
gh attestation verify doesn't actually inspect provenance statement generated by this action #539


Open
arianvp opened this issue Mar 21, 2025 · 0 comments


arianvp commented Mar 21, 2025

In order to be SLSA-compliant, the SLSA provenance predicate should be verified as instructed in https://slsa.dev/spec/v1.0/verifying-artifacts; however, the CLI doesn't do that. I found this surprising.

The contents of the provenance statement should be matched against the content of the signing certificate, otherwise there is very little point in creating the statement with https://github.com/actions/attest-build-provenance in the first place.

I expected the CLI to inspect the contents of the predicate and the contents of the statement: check that buildType is https://actions.github.io/buildtypes/workflow/v1, inspect externalParameters and verify them against the contents of the Sigstore certificate. But this doesn't seem to be happening.

Not sure if this bug should be tracked here or in https://github.com/cli/cli
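The verification step the issue asks for, as an added example that is not part of the original issue and not code from actions/attest-build-provenance or from gh CLI: take the in-toto statement, check the statement type, predicate type and buildType, and compare externalParameters, builder.id, invocationId and the resolved source commit against the claims carried in the Fulcio signing certificate, plus the artifact digest against the statement subject. Everything below is constructed sample data: the statement shape follows what the workflow/v1 build type documents, the certificate claims are assumed to have already been decoded from the certificate's Sigstore extension OIDs (1.3.6.1.4.1.57264.1.N; the N-to-claim assignment and which predicate field should match which OID are this example's own reading of the Fulcio spec, so check them against it), and decoding the X.509 certificate itself is out of scope here. The function names (`verify_provenance`, `with_workflow_repository`) and the `example-org/app` repository are hypothetical.

```python
"""Check a SLSA v1 provenance predicate against the signing certificate's claims.
Added example; the statement and certificate claims are constructed data."""
import copy
import hashlib

INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1"
GITHUB_WORKFLOW_BUILDTYPE = "https://actions.github.io/buildtypes/workflow/v1"
GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"

# Sigstore/Fulcio certificate extension OIDs (1.3.6.1.4.1.57264.1.N).  The mapping of
# N to claim is this example's assumption, taken from the Fulcio spec, not from the issue.
OID_ISSUER = "1.3.6.1.4.1.57264.1.8"
OID_SOURCE_REPO_URI = "1.3.6.1.4.1.57264.1.12"
OID_SOURCE_REPO_DIGEST = "1.3.6.1.4.1.57264.1.13"
OID_SOURCE_REPO_REF = "1.3.6.1.4.1.57264.1.14"
OID_BUILD_CONFIG_URI = "1.3.6.1.4.1.57264.1.18"
OID_RUN_INVOCATION_URI = "1.3.6.1.4.1.57264.1.21"

# Constructed build: a hypothetical repository, workflow, commit and run.
REPO = "https://github.com/example-org/app"
WORKFLOW_PATH = ".github/workflows/release.yml"
REF = "refs/heads/main"
COMMIT = "a" * 40
RUN = f"{REPO}/actions/runs/123/attempts/1"
ARTIFACT_SHA256 = hashlib.sha256(b"constructed release tarball bytes").hexdigest()

# Constructed in-toto statement in the shape attest-build-provenance produces.
STATEMENT = {
    "_type": INTOTO_STATEMENT_V1,
    "subject": [{"name": "app-1.0.0.tar.gz", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": SLSA_V1_PREDICATE,
    "predicate": {
        "buildDefinition": {
            "buildType": GITHUB_WORKFLOW_BUILDTYPE,
            "externalParameters": {"workflow": {"ref": REF, "repository": REPO, "path": WORKFLOW_PATH}},
            "resolvedDependencies": [{"uri": f"git+{REPO}@{REF}", "digest": {"gitCommit": COMMIT}}],
        },
        "runDetails": {
            "builder": {"id": f"{REPO}/{WORKFLOW_PATH}@{REF}"},
            "metadata": {"invocationId": RUN},
        },
    },
}

# Constructed claims, as they would be decoded from the Fulcio leaf certificate.
CERT_CLAIMS = {
    OID_ISSUER: GITHUB_OIDC_ISSUER,
    OID_SOURCE_REPO_URI: REPO,
    OID_SOURCE_REPO_DIGEST: COMMIT,
    OID_SOURCE_REPO_REF: REF,
    OID_BUILD_CONFIG_URI: f"{REPO}/{WORKFLOW_PATH}@{REF}",
    OID_RUN_INVOCATION_URI: RUN,
}


def verify_provenance(statement, cert_claims, artifact_sha256, expected_repo):
    """Return a list of mismatches; an empty list means the predicate agrees with
    the certificate, the artifact digest, and the expected source repository."""
    problems = []
    if statement.get("_type") != INTOTO_STATEMENT_V1:
        problems.append(f"unexpected statement type {statement.get('_type')!r}")
    if statement.get("predicateType") != SLSA_V1_PREDICATE:
        return problems + [f"unexpected predicateType {statement.get('predicateType')!r}"]
    if not any(s.get("digest", {}).get("sha256") == artifact_sha256 for s in statement.get("subject", [])):
        problems.append("artifact sha256 not among statement subjects")
    if cert_claims.get(OID_ISSUER) != GITHUB_OIDC_ISSUER:
        problems.append(f"certificate issuer is {cert_claims.get(OID_ISSUER)!r}, not GitHub Actions")
    predicate = statement.get("predicate", {})
    build = predicate.get("buildDefinition", {})
    if build.get("buildType") != GITHUB_WORKFLOW_BUILDTYPE:
        return problems + [f"unexpected buildType {build.get('buildType')!r}"]
    workflow = build.get("externalParameters", {}).get("workflow", {})
    run_details = predicate.get("runDetails", {})
    # Each predicate field is paired with the certificate claim it must equal.
    pairs = [
        ("workflow.repository", workflow.get("repository"), cert_claims.get(OID_SOURCE_REPO_URI)),
        ("workflow.ref", workflow.get("ref"), cert_claims.get(OID_SOURCE_REPO_REF)),
        ("workflow repository/path@ref", f"{workflow.get('repository')}/{workflow.get('path')}@{workflow.get('ref')}",
         cert_claims.get(OID_BUILD_CONFIG_URI)),
        ("builder.id", run_details.get("builder", {}).get("id"), cert_claims.get(OID_BUILD_CONFIG_URI)),
        ("metadata.invocationId", run_details.get("metadata", {}).get("invocationId"),
         cert_claims.get(OID_RUN_INVOCATION_URI)),
    ]
    for name, in_statement, in_cert in pairs:
        if in_statement is None or in_statement != in_cert:
            problems.append(f"{name}: statement {in_statement!r} != certificate {in_cert!r}")
    commits = {d.get("digest", {}).get("gitCommit") for d in build.get("resolvedDependencies", [])}
    if cert_claims.get(OID_SOURCE_REPO_DIGEST) not in commits:
        problems.append("certificate source commit not among resolvedDependencies")
    if workflow.get("repository") != expected_repo:  # the verifier's own policy
        problems.append(f"built from {workflow.get('repository')!r}, expected {expected_repo!r}")
    return problems


def with_workflow_repository(statement, repository):
    """Deep copy of a statement with externalParameters.workflow.repository swapped (tampering demo)."""
    tampered = copy.deepcopy(statement)
    tampered["predicate"]["buildDefinition"]["externalParameters"]["workflow"]["repository"] = repository
    return tampered


if __name__ == "__main__":
    print("genuine:", verify_provenance(STATEMENT, CERT_CLAIMS, ARTIFACT_SHA256, REPO))
    forged = with_workflow_repository(STATEMENT, "https://github.com/attacker/app")
    print("forged: ", verify_provenance(forged, CERT_CLAIMS, ARTIFACT_SHA256, REPO))
```

The point of pairing each predicate field with a certificate claim is that the certificate's extension values are asserted by the OIDC issuer at signing time, while the predicate body is whatever the workflow chose to sign; a verifier that only checks the signature accepts any predicate the signer wrote, which is the gap the issue describes.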
