github/slsa-verifier
1
0
Fork 0
mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-05-17 14:06:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
467 Commits 40 Branches 45 Tags
721eee5f2dd2b5c5e215921b88dbf24197caef13
Commit Graph

467 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ramon Petgrave
721eee5f2d singular attestation 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-25 15:43:34 +00:00
Ramon Petgrave
781304651e remove experimental 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-25 15:39:11 +00:00
Ramon Petgrave
e45249353a fix cap 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-25 15:38:44 +00:00
Ramon Petgrave
9b2554e400 cli about print-attestation 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-25 15:32:31 +00:00
Ramon Petgrave
f9a4b35ff6 cli help about default options 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-25 15:32:17 +00:00
Ramon Petgrave
92ce34e767 fix capitalization 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-25 15:28:18 +00:00
Ramon Petgrave
1ccec0e405 comment doc 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-25 15:22:34 +00:00
Ramon Petgrave
bf38fb0e9c help docs 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-22 00:52:47 +00:00
Ramon Petgrave
23d8e33dfd singular attestation path 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-22 00:46:28 +00:00
Ramon Petgrave
e0919a83e0 hash-algo description 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-22 00:41:08 +00:00
Ramon Petgrave
f3b63b7194 reword simple hash 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-22 00:39:13 +00:00
Ramon Petgrave
b9c6de5635 flag descriptions, optional --verified-levels 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-22 00:34:53 +00:00
Ramon Petgrave
519a928c72 clarify comments 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-22 00:19:46 +00:00
Ramon Petgrave
968a34d1dd typo 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-21 15:32:11 +00:00
Ramon Petgrave
e27f99f15d no need for sigstoreEnvelope 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 23:07:05 +00:00
Ramon Petgrave
0172a12823 lint 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 22:17:11 +00:00
Ramon Petgrave
73c9884da6 lint: no pointer for crypto.publickkey 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 22:10:46 +00:00
Ramon Petgrave
942d8bbe3d remove accidental binary 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 20:50:28 +00:00
Ramon Petgrave
ff1cf43ce9 undo regression tag change 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 20:48:19 +00:00
Ramon Petgrave
cba639f855 specific errors and test cases 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 20:43:26 +00:00
Ramon Petgrave
e47312f593 literl hash algo 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 19:56:21 +00:00
Ramon Petgrave
00fed87dbc typo 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 19:53:45 +00:00
Ramon Petgrave
fbe83fb372 change error type 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 19:50:18 +00:00
Ramon Petgrave
7fb5bf933c switch wanted, got order 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 18:13:06 +00:00
Ramon Petgrave
8befbc6e94 use plain bool 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 18:12:51 +00:00
Ramon Petgrave
fec61b1f27 use pointers 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 18:03:48 +00:00
Ramon Petgrave
5636d0a832 rename to resource URI 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 16:58:13 +00:00
Ramon Petgrave
f5362e5a4a rename to PublicKeyHashAlgo 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 16:49:43 +00:00
Ramon Petgrave
ad1b81dc5d update README 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 16:33:38 +00:00
Ramon Petgrave
f0fedec1dd verify vsa passed message 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 15:59:09 +00:00
Ramon Petgrave
2ef9a40437 minify test data 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 15:52:17 +00:00
Ramon Petgrave
944c9a6f4c singular print-attestation 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-19 00:32:31 +00:00
Ramon Petgrave
610ef6f1af verify reamining fields, print attestations 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-19 00:30:15 +00:00
Ramon Petgrave
13a74b5b4a embed the google vsa key, match against all signatures, match the subject digests 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-18 22:18:25 +00:00
Ramon Petgrave
ead4e9bf4e use utility to parse envelope, docs, use keyID 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-18 20:23:24 +00:00
Ramon Petgrave
edde0a8aca cleanup, more skeleton 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-18 18:48:42 +00:00
Ramon Petgrave
1f123f3c1d attempt to verify envelope 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-18 18:35:53 +00:00
Ramon Petgrave
2dc64f7bda vsa parser 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-18 18:35:24 +00:00
Ramon Petgrave
2f76f12ff3 different test example 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-18 18:34:37 +00:00
Ramon Petgrave
9704c97a22 parse dsse envelope 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-17 16:07:41 +00:00
Ramon Petgrave
a3a573a800 cleanup 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-17 16:06:50 +00:00
Ramon Petgrave
b90ede0bde rename to TrustedProducerID, allow muyltiple --subject-digest flags 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-14 18:15:25 +00:00
Ramon Petgrave
a25abe2323 testdata, sample invocation in README.md 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-13 22:28:58 +00:00
Ramon Petgrave
b5eb1473b8 skeletion verify-vsa command 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-13 22:28:08 +00:00
Ramon Petgrave
7980fdebf6 Changed success message to a more general "PASSED: SLSA verification passed" 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-13 22:22:56 +00:00
Ramon Petgrave
18c5f13b3e fix: signoff commit (#767) 
Followup to https://github.com/slsa-framework/slsa-verifier/pull/760

