feat: add slsa v1?draft provenance experimental support #470

Merged
merged 4 commits into from
Feb 9, 2023
1 change: 0 additions & 1 deletion cli/slsa-verifier/main.go
@@ -16,7 +16,6 @@ func check(err error) {
}
}

//nolint:deadcode
func ExperimentalEnabled() bool {
return os.Getenv("SLSA_VERIFIER_EXPERIMENTAL") == "1"
}
17 changes: 16 additions & 1 deletion cli/slsa-verifier/verify.go
@@ -43,6 +43,7 @@ func verifyArtifactCmd() *cobra.Command {
Run: func(cmd *cobra.Command, args []string) {
v := verify.VerifyArtifactCommand{
ProvenancePath: o.ProvenancePath,
BundlePath: o.BundlePath,
SourceURI: o.SourceURI,
PrintProvenance: o.PrintProvenance,
BuildWorkflowInputs: o.BuildWorkflowInputs.AsMap(),
@@ -60,6 +61,21 @@ func verifyArtifactCmd() *cobra.Command {
v.BuilderID = &o.BuilderID
}

// In experimental mode, we allow either provenance or bundle path, but exactly
// one must be set. We already check to ensure that they are mutually exclusive.
if ExperimentalEnabled() {
if !(cmd.Flags().Changed("provenance-path") ||
cmd.Flags().Changed("bundle-path")) {
Contributor

I'm curious if we want another option for this or simply re-use provenance-path?
Does a new option require users to be "aware" of the "type" of provenance file they want to verify? Is this OK?

Contributor Author

Hmm good point, from our perspective we will be having generators that may output DSSE or sigstore bundle, and clients may still want a uniform interface rather than switching over the extension type.

I can update to allow that -- we'll have to test unmarshal both to figure out the right type, but it will actually clean up the interface.

Member

I thought about this too but didn't comment since I figured that having separate options has the benefit of avoiding format type detection logic. If all types have the same security implications then probably it's fine, but if one format could be more secure than others then we might have to worry about downgrades.

Contributor Author

#462

So long as we turn this option on by default the same content is present and same validations will occur. So let's definitely resolve this one before releasing.

fmt.Fprintf(os.Stderr, "%s\n%s", cmd.UsageString(),
"exactly one of --provenance-path or --bundle-path must be supplied")
os.Exit(1)
}
} else if !cmd.Flags().Changed("provenance-path") {
// --provenance-path must be set.
fmt.Fprintf(os.Stderr, "%s\n%s\n", cmd.UsageString(), "--provenance-path must be supplied")
os.Exit(1)
}

if _, err := v.Exec(cmd.Context(), args); err != nil {
fmt.Fprintf(os.Stderr, "%s: %v\n", FAILURE, err)
os.Exit(1)
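Review bot: the two usage-error branches format their messages inconsistently: the experimental branch uses `fmt.Fprintf(os.Stderr, "%s\n%s", cmd.UsageString(), ...)` and omits the trailing newline that the `--provenance-path must be supplied` branch includes, so the bundle message runs into whatever is printed next; use `"%s\n%s\n"` in both. The comment above the block says exactly one of the two paths must be set, but this block only catches the neither-set case and relies on the mutual-exclusion rule registered in options.go for the both-set case, which the comment should state. Outside experimental mode a user who passes only `--bundle-path` is told `--provenance-path must be supplied` with no hint that bundles require `SLSA_VERIFIER_EXPERIMENTAL=1`; a dedicated message for that case would avoid the confusion.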
@@ -70,7 +86,6 @@ func verifyArtifactCmd() *cobra.Command {
}

o.AddFlags(cmd)
cmd.MarkFlagRequired("provenance-path")
return cmd
}
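Review bot: removing `cmd.MarkFlagRequired("provenance-path")` means cobra no longer marks the flag as required in generated usage and shell completion, and the requirement now exists only in the Run function. That is acceptable for the experimental toggle, but `--bundle-path` stays visible in `--help` even when it is rejected; consider hiding it with pflag's `MarkHidden` unless `ExperimentalEnabled()` is true, or saying in its help text that it is experimental.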

7 changes: 7 additions & 0 deletions cli/slsa-verifier/verify/options.go
@@ -39,6 +39,7 @@ type VerifyOptions struct {
BuilderID string
/* Other */
ProvenancePath string
BundlePath string
PrintProvenance bool
}

@@ -67,11 +68,17 @@ func (o *VerifyOptions) AddFlags(cmd *cobra.Command) {
cmd.Flags().StringVar(&o.ProvenancePath, "provenance-path", "",
"path to a provenance file")

cmd.Flags().StringVar(&o.BundlePath, "bundle-path", "",
"path to a Sigstore provenance bundle file containing offline information.")

cmd.Flags().BoolVar(&o.PrintProvenance, "print-provenance", false,
"[optional] print the verified provenance to stdout")

cmd.MarkFlagRequired("source-uri")
cmd.MarkFlagsMutuallyExclusive("source-versioned-tag", "source-tag")

// Enforce exactly one of --provenance-path and --bundle-path.
cmd.MarkFlagsMutuallyExclusive("provenance-path", "bundle-path")
}

type workflowInputs struct {
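Review bot: the comment `// Enforce exactly one of --provenance-path and --bundle-path.` overstates what `MarkFlagsMutuallyExclusive` does: it only rejects supplying both, and the at-least-one check lives in verify.go, so reword it to "at most one". The new help string also departs from its neighbours (trailing period, no `[optional]` tag) and does not mention that the flag only takes effect in experimental mode; aligning it with `"[optional] print the verified provenance to stdout"` and naming the mode would help users reading `--help`.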
19 changes: 15 additions & 4 deletions cli/slsa-verifier/verify/verify_artifact.go
@@ -30,6 +30,7 @@ import (
// Note: nil branch, tag, version-tag and builder-id means we ignore them during verification.
type VerifyArtifactCommand struct {
ProvenancePath string
BundlePath string
BuilderID *string
SourceURI string
SourceBranch *string
@@ -62,10 +63,20 @@ func (c *VerifyArtifactCommand) Exec(ctx context.Context, artifacts []string) (*
ExpectedID: c.BuilderID,
}

provenance, err := os.ReadFile(c.ProvenancePath)
if err != nil {
fmt.Fprintf(os.Stderr, "Verifying artifact %s: FAILED: %v\n\n", artifact, err)
return nil, err
var provenance []byte
if c.ProvenancePath != "" {
provenance, err = os.ReadFile(c.ProvenancePath)
if err != nil {
fmt.Fprintf(os.Stderr, "Verifying artifact %s: FAILED: %v\n\n", artifact, err)
return nil, err
}
} else {
bundle, err := os.ReadFile(c.BundlePath)
if err != nil {
fmt.Fprintf(os.Stderr, "Verifying artifact %s: FAILED: %v\n\n", artifact, err)
return nil, err
}
provenanceOpts.ProvenanceBundle = bundle
}

verifiedProvenance, outBuilderID, err := verifiers.VerifyArtifact(ctx, provenance, artifactHash, provenanceOpts, builderOpts)
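Review bot: `Exec` is an exported method on `VerifyArtifactCommand`, so a library caller can construct it with both `ProvenancePath` and `BundlePath` empty or both set; this block then either silently prefers the provenance path or calls `os.ReadFile("")` and reports an unhelpful open error. Return an explicit error here when neither or both are set instead of relying on the CLI layer's flag checks. In the bundle branch `provenance` stays nil and is still passed to `verifiers.VerifyArtifact`, so that function is being relied on to reject a nil envelope when `ProvenanceBundle` is also nil; a comment stating that contract would help future readers. Minor: `bundle, err :=` shadows the outer `err` while the sibling branch assigns to it, and the two identical `Verifying artifact %s: FAILED` prints could share a helper.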
29 changes: 16 additions & 13 deletions go.mod
@@ -7,7 +7,7 @@ require (
github.com/go-openapi/runtime v0.25.0
github.com/google/go-cmp v0.5.9
github.com/google/trillian v1.5.1-0.20220819043421-0a389c4bb8d9 // indirect
github.com/in-toto/in-toto-golang v0.6.0
github.com/in-toto/in-toto-golang v0.6.1-0.20230207212643-96dcb8c596fb
github.com/secure-systems-lab/go-securesystemslib v0.4.0
github.com/sigstore/rekor v1.0.1
github.com/sigstore/sigstore v1.5.1
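Review bot: `github.com/in-toto/in-toto-golang` moves from the tagged `v0.6.0` to the pseudo-version `v0.6.1-0.20230207212643-96dcb8c596fb`, i.e. an untagged upstream commit. That is reasonable for experimental support, but please add a TODO to return to a tagged release before bundle verification is enabled by default, since pseudo-versions are harder to audit against upstream release notes and advisories.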
@@ -23,21 +23,24 @@ require (
github.com/slsa-framework/slsa-github-generator v1.4.0
github.com/spf13/cobra v1.6.1
github.com/transparency-dev/merkle v0.0.1
golang.org/x/mod v0.7.0
golang.org/x/mod v0.8.0
sigs.k8s.io/release-utils v0.7.3
)

require (
filippo.io/edwards25519 v1.0.0 // indirect
github.com/Microsoft/go-winio v0.6.0 // indirect
github.com/digitorus/pkcs7 v0.0.0-20221212123742-001c36b64ec3 // indirect
github.com/digitorus/timestamp v0.0.0-20221019182153-ef3b63b79b31 // indirect
github.com/sigstore/timestamp-authority v0.2.1 // indirect
github.com/spiffe/go-spiffe/v2 v2.1.2 // indirect
github.com/zeebo/errs v1.3.0 // indirect
go.step.sm/crypto v0.23.1 // indirect
)

require (
bitbucket.org/creachadair/shell v0.0.7 // indirect
cloud.google.com/go/compute v1.14.0 // indirect
cloud.google.com/go/compute v1.15.1 // indirect
cloud.google.com/go/compute/metadata v0.2.3 // indirect
github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect
github.com/Azure/azure-sdk-for-go v67.3.0+incompatible // indirect
@@ -82,12 +85,12 @@ require (
github.com/bgentry/speakeasy v0.1.0 // indirect
github.com/blang/semver v3.5.1+incompatible // indirect
github.com/cenkalti/backoff/v4 v4.1.3 // indirect
github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
github.com/cespare/xxhash/v2 v2.1.2 // indirect
github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect
github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21 // indirect
github.com/clbanning/mxj/v2 v2.5.6 // indirect
github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4 // indirect
github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490 // indirect
github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe // indirect
github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b // indirect
github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
github.com/containerd/stargz-snapshotter/estargz v0.12.1 // indirect
github.com/coreos/go-oidc/v3 v3.5.0 // indirect
@@ -102,8 +105,8 @@ require (
github.com/docker/docker v20.10.21+incompatible // indirect
github.com/docker/docker-credential-helpers v0.7.0 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1 // indirect
github.com/envoyproxy/protoc-gen-validate v0.6.2 // indirect
github.com/envoyproxy/go-control-plane v0.10.3 // indirect
github.com/envoyproxy/protoc-gen-validate v0.9.1 // indirect
github.com/fsnotify/fsnotify v1.6.0 // indirect
github.com/fullstorydev/grpcurl v1.8.7 // indirect
github.com/ghodss/yaml v1.0.0 // indirect
@@ -144,7 +147,7 @@ require (
github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/imdario/mergo v0.3.12 // indirect
github.com/inconshreveable/mousetrap v1.0.1 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect
github.com/jhump/protoreflect v1.14.0 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
@@ -234,14 +237,14 @@ require (
golang.org/x/net v0.5.0 // indirect
golang.org/x/oauth2 v0.4.0 // indirect
golang.org/x/sync v0.1.0 // indirect
golang.org/x/sys v0.4.0 // indirect
golang.org/x/sys v0.5.0 // indirect
golang.org/x/term v0.4.0 // indirect
golang.org/x/text v0.6.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.5.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20230125152338-dcaf20b6aeaa // indirect
google.golang.org/grpc v1.52.3 // indirect
google.golang.org/genproto v0.0.0-20230202175211-008b39050e57 // indirect
google.golang.org/grpc v1.53.0 // indirect
google.golang.org/protobuf v1.28.1
gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect