github/slsa-verifier
1
0
Fork 0
mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-05-07 09:06:35 +00:00
Code Issues Packages Projects Releases Wiki Activity
45 Commits 40 Branches 45 Tags
v1.0.0
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE

README.md

Verification of SLSA provenance

This repository contains the implementation for verifying SLSA provenance. It currently supports verifying provenance generated by the SLSA generator for Go projects. We are working on support for verifying provenance for other ecosystems.

Installation

Verification of provenance

Technical design

Installation

You have two options to install the verifier.

Compilation from source

Option 1: Install via go

$ go install github.com/slsa-framework/slsa-verifier@v1.0.0
$ slsa-verifier <options>

Option 2: Compile manually

$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ cd slsa-verifier && git checkout tags/v0.0.1
$ go run . <options>

Download the binary

Download the binary from the latest release at https://github.com/slsa-framework/slsa-verifier/releases/tag/v0.0.1

Download the SHA256SUM.md.

Verify the checksum:

$ sha256sum -c --strict SHA256SUM.md
  slsa-verifier-linux-amd64: OK

Verification of Provenance

Available options

Below is a list of options currently supported. Note that signature verification is handled seamlessly without the need for developers to manipulate public keys.

$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ go run . --help
 Usage of ./slsa-verifier:
  -artifact-path string
    	path to an artifact to verify
  -branch string
    	expected branch the binary was compiled from (default "main")
  -provenance string
    	path to a provenance file
  -source string
    	expected source repository that should have produced the binary, e.g. github.com/some/repo
  -tag string
    	[optional] expected tag the binary was compiled from
  -versioned-tag string
    	[optional] expected version the binary was compiled from. Uses semantic version to match the tag

Example

$ go run . --artifact-path ~/Downloads/binary-linux-amd64 --provenance ~/Downloads/binary-linux-amd64.intoto.jsonl --source github.com/origin/repo

Verified against tlog entry 1544571
verified SLSA provenance produced at 
 {
        "caller": "origin/repo",
        "commit": "0dfcd24824432c4ce587f79c918eef8fc2c44d7b",
        "job_workflow_ref": "/slsa-framework/slsa-github-generator/blob/main/.github/workflows/builder_go_slsa3.yml",
        "trigger": "workflow_dispatch",
        "issuer": "https://token.actions.githubusercontent.com"
}
{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2","subject":[{"name":"binary-linux-amd64","digest":{"sha256":"723ccb85318bc8b1a9dd29340612ce1268cd3418d70f68e775edbdc16d1d9158"}}],"predicate":{...}}
successfully verified SLSA provenance

The verified in-toto statement is written to stdout and can be used to pipe into policy engines.

Technical design

Blog post

Find our blog post series here.

Specifications

For a more in-depth technical dive, read the SPECIFICATIONS.md.

Reference in New Issue View Git Blame Copy Permalink
Description
Verify provenance from SLSA compliant builders
Readme Apache-2.0 118 MiB
Languages
Go 96.1%
TypeScript 1.3%
Java 1%
Shell 0.9%
Makefile 0.6%