From 781304651ee1415735d1bb19eaaef1e8b6508b35 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Tue, 25 Jun 2024 15:39:11 +0000
Subject: [PATCH] remove experimental

Signed-off-by: Ramon Petgrave
---
 README.md | 9 ++++-----
 cli/slsa-verifier/main_regression_test.go | 2 --
 cli/slsa-verifier/verify/verify_vsa.go | 6 ------
 3 files changed, 4 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index 119d136..744f97f 100644
--- a/README.md
+++ b/README.md
@@ -483,11 +483,11 @@ Note that `--source-uri` supports GitHub repository URIs like `github.com/$OWNER
 ### Verification Summary Attestations (VSA)
-We have experimental support for [verifying](https://slsa.dev/spec/v1.1/verification_summary#how-to-verify) VSAs.
+We have support for [verifying](https://slsa.dev/spec/v1.1/verification_summary#how-to-verify) VSAs.
 Rather than passing in filepaths as arguments, we allow passing in mulitple `--subject-digest` cli options, to accomodate subjects that are not simple-files.
-This experimental support does not work yet with VSAs wrapped in Sigstore bundles, only with simple DSSE envelopes.
+This support does not work yet with VSAs wrapped in Sigstore bundles, only with simple DSSE envelopes.
 With that, we allow the user to pass in the public key.
 Note that if the DSSE Envelope `signatures` specifies a `keyid` that is not a unpadded base64 encoded sha256 hash the key, like `sha256:abc123...` (not a well-known identifier, e.g, `my-kms:prod-vsa-key`), then you must supply the `--public-key-id` cli option.
@@ -496,7 +496,7 @@ The verify-vsa command
 ```shell
 $ slsa-verifier verify-vsa --help
-Verifies SLSA VSAs for the given subject-digests [experimental]
+Verifies SLSA VSAs for the given subject-digests
 Usage:
 slsa-verifier verify-vsa [flags] subject-digest [subject-digest...]
@@ -517,8 +517,7 @@ Flags:
 To verify VSAs, invoke like this
 ```shell
-$ SLSA_VERIFIER_EXPERIMENTAL=1 \
-slsa-verifier verify-vsa \
+$ slsa-verifier verify-vsa \
 --subject-digest gce_image_id:8970095005306000053 \
 --attestations-path ./cli/slsa-verifier/testdata/vsa/gce/v1/gke-gce-pre.bcid-vsa.jsonl \
 --verifier-id https://bcid.corp.google.com/verifier/bcid_package_enforcer/v0.1 \
diff --git a/cli/slsa-verifier/main_regression_test.go b/cli/slsa-verifier/main_regression_test.go
index 649762d..ad93e9e 100644
--- a/cli/slsa-verifier/main_regression_test.go
+++ b/cli/slsa-verifier/main_regression_test.go
@@ -1796,8 +1796,6 @@ func Test_runVerifyNpmPackage(t *testing.T) {
 }
 func Test_runVerifyVSA(t *testing.T) {
- // We cannot use t.Setenv due to parallelized tests.
- os.Setenv("SLSA_VERIFIER_EXPERIMENTAL", "1")
 t.Parallel()
 tests := []struct {
diff --git a/cli/slsa-verifier/verify/verify_vsa.go b/cli/slsa-verifier/verify/verify_vsa.go
index 1a88d2b..9571347 100644
--- a/cli/slsa-verifier/verify/verify_vsa.go
+++ b/cli/slsa-verifier/verify/verify_vsa.go
@@ -17,7 +17,6 @@ package verify
 import (
 "context"
 "crypto"
- "errors"
 "fmt"
 "os"
@@ -50,11 +49,6 @@ var hashAlgos = map[string]crypto.Hash{
 // Exec executes the verifiers.VerifyVSA.
 func (c *VerifyVSACommand) Exec(ctx context.Context) (*utils.TrustedAttesterID, error) {
- if !options.ExperimentalEnabled() {
- err := errors.New("feature support is only provided in SLSA_VERIFIER_EXPERIMENTAL mode")
- printFailed(err)
- return nil, err
- }
 vsaOpts := &options.VSAOpts{
 ExpectedDigests: c.SubjectDigests,
 ExpectedVerifierID: c.VerifierID,