[WIP] Test Witness for build attestations

.githooks/post-commit

@@ -0,0 +1,2 @@
+
+exec < /dev/tty && witness run -s commit -a git --fulcio=https://v1.fulcio.sigstore.dev --fulcio-oidc-client-id=https://oauth2.sigstore.dev/auth --fulcio-oidc-issuer=sigstore --enable-archivista --timestamp-servers https://freetsa.org/tsr -o /dev/null

.github/workflows/release.yml

@@ -0,0 +1,201 @@
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
+
+name: release
+
+on:
+  push:
+    branches:
+      - cole/witness
+
+jobs:
+  build-binaries:
+    runs-on: "ubuntu-22.04"
+
+    steps:
+      - name: Download syft
+        uses: anchore/sbom-action/download-syft@v0.14.3
+
+      - name: Checkout
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        with:
+          go-version: "1.19"
+          cache: true
+
+      - name: Download GoReleaser
+        run: go install github.com/goreleaser/goreleaser@v1.17.1
+
+      - name: Run GoReleaser
+        uses: testifysec/witness-run-action@v0.1.3
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
+        with:
+          enable-sigstore: true
+          enable-archivista: true
+          trace: true
+          step: "build"
+          command: goreleaser release --clean --snapshot
+
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: binaries
+          path: dist/
+          retention-days: 5
+
+  build-docker-server:
+    runs-on: "ubuntu-22.04"
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        with:
+          fetch-depth: 0
+
+      - name: Setup KO
+        uses: imjasonh/setup-ko@v0.6
+        env:
+          KO_DOCKER_REPO: ghcr.io/github.com/testifysec/galadriel
+      - name: Login to GHCR
+        env:
+          AUTH_TOKEN: ${{ secrets.AUTH_TOKEN }}
+        run: |
+          echo "${AUTH_TOKEN}" | ko login ghcr.io --username dummy --password-stdin
+
+      - name: Build Server
+        uses: testifysec/witness-run-action@v0.1.3
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
+          KO_DOCKER_REPO: ghcr.io/github.com/testifysec/galadriel
+        with:
+          enable-sigstore: true
+          enable-archivista: true
+          trace: true
+          step: "build"
+          attestations: "git github oci"
+          command: ko build --tarball server.tar --sbom-dir . ./cmd/server
+
+      - name: "Upload Server artifact"
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: server
+          path: server.tar
+          retention-days: 5
+
+
+  build-docker-harvestor:
+    runs-on: "ubuntu-22.04"
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        with:
+          fetch-depth: 0
+
+      - name: Setup KO
+        uses: imjasonh/setup-ko@v0.6
+        env:
+          KO_DOCKER_REPO: ghcr.io/github.com/testifysec/galadriel
+      - name: Login to GHCR
+        env:
+          AUTH_TOKEN: ${{ secrets.AUTH_TOKEN }}
+        run: |
+          echo "${AUTH_TOKEN}" | ko login ghcr.io --username dummy --password-stdin
+
+      - name: Build Harvestor
+        uses: testifysec/witness-run-action@v0.1.3
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
+          KO_DOCKER_REPO: ghcr.io/github.com/testifysec/galadriel
+
+        with:
+          enable-sigstore: true
+          enable-archivista: true
+          trace: true
+          step: "build"
+          attestations: "git github oci"
+          command: ko build --tarball harvestor.tar --sbom-dir . ./cmd/harvester
+
+      - name: "Upload Harvestor artifact"
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: harvestor
+          path: harvestor.tar
+          retention-days: 5
+
+      - name: "Upload Signed Policy and Public Key"
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: witness
+          path: |
+            .witness/policy-signed.json
+            .witness/policy-bin-signed.json
+            .witness/policy.pub
+          retention-days: 90
+
+
+  verify-artifacts:
+    needs: [build-binaries, build-docker-server, build-docker-harvestor]
+    runs-on: "ubuntu-22.04"
+
+    steps:
+
+      - name: Download Server artifact
+        uses: actions/download-artifact@v3.0.2
+        with:
+          name: server
+          path: .
+
+      - name: Download Harvestor artifact
+        uses: actions/download-artifact@v3.0.2
+        with:
+          name: harvestor
+          path: .
+
+      - name: Download Signed Policy and Public Key
+        uses: actions/download-artifact@v3.0.2
+        with:
+          name: witness
+          path: .witness
+
+      - name: Download binaries
+        uses: actions/download-artifact@v3.0.2
+        with:
+          name: binaries
+          path: dist
+
+
+      - name: InstallWitness
+        uses: jaxxstorm/action-install-gh-release@v1.10.0
+        with: # Grab the latest version
+          repo: testifysec/witness
+          tag: v0.1.13
+
+      - name: Verify Server Container
+        run: witness verify -f server.tar -p .witness/policy-signed.json -k .witness/policy.pub --enable-archivista
+
+      - name: Verify Harvestor Container
+        run: witness verify -f harvestor.tar -p .witness/policy-signed.json -k .witness/policy.pub --enable-archivista
+
+      - name: Verify dist folder
+        run: |-
+          find ./dist -type f | while read FILE
+          do
+            # Exclude config.yaml since it is common
+            if [[ $FILE == *"config.yaml"* ]]; then
+              continue
+            fi
+
+            # Run witness verify on the file
+            echo "Verifying $FILE"
+            witness verify -f $FILE -p .witness/policy-bin-signed.json -k .witness/policy.pub --enable-archivista
+          done

.github/workflows/scorecard.policy

@@ -0,0 +1,71 @@
+# Copyright 2021 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: 1
+policies:
+  Token-Permissions:
+      score: 10
+      mode: enforced
+  Branch-Protection:
+      score: 10
+      mode: enforced
+  Code-Review:
+      score: 10
+      mode: enforced
+  Dangerous-Workflow:
+      score: 10
+      mode: enforced
+  License:
+      score: 10
+      mode: enforced
+  Pinned-Dependencies:
+      score: 10
+      mode: enforced
+  Security-Policy:
+      score: 10
+      mode: enforced
+  SAST:
+      score: 10
+      mode: enforced
+  Contributors:
+      score: 10
+      mode: disabled
+  Packaging:
+      score: 10
+      mode: enforced
+  Binary-Artifacts:
+      score: 10
+      mode: enforced
+  Signed-Releases:
+      score: 10
+      mode: disabled
+  Dependency-Update-Tool:
+      score: 10
+      mode: enforced
+  Fuzzing:
+      score: 10
+      mode: enforced
+  CII-Best-Practices:
+      # passing score
+      score: 5
+      mode: enforced
+  Vulnerabilities:
+      score: 10
+      mode: enforced
+  CI-Tests:
+      score: 10
+      mode: enforced
+  Maintained:
+      score: 1
+      mode: enforced