slsa-verifier

mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-05-24 17:32:46 +00:00

Author	SHA1	Message	Date
Ian Lewis	e7fc7a4621	feat: Verification for when sha1 is specified in BYOB TRW (#641 ) Fixes #600 --------- Signed-off-by: Ian Lewis <ianlewis@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>	2023-07-25 11:29:15 +09:00
laurentsimon	c6d12b745c	feat: Use tags `vX.Y.Z-<language>` for JReleaser builders (#644 ) Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-07-10 16:42:48 +00:00
Ian Lewis	1778495466	refactor: Use full builder id (#648 ) Internally use full builder IDs including server url rather than worflow ref as a path. This should hopefully avoid confusion between dealing with builder IDs and `GITHUB_WORKFLOW_REF` which only contains the path portion. `GITHUB_WORKFLOW_REF` is the only thing that doesn't include the domain/server url part of the workflow/builder ID. The Fulcio OID claims include the full url. Code extracted from #641 --------- Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-07-10 06:23:48 +00:00
Ian Lewis	965f5784c1	refactor: Add more git utils (#645 ) Adds the functions `NormalizeGitURI`, `ParseGitURIAndRef`, and `ValidateGitRef`. `ParseGitRef` was updated to be permissive of the ref type whereas `ValidateGitRef` validates that the type is of a given type. Code extracted from #641 Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-07-01 09:03:52 +09:00
Ian Lewis	90f4f23e1e	test: Add more ProvenanceFromEnvelope tests (#640 ) Fixes #573 --------- Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-06-26 02:03:34 +00:00
Ian Lewis	d2dc8193ae	feat: Verify provenance by build type (#632 ) Fixes #473 Updates handling of provenance by providing implementations based on [buildType](https://slsa.dev/provenance/v1#buildType) since this determines how to interpret parameters and dependencies. This is done because we need a way to interpret parameters not just based on the predicateType. The 3 major build types with format differences are: - non-BYOB SLSA v0.2 - BYOB SLSA v0.2 - BYOB SLSA v1.0 --------- Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-06-16 09:54:20 +09:00
asraa	aac022747e	feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format (#634 ) * feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format Signed-off-by: Asra Ali <asraa@google.com> * docs: update verifier README.md for docker-based builder Signed-off-by: Asra Ali <asraa@google.com> --------- Signed-off-by: Asra Ali <asraa@google.com>	2023-06-06 22:07:20 +00:00
Ian Lewis	8faf24c6dc	fix: builder ID verification for testing (#635 ) Fix builder ID verification for testing Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-06-06 08:32:20 -05:00
laurentsimon	7b942b8666	fix: only allow hashes of 256 bits or more (#633 ) Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-06-05 08:32:53 +09:00
Ian Lewis	9bfbc91c5b	refactor: Provenance tests (#628 ) Refactors GHA provenance tests to use `testProvenance` which makes it clearer what is actually being tested. This will also make it easier to support `buildType` as a way to have different verification logic as the tests no longer rely on testdata with the `"https://github.com/Attestations/GitHubActionsWorkflow@v1"` build type, which isn't used by any supported builders. A couple of updates to utilities: - `VerifyTag` will now validate the ref returned by the `Provenance` instance. - `VerifyBranch` will now validate the ref returned by the `Provenance` instance. - `VerifyDigest` now supports the 160 bit `"sha1"` algo (FWIW) and will now search all subject entries even if one subject entry's algorithm does not match the expected algorithm. --------- Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-06-02 13:34:56 +09:00
asraa	8fe8ee9f3f	fix: revert to using resolvedDepdendencies for source verification (#629 ) Signed-off-by: Asra Ali <asraa@google.com>	2023-06-01 20:15:22 +00:00
asraa	db0560e328	fix: use ExternalParameters["source"] for the Source URI for SLSA v1.0 provenance (#621 ) * feat: add support for checking a source annotation when there are multiple resolveddependencies Signed-off-by: Asra Ali <asraa@google.com> * revert to using external parameters source key Signed-off-by: Asra Ali <asraa@google.com> * unused file Signed-off-by: Asra Ali <asraa@google.com> --------- Signed-off-by: Asra Ali <asraa@google.com>	2023-05-27 02:28:44 +00:00
laurentsimon	93d3f8c06c	fix: Verify the TRW tag is a semver tag (#619 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * Update verifiers/utils/builder.go Co-authored-by: Ian Lewis <ianlewis@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Co-authored-by: Ian Lewis <ianlewis@google.com>	2023-05-26 01:15:32 +00:00
laurentsimon	fba178ea9c	feat: Use env variable to retrieve trigger workflow (#615 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-05-25 14:32:48 -07:00
