Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/in-toto/attestation-verifier
Prototype in-toto attestation verifier based on ITE-10 and ITE-11 layouts
in-toto
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/in-toto/attestation-verifier
- Owner: in-toto
- License: other
- Created: 2023-05-16T15:46:04.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-05-23T19:04:33.000Z (8 months ago)
- Last Synced: 2024-05-28T17:18:40.339Z (8 months ago)
- Topics: in-toto
- Language: Go
- Homepage:
- Size: 248 KB
- Stars: 13
- Watchers: 4
- Forks: 6
- Open Issues: 7
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: CODEOWNERS
README
# in-toto/attestation-verifier
This is a **prototype** of the verification capabilities introduced in in-toto
enhancements [10](https://github.com/in-toto/ITE/blob/master/ITE/10/README.adoc)
and [11](https://github.com/in-toto/ITE/pull/50). This verifier must not be used
in production systems.

## Usage

Install using `go install`. Assuming `$GOPATH/bin` is in your path, you should
be able to invoke the verifier using `attestation-verifier`.

## Example
The example [layout](layout.yml) has three steps: `clone`, `test`, and `build`.
The clone step is represented with an [in-toto link
predicate](https://github.com/in-toto/attestation/blob/main/spec/predicates/link.md),
the test step with an [in-toto test-result
predicate](https://github.com/in-toto/attestation/blob/main/spec/predicates/test-result.md),
and the build step with a [SLSA Provenance
predicate](https://github.com/in-toto/attestation/blob/main/spec/predicates/provenance.md).
The test and build steps match their `foo` material against the `foo` product
of the clone step, so every step consumes the same checked-out source tree. Each
step definition in the layout also carries attribute checks on the step's
predicate, which the verifier evaluates after the artifact rules.

```bash
$ attestation-verifier -l layouts/layout.yml -a test-data
INFO[0000] Verifying layout expiry...
INFO[0000] Done.
INFO[0000] Fetching verifiers...
INFO[0000] Creating verifier for key fe1c6281c5ff13e35286cc67e5a1fb3e6575b840a6c39ca4267d3805eb17288a
INFO[0000] Done.
INFO[0000] Loading attestations as claims...
INFO[0000] Done.
INFO[0000] Verifying claim for step 'clone' of type 'https://in-toto.io/attestation/link/v0.3' by 'fe1c6281c5ff13e35286cc67e5a1fb3e6575b840a6c39ca4267d3805eb17288a'...
INFO[0000] Applying material rules...
INFO[0000] Evaluating rule `DISALLOW *`...
INFO[0000] Applying product rules...
INFO[0000] Evaluating rule `CREATE foo`...
INFO[0000] Evaluating rule `DISALLOW *`...
INFO[0000] Applying attribute rules...
INFO[0000] Evaluating rule `predicate.command == ['git', 'clone', 'https://example.com/foo.git']`...
INFO[0000] Done.
INFO[0000] Verifying claim for step 'test' of type 'https://in-toto.io/attestation/test-result/v0.1' by 'fe1c6281c5ff13e35286cc67e5a1fb3e6575b840a6c39ca4267d3805eb17288a'...
INFO[0000] Applying material rules...
INFO[0000] Evaluating rule `MATCH foo WITH products FROM clone`...
INFO[0000] Evaluating rule `DISALLOW *`...
INFO[0000] Applying product rules...
INFO[0000] Applying attribute rules...
INFO[0000] Evaluating rule `size(predicate.failedTests) == 0`...
INFO[0000] Evaluating rule `predicate.result == 'PASSED'`...
INFO[0000] Evaluating rule `size(subject) != 0`...
INFO[0000] Done.
INFO[0000] Verifying claim for step 'build' of type 'https://slsa.dev/provenance/v1' by 'fe1c6281c5ff13e35286cc67e5a1fb3e6575b840a6c39ca4267d3805eb17288a'...
INFO[0000] Applying material rules...
INFO[0000] Evaluating rule `MATCH foo WITH products FROM clone`...
INFO[0000] Evaluating rule `DISALLOW *`...
INFO[0000] Applying product rules...
INFO[0000] Evaluating rule `CREATE bin/foo`...
INFO[0000] Evaluating rule `DISALLOW *`...
INFO[0000] Applying attribute rules...
INFO[0000] Evaluating rule `predicate.buildDefinition.buildType == 'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1'`...
INFO[0000] Evaluating rule `predicate.runDetails.builder.id == 'https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.7.0'`...
INFO[0000] Done.
INFO[0000] Verification successful!
```
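The log above shows the order the prototype works in: layout expiry, verifier (key) lookup, attestation loading, then per step the material rules, product rules and attribute rules. The following Go program is an added illustration of the artifact-rule part only; it is not the project's own code and it uses a deliberately simplified rule model: `MATCH <pattern> WITH <materials|products> FROM <step>`, `CREATE <pattern>` and `DISALLOW <pattern>` are applied in order, each rule consumes the artifacts it can justify, and whatever `DISALLOW` still finds fails the step (this follows classic in-toto artifact-rule semantics; whether ITE-10/11 differ in corner cases is not something this example checks). The step names, rule lists, and the `d1`/`d2` digests are constructed to mirror the README's `layout.yml`, not read from the repository's test data, and the claims are assumed to have already passed signature verification.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Digests maps an artifact name to its digest (sha256 hex in real attestations).
type Digests map[string]string

// Rule is one artifact rule from a layout step:
//   CREATE <pattern>
//   DISALLOW <pattern>
//   MATCH <pattern> WITH (materials|products) FROM <step>
type Rule struct {
	Verb     string // MATCH, CREATE or DISALLOW
	Pattern  string // glob; "*" also crosses "/" (assumption, fnmatch style)
	Kind     string // MATCH only: "materials" or "products" of the source step
	FromStep string // MATCH only: name of the source step
}

// Claim is the artifact view of one step's already signature-verified attestation.
type Claim struct {
	Materials Digests
	Products  Digests
}

// Step is a layout step: rules for its materials and rules for its products.
type Step struct {
	Name          string
	MaterialRules []Rule
	ProductRules  []Rule
}

// globMatch treats "*" as any run of characters, "/" included, so that
// "DISALLOW *" also covers nested paths such as "bin/foo".
func globMatch(pattern, name string) bool {
	re := "^" + strings.ReplaceAll(regexp.QuoteMeta(pattern), `\*`, ".*") + "$"
	return regexp.MustCompile(re).MatchString(name)
}

// applyRules walks the rules in order. A rule consumes every still-unconsumed
// artifact it can justify; DISALLOW fails on any matching artifact left over.
// MATCH consumes only when the same name carries the same digest in the source
// step; CREATE consumes only when the artifact is absent from the own materials.
func applyRules(rules []Rule, own Claim, set Digests, claims map[string]Claim) error {
	remaining := map[string]bool{}
	for name := range set {
		remaining[name] = true
	}
	for _, r := range rules {
		var names []string
		for name := range remaining {
			if globMatch(r.Pattern, name) {
				names = append(names, name)
			}
		}
		sort.Strings(names) // deterministic error messages
		for _, name := range names {
			switch r.Verb {
			case "MATCH":
				src, ok := claims[r.FromStep]
				if !ok {
					return fmt.Errorf("rule references step %q with no claim", r.FromStep)
				}
				source := src.Products
				if r.Kind == "materials" {
					source = src.Materials
				}
				if source[name] == set[name] {
					delete(remaining, name)
				}
			case "CREATE":
				if _, preexisting := own.Materials[name]; !preexisting {
					delete(remaining, name)
				}
			case "DISALLOW":
				return fmt.Errorf("artifact %q (digest %s) not justified by any rule before DISALLOW %s",
					name, set[name], r.Pattern)
			default:
				return fmt.Errorf("unknown rule verb %q", r.Verb)
			}
		}
	}
	return nil
}

// verifyLayout checks every step in layout order; a step without a claim fails.
func verifyLayout(steps []Step, claims map[string]Claim) error {
	for _, s := range steps {
		c, ok := claims[s.Name]
		if !ok {
			return fmt.Errorf("step %q: no attestation", s.Name)
		}
		if err := applyRules(s.MaterialRules, c, c.Materials, claims); err != nil {
			return fmt.Errorf("step %q materials: %w", s.Name, err)
		}
		if err := applyRules(s.ProductRules, c, c.Products, claims); err != nil {
			return fmt.Errorf("step %q products: %w", s.Name, err)
		}
	}
	return nil
}

// exampleLayout mirrors the artifact rules printed in the README's log.
func exampleLayout() []Step {
	matchClone := Rule{Verb: "MATCH", Pattern: "foo", Kind: "products", FromStep: "clone"}
	disallowAll := Rule{Verb: "DISALLOW", Pattern: "*"}
	return []Step{
		{Name: "clone", MaterialRules: []Rule{disallowAll},
			ProductRules: []Rule{{Verb: "CREATE", Pattern: "foo"}, disallowAll}},
		{Name: "test", MaterialRules: []Rule{matchClone, disallowAll}},
		{Name: "build", MaterialRules: []Rule{matchClone, disallowAll},
			ProductRules: []Rule{{Verb: "CREATE", Pattern: "bin/foo"}, disallowAll}},
	}
}

// constructedClaims are made-up digests standing in for the attestations in test-data/.
func constructedClaims(buildInputDigest string) map[string]Claim {
	return map[string]Claim{
		"clone": {Materials: Digests{}, Products: Digests{"foo": "d1"}},
		"test":  {Materials: Digests{"foo": "d1"}, Products: Digests{}},
		"build": {Materials: Digests{"foo": buildInputDigest}, Products: Digests{"bin/foo": "d2"}},
	}
}

func main() {
	fmt.Println("honest chain:", verifyLayout(exampleLayout(), constructedClaims("d1")))
	fmt.Println("tampered build input:", verifyLayout(exampleLayout(), constructedClaims("evil")))
}
```

The second call shows why `DISALLOW *` matters: a build whose `foo` material does not carry the clone step's digest is not rejected by `MATCH` itself (the rule simply fails to consume the artifact), it is rejected because the unconsumed artifact then hits `DISALLOW *`. A layout that omits the trailing `DISALLOW` lets unexpected materials and products through silently.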