@fweikert these are the changes I think might be needed to get this to work (it's somewhat hacky, I'm not sure I've fully covered what's needed). @ramonpetgrave64 is this kinda what's needed? This now adds the `verify-github-attestation` sub command. Use this instead of `verify-artifact`. --------- Signed-off-by: Appu Goundan <appu@google.com> Signed-off-by: Appu <appu@google.com> Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
package gcb
import (
"context"
serrors "github.com/slsa-framework/slsa-verifier/v2/errors"
"github.com/slsa-framework/slsa-verifier/v2/options"
register "github.com/slsa-framework/slsa-verifier/v2/register"
_ "github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gcb/keys"
"github.com/slsa-framework/slsa-verifier/v2/verifiers/utils"
)
// VerifierName is the key under which init registers this verifier with
// the shared verifier registry.
const (
	VerifierName = "GCB"
)
// init registers the GCB verifier under VerifierName with the shared
// verifier registry, so that linking this package in is enough to make
// GCB provenance verifiable through the generic entry points. The init
// function is intentional, hence the nolint directive.
//
//nolint:gochecknoinits
func init() {
	gcbVerifier := GCBVerifierNew()
	register.RegisterVerifier(VerifierName, gcbVerifier)
}
// GCBVerifier verifies SLSA provenance produced by Google Cloud Build (GCB).
// It carries no state; the single instance created in init is shared.
type GCBVerifier struct{}
// GCBVerifierNew returns a new GCBVerifier. Because the type has no fields,
// any instance is interchangeable with any other.
func GCBVerifierNew() *GCBVerifier {
	return new(GCBVerifier)
}
// IsAuthoritativeFor reports whether this verifier can verify provenance
// generated by the builder named builderIDName.
//
// Only the Google-hosted Cloud Build worker is recognised. The comparison is
// an exact, case-sensitive string match: a builder ID that merely shares the
// prefix, carries extra path segments, or differs in case is not accepted.
func (v *GCBVerifier) IsAuthoritativeFor(builderIDName string) bool {
	switch builderIDName {
	case "https://cloudbuild.googleapis.com/GoogleHostedWorker":
		return true
	default:
		return false
	}
}
// VerifyArtifact verifies provenance for an artifact.
//
// Not implemented for GCB: this verifier only handles OCI images (see
// VerifyImage). It fails closed by returning serrors.ErrorNotSupported with
// no statement and no builder ID, so a caller can never mistake the result
// for a successful verification. ctx and the other arguments are unused.
func (v *GCBVerifier) VerifyArtifact(ctx context.Context,
	provenance []byte, artifactHash string,
	provenanceOpts *options.ProvenanceOpts,
	builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error) {
	var (
		statement []byte
		builder   *utils.TrustedBuilderID
	)
	return statement, builder, serrors.ErrorNotSupported
}
// VerifyGithubAttestation verifies provenance delivered as a GitHub
// attestation.
//
// Not implemented for GCB: this verifier only handles OCI images (see
// VerifyImage). It fails closed by returning serrors.ErrorNotSupported with
// no statement and no builder ID, so a caller can never mistake the result
// for a successful verification. ctx and the other arguments are unused.
func (v *GCBVerifier) VerifyGithubAttestation(ctx context.Context,
	attestation []byte,
	provenanceOpts *options.ProvenanceOpts,
	builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error) {
	var (
		statement []byte
		builder   *utils.TrustedBuilderID
	)
	return statement, builder, serrors.ErrorNotSupported
}
// VerifyNpmPackage verifies an npm package tarball.
//
// Not implemented for GCB: this verifier only handles OCI images (see
// VerifyImage). It fails closed by returning serrors.ErrorNotSupported with
// no statement and no builder ID, so a caller can never mistake the result
// for a successful verification. ctx and the other arguments are unused.
func (v *GCBVerifier) VerifyNpmPackage(ctx context.Context,
	attestations []byte, tarballHash string,
	provenanceOpts *options.ProvenanceOpts,
	builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error) {
	var (
		statement []byte
		builder   *utils.TrustedBuilderID
	)
	return statement, builder, serrors.ErrorNotSupported
}
// VerifyImage verifies GCB provenance for an OCI image and returns the
// verified in-toto statement together with the trusted builder ID.
//
// The checks run in a fixed order and the first failure is returned
// unchanged (no wrapping), so callers see the provenance layer's own error.
// The signature is checked before any claim in the envelope is consulted:
// nothing read from the provenance is trusted until VerifySignature passes.
//
// Parameters:
//   - ctx: presumably required by the verifier interface; none of the calls
//     below take it, so cancellation is not observed in this function.
//   - provenance: raw GCB provenance bytes, parsed by ProvenanceFromBytes.
//   - artifactImage: not consulted by this function. The image is pinned
//     solely through provenanceOpts.ExpectedDigest, so the caller is presumed
//     to have resolved the image reference to its digest — TODO confirm at
//     the call site.
//   - provenanceOpts: expected digest, source URI and the optional git ref
//     constraints. It is dereferenced without a nil check; nil panics here.
//   - builderOpts: builder expectations, passed through to VerifyBuilder.
//
// Returns the verified statement bytes and the builder ID established by
// VerifyBuilder, or (nil, nil, err) on the first failing check.
func (v *GCBVerifier) VerifyImage(ctx context.Context,
	provenance []byte, artifactImage string,
	provenanceOpts *options.ProvenanceOpts,
	builderOpts *options.BuilderOpts,
) ([]byte, *utils.TrustedBuilderID, error) {
	prov, err := ProvenanceFromBytes(provenance)
	if err != nil {
		return nil, nil, err
	}

