Google Git
Sign in
flutter / mirrors / cocoon / dd9146ec364ae3e50bcc2eef5a3b13b493564148^! / .
commitdd9146ec364ae3e50bcc2eef5a3b13b493564148[log] [tgz]
authorDrew Roen <102626803+drewroengoogle@users.noreply.github.com>Wed Mar 29 11:12:48 2023 -0500
committerGitHub <noreply@github.com>Wed Mar 29 16:12:48 2023 +0000
tree66d3598c8931e12122a3ed85aa89a6ac74b5f336
parentb0031f8d9422b7c88ef948db9b1f3d7dc765ea7b [diff]
Update verify_provenance.sh to check two different source uris (#2576)

Update verify_provenance.sh to check two different source uris
diff --git a/cloud_build/verify_provenance.sh b/cloud_build/verify_provenance.sh
index bc39099..7c55c17 100755
--- a/cloud_build/verify_provenance.sh
+++ b/cloud_build/verify_provenance.sh

@@ -6,7 +6,9 @@
 # This script is used to verify provenance of our artifacts using slsa-verifier.
 # If slsa-verifier is unable to ensure the provenance of the artifact is
 # legitimate, then the script will exit with a non-zero exit code.
-set -e
+PROVENANCE_PATH=$1
+BUILDER_ID=https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3
+SOURCE_URI=https://github.com/flutter/cocoon
 
 # Download the jq binary in order to obtain the artifact registry url from the
 # docker image provenance.
@@ -20,6 +22,9 @@
 go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier
 popd
 
+FULLY_QUALIFIED_DIGEST=$(cat $PROVENANCE_PATH |
+  jq -r .image_summary.fully_qualified_digest)
+
 # This command uses slsa-verifier to ensure the provenance has the correct
 # source location and builder.
 # "source-uri" is the original location of the source code
@@ -29,9 +34,32 @@
 # Note: jq is used in order to obtain the full artifact registry url from
 # the provenance metadata.
 echo "Verifying the provenance is valid and correct..."
-FULLY_QUALIFIED_DIGEST=$(cat $1 | \
-  jq -r .image_summary.fully_qualified_digest)
+echo "Checking for source-uri of $SOURCE_URI"
 slsa-verifier verify-image $FULLY_QUALIFIED_DIGEST \
-  --source-uri git+https://github.com/flutter/cocoon \
-  --builder-id=https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3 \
-  --provenance-path $1
+  --source-uri $SOURCE_URI \
+  --builder-id=$BUILDER_ID \
+  --provenance-path $PROVENANCE_PATH
+
+# If the provenance failed, try again, but check for 'git+' in the source-uri
+# Context: Cloud Build is sometimes generating provenance with 'git+', but it
+# will eventually be generated for all builds.
+# TODO(drewroengoogle): Once the cloud build change is completely rolled out,
+# remove this logic and only check for 'git+'.
+COMMAND_RESULT=$?
+if [[ $COMMAND_RESULT -eq 0 ]]; then
+  echo "Provenance verified!" && exit $COMMAND_RESULT
+fi
+
+echo "Verifying the provenance is valid and correct..."
+echo "Checking for source-uri of git+$SOURCE_URI"
+slsa-verifier verify-image $FULLY_QUALIFIED_DIGEST \
+  --source-uri git+$SOURCE_URI \
+  --builder-id=$BUILDER_ID \
+  --provenance-path $PROVENANCE_PATH
+
+COMMAND_RESULT=$?
+if [[ $COMMAND_RESULT -eq 0 ]]; then
+  echo "Provenance verified!" && exit $COMMAND_RESULT
+fi
+
+echo "Failed to validate provenance." && exit $COMMAND_RESULT