grab attestation media type and predicate type from attestation bundle

conorsloan · conorsloan · commit 36e729c5aaf2 · 2024-08-27T20:52:44.000+01:00
diff --git a/__tests__/ghcr-client.test.ts b/__tests__/ghcr-client.test.ts
@@ -606,6 +606,8 @@ function testIndexManifest(): {
   const manifest = ociContainer.createReferrerTagManifest(
     'attestation-digest',
     1234,
+    'bundle-media-type',
+    'bundle-predicate-type',
     new Date(),
     new Date()
   )
diff --git a/__tests__/main.test.ts b/__tests__/main.test.ts
@@ -15,6 +15,8 @@ import * as ghcr from '../src/ghcr-client'
 import * as ociContainer from '../src/oci-container'
 
 const ghcrUrl = new URL('https://ghcr.io')
+const predicateType = 'https://slsa.dev/provenance/v1'
+const bundleMediaType = 'application/vnd.dev.sigstore.bundle.v0.3+json'
 
 // Mock the GitHub Actions core library
 let setFailedMock: jest.SpyInstance
@@ -302,11 +304,14 @@ describe('run', () => {
         attestationID: 'test-attestation-id',
         certificate: 'test',
         bundle: {
-          mediaType: 'application/vnd.cncf.notary.v2+jwt',
+          mediaType: bundleMediaType,
           verificationMaterial: {
             publicKey: {
               hint: 'test-hint'
             }
+          },
+          dsseEnvelope: {
+            payload: btoa(`{"predicateType": "${predicateType}"}`)
           }
         }
       }
@@ -360,11 +365,14 @@ describe('run', () => {
         attestationID: 'test-attestation-id',
         certificate: 'test',
         bundle: {
-          mediaType: 'application/vnd.cncf.notary.v2+jwt',
+          mediaType: bundleMediaType,
           verificationMaterial: {
             publicKey: {
               hint: 'test-hint'
             }
+          },
+          dsseEnvelope: {
+            payload: btoa(`{"predicateType": "${predicateType}"}`)
           }
         }
       }
@@ -426,11 +434,14 @@ describe('run', () => {
         attestationID: 'test-attestation-id',
         certificate: 'test',
         bundle: {
-          mediaType: 'application/vnd.cncf.notary.v2+jwt',
+          mediaType: bundleMediaType,
           verificationMaterial: {
             publicKey: {
               hint: 'test-hint'
             }
+          },
+          dsseEnvelope: {
+            payload: btoa(`{"predicateType": "${predicateType}"}`)
           }
         }
       }
@@ -568,11 +579,14 @@ describe('run', () => {
         attestationID: 'test-attestation-id',
         certificate: 'test',
         bundle: {
-          mediaType: 'application/vnd.cncf.notary.v2+jwt',
+          mediaType: bundleMediaType,
           verificationMaterial: {
             publicKey: {
               hint: 'test-hint'
             }
+          },
+          dsseEnvelope: {
+            payload: btoa(`{"predicateType": "${predicateType}"}`)
           }
         }
       }
@@ -583,6 +597,21 @@ describe('run', () => {
         expect(repository).toBe(options.nameWithOwner)
         expect(tag).toBe('sha256-my-test-digest')
         expect(manifest.mediaType).toBe(ociContainer.imageIndexMediaType)
+        expect(manifest.annotations['com.github.package.type']).toBe(
+          ociContainer.actionPackageReferrerTagAnnotationValue
+        )
+        expect(manifest.manifests.length).toBe(1)
+        expect(manifest.manifests[0].mediaType).toBe(
+          ociContainer.imageManifestMediaType
+        )
+        expect(manifest.manifests[0].artifactType).toBe(bundleMediaType)
+        expect(
+          manifest.manifests[0].annotations['dev.sigstore.bundle.predicateType']
+        ).toBe(predicateType)
+        expect(
+          manifest.manifests[0].annotations['com.github.package.type']
+        ).toBe(ociContainer.actionPackageAttestationAnnotationValue)
+
         return 'sha256:referrer-index-digest'
       }
     )
@@ -593,16 +622,23 @@ describe('run', () => {
         let expectedAnnotationValue = ''
         let expectedTagValue: string | undefined = undefined
         let returnValue = ''
+        let expectedPredicateTypeValue: string | undefined = undefined
+
+        let expectedSubjectMediaType: string | undefined = undefined
 
