Use generic generator for SLSA (#2146)

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

.github/workflows/goreleaser.yaml

@@ -24,6 +24,8 @@ permissions:
 
 jobs:
   goreleaser:
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
     permissions:
       contents: write  # for goreleaser/goreleaser-action to create a GitHub release
     runs-on: ubuntu-latest
@@ -52,6 +54,7 @@ jobs:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.PASSPHRASE }}
       - name: Run GoReleaser
+        id: run-goreleaser
         uses: goreleaser/goreleaser-action@b953231f81b8dfd023c58e0854a721e35037f28b # v2.5.0
         with:
           version: latest
@@ -60,3 +63,23 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
           VERSION_LDFLAGS: ${{ steps.ldflags.outputs.version_flags }}
+      - name: Generate subject
+        id: hash
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+
+          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+          echo "::set-output name=hashes::$(cat $checksum_file | base64 -w0)"
+
+  provenance:
+    needs: [goreleaser]
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+      upload-assets: true # upload to a new release

.github/workflows/slsa-goreleaser.yml

@@ -1,9 +1,9 @@
 name: SLSA releaser
 on:
   workflow_dispatch:
-  push:
-    tags:
-      - "*"
+  # push:
+  #   tags:
+  #     - "*"
 
 permissions: read-all
 

.goreleaser.yml

@@ -29,6 +29,7 @@ builds:
   goos:
     - linux
   goarch:
+    - amd64
     - arm64
     - 386
     - arm

README.md

@@ -8,6 +8,7 @@
 [![Go Report Card](https://goreportcard.com/badge/github.com/ossf/scorecard/v4)](https://goreportcard.com/report/github.com/ossf/scorecard/v4)
 [![codecov](https://codecov.io/gh/ossf/scorecard/branch/main/graph/badge.svg?token=PMJ6NAN9J3)](https://codecov.io/gh/ossf/scorecard)
 [![Slack](https://slack.babeljs.io/badge.svg)](https://slack.openssf.org/#security_scorecards)
+[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev)
 
 <img align="right" src="artwork/openssf_security_compressed.png" width="200" height="400">
 
@@ -152,22 +153,16 @@ Language: You must have GoLang installed to run Scorecards
 
 To install Scorecards as a standalone:
 
-1.  Visit our latest
-    [release page](https://github.com/ossf/scorecard/releases/latest) and
-    download the correct binary for your operating system 
-1.  Extract the binary file
-1.  We are excited to be an early adopter of one of the the OSSF [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator)
-to generate non-forgeable SLSA3 provenance for the scorecard-linux-amd64 binary. If you use this binary, download the companiion provenance file 
-scorecard-linux-amd64.intoto.jsonl as well. Then verify the scorecard binary with [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier#download-the-binary):
-```
-$ ./slsa-verifier-linux-amd64 \
-    --artifact-path scorecard-linux-amd64 \
-    --provenance scorecard-linux-amd64.intoto.jsonl \
-    --source github.com/ossf/scorecard
-    --tag vX.Y.Z
+Visit our latest [release page](https://github.com/ossf/scorecard/releases/latest) and
+download the correct zip file for your operating system.
+
+We generate [SLSA3 signatures](slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) during the release process. To verify a release binary:
+1. Install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation).
+2. Download the signature file `attestation.intoto.jsonl` from the [GitHub releases page](https://github.com/GoogleContainerTools/jib/releases/latest).
+3. Run the verifier:
+```shell
+slsa-verifier -artifact-path <the-zip> -provenance attestation.intoto.jsonl -source github.com/ossf/scorecard -tag <the-tag>
 ```
-When verification passes, it guarantees that the binary you downloaded was generated using the source code of this repository. 
-If you're interested in reading more about SLSA, visit the official [slsa.dev](https://slsa.dev).
 
 1.  Add the binary to your `GOPATH/bin` directory (use `go env GOPATH` to
     identify your directory if necessary)

docs/checks.md

@@ -365,7 +365,7 @@ by an appropriate file extension, as described in the [REUSE](https://reuse.soft
 ## Maintained 
 
 Risk: `High` (possibly unpatched vulnerabilities)
-   
+
 This check determines whether the project is actively maintained. If the project
 is archived, it receives the lowest score. If there is at least one commit per
 week during the previous 90 days, the project receives the highest score.  If there
@@ -385,7 +385,7 @@ This check will only succeed if a Github project is >90 days old. Projects
 that are younger than this are too new to assess whether they are maintained
 or not, and users should inspect the contents of those projects to ensure they
 are as expected.
- 
+
 
 **Remediation steps**
 - There is no remediation work needed from projects with a low score; this check simply provides insight into the project activity and maintenance commitment. External users should determine whether the software is the type that would not normally need active maintenance.
@@ -539,10 +539,14 @@ not support other source hosting repositories (i.e., Forges).
 Signed releases attest to the provenance of the artifact.
 
 This check looks for the following filenames in the project's last five
-releases: [*.minisig](https://github.com/jedisct1/minisign), *.asc (pgp),
-*.sig, *.sign.
+[release assets](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases):
+[*.minisig](https://github.com/jedisct1/minisign), *.asc (pgp),
+*.sig, *.sign, [*.intoto.jsonl](slsa.dev).
+
+If a signature is found in the assets for each release, a score of 8 is given.
+If a [SLSA provenance file](https://slsa.dev/spec/v0.1/index) is found in the assets for each release (*.intoto.jsonl), the maximum score of 10 is given.
 
-Note: The check does not verify the signatures. 
+Note: The check does not verify the signatures.
 
 
 **Remediation steps**

docs/checks/internal/checks.yaml

@@ -22,7 +22,7 @@ checks:
     short: Determines if the project is "actively maintained".
     description: |
       Risk: `High` (possibly unpatched vulnerabilities)
-         
+
       This check determines whether the project is actively maintained. If the project
       is archived, it receives the lowest score. If there is at least one commit per
       week during the previous 90 days, the project receives the highest score.  If there
@@ -586,10 +586,14 @@ checks:
       Signed releases attest to the provenance of the artifact.
 
       This check looks for the following filenames in the project's last five
-      releases: [*.minisig](https://github.com/jedisct1/minisign), *.asc (pgp),
-      *.sig, *.sign.
+      [release assets](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases):
+      [*.minisig](https://github.com/jedisct1/minisign), *.asc (pgp),
+      *.sig, *.sign, [*.intoto.jsonl](slsa.dev).
+
+      If a signature is found in the assets for each release, a score of 8 is given.
+      If a [SLSA provenance file](https://slsa.dev/spec/v0.1/index) is found in the assets for each release (*.intoto.jsonl), the maximum score of 10 is given.
 
-      Note: The check does not verify the signatures. 
+      Note: The check does not verify the signatures.
     remediation:
       - >-
         Publish the release.