mirror of
https://github.com/slsa-framework/slsa-verifier.git
synced 2026-05-19 06:56:53 +00:00
208ac12589
Fixes #542
Adds support for VSAs.
## Testing process
- added some unit an end-to-end tests
- manually invoking
```
go run ./cli/slsa-verifier/ verify-vsa \
--subject-digest gce_image_id:8970095005306000053 \
--attestation-path
./cli/slsa-verifier/testdata/vsa/gce/v1/gke-gce-pre.bcid-vsa.jsonl \
--verifier-id
https://bcid.corp.google.com/verifier/bcid_package_enforcer/v0.1 \
--resource-uri
gce_image://gke-node-images:gke-12615-gke1418000-cos-101-17162-463-29-c-cgpv1-pre
\
--verified-level BCID_L1 \
--verified-level SLSA_BUILD_LEVEL_2 \
--public-key-path
./cli/slsa-verifier/testdata/vsa/gce/v1/vsa_signing_public_key.pem \
--public-key-id keystore://76574:prod:vsa_signing_public_key \
--print-attestation
{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://slsa.dev/verification_summary/v1","predicate":{"timeVerified":"2024-06-12T07:24:34.351608Z","verifier":{"id":"https://bcid.corp.google.com/verifier/bcid_package_enforcer/v0.1"},"verificationResult":"PASSED","verifiedLevels":["BCID_L1","SLSA_BUILD_LEVEL_2"],"resourceUri":"gce_image://gke-node-images:gke-12615-gke1418000-cos-101-17162-463-29-c-cgpv1-pre","policy":{"uri":"googlefile:/google_src/files/642513192/depot/google3/production/security/bcid/software/gce_image/gke/vm_images.sw_policy.textproto"}},"subject":[{"name":"_","digest":{"gce_image_id":"8970095005306000053"}}]}
Verifying VSA: PASSED
PASSED: SLSA verification passed
```
TODOS:
- open issue on the in_toto attestations repo about the incorrect json
[fields](36c1129542/go/predicates/vsa/v1/vsa.pb.go (L26-L40))
for vsa 1.0
---------
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
68 lines
2.0 KiB
Go
68 lines
2.0 KiB
Go
package options
|
|
|
|
import "crypto"
|
|
|
|
// ProvenanceOpts are the options for checking provenance information.
|
|
type ProvenanceOpts struct {
|
|
// ExpectedBranch is the expected branch (github_ref or github_base_ref) in
|
|
// the invocation parameters.
|
|
ExpectedBranch *string
|
|
|
|
// ExpectedTag is the expected tag, github_ref, in the invocation parameters.
|
|
ExpectedTag *string
|
|
|
|
// ExpectedVersionedTag is the expected versioned tag.
|
|
ExpectedVersionedTag *string
|
|
|
|
// ExpectedDigest is the expected artifact sha included in the provenance.
|
|
ExpectedDigest string
|
|
|
|
// ExpectedSourceURI is the expected source URI in the provenance.
|
|
ExpectedSourceURI string
|
|
|
|
// ExpectedBuilderID is the expected builder ID that is passed from user and verified
|
|
ExpectedBuilderID string
|
|
|
|
// ExpectedWorkflowInputs is a map of key=value inputs.
|
|
ExpectedWorkflowInputs map[string]string
|
|
|
|
ExpectedPackageName *string
|
|
|
|
ExpectedPackageVersion *string
|
|
|
|
// ExpectedProvenanceRepository is the provenance repository that is passed from user.
|
|
ExpectedProvenanceRepository *string
|
|
}
|
|
|
|
// BuildOpts are the options for checking the builder.
|
|
type BuilderOpts struct {
|
|
// ExpectedBuilderID is the builderID passed in from the user.
|
|
ExpectedID *string
|
|
}
|
|
|
|
// VSAOpts are the options for checking the VSA.
|
|
type VSAOpts struct {
|
|
// ExpectedDigests are the digests expected to be in the VSA.
|
|
ExpectedDigests *[]string
|
|
|
|
// ExpectedVerifierID is the verifier ID that is passed from user.
|
|
ExpectedVerifierID *string
|
|
|
|
// ExpectedResourceURI is the resource URI that is passed from user.
|
|
ExpectedResourceURI *string
|
|
|
|
// ExpectedVerifiedLevels is the levels of verification that are passed from user.
|
|
ExpectedVerifiedLevels *[]string
|
|
}
|
|
|
|
type VerificationOpts struct {
|
|
// PublicKey is the public key used to verify the signature on the Envelope.
|
|
PublicKey crypto.PublicKey
|
|
|
|
// PublicKeyID is the ID of the public key.
|
|
PublicKeyID *string
|
|
|
|
// PublicKeyHashAlgo is the hash algorithm used to compute digest that was signed.
|
|
PublicKeyHashAlgo crypto.Hash
|
|
}
|