github/slsa-verifier
1
0
Fork 0
mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-02-14 17:49:58 +00:00
Code Issues Packages Projects Releases Wiki Activity
489 Commits 40 Branches 45 Tags
main
Commit Graph

16 Commits

Author SHA1 Message Date
Ramon Petgrave
208ac12589 feat: vsa support (#777) 
Fixes #542

Adds support for VSAs.

## Testing process

- added some unit an end-to-end tests
- manually invoking

    ```
    go run ./cli/slsa-verifier/ verify-vsa \
    --subject-digest gce_image_id:8970095005306000053 \
--attestation-path
./cli/slsa-verifier/testdata/vsa/gce/v1/gke-gce-pre.bcid-vsa.jsonl \
--verifier-id
https://bcid.corp.google.com/verifier/bcid_package_enforcer/v0.1 \
--resource-uri
gce_image://gke-node-images:gke-12615-gke1418000-cos-101-17162-463-29-c-cgpv1-pre
\
    --verified-level BCID_L1 \
    --verified-level SLSA_BUILD_LEVEL_2 \
--public-key-path
./cli/slsa-verifier/testdata/vsa/gce/v1/vsa_signing_public_key.pem \
    --public-key-id keystore://76574:prod:vsa_signing_public_key \
    --print-attestation



{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://slsa.dev/verification_summary/v1","predicate":{"timeVerified":"2024-06-12T07:24:34.351608Z","verifier":{"id":"https://bcid.corp.google.com/verifier/bcid_package_enforcer/v0.1"},"verificationResult":"PASSED","verifiedLevels":["BCID_L1","SLSA_BUILD_LEVEL_2"],"resourceUri":"gce_image://gke-node-images:gke-12615-gke1418000-cos-101-17162-463-29-c-cgpv1-pre","policy":{"uri":"googlefile:/google_src/files/642513192/depot/google3/production/security/bcid/software/gce_image/gke/vm_images.sw_policy.textproto"}},"subject":[{"name":"_","digest":{"gce_image_id":"8970095005306000053"}}]}
    Verifying VSA: PASSED
    
    PASSED: SLSA verification passed
    ```

TODOS:
- open issue on the in_toto attestations repo about the incorrect json
[fields](36c1129542/go/predicates/vsa/v1/vsa.pb.go (L26-L40))
for vsa 1.0

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-07-10 21:25:16 -04:00
laurentsimon
f6ae402f45 fix: npm publish verification (#705) 
- adding support for IEEE P1363 formatted signatures
- fix the npm publish attestation bug. The verification always return
success, because it was not using PAE signature

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Ian Lewis <ianlewis@google.com>
Co-authored-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
 2023-10-02 10:12:51 -07:00
Ian Lewis
e7fc7a4621 feat: Verification for when sha1 is specified in BYOB TRW (#641) 
Fixes #600

---------

Signed-off-by: Ian Lewis <ianlewis@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
 2023-07-25 11:29:15 +09:00
laurentsimon
7b942b8666 fix: only allow hashes of 256 bits or more (#633) 
Signed-off-by: laurentsimon <laurentsimon@google.com>
 2023-06-05 08:32:53 +09:00
laurentsimon
fba178ea9c feat: Use env variable to retrieve trigger workflow (#615) 
* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
 2023-05-25 14:32:48 -07:00
laurentsimon
3a4e992444 feat: verify claims in provenance match the certificate (#572) 
* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
 2023-05-09 23:52:36 +00:00
laurentsimon
82a12591ff feat: npm default runner support (#495) 
* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
 2023-03-02 21:53:29 +00:00
asraa
362bd1a331 feat: add offline bundle signature verification (#457) 
* feat: add bundle signature verification

Signed-off-by: Asra Ali <asraa@google.com>
 2023-02-03 09:31:40 -06:00
laurentsimon
4a6c5b1677 feat: add more tests for GCB verification (#389) 
* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

Signed-off-by: laurentsimon <laurentsimon@google.com>
 2022-12-05 13:31:58 -08:00
laurentsimon
533d347a4b feat: support builderID matching with or without semver for GHA (#257) 
* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update
 2022-09-15 14:32:03 -07:00
laurentsimon
e0edc0c46f feat: support for GCB v0.3 verification (#248) 
* update

* update

* update

* update
 2022-09-06 23:54:59 +00:00
laurentsimon
d5b56c334e feat: add CLI tests for GCB verification (#245) 
* update

* update

* update

* update
 2022-09-02 20:42:40 +00:00
laurentsimon
26c928f5b7 Verify text provenance for GCB (#242) 
* update

* update

* update

* update

* update

* comments

* comments
 2022-08-30 23:08:46 +00:00
laurentsimon
3b5c68f561 feat: Support for GCB verification (#202) 
* add testing folder

Signed-off-by: Asra Ali <asraa@google.com>

* add tests

Signed-off-by: Asra Ali <asraa@google.com>

* update

* updated comments

Signed-off-by: Asra Ali <asraa@google.com>

* update

* update

* update

* update

* update

* update

* update

* draft

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

Signed-off-by: Asra Ali <asraa@google.com>
Co-authored-by: Asra Ali <asraa@google.com>
 2022-08-24 10:17:14 -07:00
laurentsimon
5bb13ef508 feat: add a -workflow-input option (#216) 
* update
 2022-08-15 19:38:15 +00:00
laurentsimon
edb792b342 feat: Create interface for verifiers (#187) 
* update

* update

* unit tests

* update

* comments

* update

* update

* update

* update

* Use interface for builders

* update

* update

* update

* update

* fix

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update
 2022-08-05 14:31:34 -07:00