
Authenticating Supply-chain Metadata: Building Remote Code Attestations on GitHub

2022-06-21

Authors: Laurent Simon, Asra Ali


Summary

The presentation discusses the importance of artifact attestation, in the form of SLSA provenance, in ensuring the authenticity of build artifacts and creating strong links between artifacts and their source repositories. It also highlights the various use cases of artifact attestation in the supply chain.
  • Artifact attestation creates a strong link between build artifacts and their source repositories, ensuring authenticity and enabling the creation of policies.
  • Artifact attestation can be used to enforce policies at different stages of the supply chain, including the control plane, build time, and installation time.
  • GitHub's dependency API and SBOM API can benefit from artifact attestation to ensure the authenticity of dependencies and SBOMs.
  • Artifact attestation can be used to prove to third parties that SBOMs are authentic and were created without cheating or hiding vulnerabilities.
  • Artifact attestation can be used for any kind of metadata, including static analysis tool results.
The presenter demonstrates how SLSA provenance can be used to verify the authenticity of a binary and its source repository. The SLSA provenance includes the commit hash used to compile the binary, the repository it came from, and the steps performed during compilation. This information can be used to rebuild and replay the compilation process and to check for specific flags or environment variables. The presenter also highlights the importance of artifact attestation in GitHub's dependency API and SBOM API, where maintainers can publish their exact dependencies and SBOMs to GitHub. Artifact attestation can be used to prove the authenticity of these artifacts and ensure that they were created without cheating or hiding vulnerabilities.
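The verification the presenter describes, as an added example that is not code from the talk or from the SLSA project: a consumer holds a binary and a SLSA v0.2 provenance statement, and checks that the binary's digest is a subject of the statement, that the statement comes from a trusted builder, that the recorded source is the expected repository at a well-formed commit, and that the recorded build steps carry the flags and environment variables the consumer's policy requires. The artifact bytes, the `example-org` repository and builder identities, and the commit hash are all constructed for the example; the statement is assumed to have already had its signature verified (for instance, as part of the attestation envelope the builder produced), since this code checks content, not signatures.

```python
import hashlib
import json

# Constructed sample "binary" and a SLSA v0.2 style provenance statement describing it.
# Artifact bytes, repository, builder id and commit hash are all made up for this example.
ARTIFACT = b"\x7fELF constructed sample binary, not a real executable\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

PROVENANCE_JSON = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "myapp-linux-amd64", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        # Hypothetical trusted builder (a reusable workflow pinned to a tag).
        "builder": {"id": "https://github.com/example-org/builder/.github/workflows/builder.yml@refs/tags/v1.0.0"},
        "invocation": {
            "configSource": {
                "uri": "git+https://github.com/example-org/myapp@refs/tags/v1.2.3",
                "digest": {"sha1": "0123456789abcdef0123456789abcdef01234567"},
                "entryPoint": ".github/workflows/release.yml",
            },
        },
        "buildConfig": {
            "steps": [
                {"command": ["go", "build", "-trimpath", "-o", "myapp-linux-amd64", "."],
                 "env": ["CGO_ENABLED=0"]},
            ]
        },
    },
})

TRUSTED_BUILDER_PREFIX = "https://github.com/example-org/builder/"  # hypothetical
EXPECTED_REPO = "github.com/example-org/myapp"                      # hypothetical


def verify_provenance(provenance_json, artifact_bytes, expected_repo,
                      trusted_builder_prefix, required_flags=(), required_env=()):
    """Check an already signature-verified provenance statement against an artifact.

    Returns a dict with 'ok', a list of human-readable 'problems', and the source
    'repo' and 'commit' the builder recorded, so a policy can act on them.
    """
    stmt = json.loads(provenance_json)
    problems = []

    # 1. The artifact we hold must be one of the statement's subjects.
    actual = hashlib.sha256(artifact_bytes).hexdigest()
    subjects = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if actual not in subjects:
        problems.append("artifact sha256 %s is not listed as a subject" % actual)

    # 2. Only SLSA provenance from a builder we trust counts.
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        problems.append("unexpected predicateType %r" % stmt.get("predicateType"))
    pred = stmt.get("predicate", {})
    builder_id = pred.get("builder", {}).get("id", "")
    if not builder_id.startswith(trusted_builder_prefix):
        problems.append("untrusted builder %r" % builder_id)

    # 3. The source must be the repository we expect, at a well-formed commit.
    src = pred.get("invocation", {}).get("configSource", {})
    uri = src.get("uri", "")
    repo = uri.replace("git+https://", "", 1).split("@", 1)[0]
    if repo != expected_repo:
        problems.append("source repo %r is not the expected %r" % (repo, expected_repo))
    commit = src.get("digest", {}).get("sha1")
    if not commit or len(commit) != 40:
        problems.append("missing or malformed source commit")

    # 4. Replay policy: the recorded build steps must carry the flags/env we require.
    steps = pred.get("buildConfig", {}).get("steps", [])
    command_tokens = [tok for step in steps for tok in step.get("command", [])]
    env_entries = [e for step in steps for e in step.get("env", [])]
    for flag in required_flags:
        if flag not in command_tokens:
            problems.append("build steps lack required flag %s" % flag)
    for entry in required_env:
        if entry not in env_entries:
            problems.append("build steps lack required environment setting %s" % entry)

    return {"ok": not problems, "problems": problems, "repo": repo, "commit": commit}


if __name__ == "__main__":
    result = verify_provenance(PROVENANCE_JSON, ARTIFACT, EXPECTED_REPO, TRUSTED_BUILDER_PREFIX,
                               required_flags=("-trimpath",), required_env=("CGO_ENABLED=0",))
    print("policy ok:", result["ok"], "| source:", result["repo"], "@", result["commit"])
    for problem in result["problems"]:
        print(" -", problem)
```

The returned `repo` and `commit` are what a consumer would feed into a rebuild of the binary to replay the compilation; the flag and environment checks are the "specific flags or environment variables" policy from the summary, and each unmet check is reported rather than stopping at the first failure so a policy decision sees the whole picture.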

Abstract

Remote code attestation is a security property that allows one party (the prover) to prove to another (the verifier) that a piece of code was run, and that the results produced by the run are genuine and have not been tampered with. By attending this talk, attendees will learn how to leverage new GitHub features to add integrity protection to the results of their workflows, enabling software consumers to make risk-based decisions based on authenticated supply chain metadata. This new technique takes advantage of two newly added GitHub features, reusable workflows and OpenID Connect (OIDC), to achieve software-based attestations. We will demonstrate this technique with real-world applications, including:
1. Binary or package integrity: ensuring no backdoors are inserted at compile time through an attestation of the source and build process.
2. Data integrity: verifying that OpenSSF Scorecard data created via the Scorecard GitHub action can be safely consumed by the community.
3. Authenticated requests: ensuring the integrity of GitHub's new Dependencies API, which lets developers upload their own dependency snapshot to improve GitHub's built-in dependency graph feature.

Materials: