github/slsa-verifier
1
0
Fork 0
mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-05-17 05:56:37 +00:00
Code Issues Packages Projects Releases Wiki Activity
463 Commits 40 Branches 45 Tags
f9a4b35ff6bea63a67e7d178938db2984481d7dd
Commit Graph

463 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ramon Petgrave
f9a4b35ff6 cli help about default options 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-25 15:32:17 +00:00
Ramon Petgrave
92ce34e767 fix capitalization 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-25 15:28:18 +00:00
Ramon Petgrave
1ccec0e405 comment doc 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-25 15:22:34 +00:00
Ramon Petgrave
bf38fb0e9c help docs 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-22 00:52:47 +00:00
Ramon Petgrave
23d8e33dfd singular attestation path 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-22 00:46:28 +00:00
Ramon Petgrave
e0919a83e0 hash-algo description 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-22 00:41:08 +00:00
Ramon Petgrave
f3b63b7194 reword simple hash 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-22 00:39:13 +00:00
Ramon Petgrave
b9c6de5635 flag descriptions, optional --verified-levels 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-22 00:34:53 +00:00
Ramon Petgrave
519a928c72 clarify comments 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-22 00:19:46 +00:00
Ramon Petgrave
968a34d1dd typo 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-21 15:32:11 +00:00
Ramon Petgrave
e27f99f15d no need for sigstoreEnvelope 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 23:07:05 +00:00
Ramon Petgrave
0172a12823 lint 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 22:17:11 +00:00
Ramon Petgrave
73c9884da6 lint: no pointer for crypto.publickkey 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 22:10:46 +00:00
Ramon Petgrave
942d8bbe3d remove accidental binary 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 20:50:28 +00:00
Ramon Petgrave
ff1cf43ce9 undo regression tag change 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 20:48:19 +00:00
Ramon Petgrave
cba639f855 specific errors and test cases 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 20:43:26 +00:00
Ramon Petgrave
e47312f593 literl hash algo 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 19:56:21 +00:00
Ramon Petgrave
00fed87dbc typo 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 19:53:45 +00:00
Ramon Petgrave
fbe83fb372 change error type 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 19:50:18 +00:00
Ramon Petgrave
7fb5bf933c switch wanted, got order 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 18:13:06 +00:00
Ramon Petgrave
8befbc6e94 use plain bool 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 18:12:51 +00:00
Ramon Petgrave
fec61b1f27 use pointers 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 18:03:48 +00:00
Ramon Petgrave
5636d0a832 rename to resource URI 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 16:58:13 +00:00
Ramon Petgrave
f5362e5a4a rename to PublicKeyHashAlgo 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 16:49:43 +00:00
Ramon Petgrave
ad1b81dc5d update README 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 16:33:38 +00:00
Ramon Petgrave
f0fedec1dd verify vsa passed message 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 15:59:09 +00:00
Ramon Petgrave
2ef9a40437 minify test data 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-20 15:52:17 +00:00
Ramon Petgrave
944c9a6f4c singular print-attestation 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-19 00:32:31 +00:00
Ramon Petgrave
610ef6f1af verify reamining fields, print attestations 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-19 00:30:15 +00:00
Ramon Petgrave
13a74b5b4a embed the google vsa key, match against all signatures, match the subject digests 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-18 22:18:25 +00:00
Ramon Petgrave
ead4e9bf4e use utility to parse envelope, docs, use keyID 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-18 20:23:24 +00:00
Ramon Petgrave
edde0a8aca cleanup, more skeleton 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-18 18:48:42 +00:00
Ramon Petgrave
1f123f3c1d attempt to verify envelope 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-18 18:35:53 +00:00
Ramon Petgrave
2dc64f7bda vsa parser 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-18 18:35:24 +00:00
Ramon Petgrave
2f76f12ff3 different test example 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-18 18:34:37 +00:00
Ramon Petgrave
9704c97a22 parse dsse envelope 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-17 16:07:41 +00:00
Ramon Petgrave
a3a573a800 cleanup 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-17 16:06:50 +00:00
Ramon Petgrave
b90ede0bde rename to TrustedProducerID, allow muyltiple --subject-digest flags 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-14 18:15:25 +00:00
Ramon Petgrave
a25abe2323 testdata, sample invocation in README.md 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-13 22:28:58 +00:00
Ramon Petgrave
b5eb1473b8 skeletion verify-vsa command 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-13 22:28:08 +00:00
Ramon Petgrave
7980fdebf6 Changed success message to a more general "PASSED: SLSA verification passed" 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-06-13 22:22:56 +00:00
Ramon Petgrave
18c5f13b3e fix: signoff commit (#767) 
Followup to https://github.com/slsa-framework/slsa-verifier/pull/760