Fix the .github/workflows/update-actions-dist-post-commit.yml workflow
to also signoff commit

# Testing

- [x] Invoked this PR's branch copy of the workflow against #717, and it
did signoff the commit.
-
9670f76ab8

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-22 16:45:20 +00:00
Ramon Petgrave
b55bf59ce4 fix: use pr_number as env variable (#771) 
changing the update-dist workflow to use the `pr_number` input as an env
variable to avoid [script
injection](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#good-practices-for-mitigating-script-injection-attacks).

Our workflows are only invokable by our trusted maintainers so we should
be okay. This is just an extra hardening measure.

Open issue
https://github.com/actions/runner/issues/1070#issuecomment-2113287699

## Testing

I confirmed the issue by invoking the workflow with `650 && echo SCRIPT
INJECTION`, and it did also do the extra `echo` command.
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101350247/job/25018333703#step:3:36

after invoking the workflow again with this PR's version, the problem is
mitigated.
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101495332/job/25018812710#step:3:8
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101516757/job/25018888519#step:3:7

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-22 12:20:16 -04:00
Ian Lewis
87b5bae6d4 chore: Update Renovate config (#769) 
# Summary

Updates renovate config to use the
[`config:best-practices`](https://docs.renovatebot.com/presets-config/#configbest-practices)
preset rather than the `config:base` preset since `config:base` seems to
be deprecated.

Also updates the `schedule` config to use the
[`schedule:monthly`](https://docs.renovatebot.com/presets-schedule/#schedulemonthly)
preset.

Also adds a pre-submit to run the
[`renovate-config-validator`](https://docs.renovatebot.com/config-validation/)
to ensure that renovate config is valid. This pre-submit will need to be
made required in the repository branch protection rule for `main` in the
repository settings after this PR is merged.

---------

Signed-off-by: Ian Lewis <ianmlewis@gmail.com>
Signed-off-by: Ian Lewis <ianlewis@google.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-16 07:13:09 +09:00
Ian Lewis
138a2348fc chore: fix pr-title-checker (#770) 
Updates `thehanimo/pr-title-checker` to v1.4.2 and fixes the version
comment.

Signed-off-by: Ian Lewis <ianlewis@google.com>
 2024-05-15 12:10:15 -04:00
Mend Renovate
e7a8f74b9c fix(deps): update dependency @actions/core to v1.10.1 (#717) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[@actions/core](https://togithub.com/actions/toolkit/tree/main/packages/core)
([source](https://togithub.com/actions/toolkit/tree/HEAD/packages/core))
| [`1.10.0` ->
`1.10.1`](https://renovatebot.com/diffs/npm/@actions%2fcore/1.10.0/1.10.1)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fcore/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@actions%2fcore/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@actions%2fcore/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fcore/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/toolkit (@&#8203;actions/core)</summary>

###
[`v1.10.1`](https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#1101)

- Fix error message reference in oidc utils
[#&#8203;1511](https://togithub.com/actions/toolkit/pull/1511)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4zNDAuMTAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->

---------

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Signed-off-by: github-actions <github-actions@github.com>
Co-authored-by: github-actions <github-actions@github.com>
 2024-05-07 14:09:48 -04:00