| [ |
| { |
| "cmd": [ |
| "cipd", |
| "ensure", |
| "-root", |
| "[START_DIR]/reporter", |
| "-ensure-file", |
| "infra/tools/security/provenance_broker/${platform} git_revision:d3cf3b0144447a77fd79c84fe8500dfe993ef602", |
| "-max-threads", |
| "0", |
| "-json-output", |
| "/path/to/tmp/json" |
| ], |
| "luci_context": { |
| "realm": { |
| "name": "dart-internal:flutter" |
| }, |
| "resultdb": { |
| "current_invocation": { |
| "name": "invocations/build:8945511751514863184", |
| "update_token": "token" |
| }, |
| "hostname": "rdbhost" |
| } |
| }, |
| "name": "ensure_installed", |
| "~followup_annotations": [ |
| "@@@STEP_LOG_LINE@json.output@{@@@", |
| "@@@STEP_LOG_LINE@json.output@ \"result\": {@@@", |
| "@@@STEP_LOG_LINE@json.output@ \"\": [@@@", |
| "@@@STEP_LOG_LINE@json.output@ {@@@", |
| "@@@STEP_LOG_LINE@json.output@ \"instance_id\": \"resolved-instance_id-of-git_revision:d3c\",@@@", |
| "@@@STEP_LOG_LINE@json.output@ \"package\": \"infra/tools/security/provenance_broker/resolved-platform\"@@@", |
| "@@@STEP_LOG_LINE@json.output@ }@@@", |
| "@@@STEP_LOG_LINE@json.output@ ]@@@", |
| "@@@STEP_LOG_LINE@json.output@ }@@@", |
| "@@@STEP_LOG_LINE@json.output@}@@@", |
| "@@@STEP_LOG_END@json.output@@@" |
| ] |
| }, |
| { |
| "cmd": [ |
| "[START_DIR]/reporter/snoopy_broker", |
| "-report-stage", |
| "-stage", |
| "one" |
| ], |
| "luci_context": { |
| "realm": { |
| "name": "dart-internal:flutter" |
| }, |
| "resultdb": { |
| "current_invocation": { |
| "name": "invocations/build:8945511751514863184", |
| "update_token": "token" |
| }, |
| "hostname": "rdbhost" |
| } |
| }, |
| "name": "snoop: report_stage" |
| }, |
| { |
| "cmd": [ |
| "vpython3", |
| "-u", |
| "RECIPE_MODULE[recipe_engine::file]/resources/fileutil.py", |
| "--json-output", |
| "/path/to/tmp/json", |
| "file_hash", |
| "[CACHE]/file.zip" |
| ], |
| "infra_step": true, |
| "luci_context": { |
| "realm": { |
| "name": "dart-internal:flutter" |
| }, |
| "resultdb": { |
| "current_invocation": { |
| "name": "invocations/build:8945511751514863184", |
| "update_token": "token" |
| }, |
| "hostname": "rdbhost" |
| } |
| }, |
| "name": "Compute file hash", |
| "~followup_annotations": [ |
| "@@@STEP_TEXT@Hash calculated: d2162c0c57d337899c660e7a10c51b65e3a82f5ed56723534aae911871dd4b20@@@" |
| ] |
| }, |
| { |
| "cmd": [ |
| "[START_DIR]/reporter/snoopy_broker", |
| "-report-gcs", |
| "-digest", |
| "d2162c0c57d337899c660e7a10c51b65e3a82f5ed56723534aae911871dd4b20", |
| "-gcs-uri", |
| "gs://bucket/final_path/file.txt" |
| ], |
| "luci_context": { |
| "realm": { |
| "name": "dart-internal:flutter" |
| }, |
| "resultdb": { |
| "current_invocation": { |
| "name": "invocations/build:8945511751514863184", |
| "update_token": "token" |
| }, |
| "hostname": "rdbhost" |
| } |
| }, |
| "name": "snoop: report_gcs" |
| }, |
| { |
| "cmd": [], |
| "name": "Verify artifact.zip provenance" |
| }, |
| { |
| "cmd": [ |
| "python3", |
| "-u", |
| "RECIPE_MODULE[depot_tools::gsutil]/resources/gsutil_smart_retry.py", |
| "--", |
