SLSA provenance verify tag problem with jreleaser/jreleaser #3613

Open
scop opened this issue Feb 26, 2025 · 2 comments
Labels
bug Something isn't working

Comments

@scop (Contributor) commented Feb 26, 2025

aqua info

$ aqua info
# current git main

Overview

I'm trying to add SLSA provenance verification to jreleaser/jreleaser, registry.yaml diff:

--- a/registry.yaml
+++ b/registry.yaml
@@ -32585,6 +32585,9 @@ packages:
       type: github_release
       asset: jreleaser-{{trimV .Version}}.zip.sha256
       algorithm: sha256
+    slsa_provenance:
+      type: github_release
+      asset: jreleaser-all-{{trimV .Version}}.intoto.jsonl
   - name: jreleaser/jreleaser/standalone
     type: github_release
     repo_owner: jreleaser
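Review bot: the new `slsa_provenance` block under `jreleaser/jreleaser` sets only `type` and `asset`, so aqua will still derive `--source-tag` from the package version and pass it to slsa-verifier, which is exactly the call that fails for this repository in the output below; either hold this entry until aqua can omit the tag, or record in the entry why this package cannot be pinned by tag. Also confirm that the single `jreleaser-all-{{trimV .Version}}.intoto.jsonl` file covers every asset this entry installs (the notes below verify `jreleaser-native-1.16.0-linux-x86_64.zip` against it, not the `jreleaser-{{trimV .Version}}.zip` that the `checksum` block names), and, as the author says, re-run scaffolding so the entry's layout matches the rest of `registry.yaml`.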

(It'll need a re-scaffold but let's set that aside for now.)

Installing from the modified registry yields this error:

FAILED: SLSA verification failed: verifying tag: invalid ref: "": unexpected ref type: ""

I've poked at this in the debugger and the culprit is the --source-tag 1.16.0 arg aqua is passing to slsa-verifier. Verifying without that arg with plain slsa-verifier succeeds, and that's what they document as the way to verify the provenance at https://jreleaser.org/guide/latest/provenance.html#_slsa

I'm not sure if there's anything that could be passed as the source tag in this case, at least I haven't been able to come up with one.

Should there be a way to make aqua not pass the --source-tag arg?

How to reproduce

aqua.yaml

registries:
- type: local
  path: /path/to/aqua-registry/registry.yaml
  name: local
packages:
- name: jreleaser/jreleaser@v1.16.0
  registry: local

Other related code such as local Registry

# Local registry = standard registry with the diff in the overview above

Executed command and output

$ aqua i
INFO[0000] download and unarchive the package            aqua_version= env=linux/amd64 package_name=jreleaser/jreleaser package_version=v1.16.0 program=aqua registry=local
INFO[0024] verify a package with slsa-verifier           aqua_version= env=linux/amd64 package_name=jreleaser/jreleaser package_version=v1.16.0 program=aqua registry=local
INFO[0024] download and unarchive the package            aqua_version= env=linux/amd64 package_name=slsa-framework/slsa-verifier package_version=v2.7.0 program=aqua registry=
Verified signature against tlog entry index 158475679 at URL: https://rekor.sigstore.dev/api/v1/log/entries/108e9186e8c5677a8f0e4ad5bf508262cc7b035f91daf83afd326d0bbb9ef1d1f639fc65ba2362ec
Verifying artifact /tmp/610841369: FAILED: verifying tag: invalid ref: "": unexpected ref type: ""

FAILED: SLSA verification failed: verifying tag: invalid ref: "": unexpected ref type: ""

Expected behaviour

Verification success

Actual behaviour

Verification failure as described above

Note

$ slsa-verifier verify-artifact jreleaser-native-1.16.0-linux-x86_64.zip --provenance-path jreleaser-all-1.16.0.intoto.jsonl --source-uri github.com/jreleaser/jreleaser
Verified signature against tlog entry index 158475679 at URL: https://rekor.sigstore.dev/api/v1/log/entries/108e9186e8c5677a8f0e4ad5bf508262cc7b035f91daf83afd326d0bbb9ef1d1f639fc65ba2362ec
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0" at commit 5377cd0b95813ac205a7dffc387c6290d575c39f
Verifying artifact jreleaser-native-1.16.0-linux-x86_64.zip: PASSED

PASSED: SLSA verification passed


$ slsa-verifier verify-artifact jreleaser-native-1.16.0-linux-x86_64.zip --provenance-path jreleaser-all-1.16.0.intoto.jsonl --source-uri github.com/jreleaser/jreleaser --source-tag 1.16.0
Verified signature against tlog entry index 158475679 at URL: https://rekor.sigstore.dev/api/v1/log/entries/108e9186e8c5677a8f0e4ad5bf508262cc7b035f91daf83afd326d0bbb9ef1d1f639fc65ba2362ec
Verifying artifact jreleaser-native-1.16.0-linux-x86_64.zip: FAILED: verifying tag: invalid ref: "": unexpected ref type: ""

FAILED: SLSA verification failed: verifying tag: invalid ref: "": unexpected ref type: ""
@suzuki-shunsuke (Member)

Thank you for your report!
For now there is no way to omit --source-tag.
I think ref is empty because Jreleaser's release workflow is triggered via workflow_dispatch.

https://github.com/jreleaser/jreleaser/blob/80c35cbf72a238b7470584a1b18156bd16a35ceb/.github/workflows/release.yml#L4

Ideally, this should be triggered via tag's push events.
And apart from that, aqua should allow omitting --source-tag.

@suzuki-shunsuke (Member) commented Feb 26, 2025

Perhaps we can use -workflow-input --build-workflow-input.

$ slsa-verifier verify-artifact --help
Verifies SLSA provenance on artifact blobs given as arguments (assuming same provenance)

Usage:
  slsa-verifier verify-artifact [flags] artifact [artifact..]

Flags:
      --build-workflow-input map[]     [optional] a workflow input provided by a user at trigger time in the format 'key=value'. (Only for 'workflow_dispatch' events on GitHub Actions). (default map[])

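To tie the two points in this thread together (the `--source-tag` failure on an empty ref, and the `--build-workflow-input` alternative for `workflow_dispatch` builds), here is an added example script; it is not aqua's, slsa-verifier's or JReleaser's code. It decodes an `intoto.jsonl` DSSE envelope, pulls out the fields slsa-verifier consults for those two flags, and reports which of them can pin a given provenance to a release. The field names follow the SLSA v0.2 layout emitted by slsa-github-generator's generic generator as I understand it (`github_event_name`, `github_ref`, `github_ref_type`, `github_event_payload.inputs` under `invocation.environment`); treat them as assumptions and compare against a real file. Both envelopes are constructed inline and unsigned, and the checks only approximate slsa-verifier's logic: it also verifies the signature against Rekor and the builder identity, which this script does not.

```python
"""Inspect a SLSA v0.2 intoto.jsonl provenance for --source-tag / --build-workflow-input.

Added example, not code from aqua, slsa-verifier or JReleaser. Field names are
assumptions based on slsa-github-generator's v0.2 output; compare with a real file.
"""
import base64
import json

SLSA_V02 = "https://slsa.dev/provenance/v0.2"
TAG_PREFIX = "refs/tags/"


def make_envelope(event_name, ref, ref_type, inputs):
    """Build a CONSTRUCTED, unsigned DSSE envelope line in the v0.2 layout."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": SLSA_V02,
        # Placeholder subject digest; a real file carries the artifact's sha256.
        "subject": [{"name": "jreleaser-native-1.16.0-linux-x86_64.zip",
                     "digest": {"sha256": "0" * 64}}],
        "predicate": {
            "builder": {"id": "https://github.com/slsa-framework/slsa-github-generator/"
                              ".github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0"},
            "invocation": {"environment": {
                "github_event_name": event_name,
                "github_ref": ref,
                "github_ref_type": ref_type,
                "github_event_payload": {"inputs": inputs},
            }},
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload, "signatures": []})


def decode_envelope(line):
    """Decode one intoto.jsonl line into the in-toto statement (no signature check)."""
    env = json.loads(line)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected payloadType %r" % env.get("payloadType"))
    return json.loads(base64.b64decode(env["payload"]))


def build_context(statement):
    """Extract the trigger event, git ref, ref type and workflow_dispatch inputs."""
    if statement.get("predicateType") != SLSA_V02:
        raise ValueError("only the v0.2 predicate layout is handled here")
    env = statement["predicate"].get("invocation", {}).get("environment", {})
    payload = env.get("github_event_payload") or {}
    return {"event": env.get("github_event_name", ""),
            "ref": env.get("github_ref", ""),
            "ref_type": env.get("github_ref_type", ""),
            "inputs": dict(payload.get("inputs") or {})}


def check_source_tag(ctx, tag):
    """Approximate --source-tag: the recorded ref must be refs/tags/<tag>."""
    ref = ctx["ref"]
    if not ref.startswith(TAG_PREFIX):
        return False, 'invalid ref: "%s": unexpected ref type: "%s"' % (ref, ctx["ref_type"])
    actual = ref[len(TAG_PREFIX):]
    if actual != tag:
        return False, "tag mismatch: provenance has %r, expected %r" % (actual, tag)
    return True, "tag %s matches" % tag


def check_workflow_input(ctx, key, value):
    """Approximate --build-workflow-input key=value (workflow_dispatch only)."""
    if ctx["event"] != "workflow_dispatch":
        return False, "event is %r; inputs exist only for workflow_dispatch" % ctx["event"]
    actual = ctx["inputs"].get(key)
    if actual is None:
        return False, "no workflow input named %r" % key
    if str(actual) != value:
        return False, "input %s is %r, expected %r" % (key, actual, value)
    return True, "input %s=%s matches" % (key, value)


def usable_flags(ctx):
    """Which slsa-verifier flags can pin this provenance to a specific release?"""
    flags = []
    if ctx["ref"].startswith(TAG_PREFIX):
        flags.append("--source-tag " + ctx["ref"][len(TAG_PREFIX):])
    if ctx["event"] == "workflow_dispatch":
        flags.extend("--build-workflow-input %s=%s" % kv for kv in sorted(ctx["inputs"].items()))
    return flags


# Constructed samples: a manual dispatch with an empty ref (mimicking the error in
# this issue) and a tag-push build for contrast.
DISPATCH_LINE = make_envelope("workflow_dispatch", "", "", {"version": "1.16.0"})
TAG_PUSH_LINE = make_envelope("push", "refs/tags/v1.16.0", "tag", {})

if __name__ == "__main__":
    for name, line in (("dispatch", DISPATCH_LINE), ("tag push", TAG_PUSH_LINE)):
        ctx = build_context(decode_envelope(line))
        print(name, ctx)
        print("  --source-tag 1.16.0 ->", check_source_tag(ctx, "1.16.0"))
        print("  usable flags ->", usable_flags(ctx))
```

Run it against a real `jreleaser-all-<version>.intoto.jsonl` by replacing the constructed lines with the file's contents; if `ref` comes back empty and `event` is `workflow_dispatch`, the `inputs` map is what `--build-workflow-input` would have to match, which is the information aqua would need before it could pass that flag instead of `--source-tag`.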