Standardizing CI OIDC token claims

[Hayden-IO]

Goal

Create a standard set of claims that should be present in OIDC tokens from CI systems such as GitHub Actions, Cirrus CI, GitLab, Circle CI, etc.

Background

As noted in the NPM RFC for integrating with Sigstore, and as documented in other tickets (#243, #591, #748), there is interest in support for other CI systems. It is technically possible to implement support for each, but it will require code duplication and work for onboarding every CI platform. It would be ideal if all OIDC tokens from all CI systems had a standard set of claims to represent identity, so that onboarding would simply be updating configuration.

Current state

All of the above platforms either are working on or currently produce OIDC tokens for CI workflows. Fulcio currently only accepts CI tokens from GitHub Actions, and has hardcoded the GitHub specific claim values and produces a code signing certificate with GitHub specific OID values.

Currently expected claims (GitHub ref)

• job_workflow_ref
• sha
• event_name
• repository
• workflow
• ref
• aud (which must be set to sigstore)
• exp

sha, event_name, repository, workflow, and ref are included in issued certificates in custom OIDs - https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md.

Required claims

The token should include standard OIDC claims like:

• aud (which must be customizable and set to sigstore)
• sub
• iss
• exp
• iat
• nbf

We should include the claims specified in "Currently expected claims".

There was conversation in #624 about including the run ID (run_id), run count (run_number) and attempt count (run_attempt). We should decide if these should be required for Fulcio certificates.

Another useful claim may be actor, who triggered the CI run.

Any claim values must be immutable. For example, user IDs should be used instead of usernames, and repository IDs should be used instead of repository names, to prevent resurrection attacks.

cc @asraa @laurentsimon @znewman01 @fkorotkov @feelepxyz, what would you like to see in a token and do you have recommendations on claim names?

[wlynch]

Another useful data point, Tekton (which is also drives other tools like JenkinsX), which would be limited by the Kubernetes JWT workload claims. (I assume this would also affect prow and other Kubernetes based CI as well)

[asraa]

job_workflow_ref may be unnecessary if we can construct it from other claim values like workflow and ref.

I don't think that's correct. In your link The workflow, ref, and other attributes describe the caller workflow, while job_workflow_ref refers to the called workflow: These are different, and we rely on them for SLSA 3 builders to demonstrate the identity of the trusted builder, the called workflow, which is distinct from the caller.

[asraa]

There was conversation in #624 about including the run ID (run_id), run count (run_number) and attempt count (run_attempt). We should decide if these should be required for Fulcio certificates.

I'm actually on the side that it should not: these values can easily be added inside a signed attestation -- this is very much like recreating provenance inside a signing certificate. See slsa-framework/slsa#464 related issue. The signing cert contains enough builder information that "You could think of the x509 builder as a first-stage builder, which is limited but sets the "root of trust". " We definitely don't NEED to include all the provenance inside the certificate. @laurentsimon

Another useful claim may be actor, who triggered the CI run.

Again, I think this starts turning into provenance metadata.

At minimum the signing cert should contain just the necessary info to identify the workflow: including the caller and called workflow and its commit SHA.

For example, user IDs should be used instead of usernames, and repository IDs should be used instead of repository names, to prevent resurrection attacks.

BIG +1! GitHub does expose repository IDs. Although: think of the verification side: it is much harder for humans to verify the cert fields to see if a signature came from a repository, when it is a repository ID. Again, that can go in provenance info (EDIT: maybe not? since the repository might be an unutrusted resurrected one)

[Hayden-IO]

These are different, and we rely on them for SLSA 3 builders to demonstrate the identity of the trusted builder, the called workflow, which is distinct from the caller.

Thanks for noting this, I've removed this from the issue description so it's now required.

I'm actually on the side that it should not:

I am in agreement, I believe Laurent as well from the discussion.

think of the verification side: it is much harder for humans to verify the cert fields to see if a signature came from a repository

I think we should be building verification policies around IDs and not human-readable values. I do agree it's harder for a human to validate it though, but I think this can be solved with better UX.

[bdehamer]

Related to the job_workflow_ref and workflow claims in token issued by GitHub Actions . . .

The job_workflow_ref claim provides the full path to the called workflow:

slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/heads/main

Whereas the workflow claim only identifies the logical name of the calling workflow:

build

This name isn't guaranteed to be unique across the workflows defined in a particular repo so this isn't particularly useful in identifying the calling workflow.

[laurentsimon]

I think we should be building verification policies around IDs and not human-readable values. I do agree it's harder for a human to validate it though, but I think this can be solved with better UX.

Maybe a broader question is whether you see Sigstore as a building block / "root of trust" for "richer" systems (re-usable workflows and similar systems) or not. If you consider Sigstore the fundamental building block / enabler / RoT, then you may not need to keep adding more fields in the OIDC token / cert.

