From d12dce9526268ef3df051bb0b1b23ae1021ac700 Mon Sep 17 00:00:00 2001 
From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Thu, 8 Sep 2022 13:36:56 -0700 Subject: [PATCH] feat: CLI tests for GCB verification (#251) * update * update * update --- cli/slsa-verifier/main_test.go | 113 +++++++++++------- .../v0.3/gcloud-container-github.json | 108 +++++++++++++++++ .../v0.3/gcloud-container-github/index.json | 26 ++++ ...loud-container-mismatch-metadata-kind.json | 108 +++++++++++++++++ ...container-mismatch-metadata-urisha256.json | 108 +++++++++++++++++ ...-container-mismatch-payload-builderid.json | 108 +++++++++++++++++ ...oud-container-mismatch-payload-digest.json | 108 +++++++++++++++++ ...oud-container-mismatch-summary-digest.json | 108 +++++++++++++++++ ...gcloud-container-mismatch-text-digest.json | 108 +++++++++++++++++ .../gcloud-container-mismatch-text-steps.json | 108 +++++++++++++++++ go.mod | 2 +- verifiers/internal/gcb/provenance.go | 54 +++++++-- verifiers/internal/gcb/provenance_test.go | 105 ++++++++++++---- .../testdata/gcloud-container-github-v03.json | 108 +++++++++++++++++ verifiers/internal/gcb/verifier.go | 2 +- 15 files changed, 1198 insertions(+), 76 deletions(-) create mode 100644 cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-github.json create mode 100755 cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-github/index.json create mode 100644 cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-metadata-kind.json create mode 100644 cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-metadata-urisha256.json create mode 100644 cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-payload-builderid.json create mode 100644 cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-payload-digest.json create mode 100644 cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-summary-digest.json create mode 100644 
cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-text-digest.json create mode 100644 cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-text-steps.json create mode 100644 verifiers/internal/gcb/testdata/gcloud-container-github-v03.json
diff --git a/cli/slsa-verifier/main_test.go b/cli/slsa-verifier/main_test.go
index d93ae5c..073578d 100644
--- a/cli/slsa-verifier/main_test.go
+++ b/cli/slsa-verifier/main_test.go
@@ -5,6 +5,7 @@ import (
 "errors"
 "fmt"
 "io/ioutil"
+ "path"
 "path/filepath"
 "strings"
 "testing"
@@ -703,35 +704,36 @@ func Test_runVerifyGCBArtifactImage(t *testing.T) {
 return strings.TrimPrefix(h.String(), "sha256:"), nil
 }
 
- builder := "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.2"
+ builder := "https://cloudbuild.googleapis.com/GoogleHostedWorker"
 tests := []struct {
- name string
- artifact string
- oci bool
- provenance string
- source string
- pbuilderID *string
- outBuilderID string
- err error
+ name string
+ artifact string
+ artifactDigest map[string]string
+ remote bool
+ provenance string
+ source string
+ pBuilderID *string
+ outBuilderID string
+ err error
 // noversion is a special case where we are not testing all builder versions
 // for example, testdata for the builder at head in trusted repo workflows
 // or testdata from malicious untrusted builders.
 // When true, this does not iterate over all builder versions.
 noversion bool
+ // minversion is a special case to test a newly added feature into a builder
+ minversion string
 }{
 {
 name: "valid main branch default",
 artifact: "gcloud-container-github",
 provenance: "gcloud-container-github.json",
 source: "github.com/laurentsimon/gcb-tests",
- pbuilderID: &builder,
 },
 {
- name: "invalie repo name",
+ name: "invalid repo name",
 artifact: "gcloud-container-github",
 provenance: "gcloud-container-github.json",
 source: "github.com/laurentsimon/name",
- pbuilderID: &builder,
 err: serrors.ErrorMismatchSource,
 },
 {
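Review bot: The new `minversion string` field and its comment in the test-case struct are never read anywhere in this diff: the version loop added further down in this function keys only off `noversion` and `pBuilderID`, and no test case sets `minversion`, so the field is dead as committed. Either drop the two lines until the loop honors it, or make the comment say so, e.g. `// minversion is reserved for skipping builder versions that predate a feature; the version loop does not honor it yet.` The enclosing function continues outside this hunk.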
@@ -739,7 +741,6 @@ func Test_runVerifyGCBArtifactImage(t *testing.T) {
 artifact: "gcloud-container-github",
 provenance: "gcloud-container-github.json",
 source: "github.com/org/gcb-tests",
- pbuilderID: &builder,
 err: serrors.ErrorMismatchSource,
 },
 {
@@ -747,7 +748,6 @@ func Test_runVerifyGCBArtifactImage(t *testing.T) {
 artifact: "gcloud-container-github",
 provenance: "gcloud-container-github.json",
 source: "gitlab.com/laurentsimon/gcb-tests",
- pbuilderID: &builder,
 err: serrors.ErrorMismatchSource,
 },
 {
@@ -755,7 +755,6 @@ func Test_runVerifyGCBArtifactImage(t *testing.T) {
 artifact: "gcloud-container-github",
 provenance: "gcloud-container-mismatch-payload-digest.json",
 source: "github.com/laurentsimon/gcb-tests",
- pbuilderID: &builder,
 err: serrors.ErrorNoValidSignature,
 },
 {
@@ -763,7 +762,6 @@ func Test_runVerifyGCBArtifactImage(t *testing.T) {
 artifact: "gcloud-container-github",
 provenance: "gcloud-container-mismatch-payload-builderid.json",
 source: "github.com/laurentsimon/gcb-tests",
- pbuilderID: &builder,
 err: serrors.ErrorNoValidSignature,
 },
 {
@@ -771,7 +769,6 @@ func Test_runVerifyGCBArtifactImage(t *testing.T) {
 artifact: "gcloud-container-github",
 provenance: "gcloud-container-mismatch-summary-digest.json",
 source: "github.com/laurentsimon/gcb-tests",
- pbuilderID: &builder,
 err: serrors.ErrorMismatchHash,
 },
 {
@@ -779,7 +776,6 @@ func Test_runVerifyGCBArtifactImage(t *testing.T) {
 artifact: "gcloud-container-github",
 provenance: "gcloud-container-mismatch-text-digest.json",
 source: "github.com/laurentsimon/gcb-tests",
- pbuilderID: &builder,
 err: serrors.ErrorMismatchIntoto,
 },
 {
@@ -787,7 +783,6 @@ func Test_runVerifyGCBArtifactImage(t *testing.T) {
 artifact: "gcloud-container-github",
 provenance: "gcloud-container-mismatch-text-steps.json",
 source: "github.com/laurentsimon/gcb-tests",
- pbuilderID: &builder,
 err: serrors.ErrorMismatchIntoto,
 },
 {
@@ -795,7 +790,6 @@ func Test_runVerifyGCBArtifactImage(t *testing.T) {
 artifact: "gcloud-container-github",
 provenance: "gcloud-container-mismatch-metadata-kind.json",
 source: "github.com/laurentsimon/gcb-tests",
- pbuilderID: &builder,
 err: serrors.ErrorInvalidFormat,
 },
 {
@@ -803,45 +797,54 @@ func Test_runVerifyGCBArtifactImage(t *testing.T) {
 artifact: "gcloud-container-github",
 provenance: "gcloud-container-mismatch-metadata-urisha256.json",
 source: "github.com/laurentsimon/gcb-tests",
- pbuilderID: &builder,
 err: serrors.ErrorMismatchHash,
 },
 {
 name: "oci valid with tag",
- // Image us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image:v14@sha256:1a033b002f89ed2b8ea733162497fb70f1a4049a7f8602d6a33682b4ad9921fd
- // re-tagged and pushed to docker hub. This image is public.
- artifact: "laurentsimon/slsa-gcb-v0.2:test@sha256:1a033b002f89ed2b8ea733162497fb70f1a4049a7f8602d6a33682b4ad9921fd",
- oci: true,
+ // Image re-tagged and pushed to docker hub. This image is public.
+ artifact: "laurentsimon/slsa-gcb-%s:test",
+ artifactDigest: map[string]string{
+ "v0.2": "1a033b002f89ed2b8ea733162497fb70f1a4049a7f8602d6a33682b4ad9921fd",
+ "v0.3": "f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7",
+ },
+ remote: true,
 source: "github.com/laurentsimon/gcb-tests",
 provenance: "gcloud-container-github.json",
- pbuilderID: &builder,
 },
 {
- name: "oci valid no tag",
- artifact: "laurentsimon/slsa-gcb-v0.2@sha256:1a033b002f89ed2b8ea733162497fb70f1a4049a7f8602d6a33682b4ad9921fd",
- oci: true,
+ name: "oci mismatch digest",
+ artifact: "index.docker.io/laurentsimon/scorecard",
+ artifactDigest: map[string]string{
+ "v0.2": "d794817bdf9c7e5ec34758beb90a18113c7dfbd737e760cabf8dd923d49e96f4",
+ "v0.3": "d794817bdf9c7e5ec34758beb90a18113c7dfbd737e760cabf8dd923d49e96f4",
+ },
+ remote: true,
+ provenance: "gcloud-container-github.json",
+ source: "github.com/laurentsimon/gcb-tests",
+ err: serrors.ErrorMismatchHash,
+ },
+ {
+ name: "oci valid no tag",
+ artifact: "laurentsimon/slsa-gcb-%s",
+ artifactDigest: map[string]string{
+ "v0.2": "1a033b002f89ed2b8ea733162497fb70f1a4049a7f8602d6a33682b4ad9921fd",
+ "v0.3": "f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7",
+ },
+ remote: true,
 source: "github.com/laurentsimon/gcb-tests",
 provenance: "gcloud-container-github.json",
- pbuilderID: &builder,
 },
+ // No version.
 {
 name: "oci is mutable",
 artifact: "index.docker.io/laurentsimon/scorecard",
- oci: true,
+ noversion: true,
+ remote: true,
 source: "github.com/laurentsimon/gcb-tests",
 provenance: "gcloud-container-github.json",
- pbuilderID: &builder,
+ pBuilderID: pString(builder + "@v0.2"),
 err: serrors.ErrorMutableImage,
 },
- {
- name: "oci mismatch digest",
- artifact: "index.docker.io/laurentsimon/scorecard@sha256:d794817bdf9c7e5ec34758beb90a18113c7dfbd737e760cabf8dd923d49e96f4",
- oci: true,
- provenance: "gcloud-container-github.json",
- source: "github.com/laurentsimon/gcb-tests",
- pbuilderID: &builder,
- err: serrors.ErrorMismatchHash,
- },
 }
 for _, tt := range tests {
 tt := tt // Re-initializing variable so it is not changed while executing the closure below
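Review bot: The rewritten comment on the "oci valid with tag" case no longer records which Artifact Registry image each Docker Hub mirror was re-tagged from; the removed line carried that for v0.2 (`quickstart-image:v14@sha256:1a033b…`), and nothing in the table ties the new v0.3 digest `f472ca…` to its origin. The v0.3 fixture added in this commit names its subject `quickstart-image:v39` with that digest, so presumably the trail can be restored per version, e.g. `// Mirrors of us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image (v0.2: tag v14, v0.3: tag v39), re-tagged and pushed to Docker Hub; both are public.` The "oci valid no tag" case shares the same digests and would benefit from the same note. The enclosing function starts and ends outside this hunk.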
@@ -854,10 +857,34 @@ func Test_runVerifyGCBArtifactImage(t *testing.T) {
 }
 
 for _, v := range checkVersions {
+ semver := path.Base(v)
+ builderID := pString(builder + "@" + semver)
 provenance := filepath.Clean(filepath.Join(TEST_DIR, v, tt.provenance))
 image := tt.artifact
 var fn verify.ComputeDigestFn
- if !tt.oci {
+
+ // If builder ID is set, use it.
+ if tt.pBuilderID != nil {
+ if !tt.noversion {
+ panic("builderID set but not noversion option")
+ }
+ builderID = tt.pBuilderID
+ }
+
+ // Select the right image according to the builder version we are testing.
+ if strings.Contains(image, `%s`) {
+ image = fmt.Sprintf(image, semver)
+ }
+ // Add the sha256 digest to the image name, if provided.
+ if len(tt.artifactDigest) > 0 {
+ digest, ok := tt.artifactDigest[semver]
+ if !ok {
+ panic(fmt.Sprintf("%s not present in artifactDigest %v", semver, tt.artifactDigest))
+ }
+ image = fmt.Sprintf("%s@sha256:%s", image, digest)
+ }
+ // If it is a local image, change the digest computation.
+ if !tt.remote {
 image = filepath.Clean(filepath.Join(TEST_DIR, v, image))
 fn = localDigestComputeFn
 }
@@ -865,7 +892,7 @@ func Test_runVerifyGCBArtifactImage(t *testing.T) {
 cmd := verify.VerifyImageCommand{
 SourceURI: tt.source,
 SourceBranch: nil,
- BuilderID: tt.pbuilderID,
+ BuilderID: builderID,
 SourceTag: nil,
 SourceVersionTag: nil,
 DigestFn: fn,
diff --git a/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-github.json b/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-github.json
new file mode 100644
index 0000000..6477a2a
--- /dev/null
+++ b/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-github.json
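Review bot: The two `panic(...)` calls added to the version loop take down the whole test binary on a table-entry mistake instead of failing only the case at hand; `t` is in scope in this function, so `t.Fatalf("builderID set but not noversion option")` and `t.Fatalf("%s not present in artifactDigest %v", semver, tt.artifactDigest)` would name the offending case in the output and let the remaining cases run. Separately, `semver := path.Base(v)` applies the slash-only `path` package to a value that the next line hands to `filepath.Join`; if `checkVersions` entries can ever carry an OS-specific separator (their construction is outside the hunk), `filepath.Base(v)` is the matching call and the newly added `path` import becomes unnecessary. The enclosing function starts and ends outside this hunk.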
@@ -0,0 +1,108 @@ +{ + "image_summary": { + "digest": "sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "fully_qualified_digest": "us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image@sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "registry": "us-west2-docker.pkg.dev", + "repository": "quickstart-docker-repo" + }, + "provenance_summary": { + "provenance": [ + { + "build": { + "intotoStatement": { + "_type": "https://in-toto.io/Statement/v0.1", + "predicateType": "https://slsa.dev/provenance/v0.1", + "slsaProvenance": { + "builder": { + "id": "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3" + }, + "materials": [ + { + "digest": { + "sha1": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae" + }, + "uri": "https://github.com/laurentsimon/gcb-tests" + } + ], + "metadata": { + "buildFinishedOn": "2022-09-06T17:54:22.169342Z", + "buildInvocationId": "11f6c682-3451-4f72-ac2a-8e386eab66af", + "buildStartedOn": "2022-09-06T17:54:10.226833361Z" + }, + "recipe": { + "arguments": { + "@type": "type.googleapis.com/google.devtools.cloudbuild.v1.Build", + "id": "11f6c682-3451-4f72-ac2a-8e386eab66af", + "options": { + "dynamicSubstitutions": true, + "logging": "LEGACY", + "pool": {}, + "requestedVerifyOption": "VERIFIED", + "substitutionOption": "ALLOW_LOOSE" + }, + "sourceProvenance": {}, + "steps": [ + { + "args": [ + "build", + "-t", + "us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image:v39", + "." 
+ ], + "name": "gcr.io/cloud-builders/docker", + "pullTiming": { + "endTime": "2022-09-06T17:54:13.240503649Z", + "startTime": "2022-09-06T17:54:13.237138056Z" + }, + "status": "SUCCESS", + "timing": { + "endTime": "2022-09-06T17:54:20.155242044Z", + "startTime": "2022-09-06T17:54:13.237138056Z" + } + } + ], + "substitutions": { + "COMMIT_SHA": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae", + "REF_NAME": "v39", + "REPO_NAME": "gcb-tests", + "REVISION_ID": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae", + "SHORT_SHA": "01ce393", + "TAG_NAME": "v39", + "TRIGGER_BUILD_CONFIG_PATH": "cloudbuild.yaml", + "TRIGGER_NAME": "Tag" + } + }, + "entryPoint": "cloudbuild.yaml", + "type": "https://cloudbuild.googleapis.com/CloudBuildYaml@v0.1" + } + }, + "subject": [ + { + "digest": { + "sha256": "f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7" + }, + "name": "https://us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image:v39" + } + ] + } + }, + "createTime": "2022-09-06T17:54:23.761540Z", + "envelope": { + "payload": 
"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZSI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9jbG91ZGJ1aWxkLmdvb2dsZWFwaXMuY29tL0dvb2dsZUhvc3RlZFdvcmtlckB2MC4zIn0sIm1hdGVyaWFscyI6W3siZGlnZXN0Ijp7InNoYTEiOiIwMWNlMzkzZDA0ZWI2ZGYyYTdiMmIzZTk1ZDQxMjZlNjg3YWZiN2FlIn0sInVyaSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9sYXVyZW50c2ltb24vZ2NiLXRlc3RzIn1dLCJtZXRhZGF0YSI6eyJidWlsZEZpbmlzaGVkT24iOiIyMDIyLTA5LTA2VDE3OjU0OjIyLjE2OTM0MloiLCJidWlsZEludm9jYXRpb25JZCI6IjExZjZjNjgyLTM0NTEtNGY3Mi1hYzJhLThlMzg2ZWFiNjZhZiIsImJ1aWxkU3RhcnRlZE9uIjoiMjAyMi0wOS0wNlQxNzo1NDoxMC4yMjY4MzMzNjFaIn0sInJlY2lwZSI6eyJhcmd1bWVudHMiOnsiQHR5cGUiOiJ0eXBlLmdvb2dsZWFwaXMuY29tL2dvb2dsZS5kZXZ0b29scy5jbG91ZGJ1aWxkLnYxLkJ1aWxkIiwiaWQiOiIxMWY2YzY4Mi0zNDUxLTRmNzItYWMyYS04ZTM4NmVhYjY2YWYiLCJvcHRpb25zIjp7ImR5bmFtaWNTdWJzdGl0dXRpb25zIjp0cnVlLCJsb2dnaW5nIjoiTEVHQUNZIiwicG9vbCI6e30sInJlcXVlc3RlZFZlcmlmeU9wdGlvbiI6IlZFUklGSUVEIiwic3Vic3RpdHV0aW9uT3B0aW9uIjoiQUxMT1dfTE9PU0UifSwic291cmNlUHJvdmVuYW5jZSI6e30sInN0ZXBzIjpbeyJhcmdzIjpbImJ1aWxkIiwiLXQiLCJ1cy13ZXN0Mi1kb2NrZXIucGtnLmRldi9nb3NzdC1zY2FyZS1zYW5kYm94L3F1aWNrc3RhcnQtZG9ja2VyLXJlcG8vcXVpY2tzdGFydC1pbWFnZTp2MzkiLCIuIl0sIm5hbWUiOiJnY3IuaW8vY2xvdWQtYnVpbGRlcnMvZG9ja2VyIiwicHVsbFRpbWluZyI6eyJlbmRUaW1lIjoiMjAyMi0wOS0wNlQxNzo1NDoxMy4yNDA1MDM2NDlaIiwic3RhcnRUaW1lIjoiMjAyMi0wOS0wNlQxNzo1NDoxMy4yMzcxMzgwNTZaIn0sInN0YXR1cyI6IlNVQ0NFU1MiLCJ0aW1pbmciOnsiZW5kVGltZSI6IjIwMjItMDktMDZUMTc6NTQ6MjAuMTU1MjQyMDQ0WiIsInN0YXJ0VGltZSI6IjIwMjItMDktMDZUMTc6NTQ6MTMuMjM3MTM4MDU2WiJ9fV0sInN1YnN0aXR1dGlvbnMiOnsiQ09NTUlUX1NIQSI6IjAxY2UzOTNkMDRlYjZkZjJhN2IyYjNlOTVkNDEyNmU2ODdhZmI3YWUiLCJSRUZfTkFNRSI6InYzOSIsIlJFUE9fTkFNRSI6ImdjYi10ZXN0cyIsIlJFVklTSU9OX0lEIjoiMDFjZTM5M2QwNGViNmRmMmE3YjJiM2U5NWQ0MTI2ZTY4N2FmYjdhZSIsIlNIT1JUX1NIQSI6IjAxY2UzOTMiLCJUQUdfTkFNRSI6InYzOSIsIlRSSUdHRVJfQlVJTERfQ09ORklHX1BBVEgiOiJjbG91ZGJ1aWxkLnlhbWwiLCJUUklHR0VSX05BTUUiOiJUYWcifX0sImVudHJ5UG9pbnQiOiJjbG91ZGJ1aWxkLnlhbWwiLCJ0eXBlIjoiaHR0cHM6Ly9jbG91ZGJ1aWxkLmdvb2dsZWFwaXMuY29tL0Nsb3VkQnVpbGRZYW1sQHYwLjEifX0sInByZWRpY2F0ZVR
5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMSIsInNsc2FQcm92ZW5hbmNlIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2Nsb3VkYnVpbGQuZ29vZ2xlYXBpcy5jb20vR29vZ2xlSG9zdGVkV29ya2VyQHYwLjMifSwibWF0ZXJpYWxzIjpbeyJkaWdlc3QiOnsic2hhMSI6IjAxY2UzOTNkMDRlYjZkZjJhN2IyYjNlOTVkNDEyNmU2ODdhZmI3YWUifSwidXJpIjoiaHR0cHM6Ly9naXRodWIuY29tL2xhdXJlbnRzaW1vbi9nY2ItdGVzdHMifV0sIm1ldGFkYXRhIjp7ImJ1aWxkRmluaXNoZWRPbiI6IjIwMjItMDktMDZUMTc6NTQ6MjIuMTY5MzQyWiIsImJ1aWxkSW52b2NhdGlvbklkIjoiMTFmNmM2ODItMzQ1MS00ZjcyLWFjMmEtOGUzODZlYWI2NmFmIiwiYnVpbGRTdGFydGVkT24iOiIyMDIyLTA5LTA2VDE3OjU0OjEwLjIyNjgzMzM2MVoifSwicmVjaXBlIjp7ImFyZ3VtZW50cyI6eyJAdHlwZSI6InR5cGUuZ29vZ2xlYXBpcy5jb20vZ29vZ2xlLmRldnRvb2xzLmNsb3VkYnVpbGQudjEuQnVpbGQiLCJpZCI6IjExZjZjNjgyLTM0NTEtNGY3Mi1hYzJhLThlMzg2ZWFiNjZhZiIsIm9wdGlvbnMiOnsiZHluYW1pY1N1YnN0aXR1dGlvbnMiOnRydWUsImxvZ2dpbmciOiJMRUdBQ1kiLCJwb29sIjp7fSwicmVxdWVzdGVkVmVyaWZ5T3B0aW9uIjoiVkVSSUZJRUQiLCJzdWJzdGl0dXRpb25PcHRpb24iOiJBTExPV19MT09TRSJ9LCJzb3VyY2VQcm92ZW5hbmNlIjp7fSwic3RlcHMiOlt7ImFyZ3MiOlsiYnVpbGQiLCItdCIsInVzLXdlc3QyLWRvY2tlci5wa2cuZGV2L2dvc3N0LXNjYXJlLXNhbmRib3gvcXVpY2tzdGFydC1kb2NrZXItcmVwby9xdWlja3N0YXJ0LWltYWdlOnYzOSIsIi4iXSwibmFtZSI6Imdjci5pby9jbG91ZC1idWlsZGVycy9kb2NrZXIiLCJwdWxsVGltaW5nIjp7ImVuZFRpbWUiOiIyMDIyLTA5LTA2VDE3OjU0OjEzLjI0MDUwMzY0OVoiLCJzdGFydFRpbWUiOiIyMDIyLTA5LTA2VDE3OjU0OjEzLjIzNzEzODA1NloifSwic3RhdHVzIjoiU1VDQ0VTUyIsInRpbWluZyI6eyJlbmRUaW1lIjoiMjAyMi0wOS0wNlQxNzo1NDoyMC4xNTUyNDIwNDRaIiwic3RhcnRUaW1lIjoiMjAyMi0wOS0wNlQxNzo1NDoxMy4yMzcxMzgwNTZaIn19XSwic3Vic3RpdHV0aW9ucyI6eyJDT01NSVRfU0hBIjoiMDFjZTM5M2QwNGViNmRmMmE3YjJiM2U5NWQ0MTI2ZTY4N2FmYjdhZSIsIlJFRl9OQU1FIjoidjM5IiwiUkVQT19OQU1FIjoiZ2NiLXRlc3RzIiwiUkVWSVNJT05fSUQiOiIwMWNlMzkzZDA0ZWI2ZGYyYTdiMmIzZTk1ZDQxMjZlNjg3YWZiN2FlIiwiU0hPUlRfU0hBIjoiMDFjZTM5MyIsIlRBR19OQU1FIjoidjM5IiwiVFJJR0dFUl9CVUlMRF9DT05GSUdfUEFUSCI6ImNsb3VkYnVpbGQueWFtbCIsIlRSSUdHRVJfTkFNRSI6IlRhZyJ9fSwiZW50cnlQb2ludCI6ImNsb3VkYnVpbGQueWFtbCIsInR5cGUiOiJodHRwczovL2Nsb3VkYnVpbGQuZ29vZ2xlYXBpcy5jb20vQ2xvdWRCdWlsZFlhbWxAdjAuMSJ9fSwic3ViamVjdCI6W3s
iZGlnZXN0Ijp7InNoYTI1NiI6ImY0NzJjYTRiNjg4OThjOTUxYWMzYjQ3NmNiYTkxOWQwZDU2ZmNhNGNlZDYzMWZhYmNlYWQ1MWU0YjJiNjkwZTcifSwibmFtZSI6Imh0dHBzOi8vdXMtd2VzdDItZG9ja2VyLnBrZy5kZXYvZ29zc3Qtc2NhcmUtc2FuZGJveC9xdWlja3N0YXJ0LWRvY2tlci1yZXBvL3F1aWNrc3RhcnQtaW1hZ2U6djM5In1dfQ==", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "keyid": "projects/verified-builder/locations/us-west2/keyRings/attestor/cryptoKeys/builtByGCB/cryptoKeyVersions/1", + "sig": "MEQCID2DrzUtVIv55nSl0FdoYdaaayxrjOOF2i35yadBIvFdAiAZhG4k1dC2RmSbIBVctPQ10bTzeN4XKU7Vm9E5oMJAJQ==" + } + ] + }, + "kind": "BUILD", + "name": "projects/gosst-scare-sandbox/occurrences/768ee56d-2064-4ed9-9cd4-8232df1a1792", + "noteName": "projects/verified-builder/notes/intoto_11f6c682-3451-4f72-ac2a-8e386eab66af", + "resourceUri": "https://us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image@sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "updateTime": "2022-09-06T17:54:23.761540Z" + } + ] + } +} diff --git a/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-github/index.json b/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-github/index.json new file mode 100755 index 0000000..624d526 --- /dev/null +++ b/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-github/index.json 
@@ -0,0 +1,26 @@ +{ + "schemaVersion": 2, + "mediaType": "application/vnd.docker.distribution.manifest.v2+json", + "config": { + "mediaType": "application/vnd.docker.container.image.v1+json", + "size": 2034, + "digest": "sha256:738fc12a4294f732405a61e2416e1f383023da550b56536ecd73addd962a0eb7" + }, + "layers": [ + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "size": 22486039, + "digest": "sha256:f17d81b4b692f7e0d6c1176c86b81d9f2cb5ac5349703adca51c61debcfe413c" + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "size": 159, + "digest": "sha256:dc321114710ef96093295ef8b489c8c3ba5be1ecf1e92ae1e229ed23df91e37f" + }, + { + "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", + "size": 159, + "digest": "sha256:dc321114710ef96093295ef8b489c8c3ba5be1ecf1e92ae1e229ed23df91e37f" + } + ] +} \ No newline at end of file diff --git a/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-metadata-kind.json b/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-metadata-kind.json new file mode 100644 index 0000000..d680def --- /dev/null +++ b/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-metadata-kind.json 
@@ -0,0 +1,108 @@ +{ + "image_summary": { + "digest": "sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "fully_qualified_digest": "us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image@sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "registry": "us-west2-docker.pkg.dev", + "repository": "quickstart-docker-repo" + }, + "provenance_summary": { + "provenance": [ + { + "build": { + "intotoStatement": { + "_type": "https://in-toto.io/Statement/v0.1", + "predicateType": "https://slsa.dev/provenance/v0.1", + "slsaProvenance": { + "builder": { + "id": "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3" + }, + "materials": [ + { + "digest": { + "sha1": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae" + }, + "uri": "https://github.com/laurentsimon/gcb-tests" + } + ], + "metadata": { + "buildFinishedOn": "2022-09-06T17:54:22.169342Z", + "buildInvocationId": "11f6c682-3451-4f72-ac2a-8e386eab66af", + "buildStartedOn": "2022-09-06T17:54:10.226833361Z" + }, + "recipe": { + "arguments": { + "@type": "type.googleapis.com/google.devtools.cloudbuild.v1.Build", + "id": "11f6c682-3451-4f72-ac2a-8e386eab66af", + "options": { + "dynamicSubstitutions": true, + "logging": "LEGACY", + "pool": {}, + "requestedVerifyOption": "VERIFIED", + "substitutionOption": "ALLOW_LOOSE" + }, + "sourceProvenance": {}, + "steps": [ + { + "args": [ + "build", + "-t", + "us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image:v39", + "." 
+ ], + "name": "gcr.io/cloud-builders/docker", + "pullTiming": { + "endTime": "2022-09-06T17:54:13.240503649Z", + "startTime": "2022-09-06T17:54:13.237138056Z" + }, + "status": "SUCCESS", + "timing": { + "endTime": "2022-09-06T17:54:20.155242044Z", + "startTime": "2022-09-06T17:54:13.237138056Z" + } + } + ], + "substitutions": { + "COMMIT_SHA": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae", + "REF_NAME": "v39", + "REPO_NAME": "gcb-tests", + "REVISION_ID": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae", + "SHORT_SHA": "01ce393", + "TAG_NAME": "v39", + "TRIGGER_BUILD_CONFIG_PATH": "cloudbuild.yaml", + "TRIGGER_NAME": "Tag" + } + }, + "entryPoint": "cloudbuild.yaml", + "type": "https://cloudbuild.googleapis.com/CloudBuildYaml@v0.1" + } + }, + "subject": [ + { + "digest": { + "sha256": "f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7" + }, + "name": "https://us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image:v39" + } + ] + } + }, + "createTime": "2022-09-06T17:54:23.761540Z", + "envelope": { + "payload": "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", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "keyid": "projects/verified-builder/locations/us-west2/keyRings/attestor/cryptoKeys/builtByGCB/cryptoKeyVersions/1", + "sig": "MEQCID2DrzUtVIv55nSl0FdoYdaaayxrjOOF2i35yadBIvFdAiAZhG4k1dC2RmSbIBVctPQ10bTzeN4XKU7Vm9E5oMJAJQ==" + } + ] + }, + "kind": "BUIL", + "name": "projects/gosst-scare-sandbox/occurrences/768ee56d-2064-4ed9-9cd4-8232df1a1792", + "noteName": "projects/verified-builder/notes/intoto_11f6c682-3451-4f72-ac2a-8e386eab66af", + "resourceUri": "https://us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image@sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "updateTime": "2022-09-06T17:54:23.761540Z" + } + ] + } +} 
diff --git a/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-metadata-urisha256.json b/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-metadata-urisha256.json
new file mode 100644
index 0000000..0c4ae65
--- /dev/null
+++ b/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-metadata-urisha256.json
@@ -0,0 +1,108 @@ +{ + "image_summary": { + "digest": "sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "fully_qualified_digest": "us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image@sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "registry": "us-west2-docker.pkg.dev", + "repository": "quickstart-docker-repo" + }, + "provenance_summary": { + "provenance": [ + { + "build": { + "intotoStatement": { + "_type": "https://in-toto.io/Statement/v0.1", + "predicateType": "https://slsa.dev/provenance/v0.1", + "slsaProvenance": { + "builder": { + "id": "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3" + }, + "materials": [ + { + "digest": { + "sha1": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae" + }, + "uri": "https://github.com/laurentsimon/gcb-tests" + } + ], + "metadata": { + "buildFinishedOn": "2022-09-06T17:54:22.169342Z", + "buildInvocationId": "11f6c682-3451-4f72-ac2a-8e386eab66af", + "buildStartedOn": "2022-09-06T17:54:10.226833361Z" + }, + "recipe": { + "arguments": { + "@type": "type.googleapis.com/google.devtools.cloudbuild.v1.Build", + "id": "11f6c682-3451-4f72-ac2a-8e386eab66af", + "options": { + "dynamicSubstitutions": true, + "logging": "LEGACY", + "pool": {}, + "requestedVerifyOption": "VERIFIED", + "substitutionOption": "ALLOW_LOOSE" + }, + "sourceProvenance": {}, + "steps": [ + { + "args": [ + "build", + "-t", + "us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image:v39", + "." 
+ ], + "name": "gcr.io/cloud-builders/docker", + "pullTiming": { + "endTime": "2022-09-06T17:54:13.240503649Z", + "startTime": "2022-09-06T17:54:13.237138056Z" + }, + "status": "SUCCESS", + "timing": { + "endTime": "2022-09-06T17:54:20.155242044Z", + "startTime": "2022-09-06T17:54:13.237138056Z" + } + } + ], + "substitutions": { + "COMMIT_SHA": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae", + "REF_NAME": "v39", + "REPO_NAME": "gcb-tests", + "REVISION_ID": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae", + "SHORT_SHA": "01ce393", + "TAG_NAME": "v39", + "TRIGGER_BUILD_CONFIG_PATH": "cloudbuild.yaml", + "TRIGGER_NAME": "Tag" + } + }, + "entryPoint": "cloudbuild.yaml", + "type": "https://cloudbuild.googleapis.com/CloudBuildYaml@v0.1" + } + }, + "subject": [ + { + "digest": { + "sha256": "f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7" + }, + "name": "https://us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image:v39" + } + ] + } + }, + "createTime": "2022-09-06T17:54:23.761540Z", + "envelope": { + "payload": "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", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "keyid": "projects/verified-builder/locations/us-west2/keyRings/attestor/cryptoKeys/builtByGCB/cryptoKeyVersions/1", + "sig": "MEQCID2DrzUtVIv55nSl0FdoYdaaayxrjOOF2i35yadBIvFdAiAZhG4k1dC2RmSbIBVctPQ10bTzeN4XKU7Vm9E5oMJAJQ==" + } + ] + }, + "kind": "BUILD", + "name": "projects/gosst-scare-sandbox/occurrences/768ee56d-2064-4ed9-9cd4-8232df1a1792", + "noteName": "projects/verified-builder/notes/intoto_11f6c682-3451-4f72-ac2a-8e386eab66af", + "resourceUri": "https://us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image@sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e8", + "updateTime": "2022-09-06T17:54:23.761540Z" + } + ] + } +} 
diff --git a/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-payload-builderid.json b/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-payload-builderid.json
new file mode 100644
index 0000000..b6d1415
--- /dev/null
+++ b/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-payload-builderid.json
@@ -0,0 +1,108 @@ +{ + "image_summary": { + "digest": "sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "fully_qualified_digest": "us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image@sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "registry": "us-west2-docker.pkg.dev", + "repository": "quickstart-docker-repo" + }, + "provenance_summary": { + "provenance": [ + { + "build": { + "intotoStatement": { + "_type": "https://in-toto.io/Statement/v0.1", + "predicateType": "https://slsa.dev/provenance/v0.1", + "slsaProvenance": { + "builder": { + "id": "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3" + }, + "materials": [ + { + "digest": { + "sha1": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae" + }, + "uri": "https://github.com/laurentsimon/gcb-tests" + } + ], + "metadata": { + "buildFinishedOn": "2022-09-06T17:54:22.169342Z", + "buildInvocationId": "11f6c682-3451-4f72-ac2a-8e386eab66af", + "buildStartedOn": "2022-09-06T17:54:10.226833361Z" + }, + "recipe": { + "arguments": { + "@type": "type.googleapis.com/google.devtools.cloudbuild.v1.Build", + "id": "11f6c682-3451-4f72-ac2a-8e386eab66af", + "options": { + "dynamicSubstitutions": true, + "logging": "LEGACY", + "pool": {}, + "requestedVerifyOption": "VERIFIED", + "substitutionOption": "ALLOW_LOOSE" + }, + "sourceProvenance": {}, + "steps": [ + { + "args": [ + "build", + "-t", + "us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image:v39", + "." 
+ ], + "name": "gcr.io/cloud-builders/docker", + "pullTiming": { + "endTime": "2022-09-06T17:54:13.240503649Z", + "startTime": "2022-09-06T17:54:13.237138056Z" + }, + "status": "SUCCESS", + "timing": { + "endTime": "2022-09-06T17:54:20.155242044Z", + "startTime": "2022-09-06T17:54:13.237138056Z" + } + } + ], + "substitutions": { + "COMMIT_SHA": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae", + "REF_NAME": "v39", + "REPO_NAME": "gcb-tests", + "REVISION_ID": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae", + "SHORT_SHA": "01ce393", + "TAG_NAME": "v39", + "TRIGGER_BUILD_CONFIG_PATH": "cloudbuild.yaml", + "TRIGGER_NAME": "Tag" + } + }, + "entryPoint": "cloudbuild.yaml", + "type": "https://cloudbuild.googleapis.com/CloudBuildYaml@v0.1" + } + }, + "subject": [ + { + "digest": { + "sha256": "f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7" + }, + "name": "https://us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image:v39" + } + ] + } + }, + "createTime": "2022-09-06T17:54:23.761540Z", + "envelope": { + "payload": "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", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "keyid": "projects/verified-builder/locations/us-west2/keyRings/attestor/cryptoKeys/builtByGCB/cryptoKeyVersions/1", + "sig": "MEQCID2DrzUtVIv55nSl0FdoYdaaayxrjOOF2i35yadBIvFdAiAZhG4k1dC2RmSbIBVctPQ10bTzeN4XKU7Vm9E5oMJAJQ==" + } + ] + }, + "kind": "BUILD", + "name": "projects/gosst-scare-sandbox/occurrences/768ee56d-2064-4ed9-9cd4-8232df1a1792", + "noteName": "projects/verified-builder/notes/intoto_11f6c682-3451-4f72-ac2a-8e386eab66af", + "resourceUri": "https://us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image@sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "updateTime": "2022-09-06T17:54:23.761540Z" + } + ] + } +} 
diff --git a/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-payload-digest.json b/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-payload-digest.json
new file mode 100644
index 0000000..f4464c8
--- /dev/null
+++ b/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-payload-digest.json
@@ -0,0 +1,108 @@ +{ + "image_summary": { + "digest": "sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "fully_qualified_digest": "us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image@sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "registry": "us-west2-docker.pkg.dev", + "repository": "quickstart-docker-repo" + }, + "provenance_summary": { + "provenance": [ + { + "build": { + "intotoStatement": { + "_type": "https://in-toto.io/Statement/v0.1", + "predicateType": "https://slsa.dev/provenance/v0.1", + "slsaProvenance": { + "builder": { + "id": "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3" + }, + "materials": [ + { + "digest": { + "sha1": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae" + }, + "uri": "https://github.com/laurentsimon/gcb-tests" + } + ], + "metadata": { + "buildFinishedOn": "2022-09-06T17:54:22.169342Z", + "buildInvocationId": "11f6c682-3451-4f72-ac2a-8e386eab66af", + "buildStartedOn": "2022-09-06T17:54:10.226833361Z" + }, + "recipe": { + "arguments": { + "@type": "type.googleapis.com/google.devtools.cloudbuild.v1.Build", + "id": "11f6c682-3451-4f72-ac2a-8e386eab66af", + "options": { + "dynamicSubstitutions": true, + "logging": "LEGACY", + "pool": {}, + "requestedVerifyOption": "VERIFIED", + "substitutionOption": "ALLOW_LOOSE" + }, + "sourceProvenance": {}, + "steps": [ + { + "args": [ + "build", + "-t", + "us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image:v39", + "." 
+ ], + "name": "gcr.io/cloud-builders/docker", + "pullTiming": { + "endTime": "2022-09-06T17:54:13.240503649Z", + "startTime": "2022-09-06T17:54:13.237138056Z" + }, + "status": "SUCCESS", + "timing": { + "endTime": "2022-09-06T17:54:20.155242044Z", + "startTime": "2022-09-06T17:54:13.237138056Z" + } + } + ], + "substitutions": { + "COMMIT_SHA": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae", + "REF_NAME": "v39", + "REPO_NAME": "gcb-tests", + "REVISION_ID": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae", + "SHORT_SHA": "01ce393", + "TAG_NAME": "v39", + "TRIGGER_BUILD_CONFIG_PATH": "cloudbuild.yaml", + "TRIGGER_NAME": "Tag" + } + }, + "entryPoint": "cloudbuild.yaml", + "type": "https://cloudbuild.googleapis.com/CloudBuildYaml@v0.1" + } + }, + "subject": [ + { + "digest": { + "sha256": "f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7" + }, + "name": "https://us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image:v39" + } + ] + } + }, + "createTime": "2022-09-06T17:54:23.761540Z", + "envelope": { + "payload": "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", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "keyid": "projects/verified-builder/locations/us-west2/keyRings/attestor/cryptoKeys/builtByGCB/cryptoKeyVersions/1", + "sig": "MEQCID2DrzUtVIv55nSl0FdoYdaaayxrjOOF2i35yadBIvFdAiAZhG4k1dC2RmSbIBVctPQ10bTzeN4XKU7Vm9E5oMJAJQ==" + } + ] + }, + "kind": "BUILD", + "name": "projects/gosst-scare-sandbox/occurrences/768ee56d-2064-4ed9-9cd4-8232df1a1792", + "noteName": "projects/verified-builder/notes/intoto_11f6c682-3451-4f72-ac2a-8e386eab66af", + "resourceUri": "https://us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image@sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "updateTime": "2022-09-06T17:54:23.761540Z" + } + ] + } +} 
diff --git a/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-summary-digest.json b/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-summary-digest.json new file mode 100644 index 0000000..9f30c56 --- /dev/null +++ b/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-summary-digest.json 
@@ -0,0 +1,108 @@ +{ + "image_summary": { + "digest": "sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e8", + "fully_qualified_digest": "us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image@sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "registry": "us-west2-docker.pkg.dev", + "repository": "quickstart-docker-repo" + }, + "provenance_summary": { + "provenance": [ + { + "build": { + "intotoStatement": { + "_type": "https://in-toto.io/Statement/v0.1", + "predicateType": "https://slsa.dev/provenance/v0.1", + "slsaProvenance": { + "builder": { + "id": "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3" + }, + "materials": [ + { + "digest": { + "sha1": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae" + }, + "uri": "https://github.com/laurentsimon/gcb-tests" + } + ], + "metadata": { + "buildFinishedOn": "2022-09-06T17:54:22.169342Z", + "buildInvocationId": "11f6c682-3451-4f72-ac2a-8e386eab66af", + "buildStartedOn": "2022-09-06T17:54:10.226833361Z" + }, + "recipe": { + "arguments": { + "@type": "type.googleapis.com/google.devtools.cloudbuild.v1.Build", + "id": "11f6c682-3451-4f72-ac2a-8e386eab66af", + "options": { + "dynamicSubstitutions": true, + "logging": "LEGACY", + "pool": {}, + "requestedVerifyOption": "VERIFIED", + "substitutionOption": "ALLOW_LOOSE" + }, + "sourceProvenance": {}, + "steps": [ + { + "args": [ + "build", + "-t", + "us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image:v39", + "." 
+ ], + "name": "gcr.io/cloud-builders/docker", + "pullTiming": { + "endTime": "2022-09-06T17:54:13.240503649Z", + "startTime": "2022-09-06T17:54:13.237138056Z" + }, + "status": "SUCCESS", + "timing": { + "endTime": "2022-09-06T17:54:20.155242044Z", + "startTime": "2022-09-06T17:54:13.237138056Z" + } + } + ], + "substitutions": { + "COMMIT_SHA": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae", + "REF_NAME": "v39", + "REPO_NAME": "gcb-tests", + "REVISION_ID": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae", + "SHORT_SHA": "01ce393", + "TAG_NAME": "v39", + "TRIGGER_BUILD_CONFIG_PATH": "cloudbuild.yaml", + "TRIGGER_NAME": "Tag" + } + }, + "entryPoint": "cloudbuild.yaml", + "type": "https://cloudbuild.googleapis.com/CloudBuildYaml@v0.1" + } + }, + "subject": [ + { + "digest": { + "sha256": "f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7" + }, + "name": "https://us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image:v39" + } + ] + } + }, + "createTime": "2022-09-06T17:54:23.761540Z", + "envelope": { + "payload": "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", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "keyid": "projects/verified-builder/locations/us-west2/keyRings/attestor/cryptoKeys/builtByGCB/cryptoKeyVersions/1", + "sig": "MEQCID2DrzUtVIv55nSl0FdoYdaaayxrjOOF2i35yadBIvFdAiAZhG4k1dC2RmSbIBVctPQ10bTzeN4XKU7Vm9E5oMJAJQ==" + } + ] + }, + "kind": "BUILD", + "name": "projects/gosst-scare-sandbox/occurrences/768ee56d-2064-4ed9-9cd4-8232df1a1792", + "noteName": "projects/verified-builder/notes/intoto_11f6c682-3451-4f72-ac2a-8e386eab66af", + "resourceUri": "https://us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image@sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "updateTime": "2022-09-06T17:54:23.761540Z" + } + ] + } +} 
diff --git a/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-text-digest.json b/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-text-digest.json new file mode 100644 index 0000000..70fc9bb --- /dev/null +++ b/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-text-digest.json 
@@ -0,0 +1,108 @@ +{ + "image_summary": { + "digest": "sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "fully_qualified_digest": "us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image@sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "registry": "us-west2-docker.pkg.dev", + "repository": "quickstart-docker-repo" + }, + "provenance_summary": { + "provenance": [ + { + "build": { + "intotoStatement": { + "_type": "https://in-toto.io/Statement/v0.1", + "predicateType": "https://slsa.dev/provenance/v0.1", + "slsaProvenance": { + "builder": { + "id": "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3" + }, + "materials": [ + { + "digest": { + "sha1": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ad" + }, + "uri": "https://github.com/laurentsimon/gcb-tests" + } + ], + "metadata": { + "buildFinishedOn": "2022-09-06T17:54:22.169342Z", + "buildInvocationId": "11f6c682-3451-4f72-ac2a-8e386eab66af", + "buildStartedOn": "2022-09-06T17:54:10.226833361Z" + }, + "recipe": { + "arguments": { + "@type": "type.googleapis.com/google.devtools.cloudbuild.v1.Build", + "id": "11f6c682-3451-4f72-ac2a-8e386eab66af", + "options": { + "dynamicSubstitutions": true, + "logging": "LEGACY", + "pool": {}, + "requestedVerifyOption": "VERIFIED", + "substitutionOption": "ALLOW_LOOSE" + }, + "sourceProvenance": {}, + "steps": [ + { + "args": [ + "build", + "-t", + "us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image:v39", + "." 
+ ], + "name": "gcr.io/cloud-builders/docker", + "pullTiming": { + "endTime": "2022-09-06T17:54:13.240503649Z", + "startTime": "2022-09-06T17:54:13.237138056Z" + }, + "status": "SUCCESS", + "timing": { + "endTime": "2022-09-06T17:54:20.155242044Z", + "startTime": "2022-09-06T17:54:13.237138056Z" + } + } + ], + "substitutions": { + "COMMIT_SHA": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae", + "REF_NAME": "v39", + "REPO_NAME": "gcb-tests", + "REVISION_ID": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae", + "SHORT_SHA": "01ce393", + "TAG_NAME": "v39", + "TRIGGER_BUILD_CONFIG_PATH": "cloudbuild.yaml", + "TRIGGER_NAME": "Tag" + } + }, + "entryPoint": "cloudbuild.yaml", + "type": "https://cloudbuild.googleapis.com/CloudBuildYaml@v0.1" + } + }, + "subject": [ + { + "digest": { + "sha256": "f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7" + }, + "name": "https://us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image:v39" + } + ] + } + }, + "createTime": "2022-09-06T17:54:23.761540Z", + "envelope": { + "payload": "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", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "keyid": "projects/verified-builder/locations/us-west2/keyRings/attestor/cryptoKeys/builtByGCB/cryptoKeyVersions/1", + "sig": "MEQCID2DrzUtVIv55nSl0FdoYdaaayxrjOOF2i35yadBIvFdAiAZhG4k1dC2RmSbIBVctPQ10bTzeN4XKU7Vm9E5oMJAJQ==" + } + ] + }, + "kind": "BUILD", + "name": "projects/gosst-scare-sandbox/occurrences/768ee56d-2064-4ed9-9cd4-8232df1a1792", + "noteName": "projects/verified-builder/notes/intoto_11f6c682-3451-4f72-ac2a-8e386eab66af", + "resourceUri": "https://us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image@sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "updateTime": "2022-09-06T17:54:23.761540Z" + } + ] + } +} 
diff --git a/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-text-steps.json b/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-text-steps.json new file mode 100644 index 0000000..d651110 --- /dev/null +++ b/cli/slsa-verifier/testdata/gcb_container/v0.3/gcloud-container-mismatch-text-steps.json 
@@ -0,0 +1,108 @@ +{ + "image_summary": { + "digest": "sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "fully_qualified_digest": "us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image@sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "registry": "us-west2-docker.pkg.dev", + "repository": "quickstart-docker-repo" + }, + "provenance_summary": { + "provenance": [ + { + "build": { + "intotoStatement": { + "_type": "https://in-toto.io/Statement/v0.1", + "predicateType": "https://slsa.dev/provenance/v0.1", + "slsaProvenance": { + "builder": { + "id": "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3" + }, + "materials": [ + { + "digest": { + "sha1": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae" + }, + "uri": "https://github.com/laurentsimon/gcb-tests" + } + ], + "metadata": { + "buildFinishedOn": "2022-09-06T17:54:22.169342Z", + "buildInvocationId": "11f6c682-3451-4f72-ac2a-8e386eab66af", + "buildStartedOn": "2022-09-06T17:54:10.226833361Z" + }, + "recipe": { + "arguments": { + "@type": "type.googleapis.com/google.devtools.cloudbuild.v1.Build", + "id": "11f6c682-3451-4f72-ac2a-8e386eab66af", + "options": { + "dynamicSubstitutions": true, + "logging": "LEGACY", + "pool": {}, + "requestedVerifyOption": "VERIFIED", + "substitutionOption": "ALLOW_LOOSE" + }, + "sourceProvenance": {}, + "steps": [ + { + "args": [ + "build", + "-t", + "us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image:v40", + "." 
+ ], + "name": "gcr.io/cloud-builders/docker", + "pullTiming": { + "endTime": "2022-09-06T17:54:13.240503649Z", + "startTime": "2022-09-06T17:54:13.237138056Z" + }, + "status": "SUCCESS", + "timing": { + "endTime": "2022-09-06T17:54:20.155242044Z", + "startTime": "2022-09-06T17:54:13.237138056Z" + } + } + ], + "substitutions": { + "COMMIT_SHA": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae", + "REF_NAME": "v39", + "REPO_NAME": "gcb-tests", + "REVISION_ID": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae", + "SHORT_SHA": "01ce393", + "TAG_NAME": "v39", + "TRIGGER_BUILD_CONFIG_PATH": "cloudbuild.yaml", + "TRIGGER_NAME": "Tag" + } + }, + "entryPoint": "cloudbuild.yaml", + "type": "https://cloudbuild.googleapis.com/CloudBuildYaml@v0.1" + } + }, + "subject": [ + { + "digest": { + "sha256": "f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7" + }, + "name": "https://us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image:v39" + } + ] + } + }, + "createTime": "2022-09-06T17:54:23.761540Z", + "envelope": { + "payload": "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", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "keyid": "projects/verified-builder/locations/us-west2/keyRings/attestor/cryptoKeys/builtByGCB/cryptoKeyVersions/1", + "sig": "MEQCID2DrzUtVIv55nSl0FdoYdaaayxrjOOF2i35yadBIvFdAiAZhG4k1dC2RmSbIBVctPQ10bTzeN4XKU7Vm9E5oMJAJQ==" + } + ] + }, + "kind": "BUILD", + "name": "projects/gosst-scare-sandbox/occurrences/768ee56d-2064-4ed9-9cd4-8232df1a1792", + "noteName": "projects/verified-builder/notes/intoto_11f6c682-3451-4f72-ac2a-8e386eab66af", + "resourceUri": "https://us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image@sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "updateTime": "2022-09-06T17:54:23.761540Z" + } + ] + } +} diff --git a/go.mod b/go.mod index 6fc50a0..6df1325 100644 --- a/go.mod +++ b/go.mod 
@@ -21,6 +21,7 @@ require (
 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
 github.com/sigstore/cosign v1.11.1
 github.com/slsa-framework/slsa-github-generator v1.2.0
+ github.com/spf13/cobra v1.5.0
 github.com/transparency-dev/merkle v0.0.1
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4
 )
@@ -168,7 +169,6 @@ require (
 github.com/soheilhy/cmux v0.1.5 // indirect
 github.com/spf13/afero v1.8.2 // indirect
 github.com/spf13/cast v1.5.0 // indirect
- github.com/spf13/cobra v1.5.0 // indirect
 github.com/spf13/jwalterweatherman v1.1.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/spf13/viper v1.12.0 // indirect
diff --git a/verifiers/internal/gcb/provenance.go b/verifiers/internal/gcb/provenance.go
index 2ba46df..19dba9a 100644
--- a/verifiers/internal/gcb/provenance.go
+++ b/verifiers/internal/gcb/provenance.go
@@ -351,7 +351,7 @@ func (self *Provenance) VerifySubjectDigest(expectedHash string) error {
 }
 
 // Verify source URI in provenance statement.
-func (self *Provenance) VerifySourceURI(expectedSourceURI string) error {
+func (self *Provenance) VerifySourceURI(expectedSourceURI, builderID string) error {
 if err := self.isVerified(); err != nil {
 return err
 }
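Review bot: The doc comment on the changed signature still reads `// Verify source URI in provenance statement.` and says nothing about the new builderID parameter, even though that parameter now decides which URI format the method accepts. Suggest replacing it with `// VerifySourceURI verifies the source URI recorded in the provenance against expectedSourceURI. builderID selects the URI format to check, which differs between GoogleHostedWorker versions.` The rest of VerifySourceURI's body is in the next hunk; the go.mod hunks in this span only promote an existing dependency and need no comment.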
@@ -365,12 +365,33 @@ func (self *Provenance) VerifySourceURI(expectedSourceURI string) error {
 if !strings.HasPrefix(expectedSourceURI, "https://") {
 expectedSourceURI = "https://" + expectedSourceURI
 }
- if !strings.HasPrefix(uri, expectedSourceURI+"/commit/") {
- return fmt.Errorf("%w: expected '%s', got '%s'",
- serrors.ErrorMismatchSource, expectedSourceURI, uri)
+
+ v, err := getBuilderVersion(builderID)
+ if err != nil {
+ return err
 }
- return nil
+ switch v {
+ case "v0.2":
+ // In v0.2, it uses format
+ // `https://github.com/laurentsimon/gcb-tests/commit/01ce393d04eb6df2a7b2b3e95d4126e687afb7ae`.
+ if !strings.HasPrefix(uri, expectedSourceURI+"/commit/") {
+ return fmt.Errorf("%w: expected '%s', got '%s'",
+ serrors.ErrorMismatchSource, expectedSourceURI, uri)
+ }
+ // In v0.3, it uses the standard intoto and has the commit sha in its own
+ // `digest.sha1` field.
+ case "v0.3":
+ if uri != expectedSourceURI {
+ return fmt.Errorf("%w: expected '%s', got '%s'",
+ serrors.ErrorMismatchSource, expectedSourceURI, uri)
+ }
+ default:
+ err = fmt.Errorf("%w: version '%s'",
+ serrors.ErrorInvalidBuilderID, v)
+ }
+
+ return err
 }
 
 func (self *Provenance) VerifyBranch(branch string) error {
@@ -385,6 +406,25 @@ func (self *Provenance) VerifyVersionedTag(tag string) error {
 return fmt.Errorf("%w: GCB versioned-tag verification", serrors.ErrorNotSupported)
 }
 
+func decodeSignature(s string) ([]byte, []error) {
+ var errs []error
+ rsig, err := base64.StdEncoding.DecodeString(s)
+ if err == nil {
+ // No error, return the value.
+ return rsig, nil
+ }
+ errs = append(errs, err)
+
+ rsig, err = base64.URLEncoding.DecodeString(s)
+ if err == nil {
+ // No error, return the value.
+ return rsig, nil
+ }
+ errs = append(errs, err)
+
+ return nil, errs
+}
+
 // verifySignatures iterates over all the signatures in the DSSE and verifies them.
 // It succeeds if one of them can ne verified.
 func (self *Provenance) verifySignatures(prov *provenance) error {
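Review bot: The comment explaining the v0.3 URI format sits at the end of the `case "v0.2":` body, after the v0.2 check, rather than directly under `case "v0.3":`, so a reader scanning the v0.2 branch sees a comment that does not describe it; move the two comment lines below `case "v0.3":`. The `default:` branch assigns `err` and relies on the shared `return err` at the bottom, which reuses the variable that held the getBuilderVersion result — clearer to `return fmt.Errorf("%w: version '%s'", serrors.ErrorInvalidBuilderID, v)` in the default case and end the function with `return nil`. That comment also states the commit sha lives in `digest.sha1`, but nothing in this hunk compares it; if that check is done elsewhere, naming where in the comment would save the next reader a search. VerifySourceURI starts in the previous hunk.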
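Review bot: decodeSignature tries only the padded alphabets `base64.StdEncoding` and `base64.URLEncoding`, whereas the call it replaces in the next hunk used `base64.RawURLEncoding`, so an unpadded URL-safe signature that previously decoded will now fail both attempts and surface as two decode errors; either add the `Raw*` variants to the fallback chain or note in the commit that unpadded input is no longer accepted. The fixture signatures in this commit are padded, so the tests would not catch the regression. The function also has no doc comment; suggest `// decodeSignature decodes a base64 signature, trying the standard then the URL-safe padded alphabet; on failure it returns every decode error it encountered.`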
@@ -416,9 +456,9 @@ func (self *Provenance) verifySignatures(prov *provenance) error {
 }
 
 // Decode the signature.
- rsig, err := base64.RawURLEncoding.DecodeString(sig.Sig)
+ rsig, es := decodeSignature(sig.Sig)
 if err != nil {
- errs = append(errs, err)
+ errs = append(errs, es...)
 continue
 }
diff --git a/verifiers/internal/gcb/provenance_test.go b/verifiers/internal/gcb/provenance_test.go
index 15500e1..a609524 100644
--- a/verifiers/internal/gcb/provenance_test.go
+++ b/verifiers/internal/gcb/provenance_test.go
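Review bot: The new line `rsig, es := decodeSignature(sig.Sig)` stores the decode errors in `es`, but the condition on the next line is still `if err != nil`, which now tests a variable left over from earlier in the loop (declared outside this hunk), not the decode result. When decoding fails, `rsig` is nil and whether the loop skips the entry or hands the nil signature to verification depends on that unrelated value, and the collected `es` errors are only reported if it happens to be non-nil. The guard should read `if es != nil {`. verifySignatures starts and ends outside the hunk, so the earlier declaration of `err` is inferred, not visible here.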
@@ -265,39 +265,96 @@ func Test_validateRecipeType(t *testing.T) {
 func Test_VerifySourceURI(t *testing.T) {
 t.Parallel()
 tests := []struct {
- name string
- path string
- source string
- expected error
+ name string
+ path string
+ builderID string
+ source string
+ expected error
 }{
+ // v0.1
 {
- name: "valid gcb provenance",
- path: "./testdata/gcloud-container-github.json",
- source: "https://github.com/laurentsimon/gcb-tests",
+ name: "v0.1 invalid builder id",
+ path: "./testdata/gcloud-container-github.json",
+ builderID: "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.1",
+ source: "https://github.com/laurentsimon/gcb-tests",
+ expected: serrors.ErrorInvalidBuilderID,
+ },
+ // v0.2
+ {
+ name: "v0.2 valid gcb provenance",
+ path: "./testdata/gcloud-container-github.json",
+ builderID: "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.2",
+ source: "https://github.com/laurentsimon/gcb-tests",
 },
 {
- name: "mismatch name",
- path: "./testdata/gcloud-container-github.json",
- source: "https://github.com/laurentsimon/gcb-tests2",
- expected: serrors.ErrorMismatchSource,
+ name: "v0.2 mismatch name",
+ path: "./testdata/gcloud-container-github.json",
+ builderID: "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.2",
+ source: "https://github.com/laurentsimon/gcb-tests2",
+ expected: serrors.ErrorMismatchSource,
 },
 {
- name: "mismatch org",
- path: "./testdata/gcloud-container-github.json",
- source: "https://github.com/wrong/gcb-tests",
- expected: serrors.ErrorMismatchSource,
+ name: "v0.2 mismatch org",
+ path: "./testdata/gcloud-container-github.json",
+ builderID: "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.2",
+ source: "https://github.com/wrong/gcb-tests",
+ expected: serrors.ErrorMismatchSource,
 },
 {
- name: "mismatch protocol",
- path: "./testdata/gcloud-container-github.json",
- source: "http://github.com/laurentsimon/gcb-tests",
- expected: serrors.ErrorMismatchSource,
+ name: "v0.2 mismatch protocol",
+ path: "./testdata/gcloud-container-github.json",
+ builderID: "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.2",
+ source: "http://github.com/laurentsimon/gcb-tests",
+ expected: serrors.ErrorMismatchSource,
 },
 {
- name: "mismatch full uri",
- path: "./testdata/gcloud-container-github.json",
- source: "https://github.com/laurentsimon/gcb-tests/commit/fbbb98765e85ad464302dc5977968104d36e455e",
- expected: serrors.ErrorMismatchSource,
+ name: "v0.2 mismatch full uri",
+ path: "./testdata/gcloud-container-github.json",
+ builderID: "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.2",
+ source: "https://github.com/laurentsimon/gcb-tests/commit/fbbb98765e85ad464302dc5977968104d36e455e",
+ expected: serrors.ErrorMismatchSource,
+ },
+ // v0.3
+ {
+ name: "v0.3 valid gcb provenance",
+ path: "./testdata/gcloud-container-github-v03.json",
+ builderID: "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3",
+ source: "https://github.com/laurentsimon/gcb-tests",
+ },
+ {
+ name: "v0.3 mismatch name",
+ path: "./testdata/gcloud-container-github-v03.json",
+ builderID: "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3",
+ source: "https://github.com/laurentsimon/gcb-tests2",
+ expected: serrors.ErrorMismatchSource,
+ },
+ {
+ name: "v0.3 mismatch org",
+ path: "./testdata/gcloud-container-github-v03.json",
+ builderID: "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3",
+ source: "https://github.com/wrong/gcb-tests",
+ expected: serrors.ErrorMismatchSource,
+ },
+ {
+ name: "v0.3 mismatch protocol",
+ path: "./testdata/gcloud-container-github-v03.json",
+ builderID: "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.2",
+ source: "http://github.com/laurentsimon/gcb-tests",
+ expected: serrors.ErrorMismatchSource,
+ },
+ {
+ name: "v0.3 mismatch full uri",
+ path: "./testdata/gcloud-container-github-v03.json",
+ builderID: "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3",
+ source: "https://github.com/laurentsimon/gcb-tests/commit/fbbb98765e85ad464302dc5977968104d36e455e",
+ expected: serrors.ErrorMismatchSource,
+ },
+ {
+ name: "v0.3 mismatch full uri uses v0.2 format",
+ path: "./testdata/gcloud-container-github-v03.json",
+ builderID: "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3",
+ source: "https://github.com/laurentsimon/gcb-tests/commit/01ce393d04eb6df2a7b2b3e95d4126e687afb7ae",
+ expected: serrors.ErrorMismatchSource,
 },
 }
 for _, tt := range tests {
@@ -319,7 +376,7 @@ func Test_VerifySourceURI(t *testing.T) {
 panic(fmt.Errorf("ProvenanceFromBytes: %w", err))
 }
 
- err = prov.VerifySourceURI(tt.source)
+ err = prov.VerifySourceURI(tt.source, tt.builderID)
 if !cmp.Equal(err, tt.expected, cmpopts.EquateErrors()) {
 t.Errorf(cmp.Diff(err, tt.expected, cmpopts.EquateErrors()))
 }
diff --git a/verifiers/internal/gcb/testdata/gcloud-container-github-v03.json b/verifiers/internal/gcb/testdata/gcloud-container-github-v03.json
new file mode 100644
index 0000000..6477a2a
--- /dev/null
+++ b/verifiers/internal/gcb/testdata/gcloud-container-github-v03.json
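Review bot: The `"v0.3 mismatch protocol"` case pairs the v0.3 fixture with `builderID: "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.2"`, so it is routed through the v0.2 prefix check and never exercises the v0.3 exact-match branch; it passes only because `http://` fails the v0.2 check as well. Every other v0.3 case uses the v0.3 builder ID, which suggests a copy-paste slip; change that line to `builderID: "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3",`. The second hunk only threads `tt.builderID` into the call and needs no change.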
@@ -0,0 +1,108 @@ +{ + "image_summary": { + "digest": "sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "fully_qualified_digest": "us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image@sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "registry": "us-west2-docker.pkg.dev", + "repository": "quickstart-docker-repo" + }, + "provenance_summary": { + "provenance": [ + { + "build": { + "intotoStatement": { + "_type": "https://in-toto.io/Statement/v0.1", + "predicateType": "https://slsa.dev/provenance/v0.1", + "slsaProvenance": { + "builder": { + "id": "https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3" + }, + "materials": [ + { + "digest": { + "sha1": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae" + }, + "uri": "https://github.com/laurentsimon/gcb-tests" + } + ], + "metadata": { + "buildFinishedOn": "2022-09-06T17:54:22.169342Z", + "buildInvocationId": "11f6c682-3451-4f72-ac2a-8e386eab66af", + "buildStartedOn": "2022-09-06T17:54:10.226833361Z" + }, + "recipe": { + "arguments": { + "@type": "type.googleapis.com/google.devtools.cloudbuild.v1.Build", + "id": "11f6c682-3451-4f72-ac2a-8e386eab66af", + "options": { + "dynamicSubstitutions": true, + "logging": "LEGACY", + "pool": {}, + "requestedVerifyOption": "VERIFIED", + "substitutionOption": "ALLOW_LOOSE" + }, + "sourceProvenance": {}, + "steps": [ + { + "args": [ + "build", + "-t", + "us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image:v39", + "." 
+ ], + "name": "gcr.io/cloud-builders/docker", + "pullTiming": { + "endTime": "2022-09-06T17:54:13.240503649Z", + "startTime": "2022-09-06T17:54:13.237138056Z" + }, + "status": "SUCCESS", + "timing": { + "endTime": "2022-09-06T17:54:20.155242044Z", + "startTime": "2022-09-06T17:54:13.237138056Z" + } + } + ], + "substitutions": { + "COMMIT_SHA": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae", + "REF_NAME": "v39", + "REPO_NAME": "gcb-tests", + "REVISION_ID": "01ce393d04eb6df2a7b2b3e95d4126e687afb7ae", + "SHORT_SHA": "01ce393", + "TAG_NAME": "v39", + "TRIGGER_BUILD_CONFIG_PATH": "cloudbuild.yaml", + "TRIGGER_NAME": "Tag" + } + }, + "entryPoint": "cloudbuild.yaml", + "type": "https://cloudbuild.googleapis.com/CloudBuildYaml@v0.1" + } + }, + "subject": [ + { + "digest": { + "sha256": "f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7" + }, + "name": "https://us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image:v39" + } + ] + } + }, + "createTime": "2022-09-06T17:54:23.761540Z", + "envelope": { + "payload": "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", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "keyid": "projects/verified-builder/locations/us-west2/keyRings/attestor/cryptoKeys/builtByGCB/cryptoKeyVersions/1", + "sig": "MEQCID2DrzUtVIv55nSl0FdoYdaaayxrjOOF2i35yadBIvFdAiAZhG4k1dC2RmSbIBVctPQ10bTzeN4XKU7Vm9E5oMJAJQ==" + } + ] + }, + "kind": "BUILD", + "name": "projects/gosst-scare-sandbox/occurrences/768ee56d-2064-4ed9-9cd4-8232df1a1792", + "noteName": "projects/verified-builder/notes/intoto_11f6c682-3451-4f72-ac2a-8e386eab66af", + "resourceUri": "https://us-west2-docker.pkg.dev/gosst-scare-sandbox/quickstart-docker-repo/quickstart-image@sha256:f472ca4b68898c951ac3b476cba919d0d56fca4ced631fabcead51e4b2b690e7", + "updateTime": "2022-09-06T17:54:23.761540Z" + } + ] + } +} diff --git a/verifiers/internal/gcb/verifier.go b/verifiers/internal/gcb/verifier.go index a1ef8eb..0832362 100644 
--- a/verifiers/internal/gcb/verifier.go
+++ b/verifiers/internal/gcb/verifier.go
@@ -72,7 +72,7 @@ func (v *GCBVerifier) VerifyImage(ctx context.Context,
 }
 
 // Verify source.
- if err = prov.VerifySourceURI(provenanceOpts.ExpectedSourceURI); err != nil {
+ if err = prov.VerifySourceURI(provenanceOpts.ExpectedSourceURI, builderID); err != nil {
 return nil, "", err
 }
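Review bot: `builderID` is now the value that selects which source-URI format VerifySourceURI enforces, and it comes from a variable declared above this hunk whose origin is not visible here; if it is read from the provenance itself rather than from a value already checked against the caller's expected builder, the format selection would be driven by the document under verification. Worth confirming in VerifyImage that the builder-ID verification precedes this call, and a one-line comment such as `// builderID has been verified against the expected builder above.` would make that ordering explicit. VerifyImage starts and ends outside the hunk.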