slsa-verifier/README.md

# Verification of SLSA provenance
This repository contains the implementation for verifying [SLSA provenance](https://slsa.dev/). It currently supports verifying provenance generated by the [SLSA generator for Go projects](https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/builder_go_slsa3.yml). We are working on support for verifying provenance for other ecosystems.

________
[Installation](#installation)
- [Compilation from source](#compilation-from-source)
- [Download the binary](#download-the-binary)

[Verification of provenance](#verification-of-provenance)
- [Available options](#available-options)
- [Example](#example)

[Technical design](#technial-design)
- [Blog posts](#blog-posts)
- [Specifications](#specifications)
________

## Installation

You have two options to install the verifier.

### Compilation from source

#### Option 1: Install via go
```
$ go install github.com/slsa-framework/slsa-verifier@v1.0.0
$ slsa-verifier <options>
```

#### Option 2: Compile manually
```
$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ cd slsa-verifier && git checkout tags/v0.0.1
$ go run . <options>
```

### Download the binary

Download the binary from the latest release at [https://github.com/slsa-framework/slsa-verifier/releases/tag/v0.0.1](https://github.com/slsa-framework/slsa-verifier/releases/tag/v0.0.1)

Download the [SHA256SUM.md](https://github.com/slsa-framework/slsa-verifier/blob/main/SHA256SUM.md).

Verify the checksum:

```
$ sha256sum -c --strict SHA256SUM.md
  slsa-verifier-linux-amd64: OK
```

## Verification of Provenance

### Available options

Below is a list of options currently supported. Note that signature verification is handled seamlessly without the need for developers to manipulate public keys.

```bash
$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ go run . --help
 Usage of ./slsa-verifier:
  -artifact-path string
    	path to an artifact to verify
  -branch string
    	expected branch the binary was compiled from (default "main")
  -provenance string
    	path to a provenance file
  -source string
    	expected source repository that should have produced the binary, e.g. github.com/some/repo
  -tag string
    	[optional] expected tag the binary was compiled from
  -versioned-tag string
    	[optional] expected version the binary was compiled from. Uses semantic version to match the tag
```

### Example

```bash
$ go run . --artifact-path ~/Downloads/binary-linux-amd64 --provenance ~/Downloads/binary-linux-amd64.intoto.jsonl --source github.com/origin/repo

Verified against tlog entry 1544571
verified SLSA provenance produced at 
 {
        "caller": "origin/repo",
        "commit": "0dfcd24824432c4ce587f79c918eef8fc2c44d7b",
        "job_workflow_ref": "/slsa-framework/slsa-github-generator/blob/main/.github/workflows/builder_go_slsa3.yml",
        "trigger": "workflow_dispatch",
        "issuer": "https://token.actions.githubusercontent.com"
}
{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2","subject":[{"name":"binary-linux-amd64","digest":{"sha256":"723ccb85318bc8b1a9dd29340612ce1268cd3418d70f68e775edbdc16d1d9158"}}],"predicate":{...}}
successfully verified SLSA provenance
```

The verified in-toto statement is written to stdout and can be used to pipe into policy engines. 

## Technical design

### Blog post
Find our blog post series [here](https://security.googleblog.com/2022/04/improving-software-supply-chain.html).

### Specifications
For a more in-depth technical dive, read the [SPECIFICATIONS.md](https://github.com/slsa-framework/slsa-github-generator/blob/main/SPECIFICATIONS.md).