This repository contains the implementation for verifying SLSA provenance. It currently supports verifying provenance generated by the SLSA generator for Go projects. We are working on support for verifying provenance for other ecosystems.
You have two options to install the verifier.
$ go install github.com/slsa-framework/[email protected]
$ slsa-verifier <options>
$ git clone [email protected]:slsa-framework/slsa-verifier.git
$ cd slsa-verifier && git checkout tags/v0.0.1
$ go run . <options>
Download the binary from the latest release at https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.0.0
Download the SHA256SUM.md.
Verify the checksum:
$ sha256sum -c --strict SHA256SUM.md
slsa-verifier-linux-amd64: OK
Below is a list of options currently supported. Note that signature verification is handled seamlessly without the need for developers to manipulate public keys.
$ git clone [email protected]:slsa-framework/slsa-verifier.git
$ go run . --help
Usage of ./slsa-verifier:
-artifact-path string
path to an artifact to verify
-branch string
expected branch the binary was compiled from (default "main")
-print-provenance
output the verified provenance
-provenance string
path to a provenance file
-source string
expected source repository that should have produced the binary, e.g. github.com/some/repo
-tag string
[optional] expected tag the binary was compiled from
-versioned-tag string
[optional] expected version the binary was compiled from. Uses semantic version to match the tag$ go run . -artifact-path ~/Downloads/slsa-verifier-linux-amd64 -provenance ~/Downloads/slsa-verifier-linux-amd64.intoto.jsonl -source github.com/slsa-framework/slsa-verifier -tag v1.0.0
Verified signature against tlog entry index 2592016 at URL: https://rekor.sigstore.dev/api/v1/log/entries/d77621eaf1de74592546f773192f49ed995e8b12f2e5eeed02057ae32b24aa95
Signing certificate information:
{
"caller": "slsa-framework/slsa-verifier",
"commit": "c1b6db643d6134285dc929206fdcfa3712a877eb",
"job_workflow_ref": "/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v0.0.1",
"trigger": "push",
"issuer": "https://token.actions.githubusercontent.com"
}
PASSED: Verified SLSA provenanceThe verified in-toto statement may be written to stdout with the --print-provenance flag to pipe into policy engines.
Find our blog post series here.
For a more in-depth technical dive, read the SPECIFICATIONS.md.