Can't verify sbom attestation #145

Open
pputman-clabs opened this issue Jan 7, 2025 · 4 comments

Comments

@pputman-clabs

pputman-clabs commented Jan 7, 2025

I'm unable to verify the attestation of the sbom. In my workflow (added below), I create an sbom.json file which is uploaded as an artifact for sbom.spdx.json. If I download the artifact created, and run the following:

gh attestation verify ~/Downloads/sbom.spdx.json --owner my-org
Loaded digest sha256:4410592651bb3ff8fb2b74b992e89664ceff4ae0cf186e561f02b37c4361d4ff for file:///Users/my-user/Downloads/sbom.spdx.json
✗ Loading attestations from GitHub API failed

Error: failed to fetch attestations from my-org: HTTP 404: Not Found (https://api.github.com/orgs/my-org/attestations/sha256:4410592651bb3ff8fb2b74b992e89664ceff4ae0cf186e561f02b37c4361d4ff?per_page=30)

Since this is the SBOM that was generated and used with this action to sign, should I not be able to verify the attestation of this sbom file?

    - name: Generate artifact attestation
      uses: actions/attest-build-provenance@v2
      with:
        subject-name: ${{ inputs.registry }}
        subject-digest: ${{ steps.docker-build-push.outputs.digest }}
        push-to-registry: true

    - uses: anchore/sbom-action@v0
      id: build-sbom
      with:
        image: ${{ inputs.registry }}@${{ steps.docker-build-push.outputs.digest }}
        output-file: ./sbom.json
        artifact-name: sbom.spdx.json

    - name: Generate SBOM attestation
      uses: actions/attest-sbom@v1
      with:
        subject-name: ${{ inputs.registry }}
        subject-digest: ${{ steps.docker-build-push.outputs.digest }}
        sbom-path: sbom.json
        push-to-registry: true

@bdehamer
Collaborator

bdehamer commented Jan 7, 2025

@pputman-clabs in order to verify the attestation, you need to supply the artifact that was attested (the subject) to the gh attestation verify command. In your case, it looks like the subject of your attestation is a container image so you'd want to do something like:

gh attestation verify oci://<image-uri> --owner my-org

@pputman-clabs
Author

I'm sorry, aren't we attesting to the actual SBOM, to say that yes, this is a valid bill of materials? If I'm building a provenance and sbom attestation, how do I verify them each independently?

@pputman-clabs
Author

Just to show you that I am running an attestation verify, but it only shows the provenance attestations, nothing to do with the SBOM.

gh attestation verify oci://us-west1-docker.pkg.dev/devopsre/dev-images/akeyless-action:testing --owner my-org --signer-repo my-org/reusable-workflows
Loaded digest sha256:4bd2a6f032fc1268fc8edbf949b3f97bd2595019ef9c6ebf5ec360ee2e1741bb for oci://us-west1-docker.pkg.dev/devopsre/dev-images/akeyless-action:testing
Loaded 15 attestations from GitHub API

The following policy criteria will be enforced:
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com
- Source Repository Owner URI must match:... https://github.com/my-org
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Subject Alternative Name must match regex: (?i)^https://github.com/my-org/reusable-workflows/

✓ Verification succeeded!

sha256:4bd2a6f032fc1268fc8edbf949b3f97bd2595019ef9c6ebf5ec360ee2e1741bb was attested by:
REPO                         PREDICATE_TYPE                  WORKFLOW                                                   
my-org/reusable-workflows  https://slsa.dev/provenance/v1  .github/workflows/docker-build.yaml@refs/heads/v3.0.0-alpha
my-org/reusable-workflows  https://slsa.dev/provenance/v1  .github/workflows/docker-build.yaml@refs/heads/v3.0.0-alpha
my-org/reusable-workflows  https://slsa.dev/provenance/v1  .github/workflows/docker-build.yaml@refs/heads/v3.0.0-alpha
my-org/reusable-workflows  https://slsa.dev/provenance/v1  .github/workflows/docker-build.yaml@refs/heads/v3.0.0-alpha
my-org/reusable-workflows  https://slsa.dev/provenance/v1  .github/workflows/docker-build.yaml@refs/heads/v3.0.0-alpha
my-org/reusable-workflows  https://slsa.dev/provenance/v1  .github/workflows/docker-build.yaml@refs/heads/v3.0.0-alpha
my-org/reusable-workflows  https://slsa.dev/provenance/v1  .github/workflows/docker-build.yaml@refs/heads/v3.0.0-alpha
my-org/reusable-workflows  https://slsa.dev/provenance/v1  .github/workflows/docker-build.yaml@refs/heads/v3.0.0-alpha
my-org/reusable-workflows  https://slsa.dev/provenance/v1  .github/workflows/docker-build.yaml@refs/heads/v3.0.0-alpha
my-org/reusable-workflows  https://slsa.dev/provenance/v1  .github/workflows/docker-build.yaml@refs/heads/v3.0.0-alpha

@bdehamer
Collaborator

By default, the attestation verify command will only verify provenance attestations. If you want to work with your SBOM attestations you'll need to use the --predicate-type flag:

gh attestation verify oci://<image-uri> --predicate-type https://spdx.dev/Document/v2.3 --owner my-org

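The two answers above describe the lookup that gh attestation verify performs: attestations are fetched by the digest of the subject passed on the command line (the container image here, not the SBOM file), and the result is then filtered by predicate type, which is SLSA provenance unless --predicate-type is given. The Python block below is an added example, not code from the attest-sbom project or the gh CLI. It models that lookup over two in-toto statements constructed inline (the in-toto Statement layout with _type, subject, predicateType and predicate is the real one; the image digest, the SBOM content and the helper names are assumptions) and adds the check a practitioner would want after verification: that a downloaded sbom.spdx.json equals the SBOM carried in the attestation's predicate.

```python
"""Model of how `gh attestation verify` selects attestations.

Added example, not from the attest-sbom project or the gh CLI. Two in-toto
statements (SLSA provenance and an SPDX SBOM, both with a container image as
subject) and a local SBOM file are constructed inline. The functions reproduce
the two behaviours from the issue: a lookup keyed by the SBOM file's own digest
finds nothing (the HTTP 404), and a lookup keyed by the image digest returns
only provenance unless the SPDX predicate type is requested.
"""
import hashlib
import json

SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
SPDX_V2_3 = "https://spdx.dev/Document/v2.3"

# Constructed SBOM document standing in for the downloaded sbom.spdx.json.
SBOM_DOC = {"spdxVersion": "SPDX-2.3", "name": "example-image", "packages": []}
SBOM_BYTES = json.dumps(SBOM_DOC, sort_keys=True).encode()

# Constructed image digest (hex only); in a workflow this is the push step's output.
IMAGE_DIGEST = hashlib.sha256(b"constructed image manifest").hexdigest()


def sha256_hex(data: bytes) -> str:
    """Digest a local file the way the CLI does before looking up attestations."""
    return hashlib.sha256(data).hexdigest()


def statement(subject_sha256: str, predicate_type: str, predicate: dict) -> dict:
    """Build an in-toto v1 Statement, the envelope that gets signed and verified."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [
            {"name": "registry.example/org/image", "digest": {"sha256": subject_sha256}}
        ],
        "predicateType": predicate_type,
        "predicate": predicate,
    }


# Stand-in for the org attestations store: both statements name the IMAGE as subject.
ATTESTATIONS = [
    statement(IMAGE_DIGEST, SLSA_PROVENANCE_V1, {"buildDefinition": {}, "runDetails": {}}),
    statement(IMAGE_DIGEST, SPDX_V2_3, SBOM_DOC),
]


def _names_subject(stmt: dict, subject_sha256: str) -> bool:
    return any(sub["digest"].get("sha256") == subject_sha256 for sub in stmt["subject"])


def has_attestations_for(subject_sha256: str) -> bool:
    """False corresponds to the 404 seen when the SBOM file's digest is looked up."""
    return any(_names_subject(s, subject_sha256) for s in ATTESTATIONS)


def find_attestations(subject_sha256: str, predicate_type: str = SLSA_PROVENANCE_V1) -> list:
    """Subject digest first, then predicate type; provenance is the default filter."""
    if not has_attestations_for(subject_sha256):
        raise LookupError(f"no attestations for sha256:{subject_sha256}")
    return [
        s for s in ATTESTATIONS
        if _names_subject(s, subject_sha256) and s["predicateType"] == predicate_type
    ]


def sbom_matches_attested(local_sbom_bytes: bytes, subject_sha256: str) -> bool:
    """Compare a downloaded SBOM with the SBOM inside the verified SPDX predicate."""
    local = json.loads(local_sbom_bytes)
    return any(s["predicate"] == local for s in find_attestations(subject_sha256, SPDX_V2_3))


if __name__ == "__main__":
    print("lookup by SBOM file digest:", has_attestations_for(sha256_hex(SBOM_BYTES)))
    print("default filter:", [s["predicateType"] for s in find_attestations(IMAGE_DIGEST)])
    print("SPDX filter:", [s["predicateType"] for s in find_attestations(IMAGE_DIGEST, SPDX_V2_3)])
    print("downloaded SBOM matches attested SBOM:", sbom_matches_attested(SBOM_BYTES, IMAGE_DIGEST))
```

Against the real store the equivalent of the SPDX branch is the command in the answer above, gh attestation verify oci://<image-uri> --predicate-type https://spdx.dev/Document/v2.3 --owner my-org; the attested SBOM is the predicate of the statement that comes back, so a copy downloaded as a workflow artifact is only trustworthy once it has been compared with that predicate, which is what sbom_matches_attested does here.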