github/slsa-verifier
1
0
Fork 0
mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-05-17 14:06:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
444 Commits 40 Branches 45 Tags
bc65aede9871b3b07e2fc35c85f97acf6ac4bb74
Commit Graph

20 Commits

Author SHA1 Message Date
Ramon Petgrave
c789437815 feat: refactor: use sigstore-go for fetching TrustedRoot (#791) 
Uses the `sigstore-go` library for fetching the `TrustedRoot`, which
contains the Sigstore infrastructure certificates needed to validate the
leaf ephemeral certificates used to sign artifacts.

Refactors:

- replace `TrustedRootSingleton()` with `getDefaultCosignCheckOpts()`,
since only `VerifyImage()` will now need that data.
- replace `cosign.ValidateAndUnpackCert`
with`sigstoreVerify.VerifyLeafCertificate()`
- use `sync.Once` for sigstore and rekor clients, and the `TrustedRoot`

## Testing

- existing tests continue to pass
- [negative tests
](d96b977709/cli/slsa-verifier/main_regression_test.go (L450-L471))
against rekor TLogs
- manual invocations of `verify-artifact`.

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-08-02 21:47:50 +00:00
Ramon Petgrave
208ac12589 feat: vsa support (#777) 
Fixes #542

Adds support for VSAs.

## Testing process

- added some unit an end-to-end tests
- manually invoking

    ```
    go run ./cli/slsa-verifier/ verify-vsa \
    --subject-digest gce_image_id:8970095005306000053 \
--attestation-path
./cli/slsa-verifier/testdata/vsa/gce/v1/gke-gce-pre.bcid-vsa.jsonl \
--verifier-id
https://bcid.corp.google.com/verifier/bcid_package_enforcer/v0.1 \
--resource-uri
gce_image://gke-node-images:gke-12615-gke1418000-cos-101-17162-463-29-c-cgpv1-pre
\
    --verified-level BCID_L1 \
    --verified-level SLSA_BUILD_LEVEL_2 \
--public-key-path
./cli/slsa-verifier/testdata/vsa/gce/v1/vsa_signing_public_key.pem \
    --public-key-id keystore://76574:prod:vsa_signing_public_key \
    --print-attestation



{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://slsa.dev/verification_summary/v1","predicate":{"timeVerified":"2024-06-12T07:24:34.351608Z","verifier":{"id":"https://bcid.corp.google.com/verifier/bcid_package_enforcer/v0.1"},"verificationResult":"PASSED","verifiedLevels":["BCID_L1","SLSA_BUILD_LEVEL_2"],"resourceUri":"gce_image://gke-node-images:gke-12615-gke1418000-cos-101-17162-463-29-c-cgpv1-pre","policy":{"uri":"googlefile:/google_src/files/642513192/depot/google3/production/security/bcid/software/gce_image/gke/vm_images.sw_policy.textproto"}},"subject":[{"name":"_","digest":{"gce_image_id":"8970095005306000053"}}]}
    Verifying VSA: PASSED
    
    PASSED: SLSA verification passed
    ```

TODOS:
- open issue on the in_toto attestations repo about the incorrect json
[fields](36c1129542/go/predicates/vsa/v1/vsa.pb.go (L26-L40))
for vsa 1.0

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-07-10 21:25:16 -04:00
laurentsimon
3b171c4140 feat: Address unresolved comments from #705 (#708) 
closes https://github.com/slsa-framework/slsa-verifier/issues/707

Signed-off-by: laurentsimon <laurentsimon@google.com>
 2023-10-09 23:17:48 +00:00
laurentsimon
f6ae402f45 fix: npm publish verification (#705) 
- adding support for IEEE P1363 formatted signatures
- fix the npm publish attestation bug. The verification always return
success, because it was not using PAE signature

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Ian Lewis <ianlewis@google.com>
Co-authored-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
 2023-10-02 10:12:51 -07:00
laurentsimon
c6d12b745c feat: Use tags vX.Y.Z-<language> for JReleaser builders (#644) 
Signed-off-by: laurentsimon <laurentsimon@google.com>
 2023-07-10 16:42:48 +00:00
Ian Lewis
965f5784c1 refactor: Add more git utils (#645) 
Adds the functions `NormalizeGitURI`, `ParseGitURIAndRef`, and
`ValidateGitRef`. `ParseGitRef` was updated to be permissive of the ref
type whereas `ValidateGitRef` validates that the type is of a given
type.