	// Verify signature on the intoto attestation.
	// This must stay first: every check that follows reads content from the
	// envelope, which is only meaningful once the signature over it is valid.
	if err := prov.VerifySignature(); err != nil {
		return nil, nil, err
	}

	// Verify the builder.
	// builderID is consumed by VerifySourceURI below; that dereference assumes
	// VerifyBuilder never returns (nil, nil) — TODO confirm in its contract.
	builderID, err := prov.VerifyBuilder(builderOpts)
	if err != nil {
		return nil, nil, err
	}

	// Verify subject digest.
	// This is the only place the artifact identity is pinned; artifactImage
	// itself is never compared.
	if err := prov.VerifySubjectDigest(provenanceOpts.ExpectedDigest); err != nil {
		return nil, nil, err
	}

	// Verify source.
	if err := prov.VerifySourceURI(provenanceOpts.ExpectedSourceURI, *builderID); err != nil {
		return nil, nil, err
	}

	// Verify metadata.
	// This is metadata that GCB appends to the DSSE content.
	if err := prov.VerifyMetadata(provenanceOpts); err != nil {
		return nil, nil, err
	}

	// Verify the summary.
	// This is an additional structure that GCB prepends to the provenance.
	if err := prov.VerifySummary(provenanceOpts); err != nil {
		return nil, nil, err
	}

	// Verify the text provenance.
	// This is an additional structure that GCB prepends to the provenance,
	// intended for humans. It reflects the DSSE payload, and is checked so
	// that the human-readable copy cannot diverge from the signed one.
	if err := prov.VerifyTextProvenance(); err != nil {
		return nil, nil, err
	}

	// Verify branch.
	// The branch, tag and versioned-tag checks below are enforced only when
	// the caller asked for them; with all three left nil, provenance built
	// from any git ref is accepted.
	if provenanceOpts.ExpectedBranch != nil {
		if err := prov.VerifyBranch(*provenanceOpts.ExpectedBranch); err != nil {
			return nil, nil, err
		}
	}

	// Verify the tag.
	if provenanceOpts.ExpectedTag != nil {
		if err := prov.VerifyTag(*provenanceOpts.ExpectedTag); err != nil {
			return nil, nil, err
		}
	}

	// Verify the versioned tag.
	if provenanceOpts.ExpectedVersionedTag != nil {
		if err := prov.VerifyVersionedTag(*provenanceOpts.ExpectedVersionedTag); err != nil {
			return nil, nil, err
		}
	}

	// Hand back the statement obtained from the verified provenance rather
	// than echoing the raw input bytes, so callers act only on checked content.
	content, err := prov.GetVerifiedIntotoStatement()
	if err != nil {
		return nil, nil, err
	}
	return content, builderID, nil
}