Fix the .github/workflows/update-actions-dist-post-commit.yml workflow
to also signoff commit

# Testing

- [x] Invoked this PR's branch copy of the workflow against #717, and it
did signoff the commit.
-
9670f76ab8

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-22 16:45:20 +00:00
Ramon Petgrave
b55bf59ce4 fix: use pr_number as env variable (#771) 
changing the update-dist workflow to use the `pr_number` input as an env
variable to avoid [script
injection](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#good-practices-for-mitigating-script-injection-attacks).

Our workflows are only invokable by our trusted maintainers so we should
be okay. This is just an extra hardening measure.

Open issue
https://github.com/actions/runner/issues/1070#issuecomment-2113287699

## Testing

I confirmed the issue by invoking the workflow with `650 && echo SCRIPT
INJECTION`, and it did also do the extra `echo` command.
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101350247/job/25018333703#step:3:36

after invoking the workflow again with this PR's version, the problem is
mitigated.
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101495332/job/25018812710#step:3:8
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101516757/job/25018888519#step:3:7

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-22 12:20:16 -04:00
Ian Lewis
87b5bae6d4 chore: Update Renovate config (#769) 
# Summary

Updates renovate config to use the
[`config:best-practices`](https://docs.renovatebot.com/presets-config/#configbest-practices)
preset rather than the `config:base` preset since `config:base` seems to
be deprecated.

Also updates the `schedule` config to use the
[`schedule:monthly`](https://docs.renovatebot.com/presets-schedule/#schedulemonthly)
preset.

Also adds a pre-submit to run the
[`renovate-config-validator`](https://docs.renovatebot.com/config-validation/)
to ensure that renovate config is valid. This pre-submit will need to be
made required in the repository branch protection rule for `main` in the
repository settings after this PR is merged.

---------

Signed-off-by: Ian Lewis <ianmlewis@gmail.com>
Signed-off-by: Ian Lewis <ianlewis@google.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-16 07:13:09 +09:00
Ian Lewis
138a2348fc chore: fix pr-title-checker (#770) 
Updates `thehanimo/pr-title-checker` to v1.4.2 and fixes the version
comment.

Signed-off-by: Ian Lewis <ianlewis@google.com>
 2024-05-15 12:10:15 -04:00
Mend Renovate
e7a8f74b9c fix(deps): update dependency @actions/core to v1.10.1 (#717) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[@actions/core](https://togithub.com/actions/toolkit/tree/main/packages/core)
([source](https://togithub.com/actions/toolkit/tree/HEAD/packages/core))
| [`1.10.0` ->
`1.10.1`](https://renovatebot.com/diffs/npm/@actions%2fcore/1.10.0/1.10.1)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fcore/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@actions%2fcore/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@actions%2fcore/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fcore/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/toolkit (@&#8203;actions/core)</summary>

###
[`v1.10.1`](https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#1101)

- Fix error message reference in oidc utils
[#&#8203;1511](https://togithub.com/actions/toolkit/pull/1511)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4zNDAuMTAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->

---------

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Signed-off-by: github-actions <github-actions@github.com>
Co-authored-by: github-actions <github-actions@github.com>
 2024-05-07 14:09:48 -04:00
Ramon Petgrave
23160d82c0 feat: workflow to update actions dist (#760) 
Add a new Post-Commit workflow, to make these renovate-bot updates a bit
easier.
Previously, we had to clone the PR locally, run `make package`, and then
push to the PR.
Now we would just need to use the github UI to invoke this new workflow
against the PR number.
We could also copy this over to the slsa-github-generator repo.

