Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Revisit implementation of gitCommit #1037

Open
lcarva opened this issue Jun 10, 2024 · 1 comment
Open

Revisit implementation of gitCommit #1037

lcarva opened this issue Jun 10, 2024 · 1 comment

Comments

@lcarva
Copy link
Member

lcarva commented Jun 10, 2024

The slsa_source_correlated package supports digest sets of type gitCommit. Allowing users to specify the following:

"resolvedDependencies": [
  {
    "digest": {
      "gitCommit": "c24001db921c8c2bbb12aeb1c33ae1d910f20504"
    },
    "uri": "git+https://gitlab.com/lucarval/sign-attest-poc"
  }
]

The spec of the digest attribute is responsible for defining how the value for gitCommit is computed:

This hash is computed over <type> SP <size> NUL <content>, where:

  • <type> is one of commit, tree, blob, tag
  • SP is the ASCII space character, 0x20
  • <size> is the number of bytes in <content>, represented as a decimal
    ASCII number with no leading zeros
  • NUL is the ASCII NUL character, 0x00
  • <content> is git representation of the object:
    • For commit, the raw commit object ([more info][so-commit][^git-docs])
    • For tree, the raw tree object, which is a series of
      <unix-octal-mode> <name> NUL <binary-digest> entries, sorted by
      <name> in the C locale ([more info][so-tree][^git-docs])
    • For blob, the raw file contents
    • For tag, the raw tag object

IIUC, in order to compute gitCommit we need the raw commit object. This is not available in the SLSA Provenance attestation. More so, our current implementation is basically performing the suggested computed for a gitBlob where the blob is the commit ID. This feels not right.

I think the intention of gitCommit is to actually just be the git commit ID as is. The description from the spec is just expanding on how git itself computes this information.

Let's use this issue to have another look at our implementation.

NOTE: There's a related feature request in Chains: tektoncd/chains#914
@lcarva lcarva mentioned this issue Jun 11, 2024
Closed
@simonbaird
Copy link
Member

simonbaird commented Dec 4, 2024
edited
Loading

After reading through the docs I think you're right. The explanation how how to compute the digest is meant to be for the use cases involving a single file, i.e. gitBlob. For a commit we can use the git sha directly.

I also think chains is using the wrong key currently. We probably want to consider supporting that anyhow so we continue to support the Chains behavior.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@simonbaird @lcarva