Upload from GitLab CI fails with repository and branch of cert doesn't match that of request

[jamietanna]

I've just been looking at adding support for publishing results from GitLab CI for a few of my projects.

I've just hit #511 with my test repo so I thought I'd try using a non-nested group which now fails with something slightly different:

2024/02/20 12:01:49 error processing signature: error sending scorecard results to webapp: http response 400, status: 400 Bad Request, error: {"code":400,"message":"workflow verification failed: repository and branch of cert doesn't match that of request, see https://github.com/ossf/scorecard-action#workflow-restrictions for details."}

There's some more details in my thread in the OpenSSF Slack, if that's of help.

The ephemeral certificate has the following data within it:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5a:fa:aa:f8:2a:df:9c:09:8d:6a:2e:e3:84:be:16:ff:bd:13:77:79
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: O=sigstore.dev, CN=sigstore-intermediate
        Validity
            Not Before: Feb 20 12:01:34 2024 GMT
            Not After : Feb 20 12:11:34 2024 GMT
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:93:8a:e6:ab:41:f6:65:e3:f6:2c:e8:6b:91:85:
                    a5:be:09:d1:b6:7e:da:15:4b:b1:f7:0e:a3:83:32:
                    f6:d9:fc:53:d7:43:cb:20:ab:ba:26:63:7f:16:fa:
                    6a:9d:34:be:8f:39:50:dd:f8:fa:56:d9:a0:5a:2b:
                    19:ea:ba:d5:2d
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: 
                Code Signing
            X509v3 Subject Key Identifier: 
                2D:3A:F3:CB:D9:28:8F:FB:95:CA:05:AC:2B:3A:67:96:25:C7:24:E1
            X509v3 Authority Key Identifier: 
                DF:D3:E9:CF:56:24:11:96:F9:A8:D8:E9:28:55:A2:C6:2E:18:64:3F
            X509v3 Subject Alternative Name: critical
                URI:https://gitlab.com/jamietanna/hacking-scorecards-gitlab//.gitlab-ci.yml@refs/heads/main
            1.3.6.1.4.1.57264.1.1: 
                https://gitlab.com
            1.3.6.1.4.1.57264.1.8: 
                ..https://gitlab.com
            1.3.6.1.4.1.57264.1.9: 
                .Whttps://gitlab.com/jamietanna/hacking-scorecards-gitlab//.gitlab-ci.yml@refs/heads/main
            1.3.6.1.4.1.57264.1.10: 
                .(41b7c9b1e870fb7efaf998f1e4e935e4b6190c98
            1.3.6.1.4.1.57264.1.11: 
                .
gitlab-hosted
            1.3.6.1.4.1.57264.1.12: 
                .7https://gitlab.com/jamietanna/hacking-scorecards-gitlab
            1.3.6.1.4.1.57264.1.13: 
                .(41b7c9b1e870fb7efaf998f1e4e935e4b6190c98
            1.3.6.1.4.1.57264.1.14: 
                ..refs/heads/main
            1.3.6.1.4.1.57264.1.15: 
                ..55110726
            1.3.6.1.4.1.57264.1.16: 
                ..https://gitlab.com/jamietanna
            1.3.6.1.4.1.57264.1.17: 
                ..305304
            1.3.6.1.4.1.57264.1.18: 
                .Whttps://gitlab.com/jamietanna/hacking-scorecards-gitlab//.gitlab-ci.yml@refs/heads/main
            1.3.6.1.4.1.57264.1.19: 
                .(41b7c9b1e870fb7efaf998f1e4e935e4b6190c98
            1.3.6.1.4.1.57264.1.20: 
                ..push
            1.3.6.1.4.1.57264.1.21: 
                .Ihttps://gitlab.com/jamietanna/hacking-scorecards-gitlab/-/jobs/6212550642
            1.3.6.1.4.1.57264.1.22: 
                ..public
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : DD:3D:30:6A:C6:C7:11:32:63:19:1E:1C:99:67:37:02:
                                A2:4A:5E:B8:DE:3C:AD:FF:87:8A:72:80:2F:29:EE:8E
                    Timestamp : Feb 20 12:01:34.423 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:32:4E:FC:E3:4B:90:C6:14:2F:06:1C:1C:
                                12:13:42:1C:34:3C:4A:1B:E3:5D:C0:A4:DA:8C:26:28:
                                B4:CE:F6:26:02:20:11:3B:0C:CF:1B:FC:38:AB:E1:AC:
                                69:C8:5C:71:F6:51:66:C6:FA:33:A3:B3:11:D6:8F:E3:
                                36:E8:BE:FA:D6:B1
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:65:02:31:00:e3:26:30:93:3d:d1:17:59:e4:87:bb:18:99:
        76:01:5d:71:8e:2e:7e:79:58:d5:0f:6c:1c:31:eb:4d:f8:9a:
        e8:6a:d2:a1:47:34:9e:2c:36:af:96:70:0d:5a:8c:76:0e:02:
        30:25:a1:23:24:44:d6:78:79:49:99:9d:f0:6d:50:47:23:f7:
        8f:82:5b:62:09:91:59:91:72:5d:4e:c6:09:a5:a3:4c:67:9a:
        a3:e4:b8:ed:60:eb:ac:5c:02:d6:a9:b8:55

I'm taking advantage of sigstore/cosign#2864 to use a Sigstore-specific ID token to provide non-interactive authentication, and then using the CI_JOB_JWT to actually sign the data

[spencerschrock]

Thanks for including the certificate. I haven't seen the populated entries for GitLab yet.

There's a few things to discuss here:

1. Following the cert back to the producing workflow
2. Verifying the workflow

For the first point, #554 would likely need done first. The GitLab cert above doesn't have the fields we currently check, but does have the fields we should be checking to (partially) fix #554 as well.

For the second point, I'm not as familiar with GitLab CI, but there doesn't seem to be a GitHub action "marketplace". One benefit of that on the GitHub side is it allows us to have confidence about how the results are produced. What steps would help ensure someone didn't create their own JSON payload to upload?

[raghavkaul]

I see GitLab is working on an equivalent to the GitHub Actions ecosystem: https://about.gitlab.com/blog/2023/07/10/introducing-ci-components/. If there were a standard Scorecard action component on GitLab, we could check for the presence of the component in the workflow file, similar to how we check for the Scorecard job in

scorecard-webapp/app/server/verify_workflow.go

Line 194 in efeceb7

func findScorecardJob(jobs map[string]*actionlint.Job) *actionlint.Job {

I would want this feature out of experimental before we rely on it, though.

[adam-moss]

Just to note, CI Components became GA with GitLab v17

[adam-moss]

Just to note, CI Components became GA with GitLab v17

And now the have verified badges too if that is something you wanted to explore: https://docs.gitlab.com/ee/ci/components/#verified-component-creators