From 9ff61cb424998d7e2e9f0d63d91dc6039252b47d Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Tue, 1 Aug 2023 22:53:06 +0000
Subject: [PATCH] Print byob builder

Signed-off-by: laurentsimon
---
 verifiers/internal/gha/provenance.go | 13 +++++++++++++
 verifiers/internal/gha/verifier.go   | 25 ++++++++++++++++++++++++-
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go
index e31c8c625..a80f8f51a 100644
--- a/verifiers/internal/gha/provenance.go
+++ b/verifiers/internal/gha/provenance.go
@@ -285,6 +285,19 @@ func isValidDelegatorBuilderID(prov iface.Provenance) error {
 	return utils.IsValidBuilderTag(parts[1], false)
 }
 
+// BuilderID returns the full builder ID from the provenance.
+func BuilderID(env *dsselib.Envelope, trustedBuilderID *utils.TrustedBuilderID) (string, error){
+	prov, err := slsaprovenance.ProvenanceFromEnvelope(trustedBuilderID.Name(), env)
+	if err != nil {
+		return "", err
+	}
+	id, err := prov.BuilderID()
+	if err != nil {
+		return "", err
+	}
+	return id, nil
+}
+
 // VerifyProvenance verifies the provenance for the given DSSE envelope.
 func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts, trustedBuilderID *utils.TrustedBuilderID, byob bool) error {
 	prov, err := slsaprovenance.ProvenanceFromEnvelope(trustedBuilderID.Name(), env)
diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go
index d49090fc5..8c6f08b02 100644
--- a/verifiers/internal/gha/verifier.go
+++ b/verifiers/internal/gha/verifier.go
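Review bot: The new `BuilderID` signature ends in `(string, error){`, missing the space before the brace, so the file is not gofmt-clean; write `(string, error) {`. The doc comment should also say what the value is: it is whatever the provenance payload asserts via `prov.BuilderID()` and is not validated by this function, so it is only meaningful for an envelope whose signature has already been verified — e.g. `// BuilderID returns the builder ID asserted in the provenance payload of env. The ID is taken as-is from the provenance and is not validated here; callers must only rely on it for a signature-verified envelope.` `trustedBuilderID.Name()` is called without a nil guard, so if any caller can pass a nil trustedBuilderID this would panic. The same ProvenanceFromEnvelope parse is repeated by VerifyProvenance directly below, whose body continues outside the hunk.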
@@ -41,6 +41,20 @@ func (v *GHAVerifier) IsAuthoritativeFor(builderID string) bool {
 	return strings.HasPrefix(builderID, httpsGithubCom)
 }
 
+// builderID retrieves the builder ID from the provenance via the DSSE envelope.
+func builderID(env *dsse.Envelope, trustedBuilderID *utils.TrustedBuilderID) (*utils.TrustedBuilderID, error) {
+	id, err := BuilderID(env, trustedBuilderID)
+	if err != nil {
+		return nil, err
+	}
+
+	verifiedBuilderID, err := utils.TrustedBuilderIDNew(id, true)
+	if err != nil {
+		return nil, err
+	}
+	return verifiedBuilderID, nil
+}
+
 func verifyEnvAndCert(env *dsse.Envelope,
 	cert *x509.Certificate,
 	provenanceOpts *options.ProvenanceOpts,
@@ -83,9 +97,18 @@ func verifyEnvAndCert(env *dsse.Envelope,
 		return nil, nil, err
 	}
 
+	if byob {
+		// Overwrite the builderID to match the one in the provenance.
+		verifiedBuilderID, err = builderID(env, verifiedBuilderID)
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+
 	fmt.Fprintf(os.Stderr, "Verified build using builder %q at commit %s\n",
-		workflowInfo.SubjectWorkflow.String(),
+		verifiedBuilderID.String(),
 		workflowInfo.SourceSha1)
+	// Return verified provenance.
 	r, err := base64.StdEncoding.DecodeString(env.Payload)
 	if err != nil {
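Review bot: The new package-level `builderID` function has the same name as the `builderID string` parameter of `IsAuthoritativeFor` immediately above it, so inside that method the parameter shadows the function; a more specific name such as `builderIDFromProvenance` avoids the confusion and also says where the value comes from. The bare `true` in `utils.TrustedBuilderIDNew(id, true)` gives no hint at the call site of what it enables; add a short comment stating the flag's meaning (it is not visible from this hunk) or pass a named constant. Because the byob branch in the next hunk replaces the previously computed `verifiedBuilderID` with this provenance-derived value before it is printed, the doc comment should make that origin explicit, e.g. `// builderID returns a TrustedBuilderID built from the builder ID asserted in the provenance payload (used for BYOB delegated builds), not from the value the caller already verified.`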