| "RECIPE_REPO[depot_tools]/gsutil.py", |
| "----", |
| "cp", |
| "gs://flutter_infra/release_artifacts/artifacts.zip", |
| "[CLEANUP]/verify_tmp_1/artifact.zip" |
| ], |
| "infra_step": true, |
| "luci_context": { |
| "realm": { |
| "name": "dart-internal:flutter" |
| }, |
| "resultdb": { |
| "current_invocation": { |
| "name": "invocations/build:8945511751514863184", |
| "update_token": "token" |
| }, |
| "hostname": "rdbhost" |
| } |
| }, |
| "name": "Verify artifact.zip provenance.gsutil download artifact.zip", |
| "~followup_annotations": [ |
| "@@@STEP_NEST_LEVEL@1@@@" |
| ] |
| }, |
| { |
| "cmd": [ |
| "python3", |
| "-u", |
| "RECIPE_MODULE[depot_tools::gsutil]/resources/gsutil_smart_retry.py", |
| "--", |
| "RECIPE_REPO[depot_tools]/gsutil.py", |
| "----", |
| "cp", |
| "gs://flutter_infra/release_artifacts/artifacts.zip.intoto.jsonl", |
| "[CLEANUP]/verify_tmp_1/artifact.zip.intoto.jsonl" |
| ], |
| "infra_step": true, |
| "luci_context": { |
| "realm": { |
| "name": "dart-internal:flutter" |
| }, |
| "resultdb": { |
| "current_invocation": { |
| "name": "invocations/build:8945511751514863184", |
| "update_token": "token" |
| }, |
| "hostname": "rdbhost" |
| } |
| }, |
| "name": "Verify artifact.zip provenance.gsutil download artifact.zip provenance", |
| "~followup_annotations": [ |
| "@@@STEP_NEST_LEVEL@1@@@" |
| ] |
| }, |
| { |
| "cmd": [ |
| "luci-auth", |
| "token", |
| "-scopes", |
| "https://www.googleapis.com/auth/bcid_verify https://www.googleapis.com/auth/cloud-platform", |
| "-lifetime", |
| "3m" |
| ], |
| "infra_step": true, |
| "luci_context": { |
| "realm": { |
| "name": "dart-internal:flutter" |
| }, |
| "resultdb": { |
| "current_invocation": { |
| "name": "invocations/build:8945511751514863184", |
| "update_token": "token" |
| }, |
| "hostname": "rdbhost" |
| } |
| }, |
| "name": "Verify artifact.zip provenance.get access token for default account", |
| "~followup_annotations": [ |
| "@@@STEP_NEST_LEVEL@1@@@" |
| ] |
| }, |
| { |
| "cmd": [ |
| "vpython3", |
| "-u", |
| "RECIPE_MODULE[recipe_engine::file]/resources/fileutil.py", |
| "--json-output", |
| "/path/to/tmp/json", |
| "file_hash", |
| "[CLEANUP]/verify_tmp_1/artifact.zip" |
| ], |
| "infra_step": true, |
| "luci_context": { |
| "realm": { |
| "name": "dart-internal:flutter" |
| }, |
| "resultdb": { |
| "current_invocation": { |
| "name": "invocations/build:8945511751514863184", |
| "update_token": "token" |
| }, |
| "hostname": "rdbhost" |
| } |
| }, |
| "name": "Verify artifact.zip provenance.Compute file hash", |
| "~followup_annotations": [ |
| "@@@STEP_NEST_LEVEL@1@@@", |
| "@@@STEP_TEXT@Hash calculated: 3038cc85aa9c41479c21791a47b1af8f38a422a73f61553b320b1411018a4c90@@@" |
| ] |
| }, |
| { |
| "cmd": [ |
| "vpython3", |
| "-u", |
| "RECIPE_MODULE[recipe_engine::file]/resources/fileutil.py", |
| "--json-output", |
| "/path/to/tmp/json", |
| "copy", |
| "[CLEANUP]/verify_tmp_1/artifact.zip.intoto.jsonl", |
| "/path/to/tmp/" |
| ], |
| "infra_step": true, |
| "luci_context": { |
| "realm": { |
| "name": "dart-internal:flutter" |
