Commit 3772096
build: fixing overlap in provenance filenames that causes race condition with multiple provenance generation jobs (#429)
The `client`, `server`, and `server-redis` provenance generation workflows each create a `{windows,linux,macos}-multiple-provenance.intoto.jsonl` file that gets uploaded to the respective tagged releases. However, in an intermediate step, these files are temporarily uploaded to the workflow workspace that's shared between all three release types. Very occasionally, a race condition happens where one release type will overwrite the provenance file for the other release type before it's able to download it and upload it to the appropriate tagged release, which results in a SLSA verification error. This quick fix to prefix the provenance files with the release type should remove this overlap/conflict/race condition.
1 parent 4324e66 commit 3772096
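The failure mode the commit message describes, as an added example that is not part of the cpp-sdks repository: a pre-check that compares the subjects inside an `.intoto.jsonl` provenance against the packages sitting beside it, which is exactly the mismatch slsa-verifier rejects once one release type's file has overwritten another's. The release directory, zip contents and DSSE envelope are constructed for the demo.

```python
"""Pre-check that a SLSA provenance's subjects cover the release artifacts.

Added example, not code from the LaunchDarkly cpp-sdks repository. The
release directory, zip contents and DSSE envelope are constructed here.
"""
import base64
import hashlib
import json
import tempfile
from pathlib import Path


def provenance_subjects(jsonl_text: str) -> dict[str, str]:
    """Collect {artifact name: sha256} from each DSSE envelope line."""
    subjects = {}
    for line in filter(str.strip, jsonl_text.splitlines()):
        statement = json.loads(base64.b64decode(json.loads(line)["payload"]))
        for subj in statement.get("subject", []):
            subjects[subj["name"]] = subj["digest"]["sha256"]
    return subjects


def check_artifacts(release_dir: Path, provenance_name: str) -> dict[str, str]:
    """Classify every *.zip in release_dir as ok, mismatch or unattested."""
    subjects = provenance_subjects((release_dir / provenance_name).read_text())
    verdict = {}
    for path in sorted(release_dir.glob("*.zip")):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        expected = subjects.get(path.name)
        verdict[path.name] = ("unattested" if expected is None
                              else "ok" if expected == digest else "mismatch")
    return verdict


def demo() -> dict[str, str]:
    """Simulate the race: the provenance on disk came from a server build."""
    d = Path(tempfile.mkdtemp())
    for name in ("linux-gcc-x64-static.zip", "linux-gcc-x64-dynamic.zip"):
        (d / name).write_bytes(b"client build of " + name.encode())
    # Constructed statement: lists one artifact only, with a foreign digest.
    server_digest = hashlib.sha256(b"server build").hexdigest()
    statement = {"_type": "https://in-toto.io/Statement/v0.1",
                 "subject": [{"name": "linux-gcc-x64-static.zip",
                              "digest": {"sha256": server_digest}}]}
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    envelope = {"payloadType": "application/vnd.in-toto+json",
                "payload": payload, "signatures": []}
    prov = "linux-client-multiple-provenance.intoto.jsonl"
    (d / prov).write_text(json.dumps(envelope) + "\n")
    return check_artifacts(d, prov)
```

This only checks subject coverage; signature and builder identity are still slsa-verifier's job.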

File tree

2 files changed

+6
-6
lines changed

.github/workflows/release-please.yml

Lines changed: 3 additions & 3 deletions
@@ -107,7 +107,7 @@ jobs:
107107
base64-subjects: "${{ needs.release-client.outputs[format('hashes-{0}', matrix.os)] }}"
108108
upload-assets: true
109109
upload-tag-name: ${{ needs.release-please.outputs.package-client-tag }}
110-
provenance-name: ${{ format('{0}-multiple-provenance.intoto.jsonl', matrix.os) }}
110+
provenance-name: ${{ format('{0}-client-multiple-provenance.intoto.jsonl', matrix.os) }}
111111

112112
release-server-provenance:
113113
needs: [ 'release-please', 'release-server' ]
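Review bot: the rename on line 110 breaks any consumer that fetches the asset by its old fixed name (`linux-multiple-provenance.intoto.jsonl`), and the release-type segment is typed by hand in each of the three jobs, so a typo in one job would silently reintroduce the collision the commit is fixing; consider a single per-job variable for the segment and a release-notes line telling users with pinned verification scripts about the new asset names.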
@@ -124,7 +124,7 @@ jobs:
124124
base64-subjects: "${{ needs.release-server.outputs[format('hashes-{0}', matrix.os)] }}"
125125
upload-assets: true
126126
upload-tag-name: ${{ needs.release-please.outputs.package-server-tag }}
127-
provenance-name: ${{ format('{0}-multiple-provenance.intoto.jsonl', matrix.os) }}
127+
provenance-name: ${{ format('{0}-server-multiple-provenance.intoto.jsonl', matrix.os) }}
128128

129129
release-server-redis-provenance:
130130
needs: [ 'release-please', 'release-server-redis' ]
@@ -141,4 +141,4 @@ jobs:
141141
base64-subjects: "${{ needs.release-server-redis.outputs[format('hashes-{0}', matrix.os)] }}"
142142
upload-assets: true
143143
upload-tag-name: ${{ needs.release-please.outputs.package-server-redis-tag }}
144-
provenance-name: ${{ format('{0}-multiple-provenance.intoto.jsonl', matrix.os) }}
144+
provenance-name: ${{ format('{0}-server-redis-multiple-provenance.intoto.jsonl', matrix.os) }}
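Review bot: `server-redis` contains a hyphen, so `linux-server-redis-multiple-provenance.intoto.jsonl` sits next to `linux-server-multiple-provenance.intoto.jsonl` and a glob such as `linux-server-*` would match both; not a collision, but worth a sentence in PROVENANCE.md listing the exact PACKAGE values (`client`, `server`, `server-redis`) so nobody has to infer them from the workflow.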

PROVENANCE.md

Lines changed: 3 additions & 3 deletions
@@ -2,18 +2,18 @@
22

33
LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) (Supply-chain Levels for Software Artifacts) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages.
44

5-
As part of [SLSA requirements for level 3 compliance](https://slsa.dev/spec/v1.0/requirements), LaunchDarkly publishes provenance about our SDK package builds using [GitHub's generic SLSA3 provenance generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#generation-of-slsa3-provenance-for-arbitrary-projects) for distribution alongside our packages. These attestations are available for download from the GitHub release page for the release version under Assets > `OSNAME-multiple-provenance.intoto.jsonl`.
5+
As part of [SLSA requirements for level 3 compliance](https://slsa.dev/spec/v1.0/requirements), LaunchDarkly publishes provenance about our SDK package builds using [GitHub's generic SLSA3 provenance generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#generation-of-slsa3-provenance-for-arbitrary-projects) for distribution alongside our packages. These attestations are available for download from the GitHub release page for the release version under Assets > `OSNAME-PACKAGE-multiple-provenance.intoto.jsonl`.
66

77
To verify SLSA provenance attestations, we recommend using [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). Example usage for verifying SDK packages for Linux is included below:
88

99
```
1010
# Ensure provenance file is downloaded along with packages for your OS
1111
$ ls /tmp/launchdarkly-cpp-client-3.4.0
12-
linux-gcc-x64-dynamic.zip linux-gcc-x64-static.zip linux-multiple-provenance.intoto.jsonl
12+
linux-gcc-x64-dynamic.zip linux-gcc-x64-static.zip linux-client-multiple-provenance.intoto.jsonl
1313
1414
# Run slsa-verifier to verify provenance against package artifacts
1515
$ slsa-verifier verify-artifact \
16-
--provenance-path linux-multiple-provenance.intoto.jsonl \
16+
--provenance-path linux-client-multiple-provenance.intoto.jsonl \
1717
--source-uri github.com/launchdarkly/cpp-sdks \
1818
linux-gcc-x64-static.zip linux-gcc-x64-dynamic.zip
1919
Verified signature against tlog entry index 59501683 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77ad75383b2cf5388a2587a27acf06c948205b60999c208ae5fcbe89fae6a6aae70
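Review bot: the new placeholder `OSNAME-PACKAGE-multiple-provenance.intoto.jsonl` on line 5 never says what PACKAGE can be, while the workflow change fixes it to `client`, `server` and `server-redis`; spell those out and note that the Linux example is for the client package only. Also, the `ls` shows the files under `/tmp/launchdarkly-cpp-client-3.4.0` but `slsa-verifier` is then run with bare relative paths, so add a `cd` into that directory (or use full paths) to keep the example copy-pasteable.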
