Add SLSA provenance support

Author: csweichel

.goreleaser.yml

@@ -10,7 +10,7 @@ builds:
 - env:
   - CGO_ENABLED=0
   ldflags:
-  - -s -w -X github.com/gitpod-io/leeway/cmd.version={{.Version}}-{{.ShortCommit}}
+  - -s -w -X github.com/gitpod-io/leeway/pkg/leeway.Version={{.Version}}-{{.ShortCommit}}
   ignore:
   - goos: darwin
     goarch: 386

README.md

@@ -279,6 +279,41 @@ variables have an effect on leeway:
 - `LEEWAY_EXPERIMENTAL`: Enables exprimental features
 - `LEEWAY_NESTED_WORKSPACE`: Enables nested workspaces. By default leeway ignores everything below another `WORKSPACE.yaml`, but if this env var is set leeway will try and link packages from the other workspace as if they were part of the parent one. This does not work for scripts yet.
 
+# Provenance (SLSA) - EXPERIMENTAL
+leeway can produce provenance information as part of a build. At the moment only [SLSA](https://slsa.dev/spec/v0.1/) is supported. This supoprt is **experimental**.
+
+Provenance generation is enabled in the `WORKSPACE.YAML` file.
+```YAML
+provenance:
+  enabled: true
+  slsa: true
+```
+
+Once enabled, all packages carry an [attestation bundle](https://github.com/in-toto/attestation/blob/main/spec/bundle.md) which is compliant to the [SLSA v0.2 spec](https://slsa.dev/provenance/v0.2) in their cached archive. The bundle is complete, i.e. not only contains the attestation for the package build, but also those of its dependencies.
+
+## Dirty vs clean Git working copy
+When building from a clean Git working copy, leeway will use a reference to the Git remote origin as [material](https://github.com/in-toto/in-toto-golang/blob/26b6a96f8a7537f27b7483e19dd68e022b179ea6/in_toto/model.go#L360) (part of the SLSA [link](https://github.com/slsa-framework/slsa/blob/main/controls/attestations.md)).
+
+## Signing attestations
+To support SLSA level 2, leeway can sign the attestations it produces. To this end, you can provide the filepath to a key either as part of the `WORKSPACE.yaml` or through the `LEEWAY_PROVENANCE_KEYPATH` environment variable.
+
+## Inspecting provenance
+You can inspect the generated attestation bundle by extracting it from the built and cached archive. For example:
+```bash
+# run a build
+leeway build --save /tmp/build.tar.gz
+
+# extract bundle
+tar xf /tmp/build.tar.gz ./provenance-bundle.jsonl
+
+# inspect the bundle
+cat provenance-bundle.jsonl | jq -r .payload | base64 -d | jq
+```
+
+## Caveats
+- provenance is part of the leeway package version, i.e. when you enable provenance that will naturally invalidate previously built packages.
+- provenance is not supported for nested workspaces. The presence of `LEEWAY_NESTED_WORKSPACE` will make the build fail.
+
 # Debugging
 When a build fails, or to get an idea of how leeway assembles dependencies, run your build with `leeway build -c local` (local cache only) and inspect your `$LEEWAY_BUILD_DIR`.
 

WORKSPACE.yaml

@@ -6,6 +6,9 @@ environmentManifest:
     command: ["node", "--version"]
   - name: "yarn"
     command: ["yarn", "--version"]
+provenance:
+  enabled: true
+  slsa: true
 variants:
 - name: nogit
   srcs:

cmd/build.go

@@ -172,6 +172,7 @@ func addBuildFlags(cmd *cobra.Command) {
 	cmd.Flags().UintP("max-concurrent-tasks", "j", uint(runtime.NumCPU()), "Limit the number of max concurrent build tasks - set to 0 to disable the limit")
 	cmd.Flags().String("coverage-output-path", "", "Output path where test coverage file will be copied after running tests")
 	cmd.Flags().StringToString("docker-build-options", nil, "Options passed to all 'docker build' commands")
+
 }
 
 func getBuildOpts(cmd *cobra.Command) ([]leeway.BuildOption, *leeway.FilesystemCache) {
@@ -228,7 +229,7 @@ func getBuildOpts(cmd *cobra.Command) ([]leeway.BuildOption, *leeway.FilesystemC
 		log.Fatal(err)
 	}
 
-	log.Debugf("this is leeway version %s", version)
+	log.Debugf("this is leeway version %s", leeway.Version)
 
 	var planOutlet io.Writer
 	if plan, _ := cmd.Flags().GetString("dump-plan"); plan != "" {

cmd/root.go

@@ -58,9 +58,6 @@ __leeway_custom_func() {
 )
 
 var (
-	// version is set during the build using ldflags
-	version string = "unknown"
-
 	workspace string
 	buildArgs []string
 	verbose   bool
@@ -153,7 +150,7 @@ func getWorkspace() (leeway.Workspace, error) {
 		return leeway.FindNestedWorkspaces(workspace, args, variant)
 	}
 
-	return leeway.FindWorkspace(workspace, args, variant)
+	return leeway.FindWorkspace(workspace, args, variant, os.Getenv("LEEWAY_PROVENANCE_KEYPATH"))
 }
 
 func getBuildArgs() (leeway.Arguments, error) {

cmd/version.go

@@ -3,6 +3,7 @@ package cmd
 import (
 	"fmt"
 
+	"github.com/gitpod-io/leeway/pkg/leeway"
 	"github.com/spf13/cobra"
 )
 
@@ -11,7 +12,7 @@ var versionCmd = &cobra.Command{
 	Use:   "version",
 	Short: "Prints the version of this leeway build",
 	Run: func(cmd *cobra.Command, args []string) {
-		fmt.Println(version)
+		fmt.Printf(leeway.Version)
 	},
 }
 

go.mod

@@ -24,6 +24,11 @@ require (
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 )
 
+require (
+	github.com/in-toto/in-toto-golang v0.3.3
+	sigs.k8s.io/bom v0.1.0
+)
+
 require (
 	github.com/Microsoft/go-winio v0.5.1 // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20211112122917-428f8eabeeb3 // indirect
@@ -40,8 +45,10 @@ require (
 	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/owenrumney/go-sarif v1.0.12 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/segmentio/fasthash v1.0.3 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect
+	github.com/shibumi/go-pathspec v1.2.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/xanzy/ssh-agent v0.3.1 // indirect
 	github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect
@@ -51,4 +58,5 @@ require (
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/tools v0.1.8 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
+	sigs.k8s.io/release-utils v0.3.0 // indirect
 )