From 9b5d2f8c1bae498d78400c8e9263bcae6e521adf Mon Sep 17 00:00:00 2001
From: Divy Srivastava
Date: Wed, 28 Feb 2024 07:58:02 +0530
Subject: feat(publish): provenance attestation (#22573)

Supply chain security for JSR.

```
$ deno publish --provenance
Successfully published @divy/test_provenance@0.0.3
Provenance transparency log available at https://search.sigstore.dev/?logIndex=73657418
```

0. Package has been published.
1. Fetches the version manifest and verifies it's matching with uploaded files and exports.
2. Builds the attestation SLSA payload using Github actions env.
3. Creates an ephemeral key pair for signing the github token (aud=sigstore) and DSSE pre authentication tag.
4. Requests a X.509 signing certificate from Fulcio using the challenge and ephemeral public key PEM.
5. Prepares a DSSE envelop for Rekor to witness. Posts an intoto entry to Rekor and gets back the transparency log index.
6. Builds the provenance bundle and posts it to JSR.
---
 tests/util/server/src/servers/mod.rs | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'tests/util/server/src/servers/mod.rs')

diff --git a/tests/util/server/src/servers/mod.rs b/tests/util/server/src/servers/mod.rs
index f828f1bd4..b57e9dd25 100644
--- a/tests/util/server/src/servers/mod.rs
+++ b/tests/util/server/src/servers/mod.rs
@@ -84,6 +84,7 @@ const WS_PING_PORT: u16 = 4245;
 const H2_GRPC_PORT: u16 = 4246;
 const H2S_GRPC_PORT: u16 = 4247;
 const REGISTRY_SERVER_PORT: u16 = 4250;
+const PROVENANCE_MOCK_SERVER_PORT: u16 = 4251;
 
 // Use the single-threaded scheduler. The hyper server is used as a point of
 // comparison for the (single-threaded!) benchmarks in cli/bench. We're not
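Review bot: The new `PROVENANCE_MOCK_SERVER_PORT` constant carries no comment saying what the server on that port stands in for, and unlike the neighbouring `REGISTRY_SERVER_PORT` the name alone does not tell a reader that this is a test-only stand-in for the signing-certificate and transparency-log endpoints the commit description mentions (Fulcio/Rekor), which matters because nothing on the real publish path should ever be pointed at it. A one-line comment above the constant, such as `// Test-only mock of the provenance (signing cert + transparency log) endpoints exercised by publish tests; see registry::provenance_mock_server.`, would record that intent; the wording is hedged because the mock's actual routes are not part of this diff. The wiring in the following hunks of `run_all_servers`, whose body starts and ends outside those hunks, mirrors the other servers and needs no change.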
@@ -127,6 +128,8 @@ pub async fn run_all_servers() {
   let h2_grpc_server_fut = grpc::h2_grpc_server(H2_GRPC_PORT, H2S_GRPC_PORT);
 
   let registry_server_fut = registry::registry_server(REGISTRY_SERVER_PORT);
+  let provenance_mock_server_fut =
+    registry::provenance_mock_server(PROVENANCE_MOCK_SERVER_PORT);
 
   let server_fut = async {
     futures::join!(
@@ -154,6 +157,7 @@ pub async fn run_all_servers() {
       h2_only_server_fut,
       h2_grpc_server_fut,
       registry_server_fut,
+      provenance_mock_server_fut,
     )
   }
   .boxed_local();
-- 
cgit v1.2.3