> A workflow to run against renovate-bot's PRs,
> such as `make package` after it updates the package.json and
package-lock.json files.
> The potentially untrusted code is first run inside a low-privilege
Job, and the diff is uploaded as an artifact.
> Then a higher-privilege Job applies the diff and pushes the changes to
the PR.
> It's important to only run this workflow against PRs from trusted
sources, after also reviewing the changes!

## Testing.

Tested in my own private fork, where when applicable, it pushed a commit
of changes to `dist/` folders
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806815483
  - https://github.com/ramonpetgrave64/slsa-verifier/pull/8/commits
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806841353
  - https://github.com/ramonpetgrave64/slsa-verifier/pull/16/commits

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-06 17:56:35 -04:00
Mend Renovate
9c4e2196d8 chore(deps): update gcr.io/distroless/base:nonroot docker digest to 53745e9 (#763) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| gcr.io/distroless/base | final | digest | `1a8ece8` -> `53745e9` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMjEuMiIsInVwZGF0ZWRJblZlciI6IjM3LjMzMS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-06 16:01:16 +00:00
Mend Renovate
f787eeebf7 chore(deps): update golang:1.21 docker digest to d83472f (#764) 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | digest | `81811f8` -> `d83472f` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMjEuMiIsInVwZGF0ZWRJblZlciI6IjM3LjMyMS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Signed-off-by: Mend Renovate <bot@renovateapp.com>
 2024-05-06 11:48:47 -04:00
Ramon Petgrave
637b07fdab chore: slsa-framework/slsa-github-generator@v2.0.0: add testdata (#758) 
https://github.com/slsa-framework/slsa-github-generator/issues/3576

Next step in 

https://github.com/slsa-framework/slsa-github-generator/blob/main/RELEASE.md#update-verifier

Creating new test data for slsa-github-generator@v2.0.0

# Instructions:

## diff to download-artifacts.sh

```
diff --git a/download-artifacts.sh b/download-artifacts.sh
old mode 100644
new mode 100755
index e5e218e8..49257ea6
--- a/download-artifacts.sh
+++ b/download-artifacts.sh
@@ -88,6 +88,10 @@ unzip_files() {
         rm -rf "${tmp_dir}"
         ;;
 
+    ./*.zip)
+        unzip -o "${zip_path}" -d "${output_path}"
+        ;;
+
     *)
         echo "unexpected file path: ${zip_path}"
         exit 1
@@ -167,7 +171,7 @@ rename_java_files "test-java-project-" "maven"
 rename_java_files "workflow_dispatch-" "gradle"
 
 # Files downloaded. Now copy them
-repo_path="../.."
+repo_path="/path/to/slsa-verifier"
 
 # Go builder files.
 copy_files "gha_go-binary-linux-amd64-" "${repo_path}/cli/slsa-verifier/testdata/gha_go/${version}"
```

## download the artifacts

```
../slsa-verifier/download-artifacts.sh 8791212155 v2.0.0
../slsa-verifier/download-artifacts.sh 8791219359 v2.0.0
../slsa-verifier/download-artifacts.sh 8791219514 v2.0.0
../slsa-verifier/download-artifacts.sh 8791219607 v2.0.0
```

## docker github auth

```
gh auth login --scopes=read:packages
echo `gh auth token` | docker login ghcr.io -u ramonpetgrave64 --password-stdin
cosign save \
    --dir ./cli/slsa-verifier/testdata/gha_generic_container/v2.0.0/container_workflow_dispatch \
    ghcr.io/slsa-framework/example-package.verifier-e2e.all.tag.main.default.slsa3@sha256:55aee984fd6b1d0e0a19a55265d10d40063a2212bdbabd75b202b1728236548d
```

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
 2024-04-23 12:26:13 -04:00