         if (tag === undefined) {
           expectedAnnotationValue =
             ociContainer.actionPackageAttestationAnnotationValue
           const sigStoreLayer = manifest.layers.find(
             (layer: ociContainer.Descriptor) =>
-              layer.mediaType === ociContainer.sigstoreBundleMediaType
+              layer.mediaType === bundleMediaType
           )
+          expectedPredicateTypeValue = predicateType
 
           expectedBlobKeys = [sigStoreLayer.digest, ociContainer.emptyConfigSha]
+
+          expectedSubjectMediaType = ociContainer.imageManifestMediaType
+
           returnValue = 'sha256:attestation-digest'
         } else {
           expectedAnnotationValue = ociContainer.actionPackageAnnotationValue
@@ -616,7 +652,12 @@ describe('run', () => {
         expect(manifest.annotations['com.github.package.type']).toBe(
           expectedAnnotationValue
         )
+        expect(manifest.annotations['dev.sigstore.bundle.predicateType']).toBe(
+          expectedPredicateTypeValue
+        )
         expect(tag).toBe(expectedTagValue)
+        expect(manifest.subject?.mediaType).toBe(expectedSubjectMediaType)
+
         expect(manifest.layers.length).toBe(expectedBlobKeys.length - 1) // Minus config layer
         expect(blobs.size).toBe(expectedBlobKeys.length)
         for (const expectedBlobKey of expectedBlobKeys) {
diff --git a/__tests__/oci-container.test.ts b/__tests__/oci-container.test.ts
@@ -219,6 +219,8 @@ function testAttestationManifest(setCreated = true): OCIImageManifest {
   return createSigstoreAttestationManifest(
     10,
     'bundleDigest',
+    'application/vnd.dev.sigstore.bundle.v0.3+json',
+    'https://slsa.dev/provenance/v1',
     100,
     'subjectDigest',
     setCreated ? date : undefined
@@ -230,6 +232,8 @@ function testReferrerIndexManifest(setCreated = true): OCIIndexManifest {
   return createReferrerTagManifest(
     'attDigest',
     100,
+    'application/vnd.dev.sigstore.bundle.v0.3+json',
+    'https://slsa.dev/provenance/v1',
     date,
     setCreated ? date : undefined
   )
diff --git a/badges/coverage.svg b/badges/coverage.svg
@@ -1 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="116" height="20" role="img" aria-label="Coverage: 98.07%"><title>Coverage: 98.07%</title><linearGradient id="s" x2="0" y2="100%"><stop offset="0" stop-color="#bbb" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><clipPath id="r"><rect width="116" height="20" rx="3" fill="#fff"/></clipPath><g clip-path="url(#r)"><rect width="63" height="20" fill="#555"/><rect x="63" width="53" height="20" fill="#4c1"/><rect width="116" height="20" fill="url(#s)"/></g><g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110"><text aria-hidden="true" x="325" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="530">Coverage</text><text x="325" y="140" transform="scale(.1)" fill="#fff" textLength="530">Coverage</text><text aria-hidden="true" x="885" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="430">98.07%</text><text x="885" y="140" transform="scale(.1)" fill="#fff" textLength="430">98.07%</text></g></svg>
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="116" height="20" role="img" aria-label="Coverage: 97.56%"><title>Coverage: 97.56%</title><linearGradient id="s" x2="0" y2="100%"><stop offset="0" stop-color="#bbb" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><clipPath id="r"><rect width="116" height="20" rx="3" fill="#fff"/></clipPath><g clip-path="url(#r)"><rect width="63" height="20" fill="#555"/><rect x="63" width="53" height="20" fill="#4c1"/><rect width="116" height="20" fill="url(#s)"/></g><g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110"><text aria-hidden="true" x="325" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="530">Coverage</text><text x="325" y="140" transform="scale(.1)" fill="#fff" textLength="530">Coverage</text><text aria-hidden="true" x="885" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="430">97.56%</text><text x="885" y="140" transform="scale(.1)" fill="#fff" textLength="430">97.56%</text></g></svg>
diff --git a/dist/index.js b/dist/index.js
diff --git a/src/ghcr-client.ts b/src/ghcr-client.ts
@@ -238,7 +238,6 @@ export class Client {
     ).toString()
   }
 
