/cc @mihaimaruseac
/cc @laurentsimon
Based off the prefix of the BuilderID within the provenance, if the
builder use to build the artifact is one of the BYOB builders of
slsa-framework/slsa-github-generator repo, the --builderid flag is not
need and is handled automatically. This was done to increase access to
users since before the automatic pickup of the builder-id would get the
delegator.
Test cases that cover verifyProvenance will need to be complete after
the v1.8.0 release of slsa-framework/slsa-github-generator.
The main structure that is changed is the ExpectedBuilderPath is
hardcoded now to slsa-framework builders within
`/cli/slsa-verifier/verify/verify_artifact.go `. This can later be
changed now if needed to be an input like the other fields of
`provenanceOpts` populated during `verify_artifact.go`. The added
function within `provenance.go`, `verifyBuilderIDPath` is called during
`verifyProvenance` to check this path within `provenanceOpts`. Upon
failure of this function, expected and received BuilderID's are also
outputted.
closes#659
makes use of discussion on closed pr #673
---------
Signed-off-by: Noah Elzner <elzner@google.com>
Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com>
Co-authored-by: Ian Lewis <ianlewis@google.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Internally use full builder IDs including server url rather than worflow
ref as a path. This should hopefully avoid confusion between dealing
with builder IDs and `GITHUB_WORKFLOW_REF` which only contains the path
portion. `GITHUB_WORKFLOW_REF` is the only thing that doesn't include
the domain/server url part of the workflow/builder ID. The Fulcio OID
claims include the full url.
Code extracted from #641
---------
Signed-off-by: Ian Lewis <ianlewis@google.com>
Adds the functions `NormalizeGitURI`, `ParseGitURIAndRef`, and
`ValidateGitRef`. `ParseGitRef` was updated to be permissive of the ref
type whereas `ValidateGitRef` validates that the type is of a given
type.
Code extracted from #641
Signed-off-by: Ian Lewis <ianlewis@google.com>
Fixes#473
Updates handling of provenance by providing implementations based on
[buildType](https://slsa.dev/provenance/v1#buildType) since this
determines how to interpret parameters and dependencies. This is done
because we need a way to interpret parameters not just based on the
predicateType. The 3 major build types with format differences are:
- non-BYOB SLSA v0.2
- BYOB SLSA v0.2
- BYOB SLSA v1.0
---------
Signed-off-by: Ian Lewis <ianlewis@google.com>
* feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format
Signed-off-by: Asra Ali <asraa@google.com>
* docs: update verifier README.md for docker-based builder
Signed-off-by: Asra Ali <asraa@google.com>
---------
Signed-off-by: Asra Ali <asraa@google.com>
Refactors GHA provenance tests to use `testProvenance` which makes it clearer what is actually being tested. This will also make it easier to support `buildType` as a way to have different verification logic as the tests no longer rely on testdata with the `"https://github.com/Attestations/GitHubActionsWorkflow@v1"` build type, which isn't used by any supported builders.
A couple of updates to utilities:
- `VerifyTag` will now validate the ref returned by the `Provenance` instance.
- `VerifyBranch` will now validate the ref returned by the `Provenance` instance.
- `VerifyDigest` now supports the 160 bit `"sha1"` algo (FWIW) and will now search all subject entries even if one subject entry's algorithm does not match the expected algorithm.
---------
Signed-off-by: Ian Lewis <ianlewis@google.com>
* feat: add support for checking a source annotation when there are multiple resolveddependencies
Signed-off-by: Asra Ali <asraa@google.com>
* revert to using external parameters source key
Signed-off-by: Asra Ali <asraa@google.com>
* unused file
Signed-off-by: Asra Ali <asraa@google.com>
---------
Signed-off-by: Asra Ali <asraa@google.com>
* Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format
- new public key for "global PAE signing key"
- test data and unit tests
Signed-off-by: Kevin Halk <khalk@google.com>
* Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format
- new public key for "global PAE signing key"
- test data and unit tests
Signed-off-by: Kevin Halk <khalk@google.com>
* Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format
- new public key for "global PAE signing key"
- test data and unit tests
Signed-off-by: Kevin Halk <khalk@google.com>
* Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format
- new public key for "global PAE signing key"
- test data and unit tests
Signed-off-by: Kevin Halk <khalk@google.com>
* Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format
- new public key for "global PAE signing key"
- test data and unit tests
Signed-off-by: Kevin Halk <khalk@google.com>
* Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format
- new public key for "global PAE signing key"
- test data and unit tests
Signed-off-by: Kevin Halk <khalk@google.com>
* Update SLSA verifier to support a global signing key for GCB V1 which creates the signature in a DSSE-conformant PAE format
- new public key for "global PAE signing key"
- test data and unit tests
Signed-off-by: Kevin Halk <khalk@google.com>
---------
Signed-off-by: Kevin Halk <khalk@google.com>
* cleanup: use a uniform verifier interface for provenance type
Signed-off-by: Asra Ali <asraa@google.com>
* fix experimental gateg
Signed-off-by: Asra Ali <asraa@google.com>
* oops
Signed-off-by: Asra Ali <asraa@google.com>
---------
Signed-off-by: Asra Ali <asraa@google.com>