+1 on agreeing on the set of minimum claims, like workflow(s), ref(s) and repo. I don't know enough about other non-GitHub CIs to say anything about actors and other pieces. On GitHub it's part of the GH context and can be retrieved by the "richer" builder, so is not necessarily needed. Not sure about other CIs

If you consider Sigstore a standalone solution for sighing only (without richer trusted builders), then additional fields may be something to consider. Maybe it's a product decision...? Certificates are not the most human-friendly to work with, so it may limit the usability of a solution; whereas adding fields into a JSON-formatted provenance seems easier? Trusted builders can more easily incorporate changes over time (e.g., additional fields, new features), so maybe something to keep in mind as well.

[znewman01]

At this point, I think we're agreement on the following:

1. The top priority is: we should require enough information to uniquely identify the workflow that was run.

   That is (provided nothing has been deleted), I would be able to go fetch from the CI system enough complete information to understand what the workflow did, and consequently what any artifacts that validate against this certificate are.

   Ideally, I can even be convinced about what workflow ran without needing a round-trip to the CI system.

   In order to uniquely identify the workflow run, we need immutable identifiers for everything.

2. We may or may not want additional information, including human-readable versions of IDs or identifying the runner.

Questions

I'd bet many of these have easy answers and I just don't have enough context/background to know them.

job_workflow_ref immutable identifiers

@bdehamer, the example of a job_workflow_ref you gave seems to support organization names, repo names, and tags/branches, all of which can change over time. Is there a way to get the analog of that job_workflow_ref with organization IDs, repo IDs, and digests?

How will verification work?

I think in most cases, we're trying to check the claim "this artifact was produced by workflow X from repository Y at commit Z," where typically X is somehow a trusted workflow.

@asraa and @laurentsimon's blog post about SLSA 3 on GitHub Actions is really helpful for understanding how these things will be used.

In general, I think we should have sophisticated tools for verification; manually checking all these things makes my head spin, but one-time engineering work to convince me "these packages were built from their source on GitHub using a standard Javascript builder" feels reasonable. I guess I'm in the @haydentherapper camp, or the "building block / root of trust" camp). I'd need to see use cases for the "signing only" camp that involve GitHub OIDC workflow identities.

Do we need to identify anything beyond the workflow?

Candidates:

• the run (see Add Github workflow run information to the signing certificate #624)
• the runner (is it self-hosted? do non-GitHub runners even get access to OIDC? it seems like maybe they do)
• the actor
• human-readable versions of the workflow/repository/owner IDs

Arguments for:

• Convenience: easier to interpret what a cert means
• It might be really easy to accidentally trust the provenance information from an unvetted workflow, which could lie about these things. If we trained verifiers to get this information from the cert, we wouldn't have that problem (though we would have it for everything else).

Arguments against:

• It's redundant. That information is available to any party (e.g., workflow) that has access to the key material. They could lie about it, but you can identify/audit such workflows and determine whether to trust provenance coming from them.
• Privacy: you may not want names, or the the identity of the person who kicked off an action in a CT log

My take: I think I'm convinced by @asraa and @laurentsimon here: minimal is better, and all of this is available elsewhere. Maybe with an exception for "what runner did this use?" since that seems like it could invalidate the provenance.

What is the minimal set of claims to uniquely identify a workflow on GitHub?

Maybe (see GitHub OIDC docs):

• repository_id: uniquely identifies a repository (do we need repository_owner_id too? can you fetch a repository based only on its ID?)
• sha: with repository_id, this uniquely identifies a source tree
• workflow: upthread, it's pointed out that this may not be unique within a repo; what should we use instead?
• job_workflow_ref (but with IDs): to identify a called reusable workflow

I worry that the "reusable workflow" concept is a little GitHub-specific, and we might want one field that combines workflow and job_workflow_ref.

What is the minimal set of claims to uniquely identify a workflow on other CI systems?

Need to do some homework here.

To what extent is it important that the fields are standard?

I'd argue that any verifier needs to understand each CI system in order to property understand how to interpret its repository IDs, workflow identifiers, etc., so my answer is "not very important."

It's definitely "nice" to have similar concepts represented by the same fields. However, it could be dangerous: maybe there are different types of hashes used by different systems, and you could confused them? I think most scenarios in which this is a problem are pretty contrived.

Do we require changes to the OIDC tokens we're getting to meet any of our goals?

If so, we should probably request those ASAP.

How can we improve ergonomics and trust for maintainers and verifiers?

It feels nice to be able to have "standard" provenance fields that maintainers can easily incorporate but verifiers can still trust. It's a little out-of-scope for this issue, but I think if we have a satisfying solution here that means that it's pretty hard to argue for more than a "minimal" claim set. (That said, we may be able to build a solution for some CI systems but not others.)

https://github.com/slsa-framework/slsa-github-generator gets so close in my mind. The missing element is composability: right now, I can:

1. Use a special, build-process-specific combined SLSA provenance generator/builder (e.g, the Go builder).

   This tightly couples the provenance generator and builder in a way I don't like: if I need an update to my builder workflow, this could affect provenance generation, and any changes that could affect provenance generation are very high-consequence. An attack could turn a routine update (that, if it only affected the builder, could at worst lead to bad artifacts) into a break-everything forgery (I can provide provenance with arbitrary data).

