Ramon Petgrave
208ac12589
feat: vsa support (#777)
Fixes #542
Adds support for VSAs.
## Testing process
- added some unit and end-to-end tests
- manually invoking
```
go run ./cli/slsa-verifier/ verify-vsa \
  --subject-digest gce_image_id:8970095005306000053 \
  --attestation-path ./cli/slsa-verifier/testdata/vsa/gce/v1/gke-gce-pre.bcid-vsa.jsonl \
  --verifier-id https://bcid.corp.google.com/verifier/bcid_package_enforcer/v0.1 \
  --resource-uri gce_image://gke-node-images:gke-12615-gke1418000-cos-101-17162-463-29-c-cgpv1-pre \
  --verified-level BCID_L1 \
  --verified-level SLSA_BUILD_LEVEL_2 \
  --public-key-path ./cli/slsa-verifier/testdata/vsa/gce/v1/vsa_signing_public_key.pem \
  --public-key-id keystore://76574:prod:vsa_signing_public_key \
  --print-attestation
{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://slsa.dev/verification_summary/v1","predicate":{"timeVerified":"2024-06-12T07:24:34.351608Z","verifier":{"id":"https://bcid.corp.google.com/verifier/bcid_package_enforcer/v0.1"},"verificationResult":"PASSED","verifiedLevels":["BCID_L1","SLSA_BUILD_LEVEL_2"],"resourceUri":"gce_image://gke-node-images:gke-12615-gke1418000-cos-101-17162-463-29-c-cgpv1-pre","policy":{"uri":"googlefile:/google_src/files/642513192/depot/google3/production/security/bcid/software/gce_image/gke/vm_images.sw_policy.textproto"}},"subject":[{"name":"_","digest":{"gce_image_id":"8970095005306000053"}}]}
Verifying VSA: PASSED
PASSED: SLSA verification passed
```
TODOs:
- open issue on the in_toto attestations repo about the incorrect JSON
  [fields](36c1129542/go/predicates/vsa/v1/vsa.pb.go (L26-L40)) for VSA 1.0
---------
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
2024-07-10 21:25:16 -04:00
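The checks that `verify-vsa` applies against its flags, as an added Go illustration that is not slsa-verifier's own code: the `Statement`/`Predicate`/`Subject` types, `Expected`, `CheckVSA` and `Demo` are names assumed for this example, and the input is the statement printed by `--print-attestation` above, copied inline as constructed sample data. The DSSE signature check that `--public-key-path` and `--public-key-id` drive in the real CLI happens before these field checks and is not shown here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Illustrative in-toto Statement / VSA v1 shapes (NOT the in-toto or slsa-verifier
// Go types); only the fields the checks below need are modelled.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}
type Predicate struct {
	Verifier           struct{ ID string `json:"id"` } `json:"verifier"`
	ResourceURI        string                          `json:"resourceUri"`
	VerificationResult string                          `json:"verificationResult"`
	VerifiedLevels     []string                        `json:"verifiedLevels"`
}
type Statement struct {
	PredicateType string    `json:"predicateType"`
	Subject       []Subject `json:"subject"`
	Predicate     Predicate `json:"predicate"`
}

// Expected mirrors the flags in the commit message: --subject-digest (split into
// alg and value), --verifier-id, --resource-uri and the repeatable --verified-level.
type Expected struct {
	DigestAlg, DigestValue, VerifierID, ResourceURI string
	Levels                                          []string
}

const vsaPredicateType = "https://slsa.dev/verification_summary/v1"

// CheckVSA compares a statement whose DSSE signature has already been verified
// against what the caller expects. Every mismatch is fatal: a VSA that PASSED for
// another subject, resource or verifier, or at a lower level, proves nothing about
// the artifact being checked.
func CheckVSA(raw []byte, want Expected) error {
	var st Statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return err
	}
	p, subjectOK := st.Predicate, false
	for _, sub := range st.Subject { // exact digest match under the requested algorithm
		subjectOK = subjectOK || (want.DigestValue != "" && sub.Digest[want.DigestAlg] == want.DigestValue)
	}
	switch {
	case st.PredicateType != vsaPredicateType:
		return fmt.Errorf("predicateType %q is not VSA v1", st.PredicateType)
	case p.VerificationResult != "PASSED":
		return fmt.Errorf("verificationResult is %q, not PASSED", p.VerificationResult)
	case p.Verifier.ID != want.VerifierID:
		return fmt.Errorf("verifier %q, want %q", p.Verifier.ID, want.VerifierID)
	case p.ResourceURI != want.ResourceURI:
		return fmt.Errorf("resourceUri %q, want %q", p.ResourceURI, want.ResourceURI)
	case !subjectOK:
		return fmt.Errorf("no subject with digest %s:%s", want.DigestAlg, want.DigestValue)
	}
	have := map[string]bool{}
	for _, l := range p.VerifiedLevels {
		have[l] = true
	}
	for _, l := range want.Levels { // every requested level must be attested; extras are fine
		if !have[l] {
			return fmt.Errorf("required level %q not in verifiedLevels %v", l, p.VerifiedLevels)
		}
	}
	return nil
}

// vsaJSON is the statement printed by --print-attestation above, copied as sample input.
const vsaJSON = `{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://slsa.dev/verification_summary/v1","predicate":{"timeVerified":"2024-06-12T07:24:34.351608Z","verifier":{"id":"https://bcid.corp.google.com/verifier/bcid_package_enforcer/v0.1"},"verificationResult":"PASSED","verifiedLevels":["BCID_L1","SLSA_BUILD_LEVEL_2"],"resourceUri":"gce_image://gke-node-images:gke-12615-gke1418000-cos-101-17162-463-29-c-cgpv1-pre","policy":{"uri":"googlefile:/google_src/files/642513192/depot/google3/production/security/bcid/software/gce_image/gke/vm_images.sw_policy.textproto"}},"subject":[{"name":"_","digest":{"gce_image_id":"8970095005306000053"}}]}`

// Demo runs the checks with the flag values from the commit message, then again
// demanding SLSA_BUILD_LEVEL_3, which this VSA does not attest.
func Demo() (genuineErr, strictErr error) {
	want := Expected{"gce_image_id", "8970095005306000053",
		"https://bcid.corp.google.com/verifier/bcid_package_enforcer/v0.1",
		"gce_image://gke-node-images:gke-12615-gke1418000-cos-101-17162-463-29-c-cgpv1-pre",
		[]string{"BCID_L1", "SLSA_BUILD_LEVEL_2"}}
	genuineErr = CheckVSA([]byte(vsaJSON), want)
	want.Levels = append(want.Levels, "SLSA_BUILD_LEVEL_3")
	return genuineErr, CheckVSA([]byte(vsaJSON), want)
}

func main() {
	fmt.Println(Demo())
}
```

The design point is that `verifiedLevels` is treated as a set the caller must be a subset of, while verifier ID, resource URI and subject digest are exact matches: relaxing any of these (prefix matching on the resource URI, accepting any subject) would let a VSA issued for a different image satisfy the check.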
saisatishkarra
9b2467f836
feat: fixes #724: add input for --provenance-repository while image verification (#736)
@laurentsimon Added a new image verification cmd input
`--provenance-repository`
This replicates the feature of the `COSIGN_REPOSITORY` environment
variable when provenance is stored in a different repository/registry.
Order of precedence:
- If input `--provenance-repository` is set, leverages the non-empty
input value
- If the env variable `COSIGN_REPOSITORY` is set, it is NOT consumed
README edit:
https://github.com/slsa-framework/slsa-verifier/pull/736/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R280
---------
Signed-off-by: saisatishkarra <saisatish.karra@konghq.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2024-01-22 18:10:11 +00:00
Noah Elzner
8bcf1f0525
feat: Non-compulsory BuilderID for BYOB Builders (#674)
/cc @mihaimaruseac
/cc @laurentsimon
Based off the prefix of the BuilderID within the provenance, if the
builder used to build the artifact is one of the BYOB builders of the
slsa-framework/slsa-github-generator repo, the --builderid flag is not
needed and is handled automatically. This was done to increase access to
users since before the automatic pickup of the builder-id would get the
delegator.
Test cases that cover verifyProvenance will need to be completed after
the v1.8.0 release of slsa-framework/slsa-github-generator.
The main structure that is changed is that the ExpectedBuilderPath is
now hardcoded to slsa-framework builders within
`/cli/slsa-verifier/verify/verify_artifact.go`. This can later be
changed, if needed, to be an input like the other fields of
`provenanceOpts` populated during `verify_artifact.go`. The added
function within `provenance.go`, `verifyBuilderIDPath`, is called during
`verifyProvenance` to check this path within `provenanceOpts`. Upon
failure of this function, the expected and received BuilderIDs are also
output.
closes #659
makes use of discussion on closed PR #673
---------
Signed-off-by: Noah Elzner <elzner@google.com>
Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
Co-authored-by: Ian Lewis <ianlewis@google.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2023-08-11 14:20:58 +00:00
Ian Lewis
f96d91bdd2
fix: Support pre-releases on trusted repos (#552)
Support pre-releases on trusted repos
---------
Signed-off-by: Ian Lewis <ianlewis@google.com>
2023-04-11 08:54:33 +09:00
laurentsimon
82a12591ff
feat: npm default runner support (#495)
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
* update
Signed-off-by: laurentsimon <laurentsimon@google.com>
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
2023-03-02 21:53:29 +00:00
asraa
0bb98050f2
fix: use a uniform verifier interface for provenance type (#478)
* cleanup: use a uniform verifier interface for provenance type
Signed-off-by: Asra Ali <asraa@google.com>
* fix experimental gateg
Signed-off-by: Asra Ali <asraa@google.com>
* oops
Signed-off-by: Asra Ali <asraa@google.com>
---------
Signed-off-by: Asra Ali <asraa@google.com>
2023-02-10 14:04:12 -08:00
asraa
239c4489ce
feat: add slsa v1?draft provenance experimental support (#470)
* feat: add slsa v1?draft provenance support
Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: Asra Ali <asraa@google.com>
2023-02-09 17:21:15 +00:00
laurentsimon
5bb13ef508
feat: add a -workflow-input option (#216)
* update
2022-08-15 19:38:15 +00:00
laurentsimon
4ca6320994
feat: make branch optional (#192)
* update
* update
* update
* update
* Update verifiers/internal/gha/provenance.go
Co-authored-by: Ian Lewis <ianlewis@google.com>
* update
* update
* update
* update
* update
* update
* update
* update
Co-authored-by: Ian Lewis <ianlewis@google.com>
2022-08-09 22:49:36 +00:00
laurentsimon
edb792b342
feat: Create interface for verifiers (#187)
* update
* update
* unit tests
* update
* comments
* update
* update
* update
* update
* Use interface for builders
* update
* update
* update
* update
* fix
* update
* update
* update
* update
* update
* update
* update
* update
* update
* update
* update
* update
2022-08-05 14:31:34 -07:00