Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🐛 Signed-Releases - Check releases for signatures even if they only have source code #2186

Closed
wants to merge 5 commits into from

Conversation

raghavkaul
Copy link
Contributor

What kind of change does this PR introduce?

Fix issue where we skipped recent releases when looking for signature/provenance.

What is the current behavior?

Previously we checked for the presence of any assets. However, source code zips/tarballs aren't considered assets; they are created by default at the GitHub tag.

What is the new behavior (if this is a feature change)?**

Source code zips/tarballs

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #2169.

Does this PR introduce a user-facing change?

NONE

@raghavkaul raghavkaul temporarily deployed to integration-test August 22, 2022 14:58 Inactive
@codecov
Copy link

codecov bot commented Aug 22, 2022

Codecov Report

Merging #2186 (c26dcd9) into main (8b3793a) will decrease coverage by 0.02%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main    #2186      +/-   ##
==========================================
- Coverage   42.28%   42.25%   -0.03%     
==========================================
  Files          95       95              
  Lines        7871     7876       +5     
==========================================
  Hits         3328     3328              
- Misses       4283     4288       +5     
  Partials      260      260              

@github-actions
Copy link

Integration tests success for
[3c93ee7]
(https://github.com/ossf/scorecard/actions/runs/2904909022)

@raghavkaul raghavkaul temporarily deployed to integration-test August 22, 2022 15:29 Inactive
checks/evaluation/signed_releases.go Show resolved Hide resolved
@@ -42,7 +42,7 @@ func SignedReleases(name string, dl checker.DetailLogger, r *checker.SignedRelea
total := 0
score := 0
for _, release := range r.Releases {
if len(release.Assets) == 0 {
if release.ZipballURL == "" && release.TarballURL == "" && len(release.Assets) == 0 {
continue
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there anyway to sign or provide provenance for source code? @laurentsimon fyi

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe you can PGP-sign a tarball or zipfile (we already check for the .asc file extension, including .tar.gz.asc). However we could expand the set of signatureExtensions and provenanceExtensions if there are any tarball or zip-specific formats that we don't already have.

Copy link
Contributor

@laurentsimon laurentsimon Aug 22, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suppose it's possible to sign too. The 2 default assets are generated by GitHub and cannot be updated by maintainers. So signing them does not improve security by much, unless we distrust GH. This is very different from the threat model on other assets that can be altered by maintainers.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any update? I'm not entirely sold on the benefit of this change. If there are no assets in the GH releases, it'd be fine to return a -1. Forcing signature that adds little to no security guarantees feels like asking users to do something that's not necessary and a burden.
Happy to chat more.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The benefit of signing releases is that someone can be sure an artifact comes from the maintainer of a repo. It feels like a better approach would be to have a "not enough data" or "inconclusive" result (as per #1874), because there are no real artifacts in recent releases. I'm not even sure what benefit it provides to sign an artifact that's already being released through GitHub. If it were a package, Package integrity would be better captured by the Packaging check instead of this check.

In short, the way forward would be to wrap this kind of finding into #1874.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The benefit of signing releases is that someone can be sure an artifact comes from the maintainer of a repo.

But you need to be a maintainer to release. Are you saying that the benefit is that someone takes over a GH workflow to cut a release? Even then, the code is still from the repository, ie from a maintainer.

I'm not even sure what benefit it provides to sign an artifact that's already being released through GitHub.

In transit, these artifacts can be tampered with. I agree it's not perfect, and finding the public keys to verify is something nobody does in practice. I actually proposed getting rid of signature in #1776 as well.

If it were a package, Package integrity would be better captured by the Packaging check instead of this check.

Agreed, but no ecosystem really supports this. In golang, you don't even need signatures because code is fetched directly from repo.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR still fixes a bug in our code - instead of looking at the latest 5 releases with a release artifact, look for the latest 5 releases irrespective of whether it has a release artifact or not. The only question that remains is, how we should treat those. IMO, we have 3 options:

  1. Skip these releases and return an -1
  2. Treat releases with source code only as signed and return a score of 10.
  3. Expect a signature even if it is source code only.

(1) should be the easiest/most acceptable fix. We can follow up separately to decide b/w (2) and (3). What do folks thinks?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 on fixing the bug in the code. 1 seems fine for now.

I think we should discuss 2 and 3 more broadly in the context of what guarantees / goals this check should provide, and how it fits in the improvement of supply-chain. Today this check is not actionable due to lack of ecosystem support, and it's not "ecosystem-aware".

Wdut?

@raghavkaul raghavkaul temporarily deployed to integration-test August 22, 2022 16:17 Inactive
@github-actions
Copy link

Integration tests success for
[f26fca3]
(https://github.com/ossf/scorecard/actions/runs/2905081549)

@raghavkaul raghavkaul marked this pull request as ready for review August 22, 2022 16:19
@github-actions
Copy link

Integration tests success for
[03ad9f0]
(https://github.com/ossf/scorecard/actions/runs/2905440059)

@github-actions
Copy link

Integration tests success for
[23a4710]
(https://github.com/ossf/scorecard/actions/runs/2905080846)

* GitHub releases can be created without assets
* Source code tarballs/zips are attached to releases automatically and aren't considered assets
* If we skip these as invalid releases, we won't realize that they
  aren't signed
@github-actions
Copy link

github-actions bot commented Sep 4, 2022

Stale pull request message

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Improve Score Reporting: Signed-Releases looks at old release data
4 participants