   Plus, now there's one provenance generator for each ecosystem that needs to be audited. Even if we're reusing components, there's not an easy way to check "my provenance came from a trusted generator, even if the builder is bad" without going into the source of the builder and parsing the workflow.

2. Use a provenance-only generator.

   I much prefer this from a security standpoint. However, anytime I mess with the calling workflow, I have the ability to change what artifacts are provided.

I would really like to say "use standard provenance generator @ commit X and standard node.js builder @ commit Y, together". Then, I would know that no matter what the source of the calling repository was, my artifact came from node build on that source.

Conclusion

I think it'll be much easier to decide what fields to use once we've answered the above questions for several candidate CI systems. Then, I think we should proceed with a minimal set of claims, and let users come to us with use cases that they don't meet.

Much of the above is a little bit off-topic, and I'm happy to table any discussions about those and pick them up elsewhere/later.

[laurentsimon]

job_workflow_ref immutable identifiers

@bdehamer, the example of a job_workflow_ref you gave seems to support organization names, repo names, and tags/branches, all of which can change over time. Is there a way to get the analog of that job_workflow_ref with organization IDs, repo IDs, and digests?

+1 on having them, and asking GH to support it including for re-usable workflows if it's not available yet.

Do we need to identify anything beyond the workflow?

Candidates:

• the run (see Add Github workflow run information to the signing certificate #624)
• the runner (is it self-hosted? do non-GitHub runners even get access to OIDC? it seems like maybe they do)

self-hosted runners have access to OIDC. You need a round-trip to verify this unless it's added into OIDC token (we asked GH to do that, so it may happen in the future). One additional complexity is that it's possible for a workflow to declare jobs self-hosted and others not.
Note: the trusted builder can hardcode it (we do that in our builders).

https://github.com/slsa-framework/slsa-github-generator gets so close in my mind. The missing element is composability: right now, I can:

1. Use a special, build-process-specific combined SLSA provenance generator/builder (e.g, the Go builder).
   This tightly couples the provenance generator and builder in a way I don't like: if I need an update to my builder workflow, this could affect provenance generation, and any changes that could affect provenance generation are very high-consequence. An attack could turn a routine update (that, if it only affected the builder, could at worst lead to bad artifacts) into a break-everything forgery (I can provide provenance with arbitrary data).

I don't entirely follow. At least in our case, the build and the provenance generation are separate jobs. The format remains the same, and only the buildConfig / builder.id change across builders. Agreed that if the code that's responsible for populating the buildConfig can be hijacked, it could forge the steps. But this code is part of the TCB, IIUC.

Maybe you're proposing having a dedicated project for provenance generation only? We kinda of have this in the generator repo. We don't expose it and only use it internally, though. We could, in theory, expose it thru a GitHub action.

Let me know if I mis-understood the comment.

Plus, now there's one provenance generator for each ecosystem that needs to be audited. Even if we're reusing components, there's not an easy way to check "my provenance came from a trusted generator, even if the builder is bad" without going into the source of the builder and parsing the workflow.

I think the plan is to share the provenance generation code with other builders for a given CI. On GitHub, we could theoretically create an Action for this. /cc @ianlewis

[znewman01]

self-hosted runners have access to OIDC. You need a round-trip to verify this unless it's added into OIDC token (we asked GH to do that, so it may happen in the future). One additional complexity is that it's possible for a workflow to declare jobs self-hosted and others not.
Note: the trusted builder can hardcode it (we do that in our builders).

TY! That helps.

Maybe you're proposing having a dedicated project for provenance generation only? We kinda of have this in the generator repo. We don't expose it and only use it internally, though. We could, in theory, expose it thru a GitHub action.

Let's move this conversation over to slsa-framework/slsa-github-generator#763; apologies for the distraction from the root issue in this thread 😄

[bdehamer]

Is there a way to get the analog of that job_workflow_ref with organization IDs, repo IDs, and digests?

I don't know, but I'll try and track down the team here responsible for this stuff and make some inquiries.

can you fetch a repository based only on its ID

Yeah, there's a GET /repositories/:id endpoint that will look-up a repo based solely on its ID (and the ID persists across renames and ownership changes)

[trevrosen]

I'd like to jumpstart some movement on this issue if possible, as we're regarding it pretty important for our work on npm attestations, especially now that we have begun to reach out to some potential launch partners (read: cloud CI vendors with existing OIDC support) to talk about integration on their own platforms.

Additionally we have some commitments from the Actions team to extend the OIDC token with the types of fields discussed in this thread (though we may need to get some further alignment there). If we can get crisp on some non-GitHub nomenclature for the cert fields, I feel like we're a long way toward settling this. Is anyone taking a stab at some generic naming notions? Should we try to chat in Sigstore Slack about a plan for settling this into a PR?

[Hayden-IO]

Let's get a chat going either on Slack or here, there hasn't been any progress.