This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `b405b62` -> `f2eb989` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
---
This PR was generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View the
[repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `d83472f` -> `b405b62` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| gcr.io/distroless/base | final | digest | `1a8ece8` -> `53745e9` |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
> Dashboard for more information.
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).
Signed-off-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `81811f8` -> `d83472f` |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
> Dashboard for more information.
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).
Signed-off-by: Mend Renovate <bot@renovateapp.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `ec457a2` -> `81811f8` |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
> Dashboard for more information.
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).
Signed-off-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| gcr.io/distroless/base | final | digest | `c623859` -> `1a8ece8` |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
> Dashboard for more information.
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).
Signed-off-by: Mend Renovate <bot@renovateapp.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | minor | `1.19` -> `1.21` |
---
### ⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.
---
### Configuration
📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
---
This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).
Signed-off-by: Mend Renovate <bot@renovateapp.com>
* feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format
Signed-off-by: Asra Ali <asraa@google.com>
* docs: update verifier README.md for docker-based builder
Signed-off-by: Asra Ali <asraa@google.com>
---------
Signed-off-by: Asra Ali <asraa@google.com>
Refactors GHA provenance tests to use `testProvenance` which makes it clearer what is actually being tested. This will also make it easier to support `buildType` as a way to have different verification logic as the tests no longer rely on testdata with the `"https://github.com/Attestations/GitHubActionsWorkflow@v1"` build type, which isn't used by any supported builders.
A couple of updates to utilities:
- `VerifyTag` will now validate the ref returned by the `Provenance` instance.
- `VerifyBranch` will now validate the ref returned by the `Provenance` instance.
- `VerifyDigest` now supports the 160 bit `"sha1"` algo (FWIW) and will now search all subject entries even if one subject entry's algorithm does not match the expected algorithm.
---------
Signed-off-by: Ian Lewis <ianlewis@google.com>
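As an added example (not slsa-verifier's own code), a Go sketch of the `VerifyDigest` behaviour the message above describes: a subject whose digest map uses a different algorithm is skipped rather than ending the search, and the 160-bit `sha1` (40 hex characters) is accepted beside `sha256`. `Subject`, `hexLen`, `errNoMatch` and `hashHex` are assumed names.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Subject mirrors an in-toto statement subject: a name plus a map from
// digest algorithm name to lower-case hex digest.
type Subject struct {
	Name   string
	Digest map[string]string
}

var errNoMatch = errors.New("no provenance subject matches the expected digest")

// hexLen is the hex length a digest must have for each supported algorithm.
var hexLen = map[string]int{"sha1": 40, "sha256": 64}

// VerifyDigest returns nil when some subject carries expected under algo.
// Subjects without an entry for algo are skipped rather than aborting the
// search, so one differently-hashed subject cannot mask a valid match.
func VerifyDigest(subjects []Subject, algo, expected string) error {
	want, ok := hexLen[algo]
	if !ok {
		return fmt.Errorf("unsupported digest algorithm %q", algo)
	}
	if len(expected) != want {
		return fmt.Errorf("%s digest must be %d hex characters, got %d", algo, want, len(expected))
	}
	for _, s := range subjects {
		if got, present := s.Digest[algo]; present && got == expected {
			return nil
		} // a subject hashed with a different algorithm is skipped, not fatal
	}
	return errNoMatch
}

// hashHex computes a subject digest from raw bytes (used to build test data).
func hashHex(algo string, data []byte) string {
	if algo == "sha1" {
		sum := sha1.Sum(data)
		return hex.EncodeToString(sum[:])
	}
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}
```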
* cleanup: use a uniform verifier interface for provenance type
Signed-off-by: Asra Ali <asraa@google.com>
* fix experimental gateg
Signed-off-by: Asra Ali <asraa@google.com>
* oops
Signed-off-by: Asra Ali <asraa@google.com>
---------
Signed-off-by: Asra Ali <asraa@google.com>
* Use `Run` instead of `RunE` to handle usage/errors
We want to only display the usage message if there is an error in the
parsing of arguments. Once the arguments are parsed and we invoke the
internal implementation the usage message should not be displayed
anymore, regardless of what internal error gets returned. Fortunately,
the fix is easy.
Tested:
* passing scenario:
```
[...]$ slsa-verifier verify-artifact \
--provenance-path multiple.intoto.jsonl \
--source-uri github.com/example/repo fib
Verified signature against tlog entry index 9712459 at URL: ...
Verified build using builder ...
Verifying artifact fib: PASSED
PASSED: Verified SLSA provenance
```
* failing scenario with missing artifact file:
```
[...]$ slsa-verifier verify-artifact \
--provenance-path multiple.intoto.jsonl \
--source-uri github.com/example/repo fibs
Verifying artifact fibs: FAILED: open fibs: no such file or directory
FAILED: SLSA verification failed: open fibs: no such file or directory
```
* failing scenario with invalid artifact:
```
[...]$ slsa-verifier verify-artifact \
--provenance-path multiple.intoto.jsonl \
--source-uri github.com/example/repo multiple.intoto.jsonl
Verified signature against tlog entry index 9712459 at URL: ...
Verifying artifact multiple.intoto.jsonl: FAILED: expected hash ...
FAILED: SLSA verification failed: expected hash ...
```
* failing scenario due to invalid usage (missing required arguments):
```
[...]$ slsa-verifier verify-artifact \
--provenance-path multiple.intoto.jsonl
Usage:
slsa-verifier verify-artifact [flags] artifact [artifact..]
Flags:
--build-workflow-input map[] [optional] a workflow input provided by a user at trigger time in the format 'key=value'. (Only for 'workflow_dispatch' events on GitHub Actions). (default map[])
--builder-id string [optional] the unique builder ID who created the provenance
-h, --help help for verify-artifact
--print-provenance [optional] print the verified provenance to stdout
--provenance-path string path to a provenance file
--source-branch string [optional] expected branch the binary was compiled from
--source-tag string [optional] expected tag the binary was compiled from
--source-uri string expected source repository that should have produced the binary, e.g. github.com/some/repo
--source-versioned-tag string [optional] expected version the binary was compiled from. Uses semantic version to match the tag
required flag(s) "source-uri" not set
exit status 1
```
Fixes #307
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
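The usage-only-on-parse-error behaviour the commit above describes, as an added example that is not slsa-verifier's code: it uses the standard `flag` package instead of cobra's `Run`/`RunE`, and `errUsage`, `parseVerifyArgs` and `run` are assumed names. Argument errors print the usage block; errors returned by the verification callback are reported as `FAILED:` lines without it.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"io"
)

// errUsage tags argument-parsing failures; only these should print usage,
// which is the separation the Run-vs-RunE change described above enforces.
var errUsage = errors.New("invalid usage")

// parseVerifyArgs mirrors verify-artifact's required inputs: --provenance-path,
// --source-uri and at least one positional artifact path.
func parseVerifyArgs(args []string) (prov, src string, artifacts []string, err error) {
	fs := flag.NewFlagSet("verify-artifact", flag.ContinueOnError)
	fs.SetOutput(io.Discard) // run prints usage itself, only for errUsage
	fs.StringVar(&prov, "provenance-path", "", "path to a provenance file")
	fs.StringVar(&src, "source-uri", "", "expected source repository")
	if perr := fs.Parse(args); perr != nil {
		return "", "", nil, fmt.Errorf("%w: %v", errUsage, perr)
	}
	if prov == "" || src == "" {
		return "", "", nil, fmt.Errorf("%w: required flag(s) \"provenance-path\" and \"source-uri\" must be set", errUsage)
	}
	if fs.NArg() == 0 {
		return "", "", nil, fmt.Errorf("%w: at least one artifact (file path) must be given", errUsage)
	}
	return prov, src, fs.Args(), nil
}

// run wires parsing to the internal verify implementation and returns the
// exit code. Verification errors are reported without re-printing usage.
func run(args []string, verify func(prov, src string, artifacts []string) error, out io.Writer) int {
	prov, src, artifacts, err := parseVerifyArgs(args)
	if errors.Is(err, errUsage) {
		fmt.Fprintf(out, "Usage:\n  verify-artifact [flags] artifact [artifact..]\n%v\n", err)
		return 1
	}
	if err := verify(prov, src, artifacts); err != nil {
		fmt.Fprintf(out, "FAILED: SLSA verification failed: %v\n", err)
		return 1
	}
	fmt.Fprintln(out, "PASSED: Verified SLSA provenance")
	return 0
}
```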
* Handle the same fix in image verification
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* go fmt
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Remove limit of number of artifacts to verify
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Update short description
Mention that we support multiple artifacts as long as they come from the
same provenance.
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Verify all artifacts passed in cmdline
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Remove header of verify step output
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Format the `cobra.Command.Use` argument
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Don't return a slice of builderIDs.
Since all images should come from the same provenance file, there's an
invariant that we will always get exactly one builderID. So, no need to
return a slice of them.
Just to preempt the case when the invariant would be broken, add a
specific check.
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Change existing tests to support multiple artifacts.
No new tests added, just changing table test data type.
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* [nfc] Format test file
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Change test to allow passing multiple artifacts.
For now, just allow passing the entire array of artifacts to command
line / arguments. The functionality should still be the same.
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Fix typo
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Fix path to test artifacts
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Allow different provenance path
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Try 2 artifacts from existing testdata
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Add more tests for multiple artifacts
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Add failing test
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Fix artifact and error
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Add final test: no artifact match
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
* Update README.md
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
One part that is missing in the output if the invocation is wrong is that
there is no indication that the user has to pass the path to a file
(artifact/image).
The remaining potential errors from #173 are handled via #231.
Found while looking at #174.
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>