laurentsimon	ba32c706ac	feat: Support for v1.0 verification in BYOB (#609 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-05-23 07:31:13 -07:00
laurentsimon	bda35e0238	feat: BYOB verification support (#604 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-05-23 01:41:17 +00:00
laurentsimon	3a4e992444	feat: verify claims in provenance match the certificate (#572 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-05-09 23:52:36 +00:00
asraa	467e0820b6	chore: update slsa provenance to v1 (#579 ) * chore: update slsa provenance to v1 Signed-off-by: Asra Ali <asraa@google.com> * fix import path Signed-off-by: Asra Ali <asraa@google.com> * update dsse testcases Signed-off-by: Asra Ali <asraa@google.com> * fix cosign image verification in update Signed-off-by: Asra Ali <asraa@google.com> --------- Signed-off-by: Asra Ali <asraa@google.com>	2023-05-08 15:18:16 +00:00
Ian Lewis	88cd40e2ee	feat: Use low-perms delegator for Node.js builder (#577 ) Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-05-01 16:27:58 +09:00
Ian Lewis	2e60ff0e48	fix: Read newer attestation file format (#564 ) * Read newer attestation file format Signed-off-by: Ian Lewis <ianlewis@google.com> * Update error message Signed-off-by: Ian Lewis <ianlewis@google.com> * revert change Signed-off-by: Ian Lewis <ianlewis@google.com> * Update test data Signed-off-by: Ian Lewis <ianlewis@google.com> --------- Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-04-21 07:38:16 +09:00
laurentsimon	c0cadc0117	feat: support for BYOB verification (#562 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * Update verifiers/internal/gha/provenance.go Co-authored-by: Ian Lewis <ianlewis@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Co-authored-by: Ian Lewis <ianlewis@google.com>	2023-04-19 19:07:27 +00:00
Ian Lewis	f96d91bdd2	fix: Support pre-releases on trusted repos (#552 ) Support pre-releases on trusted repos --------- Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-04-11 08:54:33 +09:00
laurentsimon	37e3b406cb	feat: GCB tag and versioned-tag support for containers (#540 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-03-23 16:57:34 +00:00
laurentsimon	ae38103ecf	feat: verify sourceURI for npm packages (#521 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * Update verifiers/internal/gha/provenance.go Co-authored-by: Ian Lewis <ianlewis@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Co-authored-by: Ian Lewis <ianlewis@google.com>	2023-03-10 17:13:29 +00:00
asraa	5a77b25fb4	fix: fix GCB verification with git material source prefix (#519 ) Signed-off-by: Asra Ali <asraa@google.com>	2023-03-09 10:00:19 +09:00
Kevin Halk	47495c7d5b	feat: Update SLSA verifier to support a global signing key for GCB V1 which… (#509 ) * Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format - new public key for "global PAE signing key" - test data and unit tests Signed-off-by: Kevin Halk <khalk@google.com> * Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format - new public key for "global PAE signing key" - test data and unit tests Signed-off-by: Kevin Halk <khalk@google.com> * Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format - new public key for "global PAE signing key" - test data and unit tests Signed-off-by: Kevin Halk <khalk@google.com> * Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format - new public key for "global PAE signing key" - test data and unit tests Signed-off-by: Kevin Halk <khalk@google.com> * Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format - new public key for "global PAE signing key" - test data and unit tests Signed-off-by: Kevin Halk <khalk@google.com> * Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format - new public key for "global PAE signing key" - test data and unit tests Signed-off-by: Kevin Halk <khalk@google.com> * Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format - new public key for "global PAE signing key" - test data and unit tests Signed-off-by: Kevin Halk <khalk@google.com> --------- Signed-off-by: Kevin Halk <khalk@google.com>	2023-03-06 16:02:30 +00:00
laurentsimon	82a12591ff	feat: npm default runner support (#495 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com>	2023-03-02 21:53:29 +00:00
asraa	d8c2961d82	test: add docker based spport and start adding tests (#486 ) Signed-off-by: Asra Ali <asraa@google.com>	2023-02-15 20:46:11 +00:00
asraa	0bb98050f2	fix: use a uniform verifier interface for provenance type (#478 ) * cleanup: use a uniform verifier interface for provenance type Signed-off-by: Asra Ali <asraa@google.com> * fix experimental gateg Signed-off-by: Asra Ali <asraa@google.com> * oops Signed-off-by: Asra Ali <asraa@google.com> --------- Signed-off-by: Asra Ali <asraa@google.com>	2023-02-10 14:04:12 -08:00
asraa	5d6c770d43	feat: support branch and tag from slsa v1 provenance (#476 ) * feat: support branch and tag from slsa v1 provenance Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Asra Ali <asraa@google.com>	2023-02-10 21:33:16 +00:00
