37 Commits

Author SHA1 Message Date
Ian Lewis
f96d91bdd2 fix: Support pre-releases on trusted repos (#552)
Support pre-releases on trusted repos

---------

Signed-off-by: Ian Lewis <ianlewis@google.com>
2023-04-11 08:54:33 +09:00
laurentsimon
37e3b406cb feat: GCB tag and versioned-tag support for containers (#540)
* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
2023-03-23 16:57:34 +00:00
laurentsimon
ae38103ecf feat: verify sourceURI for npm packages (#521)
* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* Update verifiers/internal/gha/provenance.go

Co-authored-by: Ian Lewis <ianlewis@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Ian Lewis <ianlewis@google.com>
2023-03-10 17:13:29 +00:00
asraa
5a77b25fb4 fix: fix GCB verification with git material source prefix (#519)
Signed-off-by: Asra Ali <asraa@google.com>
2023-03-09 10:00:19 +09:00
Kevin Halk
47495c7d5b feat: Update SLSA verifier to support a global signing key for GCB V1 which… (#509)
* Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format

- new public key for "global PAE signing key"
- test data and unit tests

Signed-off-by: Kevin Halk <khalk@google.com>

* Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format

- new public key for "global PAE signing key"
- test data and unit tests

Signed-off-by: Kevin Halk <khalk@google.com>

* Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format

- new public key for "global PAE signing key"
- test data and unit tests

Signed-off-by: Kevin Halk <khalk@google.com>

* Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format

- new public key for "global PAE signing key"
- test data and unit tests

Signed-off-by: Kevin Halk <khalk@google.com>

* Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format

- new public key for "global PAE signing key"
- test data and unit tests

Signed-off-by: Kevin Halk <khalk@google.com>

* Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format

- new public key for "global PAE signing key"
- test data and unit tests

Signed-off-by: Kevin Halk <khalk@google.com>

* Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format

- new public key for "global PAE signing key"
- test data and unit tests

Signed-off-by: Kevin Halk <khalk@google.com>

---------

Signed-off-by: Kevin Halk <khalk@google.com>
2023-03-06 16:02:30 +00:00
laurentsimon
82a12591ff feat: npm default runner support (#495)
* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
2023-03-02 21:53:29 +00:00
asraa
d8c2961d82 test: add docker based support and start adding tests (#486)
Signed-off-by: Asra Ali <asraa@google.com>
2023-02-15 20:46:11 +00:00
asraa
0bb98050f2 fix: use a uniform verifier interface for provenance type (#478)
* cleanup: use a uniform verifier interface for provenance type

Signed-off-by: Asra Ali <asraa@google.com>

* fix experimental gate

Signed-off-by: Asra Ali <asraa@google.com>

* oops

Signed-off-by: Asra Ali <asraa@google.com>

---------

Signed-off-by: Asra Ali <asraa@google.com>
2023-02-10 14:04:12 -08:00
asraa
5d6c770d43 feat: support branch and tag from slsa v1 provenance (#476)
* feat: support branch and tag from slsa v1 provenance

Signed-off-by: Asra Ali <asraa@google.com>

Signed-off-by: Asra Ali <asraa@google.com>
2023-02-10 21:33:16 +00:00
asraa
239c4489ce feat: add slsa v1-draft provenance experimental support (#470)
* feat: add slsa v1-draft provenance support

Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: Asra Ali <asraa@google.com>
2023-02-09 17:21:15 +00:00
asraa
fec5b6a7b5 refactor: generalize provenance out of predicate type info (#463)
* refactor: generalize provenance out of predicate type info

Signed-off-by: Asra Ali <asraa@google.com>
2023-02-03 23:30:23 +00:00
asraa
362bd1a331 feat: add offline bundle signature verification (#457)
* feat: add bundle signature verification

Signed-off-by: Asra Ali <asraa@google.com>
2023-02-03 09:31:40 -06:00
asraa
bcd23c945e chore: enable some Go linters (#456)
* enable deadcode

Signed-off-by: Asra Ali <asraa@google.com>

* enable unconvert

Signed-off-by: Asra Ali <asraa@google.com>

* enable thelper

Signed-off-by: Asra Ali <asraa@google.com>

* enable stylecheck

Signed-off-by: Asra Ali <asraa@google.com>

* enable misspell

Signed-off-by: Asra Ali <asraa@google.com>

* enable gocritic

Signed-off-by: Asra Ali <asraa@google.com>

* enable godot

Signed-off-by: Asra Ali <asraa@google.com>

* enable staticcheck

Signed-off-by: Asra Ali <asraa@google.com>

* address experimental deadcode

Signed-off-by: Asra Ali <asraa@google.com>

Signed-off-by: Asra Ali <asraa@google.com>
2023-01-25 19:51:10 +00:00
Mend Renovate
e8c3438638 fix(deps): update go (#386)
Co-authored-by: Ian Lewis <ianlewis@google.com>
2022-12-15 01:39:54 +00:00
laurentsimon
4a6c5b1677 feat: add more tests for GCB verification (#389)
* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

Signed-off-by: laurentsimon <laurentsimon@google.com>
2022-12-05 13:31:58 -08:00
Ian Lewis
267242e153 fix: Fix error check for decodeSignature (#385)
Signed-off-by: Ian Lewis <ianmlewis@gmail.com>

Signed-off-by: Ian Lewis <ianmlewis@gmail.com>
2022-12-03 11:05:56 -08:00
laurentsimon
b9058c5596 docs: Add comment for signature decoding (#380)
* update

