update

Signed-off-by: laurentsimon <[email protected]>
slsa-framework · Feb 24, 2023 · 5e75163 · 5e75163
1 parent 8c0030a
commit 5e75163
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 9 deletions.
diff --git a/verifiers/internal/gha/npm.go b/verifiers/internal/gha/npm.go
@@ -46,7 +46,8 @@ type Npm struct {
 	publishAttestation    *attestation
 }
 
-var builderGitHubRunnerID = "https://github.com/actions/runner"
+// TODO(#494): update the builder name.
+var builderGitHubRunnerID = "https://github.com/actions/[email protected]"
 
 func (n *Npm) ProvenanceEnvelope() *dsse.Envelope {
 	return n.verifiedProvenanceAtt.Envelope
@@ -72,6 +73,7 @@ func NpmNew(ctx context.Context, root *TrustedRoot, attestationBytes []byte) (*N
 			attestations[0].PredicateType, slsaprovenance.ProvenanceV02Type)
 	}
 
+	// Provenance type verification.
 	if !strings.HasPrefix(attestations[1].PredicateType, publishAttestationV01) {
 		return nil, fmt.Errorf("%w: invalid predicate type: %v. Expected %v", errrorInvalidAttestations,
 			attestations[1].PredicateType, publishAttestationV01)
@@ -86,7 +88,7 @@ func NpmNew(ctx context.Context, root *TrustedRoot, attestationBytes []byte) (*N
 }
 
 func (n *Npm) verifyProvenanceAttestationSignature() error {
-	// We jut re-use the standard bundle verification.
+	// Re-use the standard bundle verification.
 	signedProvenance, err := VerifyProvenanceBundle(n.ctx, n.provenanceAttestation.BundleBytes, n.root)
 	if err != nil {
 		return err
@@ -102,7 +104,7 @@ func (n *Npm) verifyPublishAttesttationSignature() error {
 		return err
 	}
 
-	// Second, we verify the signature, which ues a static key.
+	// Second, we verify the signature, which uses a static key.
 	// Extract payload.
 	env := signedPublish.Envelope
 	payload, err := utils.PayloadFromEnvelope(env)

diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go
@@ -202,11 +202,12 @@ func VerifyNpmPackageProvenance(env *dsselib.Envelope, provenanceOpts *options.P
 
 	// Untrusted builder.
 	if provenanceOpts.ExpectedBuilderID == "" {
-		// verify it's the npm CLI
+		// Verify it's the npm CLI.
 		builderID, err := prov.BuilderID()
 		if err != nil {
 			return err
 		}
+		// TODO(#494): update the builder ID string.
 		if !strings.HasPrefix(builderID, "https://github.com/npm/cli@") {
 			return fmt.Errorf("%w: expected 'https://github.com/npm/cli' in builder.id, got '%s'",
 				serrors.ErrorMismatchBuilderID, builderID)

diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go
@@ -114,18 +114,21 @@ func verifyNpmEnvAndCert(env *dsse.Envelope,
 		if builderOpts == nil || builderOpts.ExpectedID == nil {
 			return nil, fmt.Errorf("builder mistmatch. No builder ID provided by user , got '%v'", builderGitHubRunnerID)
 		}
-		if *builderOpts.ExpectedID != builderGitHubRunnerID {
-			return nil, fmt.Errorf("builder mistmatch. Expected '%v', got '%v'",
-				*builderOpts.ExpectedID, builderGitHubRunnerID)
+
+		trustedBuilderID, err = utils.TrustedBuilderIDNew(builderGitHubRunnerID)
+		if err != nil {
+			return nil, err
+		}
+		if err := trustedBuilderID.Matches(*builderOpts.ExpectedID, false); err != nil {
+			return nil, fmt.Errorf("builder mistmatch. %w", err)
 		}
 	}
 
 	if err := VerifyNpmPackageProvenance(env, provenanceOpts); err != nil {
 		return nil, err
 	}
 
-	// TODO: Update this string
-	fmt.Fprintf(os.Stderr, "Verified build using builder https://github.com%s at commit %s\n",
+	fmt.Fprintf(os.Stderr, "Verified build using builder %s at commit %s\n",
 		provenanceOpts.ExpectedBuilderID,
 		workflowInfo.CallerHash)