-  // TODO: Add retries with backoff
   private async fetchWithDebug(
     url: string,
     config: RequestInit = {}
diff --git a/src/main.ts b/src/main.ts
@@ -60,24 +60,26 @@ export async function run(): Promise<void> {
 
     // Attestations are not supported in GHES.
     if (!options.isEnterprise) {
-      const { bundle, bundleDigest } = await generateAttestation(
-        manifestDigest,
-        semverTag.raw,
-        options
-      )
+      const { bundle, bundleDigest, bundleMediaType, bundlePredicateType } =
+        await generateAttestation(manifestDigest, semverTag.raw, options)
 
       const attestationCreated = new Date()
       const attestationManifest =
         ociContainer.createSigstoreAttestationManifest(
           bundle.length,
           bundleDigest,
+          bundleMediaType,
+          bundlePredicateType,
           ociContainer.sizeInBytes(manifest),
           manifestDigest,
           attestationCreated
         )
+
       const referrerIndexManifest = ociContainer.createReferrerTagManifest(
         ociContainer.sha256Digest(attestationManifest),
         ociContainer.sizeInBytes(attestationManifest),
+        bundleMediaType,
+        bundlePredicateType,
         attestationCreated
       )
 
@@ -221,6 +223,8 @@ async function generateAttestation(
 ): Promise<{
   bundle: Buffer
   bundleDigest: string
+  bundleMediaType: string
+  bundlePredicateType: string
 }> {
   const subjectName = `${options.nameWithOwner}@${semverTag}`
   const subjectDigest = removePrefix(manifestDigest, 'sha256:')
@@ -241,7 +245,26 @@ async function generateAttestation(
   hash.update(bundleArtifact)
   const bundleSHA = hash.digest('hex')
 
-  return { bundle: bundleArtifact, bundleDigest: `sha256:${bundleSHA}` }
+  // We must base64 decode the dsse envelope to grab the predicate type
+  const dsseEnvelopeArtifact = attestation.bundle.dsseEnvelope
+  if (dsseEnvelopeArtifact === undefined) {
+    throw new Error('Attestation bundle is missing dsseEnvelope artifact')
+  }
+
+  const dsseEnvelope = JSON.parse(
+    Buffer.from(dsseEnvelopeArtifact.payload, 'base64').toString('utf-8')
+  )
+  const predicateType = dsseEnvelope.predicateType
+  if (predicateType === undefined) {
+    throw new Error('Attestation bundle is missing predicateType')
+  }
+
+  return {
+    bundle: bundleArtifact,
+    bundleDigest: `sha256:${bundleSHA}`,
+    bundleMediaType: attestation.bundle.mediaType,
+    bundlePredicateType: predicateType
+  }
 }
 
 function removePrefix(str: string, prefix: string): string {
diff --git a/src/oci-container.ts b/src/oci-container.ts

Original file line number	Diff line number	Diff line change
`@@ -606,6 +606,8 @@ function testIndexManifest(): {`
`606`	`606`	`const manifest = ociContainer.createReferrerTagManifest(`
`607`	`607`	`'attestation-digest',`
`608`	`608`	`1234,`
	`609`	`+ 'bundle-media-type',`
	`610`	`+ 'bundle-predicate-type',`
`609`	`611`	`new Date(),`
`610`	`612`	`new Date()`
`611`	`613`	`)`
Original file line number	Diff line number	Diff line change
`@@ -238,7 +238,6 @@ export class Client {`
`238`	`238`	`).toString()`
`239`	`239`	`}`
`240`	`240`
`241`		`- // TODO: Add retries with backoff`
`242`	`241`	`private async fetchWithDebug(`
`243`	`242`	`url: string,`
`244`	`243`	`config: RequestInit = {}`