| }, |
| "resultdb": { |
| "current_invocation": { |
| "name": "invocations/build:8945511751514863184", |
| "update_token": "token" |
| }, |
| "hostname": "rdbhost" |
| } |
| }, |
| "name": "Verify artifact.zip provenance.read artifact.zip provenance", |
| "~followup_annotations": [ |
| "@@@STEP_NEST_LEVEL@1@@@", |
| "@@@STEP_LOG_END@artifact.zip.intoto.jsonl@@@" |
| ] |
| }, |
| { |
| "cmd": [ |
| "vpython3", |
| "-u", |
| "RECIPE_MODULE[recipe_engine::file]/resources/fileutil.py", |
| "--json-output", |
| "/path/to/tmp/json", |
| "copy", |
| "Authorization: Bearer extra.secret.token.should.not.be.logged\n", |
| "[CLEANUP]/authorization" |
| ], |
| "infra_step": true, |
| "luci_context": { |
| "realm": { |
| "name": "dart-internal:flutter" |
| }, |
| "resultdb": { |
| "current_invocation": { |
| "name": "invocations/build:8945511751514863184", |
| "update_token": "token" |
| }, |
| "hostname": "rdbhost" |
| } |
| }, |
| "name": "Verify artifact.zip provenance.write authorization", |
| "~followup_annotations": [ |
| "@@@STEP_NEST_LEVEL@1@@@" |
| ] |
| }, |
| { |
| "cmd": [ |
| "vpython3", |
| "-u", |
| "RECIPE_MODULE[recipe_engine::file]/resources/fileutil.py", |
| "--json-output", |
| "/path/to/tmp/json", |
| "copy", |
| "{\"resourceToVerify\": \"misc_software://flutter/engine\", \"artifactInfo\": {\"digests\": {\"sha256\": \"3038cc85aa9c41479c21791a47b1af8f38a422a73f61553b320b1411018a4c90\"}, \"attestations\": [\"\"]}}", |
| "[CLEANUP]/request" |
| ], |
| "infra_step": true, |
| "luci_context": { |
| "realm": { |
| "name": "dart-internal:flutter" |
| }, |
| "resultdb": { |
| "current_invocation": { |
| "name": "invocations/build:8945511751514863184", |
| "update_token": "token" |
| }, |
| "hostname": "rdbhost" |
| } |
| }, |
| "name": "Verify artifact.zip provenance.write request", |
| "~followup_annotations": [ |
| "@@@STEP_NEST_LEVEL@1@@@", |
| "@@@STEP_LOG_LINE@request@{\"resourceToVerify\": \"misc_software://flutter/engine\", \"artifactInfo\": {\"digests\": {\"sha256\": \"3038cc85aa9c41479c21791a47b1af8f38a422a73f61553b320b1411018a4c90\"}, \"attestations\": [\"\"]}}@@@", |
| "@@@STEP_LOG_END@request@@@" |
| ] |
| }, |
| { |
| "cmd": [ |
| "curl", |
| "-H", |
| "@[CLEANUP]/authorization", |
| "-H", |
| "Content-Type: application/json", |
| "-d", |
| "@[CLEANUP]/request", |
| "https://bcidsoftwareverifier-pa.googleapis.com/v1/software-artifact-verification-requests" |
| ], |
| "luci_context": { |
| "realm": { |
| "name": "dart-internal:flutter" |
| }, |
| "resultdb": { |
| "current_invocation": { |
| "name": "invocations/build:8945511751514863184", |
| "update_token": "token" |
| }, |
| "hostname": "rdbhost" |
| } |
| }, |
| "name": "Verify artifact.zip provenance.verify artifact.zip provenance", |
| "~followup_annotations": [ |
| "@@@STEP_NEST_LEVEL@1@@@", |
| "@@@STEP_LOG_LINE@raw_io.output_text@{\"allowed\": true, \"verificationSummary\": \"This artifact is definitely legitimate!\"}@@@", |
| "@@@STEP_LOG_END@raw_io.output_text@@@" |
| ] |
| }, |
| { |
| "cmd": [ |
