mirror of
https://github.com/slsa-framework/slsa-verifier.git
synced 2026-02-14 17:49:58 +00:00
208ac12589
Fixes #542
Adds support for VSAs.
## Testing process
- added some unit an end-to-end tests
- manually invoking
```
go run ./cli/slsa-verifier/ verify-vsa \
--subject-digest gce_image_id:8970095005306000053 \
--attestation-path
./cli/slsa-verifier/testdata/vsa/gce/v1/gke-gce-pre.bcid-vsa.jsonl \
--verifier-id
https://bcid.corp.google.com/verifier/bcid_package_enforcer/v0.1 \
--resource-uri
gce_image://gke-node-images:gke-12615-gke1418000-cos-101-17162-463-29-c-cgpv1-pre
\
--verified-level BCID_L1 \
--verified-level SLSA_BUILD_LEVEL_2 \
--public-key-path
./cli/slsa-verifier/testdata/vsa/gce/v1/vsa_signing_public_key.pem \
--public-key-id keystore://76574:prod:vsa_signing_public_key \
--print-attestation
{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://slsa.dev/verification_summary/v1","predicate":{"timeVerified":"2024-06-12T07:24:34.351608Z","verifier":{"id":"https://bcid.corp.google.com/verifier/bcid_package_enforcer/v0.1"},"verificationResult":"PASSED","verifiedLevels":["BCID_L1","SLSA_BUILD_LEVEL_2"],"resourceUri":"gce_image://gke-node-images:gke-12615-gke1418000-cos-101-17162-463-29-c-cgpv1-pre","policy":{"uri":"googlefile:/google_src/files/642513192/depot/google3/production/security/bcid/software/gce_image/gke/vm_images.sw_policy.textproto"}},"subject":[{"name":"_","digest":{"gce_image_id":"8970095005306000053"}}]}
Verifying VSA: PASSED
PASSED: SLSA verification passed
```
TODOS:
- open issue on the in_toto attestations repo about the incorrect json
[fields](36c1129542/go/predicates/vsa/v1/vsa.pb.go (L26-L40))
for vsa 1.0
---------
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
55 lines
3.6 KiB
Go
55 lines
3.6 KiB
Go
package verification
|
|
|
|
import "errors"
|
|
|
|
var (
|
|
ErrorInvalidDssePayload = errors.New("invalid DSSE envelope payload")
|
|
ErrorMismatchBranch = errors.New("branch used to generate the binary does not match provenance")
|
|
ErrorMismatchPackageVersion = errors.New("package version does not match provenance")
|
|
ErrorMismatchPackageName = errors.New("package name does not match provenance")
|
|
ErrorMismatchBuilderID = errors.New("builderID does not match provenance")
|
|
ErrorInvalidBuilderID = errors.New("builderID is invalid")
|
|
ErrorInvalidBuildType = errors.New("buildType is invalid")
|
|
ErrorMismatchSource = errors.New("source used to generate the binary does not match provenance")
|
|
ErrorMismatchWorkflowInputs = errors.New("workflow input does not match")
|
|
ErrorMalformedURI = errors.New("URI is malformed")
|
|
ErrorMismatchCertificate = errors.New("certificate and provenance mismatch")
|
|
ErrorInvalidCertificate = errors.New("invalid certificate")
|
|
ErrorMismatchTag = errors.New("tag used to generate the binary does not match provenance")
|
|
ErrorInvalidRecipe = errors.New("the recipe is invalid")
|
|
ErrorMismatchVersionedTag = errors.New("tag used to generate the binary does not match provenance")
|
|
ErrorInvalidSemver = errors.New("invalid semantic version")
|
|
ErrorRekorSearch = errors.New("error searching rekor entries")
|
|
ErrorMismatchHash = errors.New("artifact hash does not match provenance subject")
|
|
ErrorNonVerifiableClaim = errors.New("provenance claim cannot be verified")
|
|
ErrorMismatchIntoto = errors.New("verified intoto provenance does not match text provenance")
|
|
ErrorInvalidRef = errors.New("invalid ref")
|
|
ErrorUntrustedReusableWorkflow = errors.New("untrusted reusable workflow")
|
|
ErrorNoValidRekorEntries = errors.New("could not find a matching valid signature entry")
|
|
ErrorVerifierNotSupported = errors.New("no verifier support the builder")
|
|
ErrorInvalidOIDCIssuer = errors.New("invalid OIDC issuer")
|
|
ErrorNotSupported = errors.New("not supported")
|
|
ErrorInvalidFormat = errors.New("invalid format")
|
|
ErrorInvalidPEM = errors.New("invalid PEM")
|
|
ErrorInvalidSignature = errors.New("invalid signature")
|
|
ErrorNoValidSignature = errors.New("no valid signature")
|
|
ErrorMutableImage = errors.New("the image is mutable")
|
|
ErrorImageHash = errors.New("cannot retrieve sha256 of image")
|
|
ErrorInvalidEncoding = errors.New("invalid encoding")
|
|
ErrorInternal = errors.New("internal error")
|
|
ErrorInvalidRekorEntry = errors.New("invalid Rekor entry")
|
|
ErrorRekorPubKey = errors.New("error retrieving Rekor public keys")
|
|
ErrorInvalidPackageName = errors.New("invalid package name")
|
|
ErrorInvalidSubject = errors.New("invalid subject")
|
|
ErrorInvalidHash = errors.New("invalid hash")
|
|
ErrorNotPresent = errors.New("not present")
|
|
ErrorInvalidPublicKey = errors.New("invalid public key")
|
|
ErrorInvalidVerificationResult = errors.New("verificationResult is not PASSED")
|
|
ErrorMismatchVerifiedLevels = errors.New("verified levels do not match")
|
|
ErrorMissingSubjectDigest = errors.New("missing subject digest")
|
|
ErrorEmptyRequiredField = errors.New("empty value in required field")
|
|
ErrorMismatchResourceURI = errors.New("resource URI does not match")
|
|
ErrorMismatchVerifierID = errors.New("verifier ID does not match")
|
|
ErrorInvalidSLSALevel = errors.New("invalid SLSA level")
|
|
)
|