Signed-off-by: laurentsimon <laurentsimon@google.com>

* Update verifiers/internal/gcb/provenance.go

Co-authored-by: asraa <asraa@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>

Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: asraa <asraa@google.com>
2022-12-02 19:34:29 +00:00
Shunsuke Suzuki
74fd528309 fix: fix the Go package version to v2 (#373)
* fix: fix the package version to v2

```
git ls-files | grep ".go$" | xargs -n 1 gsed -i "s|github.com/slsa-framework/slsa-verifier|github.com/slsa-framework/slsa-verifier/v2|g"
```

Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com>

* fix: fix the package version to v2

Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com>

* test: fix source

Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com>

Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com>
2022-12-01 18:49:39 -08:00
Shunsuke Suzuki
f7bd16431b fix: fix error logs (#356)
2022-11-11 10:44:03 -06:00
asraa
ef0f1a7a24 refactor: consolidate verification funcs for GHA (#348)
* consolidate verification funcs

Signed-off-by: Asra Ali <asraa@google.com>
2022-11-02 15:32:39 -05:00
asraa
e9cd6b763c fix: address gcb verifier comments and add gcb documentation (#300)
* address gcb verifier comments

Signed-off-by: Asra Ali <asraa@google.com>
2022-10-21 21:06:22 +00:00
asraa
05d247fb14 rekor: use rekor client with retries (#301)
Signed-off-by: Asra Ali <asraa@google.com>

Signed-off-by: Asra Ali <asraa@google.com>
2022-10-17 16:55:40 +00:00
asraa
a6e069c0ab gcb: add gcb compatibility (#292)
Signed-off-by: Asra Ali <asraa@google.com>

Signed-off-by: Asra Ali <asraa@google.com>
2022-10-07 14:21:50 -07:00
asraa
0ad6136f60 fix: make client shard aware when verifying (#282)
Signed-off-by: Asra Ali <asraa@google.com>

Signed-off-by: Asra Ali <asraa@google.com>
2022-09-30 16:08:33 -05:00
laurentsimon
533d347a4b feat: support builderID matching with or without semver for GHA (#257)
* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update
2022-09-15 14:32:03 -07:00
laurentsimon
b58e752378 feat: support builderID matching with or without semver for GCB (#256)
* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update
2022-09-12 17:17:46 -07:00
laurentsimon
d12dce9526 feat: CLI tests for GCB verification (#251)
* update

* update

* update
2022-09-08 13:36:56 -07:00
laurentsimon
e0edc0c46f feat: support for GCB v0.3 verification (#248)
* update

* update

* update

* update
2022-09-06 23:54:59 +00:00
asraa
ff0ced42ef refactor: add subcommands and separate functionality from artifacts a… (#231)
* refactor: add subcommands and separate functionality from artifacts and images

Signed-off-by: Asra Ali <asraa@google.com>
2022-09-06 17:10:58 -05:00
laurentsimon
d5b56c334e feat: add CLI tests for GCB verification (#245)
* update

* update

* update

* update
2022-09-02 20:42:40 +00:00
laurentsimon
0c543fcce0 update (#244)
2022-09-01 01:00:56 +00:00
laurentsimon
26c928f5b7 Verify text provenance for GCB (#242)
* update

* update

* update

* update

* update

* comments

* comments
2022-08-30 23:08:46 +00:00
laurentsimon
3b5c68f561 feat: Support for GCB verification (#202)
* add testing folder

Signed-off-by: Asra Ali <asraa@google.com>

* add tests

Signed-off-by: Asra Ali <asraa@google.com>

* update

* updated comments

Signed-off-by: Asra Ali <asraa@google.com>

* update

* update

* update

* update

* update

* update

* update

* draft

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

Signed-off-by: Asra Ali <asraa@google.com>
Co-authored-by: Asra Ali <asraa@google.com>
2022-08-24 10:17:14 -07:00
asraa
7b4b9cde06 feat: support oci image verification (#147)
* feat: support oci image verification

Signed-off-by: Asra Ali <asraa@google.com>

* add testing folder

Signed-off-by: Asra Ali <asraa@google.com>

* update name and make fix

Signed-off-by: Asra Ali <asraa@google.com>

* add tests

Signed-off-by: Asra Ali <asraa@google.com>

* Add initial testing

Signed-off-by: Asra Ali <asraa@google.com>

* updated comments

Signed-off-by: Asra Ali <asraa@google.com>

* update

Signed-off-by: Asra Ali <asraa@google.com>

* fix digest calculation

Signed-off-by: Asra Ali <asraa@google.com>

Signed-off-by: Asra Ali <asraa@google.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
2022-08-17 15:59:01 -05:00
laurentsimon
5bb13ef508 feat: add a -workflow-input option (#216)
* update
2022-08-15 19:38:15 +00:00
laurentsimon
4ca6320994 feat: make branch optional (#192)
* update

* update

* update

* update

* Update verifiers/internal/gha/provenance.go

Co-authored-by: Ian Lewis <ianlewis@google.com>

* update

* update

* update

* update

* update

* update

* update

* update

Co-authored-by: Ian Lewis <ianlewis@google.com>
2022-08-09 22:49:36 +00:00
laurentsimon
edb792b342 feat: Create interface for verifiers (#187)
* update

* update

* unit tests

* update

* comments

* update

* update

* update

* update

* Use interface for builders

* update

* update

* update

* update

* fix

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update

* update
2022-08-05 14:31:34 -07:00