feat: Verify all artifacts passed in cmdline (slsa-framework#419)
* Remove limit of number of artifacts to verify

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Update short description

Mention that we support multiple artifacts as long as they come from the
same provenance.

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Verify all artifacts passed in cmdline

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Remove header of verify step output

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Format the `cobra.Command.Use` argument

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Don't return a slice of builderIDs.

Since all images should come from the same provenance file, there's an
invariant that we will always get exactly one builderID. So, no need to
return a slice of them.

Just to preempt the case when the invariant would be broken, add a
specific check.

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Change existing tests to support multiple artifacts.

No new tests added, just changing table test data type.

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* [nfc] Format test file

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Change test to allow passing multiple artifacts.

For now, just allow passing the entire array of artifacts to command
line / arguments. The functionality should still be the same.

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Fix typo

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Fix path to test artifacts

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Allow different provenance path

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Try 2 artifacts from existing testdata

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Add more tests for multiple artifacts

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Add failing test

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Fix artifact and error

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Add final test: no artifact match

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

* Update README.md

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>

Signed-off-by: Mihai Maruseac <mihaimaruseac@google.com>
mihaimaruseac authored Dec 29, 2022
1 parent 19030f3 commit e20f3cc
Showing 4 changed files with 220 additions and 137 deletions.
29 changes: 26 additions & 3 deletions README.md
Expand Up @@ -156,13 +156,13 @@ Below is a list of options currently supported for binary blobs and container im
```bash
$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ go run ./cli/slsa-verifier/ verify-artifact --help
Verifies SLSA provenance on an artifact blob
Verifies SLSA provenance on artifact blobs given as arguments (assuming same provenance)

Usage:
slsa-verifier verify-artifact [flags]
slsa-verifier verify-artifact [flags] artifact [artifact..]

Flags:
--build-workflow-input map[] [optional] a workflow input provided by a user at trigger time in the format 'key=value'. (Only for 'workflow_dispatch' events). (default map[])
--build-workflow-input map[] [optional] a workflow input provided by a user at trigger time in the format 'key=value'. (Only for 'workflow_dispatch' events on GitHub Actions). (default map[])
--builder-id string [optional] the unique builder ID who created the provenance
-h, --help help for verify-artifact
--print-provenance [optional] print the verified provenance to stdout
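Review bot: the new `Use` string `slsa-verifier verify-artifact [flags] artifact [artifact..]` uses two dots for the repeated positional argument; the conventional ellipsis is `[artifact...]`, so change it to `slsa-verifier verify-artifact [flags] artifact [artifact...]`. The new short description is also terse for a first-line help string: "(assuming same provenance)" does not say what the user has to provide. Consider "Verifies SLSA provenance on one or more artifact blobs, all of which must be subjects of the provenance given by --provenance-path".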
Expand All @@ -173,6 +173,8 @@ Flags:
--source-versioned-tag string [optional] expected version the binary was compiled from. Uses semantic version to match the tag
```

Multiple artifacts can be passed to `verify-artifact`. As long as they are all covered by the same provenance file, the verification will succeed.

### Option details

The following options are available:
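Review bot: the added sentence "As long as they are all covered by the same provenance file, the verification will succeed" overstates the guarantee. Being covered by the same provenance file is necessary, but verification still fails if any other check (source URI, builder ID, tag or versioned-tag options) does not hold for that provenance. Suggest: "Multiple artifacts can be passed to `verify-artifact`. They must all be subjects of the same provenance file; every other check applies to that provenance as usual."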
Expand Down Expand Up @@ -205,6 +207,27 @@ The verified in-toto statement may be written to stdout with the `--print-proven

Only GitHub URIs are supported with the `--source-uri` flag. A tag should not be specified, even if the provenance was built at some tag. If you intend to do source versioning validation, use `--print-provenance` and inspect the commit SHA of the config source or materials.

Multiple artifacts built from the same GitHub builder can be verified in the same command, by passing them in the same command line as arguments:

```bash
$ slsa-verifier verify-artifact \
--provenance-path /tmp/demo/multiple.intoto.jsonl \
--source-uri github.com/mihaimaruseac/example \
/tmp/demo/fib /tmp/demo/hello

Verified signature against tlog entry index 9712459 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a1544828b67bb5a2335f7e0d01c504a32ceb6f3a8814ed12c8f1b222d308bd9e8
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.4.0 at commit 11fab87c5ee6f46c6f5e68f6c5378c62ce1ca77c
Verifying artifact /tmp/demo/fib: PASSED

Verified signature against tlog entry index 9712459 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a1544828b67bb5a2335f7e0d01c504a32ceb6f3a8814ed12c8f1b222d308bd9e8
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.4.0 at commit 11fab87c5ee6f46c6f5e68f6c5378c62ce1ca77c
Verifying artifact /tmp/demo/hello: PASSED

PASSED: Verified SLSA provenance
```

The only requirement is that the provenance file covers all artifacts passed as arguments in the command line (that is, they are a subset of `subject` field in the provenance file).

### Containers

This is WIP and currently not supported.
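Review bot: the intro line "Multiple artifacts built from the same GitHub builder can be verified in the same command" states a weaker condition than the one given at the end of the section (same provenance file); as written it suggests artifacts from different provenance files of the same builder can be mixed, so tighten it to "covered by the same provenance file". The failure mode is also missing next to the success example: the commit adds a "no artifact match" test, so state explicitly that a single artifact absent from `subject` makes the whole command fail with a non-zero exit and no partial PASSED. In the sample output the tlog-entry and builder lines are repeated for each artifact; if the provenance is verified once, printing them once would be less noisy, and if it is re-verified per artifact, that is worth saying. Finally, "a subset of `subject` field" should say what being covered means (equality of the artifact's sha256 digest with a subject digest, or also name equality), since the example passes absolute paths such as /tmp/demo/fib and readers will wonder whether the path has to match the subject name.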
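The README text in this commit says that all artifacts passed on the command line must be a subset of the provenance's `subject` field, and the commit message adds a test for the case where no artifact matches. The following is an added example, written for this page and not slsa-verifier's own code, of that all-or-nothing subject check in Go. It assumes the in-toto Statement has already been authenticated (DSSE signature and Rekor verification are out of scope here), uses the `subject[].name` and `subject[].digest.sha256` field names from the in-toto attestation spec, and matches artifacts by sha256 digest only; the `VerifyArtifacts` and `sampleStatement` names and the byte strings standing in for the `fib` and `hello` binaries are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Minimal view of an in-toto Statement: only the fields the subject check
// needs. Field names follow the in-toto attestation spec. This is an added
// example, not slsa-verifier code.
type subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

type statement struct {
	Type          string    `json:"_type"`
	PredicateType string    `json:"predicateType"`
	Subject       []subject `json:"subject"`
}

// artifactDigest returns the hex SHA-256 of an artifact's contents.
func artifactDigest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// subjectDigests builds a lookup from sha256 digest to subject name for every
// subject in the statement. A statement without subjects, or a subject without
// a sha256 digest, is rejected rather than silently matching nothing.
func subjectDigests(stmtJSON []byte) (map[string]string, error) {
	var stmt statement
	if err := json.Unmarshal(stmtJSON, &stmt); err != nil {
		return nil, fmt.Errorf("parsing statement: %w", err)
	}
	if len(stmt.Subject) == 0 {
		return nil, fmt.Errorf("statement has no subjects")
	}
	digests := make(map[string]string, len(stmt.Subject))
	for _, s := range stmt.Subject {
		d, ok := s.Digest["sha256"]
		if !ok || d == "" {
			return nil, fmt.Errorf("subject %q has no sha256 digest", s.Name)
		}
		digests[d] = s.Name
	}
	return digests, nil
}

// VerifyArtifacts checks every artifact (keyed by path) against the subject
// set of an already-authenticated statement. It is all-or-nothing: one
// artifact not covered by the statement fails the whole call, mirroring the
// "subset of subject" requirement. On success it returns path -> subject name.
func VerifyArtifacts(stmtJSON []byte, artifacts map[string][]byte) (map[string]string, error) {
	digests, err := subjectDigests(stmtJSON)
	if err != nil {
		return nil, err
	}
	matched := make(map[string]string, len(artifacts))
	for path, content := range artifacts {
		d := artifactDigest(content)
		name, ok := digests[d]
		if !ok {
			return nil, fmt.Errorf("artifact %s (sha256 %s) is not a subject of the provenance", path, d)
		}
		matched[path] = name
	}
	return matched, nil
}

// sampleStatement builds a constructed statement whose subjects are the given
// name -> contents pairs. Constructed test data, not a real provenance.
func sampleStatement(covered map[string][]byte) []byte {
	stmt := statement{
		Type:          "https://in-toto.io/Statement/v0.1",
		PredicateType: "https://slsa.dev/provenance/v0.2",
	}
	for name, content := range covered {
		stmt.Subject = append(stmt.Subject, subject{
			Name:   name,
			Digest: map[string]string{"sha256": artifactDigest(content)},
		})
	}
	out, _ := json.Marshal(stmt)
	return out
}

func main() {
	// Constructed stand-ins for the fib and hello binaries from the README.
	fib := []byte("constructed fib binary\n")
	hello := []byte("constructed hello binary\n")
	stmt := sampleStatement(map[string][]byte{"fib": fib, "hello": hello})

	// Both artifacts are subjects: the call succeeds.
	matched, err := VerifyArtifacts(stmt, map[string][]byte{"/tmp/demo/fib": fib, "/tmp/demo/hello": hello})
	fmt.Println(matched, err)

	// One artifact is not a subject: the whole verification fails.
	_, err = VerifyArtifacts(stmt, map[string][]byte{"/tmp/demo/fib": fib, "/tmp/demo/other": []byte("not covered\n")})
	fmt.Println(err)
}
```

Matching is by digest, so the paths passed on the command line never need to equal the subject names; the returned map shows which subject each path resolved to, which is what a caller would print as the per-artifact `PASSED` line.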