| "vpython3", |
| "-u", |
| "RECIPE_MODULE[recipe_engine::file]/resources/fileutil.py", |
| "--json-output", |
| "/path/to/tmp/json", |
| "remove", |
| "[CLEANUP]/authorization" |
| ], |
| "infra_step": true, |
| "luci_context": { |
| "realm": { |
| "name": "dart-internal:flutter" |
| }, |
| "resultdb": { |
| "current_invocation": { |
| "name": "invocations/build:8945511751514863184", |
| "update_token": "token" |
| }, |
| "hostname": "rdbhost" |
| } |
| }, |
| "name": "Verify artifact.zip provenance.delete authorization", |
| "~followup_annotations": [ |
| "@@@STEP_NEST_LEVEL@1@@@" |
| ] |
| }, |
| { |
| "cmd": [ |
| "vpython3", |
| "-u", |
| "RECIPE_MODULE[recipe_engine::file]/resources/fileutil.py", |
| "--json-output", |
| "/path/to/tmp/json", |
| "remove", |
| "[CLEANUP]/request" |
| ], |
| "infra_step": true, |
| "luci_context": { |
| "realm": { |
| "name": "dart-internal:flutter" |
| }, |
| "resultdb": { |
| "current_invocation": { |
| "name": "invocations/build:8945511751514863184", |
| "update_token": "token" |
| }, |
| "hostname": "rdbhost" |
| } |
| }, |
| "name": "Verify artifact.zip provenance.delete request", |
| "~followup_annotations": [ |
| "@@@STEP_NEST_LEVEL@1@@@" |
| ] |
| }, |
| { |
| "cmd": [ |
| "vpython3", |
| "-u", |
| "RECIPE_MODULE[recipe_engine::file]/resources/fileutil.py", |
| "--json-output", |
| "/path/to/tmp/json", |
| "copy", |
| "This artifact is definitely legitimate!", |
| "[CLEANUP]/verify_tmp_1/artifact.zip.vsa.intoto.jsonl" |
| ], |
| "infra_step": true, |
| "luci_context": { |
| "realm": { |
| "name": "dart-internal:flutter" |
| }, |
| "resultdb": { |
| "current_invocation": { |
| "name": "invocations/build:8945511751514863184", |
| "update_token": "token" |
| }, |
| "hostname": "rdbhost" |
| } |
| }, |
| "name": "Verify artifact.zip provenance.write artifact.zip.vsa.intoto.jsonl", |
| "~followup_annotations": [ |
| "@@@STEP_NEST_LEVEL@1@@@", |
| "@@@STEP_LOG_LINE@artifact.zip.vsa.intoto.jsonl@This artifact is definitely legitimate!@@@", |
| "@@@STEP_LOG_END@artifact.zip.vsa.intoto.jsonl@@@" |
| ] |
| }, |
| { |
| "cmd": [ |
| "python3", |
| "-u", |
| "RECIPE_MODULE[depot_tools::gsutil]/resources/gsutil_smart_retry.py", |
| "--", |
| "RECIPE_REPO[depot_tools]/gsutil.py", |
| "----", |
| "cp", |
| "[CLEANUP]/verify_tmp_1/artifact.zip.vsa.intoto.jsonl", |
| "gs://flutter_infra/release_artifacts/artifacts.zip.vsa.intoto.jsonl" |
| ], |
| "infra_step": true, |
| "luci_context": { |
| "realm": { |
| "name": "dart-internal:flutter" |
| }, |
| "resultdb": { |
| "current_invocation": { |
| "name": "invocations/build:8945511751514863184", |
| "update_token": "token" |
| }, |
| "hostname": "rdbhost" |
| } |
| }, |
| "name": "Verify artifact.zip provenance.gsutil upload \"release_artifacts/artifacts.zip.vsa.intoto.jsonl\"", |
| "~followup_annotations": [ |
| "@@@STEP_NEST_LEVEL@1@@@", |
| "@@@STEP_LINK@gsutil.upload@https://storage.cloud.google.com/flutter_infra/release_artifacts/artifacts.zip.vsa.intoto.jsonl@@@" |
| ] |
| }, |
| { |
| "name": "$result" |
| } |
| ] |
