719def4bbb
Bumps [github.com/google/cel-go](https://github.com/google/cel-go) from 0.25.0 to 0.26.0. - [Release notes](https://github.com/google/cel-go/releases) - [Commits](https://github.com/google/cel-go/compare/v0.25.0...v0.26.0) --- updated-dependencies: - dependency-name: github.com/google/cel-go dependency-version: 0.26.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|---|---|---|
| .github | ||
| cmd | ||
| layouts | ||
| parameters | ||
| test-data | ||
| test-data-npm | ||
| test-data-npm-raw | ||
| test-data-raw | ||
| verifier | ||
| .gitignore | ||
| CODEOWNERS | ||
| LICENSE | ||
| README.md | ||
| go.mod | ||
| go.sum | ||
| main.go | ||
README.md
in-toto/attestation-verifier
This is a prototype of verification capabilities introduced in in-toto enhancements 10 and 11. This verifier must not be used in production systems.
Usage
Install using go install. Assuming $GOPATH/bin is in your path, you should
be able to invoke the verifier using attestation-verifier.
Example
The example layout has three steps: clone, test, and build.
The clone step is represented with an in-toto link
predicate,
the test step with an in-toto test-result
predicate,
and the build step with a SLSA Provenance
predicate.
The test and build steps match their materials with the products of the clone
step. Additionally, each step definition in the layout has some additional
attribute checks.
$ attestation-verifier -l layouts/layout.yml -a test-data
INFO[0000] Verifying layout expiry...
INFO[0000] Done.
INFO[0000] Fetching verifiers...
INFO[0000] Creating verifier for key fe1c6281c5ff13e35286cc67e5a1fb3e6575b840a6c39ca4267d3805eb17288a
INFO[0000] Done.
INFO[0000] Loading attestations as claims...
INFO[0000] Done.
INFO[0000] Verifying claim for step 'clone' of type 'https://in-toto.io/attestation/link/v0.3' by 'fe1c6281c5ff13e35286cc67e5a1fb3e6575b840a6c39ca4267d3805eb17288a'...
INFO[0000] Applying material rules...
INFO[0000] Evaluating rule `DISALLOW *`...
INFO[0000] Applying product rules...
INFO[0000] Evaluating rule `CREATE foo`...
INFO[0000] Evaluating rule `DISALLOW *`...
INFO[0000] Applying attribute rules...
INFO[0000] Evaluating rule `predicate.command == ['git', 'clone', 'https://example.com/foo.git']`...
INFO[0000] Done.
INFO[0000] Verifying claim for step 'test' of type 'https://in-toto.io/attestation/test-result/v0.1' by 'fe1c6281c5ff13e35286cc67e5a1fb3e6575b840a6c39ca4267d3805eb17288a'...
INFO[0000] Applying material rules...
INFO[0000] Evaluating rule `MATCH foo WITH products FROM clone`...
INFO[0000] Evaluating rule `DISALLOW *`...
INFO[0000] Applying product rules...
INFO[0000] Applying attribute rules...
INFO[0000] Evaluating rule `size(predicate.failedTests) == 0`...
INFO[0000] Evaluating rule `predicate.result == 'PASSED'`...
INFO[0000] Evaluating rule `size(subject) != 0`...
INFO[0000] Done.
INFO[0000] Verifying claim for step 'build' of type 'https://slsa.dev/provenance/v1' by 'fe1c6281c5ff13e35286cc67e5a1fb3e6575b840a6c39ca4267d3805eb17288a'...
INFO[0000] Applying material rules...
INFO[0000] Evaluating rule `MATCH foo WITH products FROM clone`...
INFO[0000] Evaluating rule `DISALLOW *`...
INFO[0000] Applying product rules...
INFO[0000] Evaluating rule `CREATE bin/foo`...
INFO[0000] Evaluating rule `DISALLOW *`...
INFO[0000] Applying attribute rules...
INFO[0000] Evaluating rule `predicate.buildDefinition.buildType == 'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1'`...
INFO[0000] Evaluating rule `predicate.runDetails.builder.id == 'https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.7.0'`...
INFO[0000] Done.
INFO[0000] Verification successful!