Add Software Attestations (metadata) to enable SLSA 2 in GitLab CI (MVC)

Overview

Supply chain Levels for Software Artifacts, or SLSA (pronounced "salsa"), Level 2 places the following requirements on provenance (the metadata about how an artifact was produced):

  • Available: The provenance is available to the consumer in a format that the consumer accepts.
  • Available: The provenance format SHOULD be in-toto SLSA Provenance.
  • Authenticated: The provenance’s authenticity and integrity can be verified by the consumer.
  • Authenticated: The provenance’s authenticity SHOULD be verified through a digital signature from a private key accessible only to the service generating the provenance.

Terminology:

  • Provenance: the verifiable information about software artifacts describing where, when, and how something was produced.

  • Software Attestation: a signed statement (metadata) about a software artifact or collection of software artifacts, sometimes called a “software bill of materials”. An attestation is the generalization of raw artifact/code signing, where the signature is directly over the artifact or over a hash of the artifact. Stated more simply, a software attestation is authenticated, machine-readable metadata about one or more software artifacts.

Proposal

  • Add a mechanism to GitLab Runner that enables the generation of a GitLab-defined software attestation (metadata) for CI job execution.
  • The software attestation generated must satisfy the in-toto attestation format and spec version 0.10.

GitLab software attestation format (draft - revised 2022-03-07)

| Field | Value |
| --- | --- |
| `_type` | https://in-toto.io/Statement/v0.1 |
| `subject.name` | The filename of the artifact that is built. |
| `subject.digest.sha256` | The sha256 checksum of the artifact that is built. |
| `predicateType` | https://slsa.dev/provenance/v0.2 |
| `predicate.buildType` | https://gitlab.com/gitlab-org/gitlab-runner/-/blob/v15.1.0/PROVENANCE.md |
| `predicate.builder.id` | A URI pointing to the runner details page, for example https://gitlab.com/gitlab-com/www-gitlab-com/-/runners/3785264 |
| `predicate.invocation.configSource.uri` | git+https://{gitlabinstance.xxx}/…/{projectname}.git |
| `predicate.invocation.configSource.digest.sha256` | The sha256 checksum of the repository that is being built. |
| `predicate.invocation.configSource.entryPoint` | The name of the CI job that triggered the build. |
| `predicate.invocation.environment.name` | The name of the GitLab Runner. |
| `predicate.invocation.environment.executor` | The executor type of the GitLab Runner. |
| `predicate.invocation.environment.architecture` | The architecture of the GitLab Runner. |
| `predicate.invocation.parameters` | The names of any CI or environment variables that were present when the build command was run. The value is always represented as an empty string to avoid leaking any secrets. |

GitLab software attestation schema example (draft - revised 2022-06-15)

Please also view the SLSA Schema Template for further reference.

{
  "_type": "https://in-toto.io/Statement/v0.1",
  "subject": [{
    "name": "app.exe",
    "digest": {
      "sha256": "0bf474896363505e5ea5e5d6ace8ebfb13a760a409b1fb467d428fc716f9f284"
    }
  }],
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "predicate": {
    "buildType": "https://gitlab.com/gitlab-org/gitlab-runner/-/blob/v15.1.0/PROVENANCE.md",
    "builder": {
      "id": "https://gitlab.com/gitlab-com/www-gitlab-com/-/runners/3785264"
    },
    "invocation": {
      "configSource": {
        "uri": "git+https://gitlab.com/software-supply-chain-testing/software-supply-chain-testing.git",
        "digest": {
          "sha256": "0bf474896363505e5ea5e5d6ace8ebfb13a760a409b1fb467d428fc716f9f284"
        },
        "entryPoint": "build"
      },
      "environment": {
        "name": "myrunner",
        "executor": "docker",
        "architecture": "x86_64"
      },
      "parameters": {
        "mycustomvariable": "",
        "mycustomvariable2": ""
      }
    },
    "metadata": {
      "buildStartedOn": "<TIMESTAMP>",
      "buildFinishedOn": "<TIMESTAMP>",
      "completeness": {
        "parameters": true,
        "environment": true,
        "materials": false
      },
      "reproducible": false
    },
    "materials": []
  }
}

Note: the empty strings under `invocation.parameters` are intentional; only the variable names are recorded, so that no secret values leak into the attestation. (JSON does not allow comments, so the note lives here rather than inside the example.)

Disclaimer

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited by Sam White