
Test for `--print-provenance` option

Open laurentsimon opened this issue 2 years ago • 5 comments

We don't have tests for these. For GCB, it's particularly important since multiple provenances may be contained in the gcloud provenance.

laurentsimon avatar Dec 05 '22 17:12 laurentsimon

/cc @asraa

laurentsimon avatar Dec 05 '22 18:12 laurentsimon

Good point. It seems like we probably do the right thing. We currently set the provenance printed statement to the v01IntotoStatement. This doesn't include the human readable summary in the exterior wrapping. It also shouldn't include the slsaPredicate that's there for backwards compatibility, since that won't be included in the v01IntotoStatement.

That being said, I was taking a look at verification and it looks like the algorithm used is a signature over the entire b64 encoded payload in the envelope, rather than the PAE of the contents.

asraa avatar Dec 05 '22 18:12 asraa

We can test out that slsaPredicate was NOT included (but note, it IS signed over).

I think the signing algorithm/PAE difference is a spec incompatibility.

asraa avatar Dec 05 '22 18:12 asraa
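To make the PAE point above concrete, here is an added Go example (not slsa-verifier's or GCB's code) that contrasts a signature over the raw base64 payload with a signature over the DSSE pre-authentication encoding of the same in-toto statement. The statement is constructed, and ed25519 stands in for whatever key type the real signer uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strconv"
)

// Constructed minimal in-toto v0.1 statement with a SLSA predicate type (digest is a placeholder).
const statement = `{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2","subject":[{"name":"app","digest":{"sha256":"<placeholder-digest>"}}],"predicate":{}}`

const payloadType = "application/vnd.in-toto+json"

// pae builds the DSSE pre-authentication encoding:
// "DSSEv1" SP len(type) SP type SP len(payload) SP payload
func pae(payloadType string, payload []byte) []byte {
	return []byte("DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType + " " +
		strconv.Itoa(len(payload)) + " " + string(payload))
}

// verifyDSSE checks the signature against PAE(type, payload), as the DSSE spec requires.
func verifyDSSE(pub ed25519.PublicKey, payloadType string, payload, sig []byte) bool {
	return ed25519.Verify(pub, pae(payloadType, payload), sig)
}

// signRawB64 signs the base64-encoded payload bytes themselves (the non-spec scheme discussed above).
func signRawB64(priv ed25519.PrivateKey, payload []byte) []byte {
	return ed25519.Sign(priv, []byte(base64.StdEncoding.EncodeToString(payload)))
}

// verifyRawB64 checks a signature made by signRawB64.
func verifyRawB64(pub ed25519.PublicKey, payload, sig []byte) bool {
	return ed25519.Verify(pub, []byte(base64.StdEncoding.EncodeToString(payload)), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte(statement)
	sig := signRawB64(priv, payload)
	// The same signature is valid under one scheme and invalid under the other:
	// a verifier that only implements DSSE PAE will reject a raw-base64 signature.
	fmt.Println("raw base64 verify:", verifyRawB64(pub, payload, sig))
	fmt.Println("DSSE PAE verify:  ", verifyDSSE(pub, payloadType, payload, sig))
}
```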

I think I misunderstood you: multiple provenances actually meant multiple in the lists of provenance. Got it! Ignore my first statements.

asraa avatar Dec 05 '22 21:12 asraa

This is relevant https://github.com/slsa-framework/slsa-verifier/issues/382#issuecomment-1343081652

laurentsimon avatar Dec 08 '22 17:12 laurentsimon