Skip to content

Latest commit

 

History

History
93 lines (70 loc) · 3.51 KB

README.md

File metadata and controls

93 lines (70 loc) · 3.51 KB

Verification of SLSA provenance

This repository contains the implementation for verifying SLSA provenance. It currently supports verifying provenance generated by the SLSA generator for Go projects. We are working on support for verifying provenance for other ecosystems.

Installation

Verification of provenance

Technical design

Installation

You have two options to install the verifier.

Compilation from source

Option 1: Install via go

$ go install github.com/slsa-framework/slsa-verifier/cli/slsa-verifier@v1.3.0
$ slsa-verifier <options>

Option 2: Compile manually

$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ cd slsa-verifier && git checkout v1.3.0
$ go run ./cli/slsa-verifier <options>

Download the binary

Download the binary from the latest release at https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.3.0

Download the SHA256SUM.md.

Verify the checksum:

$ sha256sum -c --strict SHA256SUM.md
  slsa-verifier-linux-amd64: OK

Verification of Provenance

Available options

Below is a list of options currently supported. Note that signature verification is handled seamlessly without the need for developers to manipulate public keys.

$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ go run ./cli/slsa-verifier --help
 Usage of ./slsa-verifier:
  -artifact-path string
    	path to an artifact to verify
  -branch string
    	expected branch the binary was compiled from (default "main")
  -print-provenance
    	output the verified provenance
  -provenance string
    	path to a provenance file
  -source string
    	expected source repository that should have produced the binary, e.g. github.com/some/repo
  -tag string
    	[optional] expected tag the binary was compiled from
  -versioned-tag string
    	[optional] expected version the binary was compiled from. Uses semantic version to match the tag

Example

$ go run ./cli/slsa-verifier -artifact-path ~/Downloads/slsa-verifier-linux-amd64 -provenance ~/Downloads/slsa-verifier-linux-amd64.intoto.jsonl -source github.com/slsa-framework/slsa-verifier -tag v1.3.0
Verified signature against tlog entry index 3189970 at URL: https://rekor.sigstore.dev/api/v1/log/entries/206071d5ca7a2346e4db4dcb19a648c7f13b4957e655f4382b735894059bd199
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.2.0 at commit 5bb13ef508b2b8ded49f9264d7712f1316830d10
PASSED: Verified SLSA provenance

The verified in-toto statement may be written to stdout with the --print-provenance flag to pipe into policy engines.

Technical design

Blog post

Find our blog post series here.

Specifications

For a more in-depth technical dive, read the SPECIFICATIONS.md.