+import {Endpoints} from '@actions/attest/lib/endpoints';
+import * as core from '@actions/core';
+import {signPayload} from '@actions/attest/lib/sign';
+import {bundleToJSON} from '@sigstore/bundle';
+import {Attestation} from '@actions/attest';
+import {Bundle} from '@sigstore/sign';
+
+import {Cosign} from '../cosign/cosign';
+import {Exec} from '../exec';
+import {GitHub} from '../github';
+
+import {MEDIATYPE_PAYLOAD as intotoMediatypePayload, Subject} from '../types/intoto/intoto';
+import {FULCIO_URL, REKOR_URL, SEARCH_URL, TSASERVER_URL} from '../types/sigstore/sigstore';
+
+export interface SignProvenanceBlobsOpts {
+  localExportDir: string;
+  name?: string;
+  noTransparencyLog?: boolean;
+}
+
+export interface SignProvenanceBlobsResult extends Attestation {
+  bundlePath: string;
+  subjects: Array<Subject>;
+}
+
+export interface VerifySignedArtifactsOpts {
+  certificateIdentityRegexp: string;
+}
+
+export interface VerifySignedArtifactsResult {
+  bundlePath: string;
+  cosignArgs: Array<string>;
+}
+
+export interface SigstoreOpts {
+  cosign?: Cosign;
+}
+
+export class Sigstore {
+  private readonly cosign: Cosign;
+
+  constructor(opts?: SigstoreOpts) {
+    this.cosign = opts?.cosign || new Cosign();
+  }
+
+  public async signProvenanceBlobs(opts: SignProvenanceBlobsOpts): Promise<Record<string, SignProvenanceBlobsResult>> {
+    const result: Record<string, SignProvenanceBlobsResult> = {};
+    try {
+      if (!process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
+        throw new Error('missing "id-token" permission. Please add "permissions: id-token: write" to your workflow.');
+      }
+
+      const endpoints = this.signingEndpoints(opts);
+      core.info(`Using Sigstore signing endpoint: ${endpoints.fulcioURL}`);
+
+      const provenanceBlobs = Sigstore.getProvenanceBlobs(opts);
+      for (const p of Object.keys(provenanceBlobs)) {
+        await core.group(`Signing ${p}`, async () => {
+          const blob = provenanceBlobs[p];
+          const bundlePath = path.join(path.dirname(p), `${opts.name ?? 'provenance'}.sigstore.json`);
+          const subjects = Sigstore.getProvenanceSubjects(blob);
+          if (subjects.length === 0) {
+            core.warning(`No subjects found in provenance ${p}, skip signing.`);
+            return;
+          }
+          const bundle = await signPayload(
+            {
+              body: blob,
+              type: intotoMediatypePayload
+            },
+            endpoints
+          );
+          const attest = Sigstore.toAttestation(bundle);
+          core.info(`Provenance blob signed for:`);
+          for (const subject of subjects) {
+            const [digestAlg, digestValue] = Object.entries(subject.digest)[0] || [];
+            core.info(`  - ${subject.name} (${digestAlg}:${digestValue})`);
+          }
+          if (attest.tlogID) {
+            core.info(`Attestation signature uploaded to Rekor transparency log: ${SEARCH_URL}?logIndex=${attest.tlogID}`);
+          }
+          core.info(`Writing Sigstore bundle to: ${bundlePath}`);
+          fs.writeFileSync(bundlePath, JSON.stringify(attest.bundle, null, 2), {
+            encoding: 'utf-8'
+          });
+          result[p] = {
+            ...attest,
+            bundlePath: bundlePath,
+            subjects: subjects
+          };
+        });
+      }
+    } catch (err) {
+      throw new Error(`Signing BuildKit provenance blobs failed: ${(err as Error).message}`);
+    }
+    return result;
+  }
+
+  public async verifySignedArtifacts(opts: VerifySignedArtifactsOpts, signed: Record<string, SignProvenanceBlobsResult>): Promise<Record<string, VerifySignedArtifactsResult>> {
+    const result: Record<string, VerifySignedArtifactsResult> = {};
+    if (!(await this.cosign.isAvailable())) {
+      throw new Error('Cosign is required to verify signed artifacts');
+    }
+    for (const [provenancePath, signedRes] of Object.entries(signed)) {
+      const baseDir = path.dirname(provenancePath);
+      await core.group(`Verifying ${signedRes.bundlePath}`, async () => {
+        for (const subject of signedRes.subjects) {
