@fweikert these are the changes I think might be needed to get this to
work (it's somewhat hacky, I'm not sure I've fully covered what's
needed).
@ramonpetgrave64 is this kinda what's needed?
This now adds the `verify-github-attestation` sub command. Use this
instead of `verify-artifact`.
---------
Signed-off-by: Appu Goundan <appu@google.com>
Signed-off-by: Appu <appu@google.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Uses the `sigstore-go` library for fetching the `TrustedRoot`, which
contains the Sigstore infrastructure certificates needed to validate the
leaf ephemeral certificates used to sign artifacts.
Refactors:
- replace `TrustedRootSingleton()` with `getDefaultCosignCheckOpts()`,
since only `VerifyImage()` will now need that data.
- replace `cosign.ValidateAndUnpackCert` with `sigstoreVerify.VerifyLeafCertificate()`
- use `sync.Once` for sigstore and rekor clients, and the `TrustedRoot`
## Testing
- existing tests continue to pass
- [negative tests](d96b977709/cli/slsa-verifier/main_regression_test.go (L450-L471)) against rekor TLogs
- manual invocations of `verify-artifact`.
---------
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
We've long had the problem that slsa-verifier has too many dependencies.
This PR replaces `"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"`
with `"github.com/sigstore/sigstore/pkg/fulcioroots"`,
removing lots of unneeded transitive dependencies like
`"github.com/aws/aws-sdk-go-v2"` and
`"github.com/Azure/go-autorest/autorest"` from our `go.mod`.
## Investigation
At
[deps.dev](https://deps.dev/go/github.com%2Fslsa-framework%2Fslsa-verifier%2Fv2/v2.4.1/dependencies/graph?filter=aws),
we can see that the indirect dependencies of `aws/aws-sdk-go-v2` come
from `cosign/cosign`.
That's a good start, but this gives us only module-wide dependencies,
not package-level dependencies. We can instead use `go mod why <pkg>` to
get the package-level dependency chain.
```
➜ slsa-verifier git:(main) ✗ go mod why github.com/aws/aws-sdk-go-v2/
# github.com/aws/aws-sdk-go-v2
github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha
github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio
github.com/sigstore/cosign/v2/cmd/cosign/cli/options
github.com/awslabs/amazon-ecr-credential-helper/ecr-login
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api
github.com/aws/aws-sdk-go-v2/config
github.com/aws/aws-sdk-go-v2/internal/ini
github.com/aws/aws-sdk-go-v2
```
Now we know that it's our `gha` package that imports a fulcio package,
which imports an aws package.
Looking at our `gha` package we can see that the required methods from
fulcio are `Get()` and `GetIntermediates()`. Looking at the source
codes, we see that
`"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"`'s implementation
of these methods is the same as
`"github.com/sigstore/sigstore/pkg/fulcioroots"`'s implementation. So we
chose the latter's implementation, which happens to require fewer
module-level dependencies.
- 546f1c5b91/cmd/cosign/cli/fulcio/fulcio.go (L16)
- 546f1c5b91/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go (L16)
- 25dd9f3e52/pkg/fulcioroots/fulcioroots.go (L17)
## Testing
- unit tests continue to pass
- manual test to verify a provenance with the steps in our
[readme](https://github.com/slsa-framework/slsa-verifier?tab=readme-ov-file#npm-packages-built-using-the-slsa3-nodejs-builder)
## Future Work
The sigstore-go library is meant to be a more long-term solution, for
replacing much of the sigstore-related functionality that slsa-verifier
implements directly.
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
This is in preparation for switching over the Rekor entry type in the
slsa github generator to be the newer DSSE type. This adds support for
searching for both intoto v001 and dsse v001 entries.
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Previously we used the go-cmp's Diff for displaying a human-friendly
diff between two structs in an error message.
I had intended to do a json print of the structs and do a line-by-line
diff. There is an internal library for calculating text diff, but I
don't see any external functions that expose it to make it available for
our use: https://pkg.go.dev/golang.org/x/tools/internal/diff
Instead, we will simply display both structs in their own "actual"
and "expected" sections. The user can use their other tools to find a
human-friendly diff.
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
/cc @mihaimaruseac
/cc @laurentsimon
Based off the prefix of the BuilderID within the provenance, if the
builder used to build the artifact is one of the BYOB builders of the
slsa-framework/slsa-github-generator repo, the --builderid flag is not
needed and is handled automatically. This was done to increase access to
users since before the automatic pickup of the builder-id would get the
delegator.
Test cases that cover verifyProvenance will need to be completed after
the v1.8.0 release of slsa-framework/slsa-github-generator.
The main structure that is changed is that the ExpectedBuilderPath is
hardcoded now to slsa-framework builders within
`/cli/slsa-verifier/verify/verify_artifact.go`. This can later be
changed if needed to be an input like the other fields of
`provenanceOpts` populated during `verify_artifact.go`. The added
function within `provenance.go`, `verifyBuilderIDPath`, is called during
`verifyProvenance` to check this path within `provenanceOpts`. Upon
failure of this function, the expected and received BuilderIDs are also
output.
closes #659
makes use of discussion on closed pr #673
---------
Signed-off-by: Noah Elzner <elzner@google.com>
Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
Co-authored-by: Ian Lewis <ianlewis@google.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Internally use full builder IDs including server url rather than workflow
ref as a path. This should hopefully avoid confusion between dealing
with builder IDs and `GITHUB_WORKFLOW_REF` which only contains the path
portion. `GITHUB_WORKFLOW_REF` is the only thing that doesn't include
the domain/server url part of the workflow/builder ID. The Fulcio OID
claims include the full url.
Code extracted from #641
---------
Signed-off-by: Ian Lewis <ianlewis@google.com>
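The two commits above describe a builder ID prefix check that prints the expected and received IDs on failure, and the move to full builder IDs (server URL plus workflow path) instead of the path-only `GITHUB_WORKFLOW_REF`. The following Go program is an added illustration of both ideas; it is not slsa-verifier's own code. The `expectedBuilderPrefix` constant, the `BuilderIDError` type and the function names are assumptions made for this example, and the `v1.8.0` ref in `main` is a constructed sample value.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Assumed prefix under which the slsa-github-generator BYOB builders live; the
// real verifier hardcodes its own value in verify_artifact.go.
const expectedBuilderPrefix = "https://github.com/slsa-framework/slsa-github-generator/"

// BuilderIDError carries both the expected prefix and the received builder ID,
// so a failure can report both, as the commit message says the verifier does.
type BuilderIDError struct {
	Expected string
	Received string
}

func (e *BuilderIDError) Error() string {
	return fmt.Sprintf("builder ID mismatch:\n  expected prefix: %s\n  received:        %s",
		e.Expected, e.Received)
}

// builderIDFromWorkflowRef turns a GITHUB_WORKFLOW_REF value, which carries only
// the "owner/repo/.github/workflows/file.yml@ref" path portion, into a full
// builder ID by prepending the server URL.
func builderIDFromWorkflowRef(serverURL, workflowRef string) string {
	return strings.TrimSuffix(serverURL, "/") + "/" + strings.TrimPrefix(workflowRef, "/")
}

// verifyBuilderIDPath checks that a full builder ID (server URL, workflow path,
// optional "@ref") sits under expectedPrefix. On success it returns the workflow
// path relative to the prefix and the ref (empty when the ID carries none).
func verifyBuilderIDPath(builderID, expectedPrefix string) (string, string, error) {
	u, err := url.Parse(builderID)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", "", fmt.Errorf("builder ID %q is not an absolute https URL", builderID)
	}
	if u.User != nil {
		// "https://x@github.com/..." would otherwise be reconstructed without the
		// userinfo and could pass a naive string-prefix check.
		return "", "", errors.New("builder ID must not carry userinfo")
	}
	// Split the "@ref" suffix off the path so the prefix check only sees the path.
	path, ref, _ := strings.Cut(u.Path, "@")
	full := u.Scheme + "://" + u.Host + path
	if !strings.HasPrefix(full, expectedPrefix) {
		return "", "", &BuilderIDError{Expected: expectedPrefix, Received: builderID}
	}
	rel := strings.TrimPrefix(full, expectedPrefix)
	if rel == "" || strings.Contains(rel, "..") {
		return "", "", fmt.Errorf("builder ID %q has an empty or malformed workflow path", builderID)
	}
	return rel, ref, nil
}

func main() {
	// Constructed sample: a workflow ref as GitHub would expose it, made into a full ID.
	id := builderIDFromWorkflowRef("https://github.com",
		"slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0")
	rel, ref, err := verifyBuilderIDPath(id, expectedBuilderPrefix)
	fmt.Println("ok:", rel, ref, err)

	_, _, err = verifyBuilderIDPath(
		"https://github.com/someone-else/generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.8.0",
		expectedBuilderPrefix)
	fmt.Println("rejected:", err)
}
```

The prefix comparison deliberately runs on the reconstructed scheme, host and path rather than on the raw string, so a ref or userinfo cannot change what is compared.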
Adds the functions `NormalizeGitURI`, `ParseGitURIAndRef`, and
`ValidateGitRef`. `ParseGitRef` was updated to be permissive of the ref
type whereas `ValidateGitRef` validates that the type is of a given
type.
Code extracted from #641
Signed-off-by: Ian Lewis <ianlewis@google.com>
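As an added example of the helper shapes this commit names (written for this page, not extracted from slsa-verifier), here is a small Go version of URI normalisation, URI/ref splitting, a permissive ref parser and a strict ref-type validator. The exact behaviour of the real `NormalizeGitURI`, `ParseGitURIAndRef`, `ParseGitRef` and `ValidateGitRef` is assumed, as is the absence of userinfo in source URIs.

```go
package main

import (
	"fmt"
	"strings"
)

// Ref prefixes as git spells them; which one a caller passes is the "given type".
const (
	refTypeBranch = "refs/heads/"
	refTypeTag    = "refs/tags/"
)

// normalizeGitURI (assumed behaviour) makes sure the URI carries the
// "git+https://" scheme that SLSA provenance uses for source URIs.
func normalizeGitURI(uri string) string {
	switch {
	case strings.HasPrefix(uri, "git+https://"):
		return uri
	case strings.HasPrefix(uri, "https://"):
		return "git+" + uri
	default:
		return "git+https://" + uri
	}
}

// parseGitURIAndRef splits "git+https://host/owner/repo@refs/heads/main" into
// the URI and the ref. The ref is empty when the URI carries none. Assumes no
// userinfo, so the first "@" after "://" starts the ref.
func parseGitURIAndRef(s string) (uri, ref string, err error) {
	_, rest, ok := strings.Cut(s, "://")
	if !ok {
		return "", "", fmt.Errorf("git URI %q has no scheme", s)
	}
	scheme := s[:len(s)-len(rest)] // "git+https://"
	path, ref, found := strings.Cut(rest, "@")
	if path == "" {
		return "", "", fmt.Errorf("git URI %q has no host or path", s)
	}
	if found && ref == "" {
		return "", "", fmt.Errorf("git URI %q has an empty ref", s)
	}
	return scheme + path, ref, nil
}

// parseGitRef is permissive about the ref type: any "refs/<type>/<name>" parses.
func parseGitRef(ref string) (refType, name string, err error) {
	if !strings.HasPrefix(ref, "refs/") {
		return "", "", fmt.Errorf("ref %q does not start with refs/", ref)
	}
	refType, name, ok := strings.Cut(strings.TrimPrefix(ref, "refs/"), "/")
	if !ok || refType == "" || name == "" {
		return "", "", fmt.Errorf("ref %q is not of the form refs/<type>/<name>", ref)
	}
	return refType, name, nil
}

// validateGitRef insists that ref is of the given type (one of the refType*
// prefixes) and returns the bare name.
func validateGitRef(wantPrefix, ref string) (string, error) {
	if !strings.HasPrefix(ref, wantPrefix) {
		return "", fmt.Errorf("ref %q is not a %s ref", ref, strings.TrimSuffix(strings.TrimPrefix(wantPrefix, "refs/"), "/"))
	}
	name := strings.TrimPrefix(ref, wantPrefix)
	if name == "" || strings.Contains(name, "..") {
		return "", fmt.Errorf("ref %q has an empty or malformed name", ref)
	}
	return name, nil
}

func main() {
	// Constructed sample source URI with a tag ref.
	uri, ref, err := parseGitURIAndRef(normalizeGitURI("github.com/slsa-framework/slsa-verifier@refs/tags/v2.4.1"))
	fmt.Println(uri, ref, err)
	fmt.Println(parseGitRef(ref))
	fmt.Println(validateGitRef(refTypeTag, ref))
	fmt.Println(validateGitRef(refTypeBranch, ref)) // rejected: it is a tag, not a branch
}
```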
Fixes #473
Updates handling of provenance by providing implementations based on
[buildType](https://slsa.dev/provenance/v1#buildType) since this
determines how to interpret parameters and dependencies. This is done
because we need a way to interpret parameters not just based on the
predicateType. The 3 major build types with format differences are:
- non-BYOB SLSA v0.2
- BYOB SLSA v0.2
- BYOB SLSA v1.0
---------
Signed-off-by: Ian Lewis <ianlewis@google.com>
* feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format
Signed-off-by: Asra Ali <asraa@google.com>
* docs: update verifier README.md for docker-based builder
Signed-off-by: Asra Ali <asraa@google.com>
---------
Signed-off-by: Asra Ali <asraa@google.com>
Refactors GHA provenance tests to use `testProvenance` which makes it clearer what is actually being tested. This will also make it easier to support `buildType` as a way to have different verification logic as the tests no longer rely on testdata with the `"https://github.com/Attestations/GitHubActionsWorkflow@v1"` build type, which isn't used by any supported builders.
A couple of updates to utilities:
- `VerifyTag` will now validate the ref returned by the `Provenance` instance.
- `VerifyBranch` will now validate the ref returned by the `Provenance` instance.
- `VerifyDigest` now supports the 160 bit `"sha1"` algo (FWIW) and will now search all subject entries even if one subject entry's algorithm does not match the expected algorithm.
---------
Signed-off-by: Ian Lewis <ianlewis@google.com>
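The `VerifyDigest` change above has a subtle edge case: a statement may list several subjects, and not every subject carries every algorithm, so a subject that lacks the requested algorithm must be skipped rather than fail the whole search. The Go program below is an added example of that search over a minimal in-toto statement; it is not slsa-verifier's implementation, and the statement, subject names and digest values are constructed sample data.

```go
package main

import (
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal in-toto Statement shape, enough for subject matching.
type subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

type statement struct {
	Subject []subject `json:"subject"`
}

// Hex length of each supported algorithm's digest. sha1 is the 160-bit
// algorithm the commit message adds.
var digestHexLen = map[string]int{"sha1": 40, "sha256": 64, "sha512": 128}

// verifyDigest returns the name of the first subject whose digest of algo equals
// expected. A subject that lacks algo altogether is skipped, not treated as a
// failure, so a statement mixing sha1-only and sha256-only subjects still verifies.
func verifyDigest(stmtJSON []byte, algo, expected string) (string, error) {
	n, ok := digestHexLen[algo]
	if !ok {
		return "", fmt.Errorf("unsupported digest algorithm %q", algo)
	}
	want := strings.ToLower(expected)
	if len(want) != n {
		return "", fmt.Errorf("%s digest must be %d hex chars, got %d", algo, n, len(want))
	}
	if _, err := hex.DecodeString(want); err != nil {
		return "", fmt.Errorf("%s digest is not hex: %w", algo, err)
	}
	var st statement
	if err := json.Unmarshal(stmtJSON, &st); err != nil {
		return "", fmt.Errorf("invalid statement: %w", err)
	}
	for _, s := range st.Subject {
		got, ok := s.Digest[algo]
		if !ok {
			continue // no digest of the requested algorithm on this subject; keep looking
		}
		if strings.ToLower(got) == want {
			return s.Name, nil
		}
	}
	return "", fmt.Errorf("no subject has %s digest %s", algo, want)
}

// Constructed digests (not real hashes of anything).
const (
	sha256A = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
	sha256B = "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"
	sha1B   = "0011223344556677889900112233445566778899"
)

// Constructed sample statement: the first subject carries only sha256, the
// second carries both sha1 and sha256.
const sampleStatement = `{
  "_type": "https://in-toto.io/Statement/v0.1",
  "subject": [
    {"name": "binary-linux-amd64", "digest": {"sha256": "` + sha256A + `"}},
    {"name": "binary-darwin-arm64", "digest": {"sha1": "` + sha1B + `", "sha256": "` + sha256B + `"}}
  ]
}`

func main() {
	// The sha1 lookup must get past the first subject, which has no sha1 entry.
	fmt.Println(verifyDigest([]byte(sampleStatement), "sha1", sha1B))
	fmt.Println(verifyDigest([]byte(sampleStatement), "sha256", sha256A))
	fmt.Println(verifyDigest([]byte(sampleStatement), "md5", "d41d8cd98f00b204e9800998ecf8427e"))
}
```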
* feat: add support for checking a source annotation when there are multiple resolvedDependencies
Signed-off-by: Asra Ali <asraa@google.com>
* revert to using external parameters source key
Signed-off-by: Asra Ali <asraa@google.com>
* unused file
Signed-off-by: Asra Ali <asraa@google.com>
---------
Signed-off-by: Asra Ali <asraa@google.com>
* Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format
- new public key for "global PAE signing key"
- test data and unit tests
Signed-off-by: Kevin Halk <khalk@google.com>
---------
Signed-off-by: Kevin Halk <khalk@google.com>
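The commit above adds support for a signature computed over the DSSE Pre-Authentication Encoding (PAE) rather than over the bare payload. As an added example that is not slsa-verifier's or GCB's code, the Go program below builds the PAE, signs it with an ephemeral ECDSA P-256 key (a constructed stand-in for GCB's real global signing key, which is not reproduced here), and shows the three cases a verifier must reject: a tampered payload, a changed payload type, and a signature made over the raw payload without PAE.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// pae builds the DSSE Pre-Authentication Encoding:
//   "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body
// where LEN is the ASCII decimal byte length. Binding the payload type into the
// signed bytes is what stops a signature over one content type from being
// presented as a signature over another.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// signDSSE signs SHA-256(PAE(type, payload)) with ECDSA, producing an ASN.1 signature.
func signDSSE(priv *ecdsa.PrivateKey, payloadType string, payload []byte) ([]byte, error) {
	h := sha256.Sum256(pae(payloadType, payload))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// verifyDSSE recomputes the PAE on the verifier side and checks the signature.
func verifyDSSE(pub *ecdsa.PublicKey, payloadType string, payload, sig []byte) bool {
	h := sha256.Sum256(pae(payloadType, payload))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// demoResult records the outcome of each verification case exercised by demo.
type demoResult struct {
	Valid        bool // correct type and payload: must be true
	Tampered     bool // payload changed after signing: must be false
	WrongType    bool // same payload, different payloadType: must be false
	RawSignature bool // signature over the bare payload, no PAE: must be false
}

// demo generates a throwaway key (constructed, not GCB's) and runs the four cases.
func demo() (demoResult, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return demoResult{}, err
	}
	const payloadType = "application/vnd.in-toto+json"
	// Constructed sample payload; a real envelope carries a full in-toto statement.
	payload := []byte(`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2"}`)

	sig, err := signDSSE(priv, payloadType, payload)
	if err != nil {
		return demoResult{}, err
	}
	// A signature over the raw payload, as a non-PAE signer would produce.
	rawHash := sha256.Sum256(payload)
	rawSig, err := ecdsa.SignASN1(rand.Reader, priv, rawHash[:])
	if err != nil {
		return demoResult{}, err
	}
	tampered := append(append([]byte{}, payload...), ' ')
	pub := &priv.PublicKey
	return demoResult{
		Valid:        verifyDSSE(pub, payloadType, payload, sig),
		Tampered:     verifyDSSE(pub, payloadType, tampered, sig),
		WrongType:    verifyDSSE(pub, "application/json", payload, sig),
		RawSignature: verifyDSSE(pub, payloadType, payload, rawSig),
	}, nil
}

func main() {
	fmt.Printf("PAE: %q\n", pae("application/vnd.in-toto+json", []byte("{}")))
	r, err := demo()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

The `RawSignature` case is the one that matters for a verifier that has to accept both signing styles: a signature valid over the bare payload is not valid over the PAE, so the verifier must know which encoding a given key was used with rather than trying both silently.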