From 9b5d2f8c1bae498d78400c8e9263bcae6e521adf Mon Sep 17 00:00:00 2001 From: Divy Srivastava Date: Wed, 28 Feb 2024 07:58:02 +0530 Subject: feat(publish): provenance attestation (#22573) Supply chain security for JSR. ``` $ deno publish --provenance Successfully published @divy/test_provenance@0.0.3 Provenance transparency log available at https://search.sigstore.dev/?logIndex=73657418 ``` 0. Package has been published. 1. Fetches the version manifest and verifies it's matching with uploaded files and exports. 2. Builds the attestation SLSA payload using Github actions env. 3. Creates an ephemeral key pair for signing the github token (aud=sigstore) and DSSE pre authentication tag. 4. Requests a X.509 signing certificate from Fulcio using the challenge and ephemeral public key PEM. 5. Prepares a DSSE envelop for Rekor to witness. Posts an intoto entry to Rekor and gets back the transparency log index. 6. Builds the provenance bundle and posts it to JSR. --- tests/testdata/publish/successful_provenance.out | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 tests/testdata/publish/successful_provenance.out (limited to 'tests/testdata/publish') diff --git a/tests/testdata/publish/successful_provenance.out b/tests/testdata/publish/successful_provenance.out new file mode 100644 index 000000000..512efcff0 --- /dev/null +++ b/tests/testdata/publish/successful_provenance.out @@ -0,0 +1,7 @@ +Check file:///[WILDCARD]/publish/successful/mod.ts +Checking for slow types in the public API... +Check file:///[WILDCARD]/publish/successful/mod.ts +Publishing @foo/bar@1.0.0 ... +Successfully published @foo/bar@1.0.0 +Provenance transparency log available at https://search.sigstore.dev/?logIndex=42069 +Visit http://127.0.0.1:4250/@foo/bar@1.0.0 for details -- cgit v1.2.3