asraa	239c4489ce	feat: add slsa v1?draft provenance experimental support (#470 ) * feat: add slsa v1?draft provenance support Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Asra Ali <asraa@google.com>	2023-02-09 17:21:15 +00:00
asraa	fec5b6a7b5	refactor: generalize provenance out of predicate type info (#463 ) * refactor: generalize provenance out of predicate type info Signed-off-by: Asra Ali <asraa@google.com>	2023-02-03 23:30:23 +00:00
asraa	362bd1a331	feat: add offline bundle signature verification (#457 ) * feat: add bundle signature verification Signed-off-by: Asra Ali <asraa@google.com>	2023-02-03 09:31:40 -06:00
asraa	bcd23c945e	chore: enable some Go linters (#456 ) * enable deadcode Signed-off-by: Asra Ali <asraa@google.com> * enable unconvert Signed-off-by: Asra Ali <asraa@google.com> * enable thelper Signed-off-by: Asra Ali <asraa@google.com> * enable stylecheck Signed-off-by: Asra Ali <asraa@google.com> * enable misspell Signed-off-by: Asra Ali <asraa@google.com> * enable gocritic Signed-off-by: Asra Ali <asraa@google.com> * enable godot Signed-off-by: Asra Ali <asraa@google.com> * enable staticcheck Signed-off-by: Asra Ali <asraa@google.com> * address experimental deadcode Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Asra Ali <asraa@google.com>	2023-01-25 19:51:10 +00:00
Mend Renovate	e8c3438638	fix(deps): update go (#386 ) Co-authored-by: Ian Lewis <ianlewis@google.com>	2022-12-15 01:39:54 +00:00
laurentsimon	4a6c5b1677	feat: add more tests for GCB verification (#389 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: laurentsimon <laurentsimon@google.com>	2022-12-05 13:31:58 -08:00
Ian Lewis	267242e153	fix: Fix error check for decodeSignature (#385 ) Signed-off-by: Ian Lewis <ianmlewis@gmail.com> Signed-off-by: Ian Lewis <ianmlewis@gmail.com>	2022-12-03 11:05:56 -08:00
laurentsimon	b9058c5596	docs: Add comment for signature decoding (#380 ) * update Signed-off-by: laurentsimon <laurentsimon@google.com> * Update verifiers/internal/gcb/provenance.go Co-authored-by: asraa <asraa@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Co-authored-by: asraa <asraa@google.com>	2022-12-02 19:34:29 +00:00
Shunsuke Suzuki	74fd528309	fix: fix the Go package version to v2 (#373 ) * fix: fix the package version to v2 ``` git ls-files \| grep ".go$" \| xargs -n 1 gsed -i "s\|github.com/slsa-framework/slsa-verifier\|github.com/slsa-framework/slsa-verifier/v2\|g" ``` Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com> * fix: fix the package version to v2 Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com> * test: fix source Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com> Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com>	2022-12-01 18:49:39 -08:00
Shunsuke Suzuki	f7bd16431b	fix: fix error logs (#356 )	2022-11-11 10:44:03 -06:00
asraa	ef0f1a7a24	refactor: consolidate verification funcs for GHA (#348 ) * consolidate verification funcs Signed-off-by: Asra Ali <asraa@google.com>	2022-11-02 15:32:39 -05:00
asraa	e9cd6b763c	fix: address gcb verifier comments and add gcb documentation (#300 ) * address gcb verifier comments Signed-off-by: Asra Ali <asraa@google.com>	2022-10-21 21:06:22 +00:00
asraa	05d247fb14	rekor: use rekor client with retries (#301 ) Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Asra Ali <asraa@google.com>	2022-10-17 16:55:40 +00:00
asraa	a6e069c0ab	gcb: add gcb compatibility (#292 ) Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Asra Ali <asraa@google.com>	2022-10-07 14:21:50 -07:00
asraa	0ad6136f60	fix: make client shard aware when verifying (#282 ) Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Asra Ali <asraa@google.com>	2022-09-30 16:08:33 -05:00
laurentsimon	533d347a4b	feat: support builderID matching with or without semver for GHA (#257 ) * update * update * update * update * update * update * update * update * update * update * update * update * update * update * update * update * update * update * update * update	2022-09-15 14:32:03 -07:00
laurentsimon	b58e752378	feat: support builderID matching with or without semver for GCB (#256 ) * update * update * update * update * update * update * update * update * update * update * update * update * update * update * update * update * update * update * update * update	2022-09-12 17:17:46 -07:00
laurentsimon	d12dce9526	feat: CLI tests for GCB verification (#251 ) * update * update * update	2022-09-08 13:36:56 -07:00
laurentsimon	e0edc0c46f	feat: support for GCB v0.3 verification (#248 ) * update * update * update * update	2022-09-06 23:54:59 +00:00
asraa	ff0ced42ef	refactor: add subcommands and separate functionality from artifacts a… (#231 ) * refactor: add subcommands and separate functionality from artifacts and images Signed-off-by: Asra Ali <asraa@google.com>	2022-09-06 17:10:58 -05:00

1 2

58 Commits