+          const artifactPath = path.join(baseDir, subject.name);
+          core.info(`Verifying signed artifact ${artifactPath}`);
+          // prettier-ignore
+          const cosignArgs = [
+            'verify-blob-attestation',
+            '--new-bundle-format',
+            '--certificate-oidc-issuer', 'https://token.actions.githubusercontent.com',
+            '--certificate-identity-regexp', opts.certificateIdentityRegexp
+          ]
+          if (!signedRes.bundle.verificationMaterial || !Array.isArray(signedRes.bundle.verificationMaterial.tlogEntries) || signedRes.bundle.verificationMaterial.tlogEntries.length === 0) {
+            // if there is no tlog entry, we skip tlog verification but still verify the signed timestamp
+            cosignArgs.push('--use-signed-timestamps', '--insecure-ignore-tlog');
+          }
+          const execRes = await Exec.getExecOutput('cosign', [...cosignArgs, '--bundle', signedRes.bundlePath, artifactPath], {
+            ignoreReturnCode: true
+          });
+          if (execRes.stderr.length > 0 && execRes.exitCode != 0) {
+            throw new Error(execRes.stderr);
+          }
+          result[artifactPath] = {
+            bundlePath: signedRes.bundlePath,
+            cosignArgs: cosignArgs
+          };
+        }
+      });
+    }
+    return result;
+  }
+
+  private signingEndpoints(opts: SignProvenanceBlobsOpts): Endpoints {
+    const noTransparencyLog = opts.noTransparencyLog ?? GitHub.context.payload.repository?.private;
+    core.info(`Upload to transparency log: ${noTransparencyLog ? 'disabled' : 'enabled'}`);
+    return {
+      fulcioURL: FULCIO_URL,
+      rekorURL: noTransparencyLog ? undefined : REKOR_URL,
+      tsaServerURL: TSASERVER_URL
+    };
+  }
+
+  private static getProvenanceBlobs(opts: SignProvenanceBlobsOpts): Record<string, Buffer> {
+    // For single platform build
+    const singleProvenance = path.join(opts.localExportDir, 'provenance.json');
+    if (fs.existsSync(singleProvenance)) {
+      return {[singleProvenance]: fs.readFileSync(singleProvenance)};
+    }
+
+    // For multi-platform build
+    const dirents = fs.readdirSync(opts.localExportDir, {withFileTypes: true});
+    const platformFolders = dirents.filter(dirent => dirent.isDirectory());
+    if (platformFolders.length > 0 && platformFolders.length === dirents.length && platformFolders.every(platformFolder => fs.existsSync(path.join(opts.localExportDir, platformFolder.name, 'provenance.json')))) {
+      const result: Record<string, Buffer> = {};
+      for (const platformFolder of platformFolders) {
+        const p = path.join(opts.localExportDir, platformFolder.name, 'provenance.json');
+        result[p] = fs.readFileSync(p);
+      }
+      return result;
+    }
+
+    throw new Error(`No valid provenance.json found in ${opts.localExportDir}`);
+  }
+
+  private static getProvenanceSubjects(body: Buffer): Array<Subject> {
+    const statement = JSON.parse(body.toString()) as {
+      subject: Array<{name: string; digest: Record<string, string>}>;
+    };
+    return statement.subject.map(s => ({
+      name: s.name,
+      digest: s.digest
+    }));
+  }
+
+  // https://github.com/actions/toolkit/blob/d3ab50471b4ff1d1274dffb90ef9c5d9949b4886/packages/attest/src/attest.ts#L90
+  private static toAttestation(bundle: Bundle): Attestation {
+    let certBytes: Buffer;
+    switch (bundle.verificationMaterial.content.$case) {
+      case 'x509CertificateChain':
+        certBytes = bundle.verificationMaterial.content.x509CertificateChain.certificates[0].rawBytes;
+        break;
+      case 'certificate':
+        certBytes = bundle.verificationMaterial.content.certificate.rawBytes;
+        break;
+      default:
+        throw new Error('Bundle must contain an x509 certificate');
+    }
+
+    const signingCert = new X509Certificate(certBytes);
+
+    // Collect transparency log ID if available
+    const tlogEntries = bundle.verificationMaterial.tlogEntries;
+    const tlogID = tlogEntries.length > 0 ? tlogEntries[0].logIndex : undefined;
+
+    return {
+      bundle: bundleToJSON(bundle),
+      certificate: signingCert.toString(),
+      tlogID: tlogID
+    };
+  }
+}