This repository contains the implementation for verifying SLSA provenance. It currently supports verifying provenance generated by the SLSA generator for Go projects. We are working on support for verifying provenance for other ecosystems.
You have two options to install the verifier.
$ go install github.com/slsa-framework/slsa-verifier/cli/slsa-verifier@v1.3.0
$ slsa-verifier <options>
$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ cd slsa-verifier && git checkout v1.3.0
$ go run ./cli/slsa-verifier <options>
Download the binary from the latest release at https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.3.0
Download the SHA256SUM.md.
Verify the checksum:
$ sha256sum -c --strict SHA256SUM.md
slsa-verifier-linux-amd64: OK
We currently support artifact verification (for binary blobs) and container images.
Below is a list of options currently supported for binary blobs and container images. Note that signature verification is handled seamlessly without the need for developers to manipulate public keys. See Available options for details on the options exposed to validate the provenance.
$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ go run ./cli/slsa-verifier/ verify-artifact --help
Verifies SLSA provenance on an artifact blob
Usage:
slsa-verifier verify-artifact [flags]
Flags:
--build-workflow-input map[] [optional] a workflow input provided by a user at trigger time in the format 'key=value'. (Only for 'workflow_dispatch' events). (default map[])
--builder-id string EXPERIMENTAL: the unique builder ID who created the provenance
-h, --help help for verify-artifact
--print-provenance print the verified provenance to stdout
--provenance-path string path to a provenance file
--source-branch string [optional] expected branch the binary was compiled from
--source-tag string [optional] expected tag the binary was compiled from
--source-uri string expected source repository that should have produced the binary, e.g. github.com/some/repo
--source-versioned-tag string [optional] expected version the binary was compiled from. Uses semantic version to match the tag$ go run ./cli/slsa-verifier -provenance-path ~/Downloads/slsa-verifier-linux-amd64.intoto.jsonl --source-uri github.com/slsa-framework/slsa-verifier --source-tag v1.3.0 ~/Downloads/slsa-verifier-linux-amd64
Verified signature against tlog entry index 3189970 at URL: https://rekor.sigstore.dev/api/v1/log/entries/206071d5ca7a2346e4db4dcb19a648c7f13b4957e655f4382b735894059bd199
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.2.0 at commit 5bb13ef508b2b8ded49f9264d7712f1316830d10
PASSED: Verified SLSA provenanceThe verified in-toto statement may be written to stdout with the --print-provenance flag to pipe into policy engines.
The following options are supported for SLSA GitHub builders and generators:
| Option | Description |
|---|---|
source-uri |
Expects a source, for e.g. github.com/org/repo. |
source-branch |
Expects a branch like main or dev. Not supported for all GitHub Workflow triggers. |
source-tag |
Expects a tag like v0.0.1. Verifies exact tag used to create the binary. NSupported for new tag and release triggers. |
source-versioned-tag |
Like tag, but verifies using semantic versioning. |
build-workflow-input |
Expects key-value pairs like key=value to match against inputs for GitHub Actions workflow_dispatch triggers. |
Find our blog post series here.
For a more in-depth technical dive, read the SPECIFICATIONS.md.