Skip to content

cdris/slsa-verifier

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

92 Commits
.github
.github
 
 
pkg
pkg
 
 
testdata
testdata
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
RELEASE.md
RELEASE.md
 
 
SHA256SUM.md
SHA256SUM.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 
main_test.go
main_test.go
 
 
renovate.json
renovate.json
 
 

Repository files navigation

Verification of SLSA provenance

This repository contains the implementation for verifying SLSA provenance. It currently supports verifying provenance generated by the SLSA generator for Go projects. We are working on support for verifying provenance for other ecosystems.

Installation

Verification of provenance

Technical design

Installation

You have two options to install the verifier.

Compilation from source

Option 1: Install via go

$ go install github.com/slsa-framework/[email protected]
$ slsa-verifier <options>

Option 2: Compile manually

$ git clone [email protected]:slsa-framework/slsa-verifier.git
$ cd slsa-verifier && git checkout v1.2.0
$ go run . <options>

Download the binary

Download the binary from the latest release at https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.2.0

Download the SHA256SUM.md.

Verify the checksum:

$ sha256sum -c --strict SHA256SUM.md
  slsa-verifier-linux-amd64: OK

Verification of Provenance

Available options

Below is a list of options currently supported. Note that signature verification is handled seamlessly without the need for developers to manipulate public keys.

$ git clone [email protected]:slsa-framework/slsa-verifier.git
$ go run . --help
 Usage of ./slsa-verifier:
  -artifact-path string
    	path to an artifact to verify
  -branch string
    	expected branch the binary was compiled from (default "main")
  -print-provenance
    	output the verified provenance
  -provenance string
    	path to a provenance file
  -source string
    	expected source repository that should have produced the binary, e.g. github.com/some/repo
  -tag string
    	[optional] expected tag the binary was compiled from
  -versioned-tag string
    	[optional] expected version the binary was compiled from. Uses semantic version to match the tag

Example

$ go run . -artifact-path ~/Downloads/slsa-verifier-linux-amd64 -provenance ~/Downloads/slsa-verifier-linux-amd64.intoto.jsonl -source github.com/slsa-framework/slsa-verifier -tag v1.2.0
Verified signature against tlog entry index 3027785 at URL: https://rekor.sigstore.dev/api/v1/log/entries/0cdff5b6a013379f9c1c5c6c598ad73c60de5acd969ba70ea2e874098b6e789f
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.1.1 at commit fb9aeaf6384fd588e56ad90978fe025b3fd44849
PASSED: Verified SLSA provenance

The verified in-toto statement may be written to stdout with the --print-provenance flag to pipe into policy engines.

Technical design

Blog post

Find our blog post series here.

Specifications

For a more in-depth technical dive, read the SPECIFICATIONS.md.

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

7 tags

Packages

No packages published

Languages

  • Go 100.0%