Code extracted from #641

Signed-off-by: Ian Lewis <ianlewis@google.com>
 2023-07-01 09:03:52 +09:00
Ian Lewis
8faf24c6dc fix: builder ID verification for testing (#635) 
Fix builder ID verification for testing

Signed-off-by: Ian Lewis <ianlewis@google.com>
 2023-06-06 08:32:20 -05:00
Ian Lewis
9bfbc91c5b refactor: Provenance tests (#628) 
Refactors GHA provenance tests to use `testProvenance` which makes it clearer what is actually being tested. This will also make it easier to support `buildType` as a way to have different verification logic as the tests no longer rely on testdata with the `"https://github.com/Attestations/GitHubActionsWorkflow@v1"` build type, which isn't used by any supported builders.

A couple of updates to utilities:
- `VerifyTag` will now validate the ref returned by the `Provenance` instance.
- `VerifyBranch` will now validate the ref returned by the `Provenance` instance.
- `VerifyDigest` now supports the 160 bit `"sha1"` algo (FWIW) and will now search all subject entries even if one subject entry's algorithm does not match the expected algorithm.

---------

Signed-off-by: Ian Lewis <ianlewis@google.com>
 2023-06-02 13:34:56 +09:00
laurentsimon
93d3f8c06c fix: Verify the TRW tag is a semver tag (#619) 
* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* Update verifiers/utils/builder.go

Co-authored-by: Ian Lewis <ianlewis@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Ian Lewis <ianlewis@google.com>
 2023-05-26 01:15:32 +00:00
laurentsimon
bda35e0238 feat: BYOB verification support (#604) 
* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
 2023-05-23 01:41:17 +00:00
asraa
467e0820b6 chore: update slsa provenance to v1 (#579) 
* chore: update slsa provenance to v1

Signed-off-by: Asra Ali <asraa@google.com>

* fix import path

Signed-off-by: Asra Ali <asraa@google.com>

* update dsse testcases

Signed-off-by: Asra Ali <asraa@google.com>

* fix cosign image verification in update

Signed-off-by: Asra Ali <asraa@google.com>

---------

Signed-off-by: Asra Ali <asraa@google.com>
 2023-05-08 15:18:16 +00:00
Ian Lewis
88cd40e2ee feat: Use low-perms delegator for Node.js builder (#577) 
Signed-off-by: Ian Lewis <ianlewis@google.com>
 2023-05-01 16:27:58 +09:00
laurentsimon
c0cadc0117 feat: support for BYOB verification (#562) 
* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* Update verifiers/internal/gha/provenance.go

Co-authored-by: Ian Lewis <ianlewis@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Ian Lewis <ianlewis@google.com>
 2023-04-19 19:07:27 +00:00
laurentsimon
37e3b406cb feat: GCB tag and versioned-tag support for containers (#540) 
* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
 2023-03-23 16:57:34 +00:00
laurentsimon
82a12591ff feat: npm default runner support (#495) 
* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
 2023-03-02 21:53:29 +00:00
asraa
5d6c770d43 feat: support branch and tag from slsa v1 provenance (#476) 
* feat: support branch and tag from slsa v1 provenance

Signed-off-by: Asra Ali <asraa@google.com>

Signed-off-by: Asra Ali <asraa@google.com>
 2023-02-10 21:33:16 +00:00
asraa
239c4489ce feat: add slsa v1?draft provenance experimental support (#470) 
* feat: add slsa v1?draft provenance support

Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: Asra Ali <asraa@google.com>
 2023-02-09 17:21:15 +00:00
Shunsuke Suzuki
74fd528309 fix: fix the Go package version to v2 (#373) 
* fix: fix the package version to v2

```
git ls-files | grep ".go$" | xargs -n 1 gsed -i "s|github.com/slsa-framework/slsa-verifier|github.com/slsa-framework/slsa-verifier/v2|g"
```

Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com>

* fix: fix the package version to v2

Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com>

* test: fix source

Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com>

Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com>
 2022-12-01 18:49:39 -08:00
laurentsimon
533d347a4b feat: support builderID matching with or without semver for GHA (#257) 
* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update
 2022-09-15 14:32:03 -07:00
laurentsimon
b58e752378 feat: support builderID matching with or without semver for GCB (#256) 
* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update
 2022-09-12 17:17:46 -07:00