From 9b5d2f8c1bae498d78400c8e9263bcae6e521adf Mon Sep 17 00:00:00 2001 From: Divy Srivastava Date: Wed, 28 Feb 2024 07:58:02 +0530 Subject: feat(publish): provenance attestation (#22573) Supply chain security for JSR. ``` $ deno publish --provenance Successfully published @divy/test_provenance@0.0.3 Provenance transparency log available at https://search.sigstore.dev/?logIndex=73657418 ``` 0. Package has been published. 1. Fetches the version manifest and verifies it's matching with uploaded files and exports. 2. Builds the attestation SLSA payload using Github actions env. 3. Creates an ephemeral key pair for signing the github token (aud=sigstore) and DSSE pre authentication tag. 4. Requests a X.509 signing certificate from Fulcio using the challenge and ephemeral public key PEM. 5. Prepares a DSSE envelop for Rekor to witness. Posts an intoto entry to Rekor and gets back the transparency log index. 6. Builds the provenance bundle and posts it to JSR. --- tests/integration/publish_tests.rs | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'tests/integration/publish_tests.rs') diff --git a/tests/integration/publish_tests.rs b/tests/integration/publish_tests.rs index ae7a332c4..fafc018f9 100644 --- a/tests/integration/publish_tests.rs +++ b/tests/integration/publish_tests.rs @@ -4,6 +4,7 @@ use deno_core::serde_json::json; use test_util::assert_contains; use test_util::assert_not_contains; use test_util::env_vars_for_jsr_npm_tests; +use test_util::env_vars_for_jsr_provenance_tests; use test_util::env_vars_for_jsr_tests; use test_util::env_vars_for_npm_tests; use test_util::itest; @@ -164,6 +165,14 @@ itest!(successful { http_server: true, }); +itest!(provenance { + args: "publish --provenance", + output: "publish/successful_provenance.out", + cwd: Some("publish/successful"), + envs: env_vars_for_jsr_provenance_tests(), + http_server: true, +}); + itest!(no_check { args: "publish --token 'sadfasdf' --no-check", // still type checks the slow types output though -- cgit v1.2.3