slsa-verifier icon indicating copy to clipboard operation
slsa-verifier copied to clipboard

Published 20 hours ago verified publisher icon slsa-framework

Support verification of generic builders

Open netomi opened this issue 1 year ago • 9 comments

Right now the slsa-verifier is designed around a closed-world assumption, i.e. it can validate attestations generated by known builders and rejects attestations for unknown builders.

Ideally, there would be a set of generic requirements that must be fulfilled by any SLSA compliant builder which can be verified by the slsa-verifier in order to conclude if the given attestation is valid.

This would help to work on other builders.

netomi avatar Jan 11 '24 19:01 netomi

Thanks for the issue. @ramonpetgrave64 Can you give an overview of a solution that you'd like to see? We've considered using an internal cue / rego or other policy engine so that users with private builders can more easily integrate new builders in slsa-verifier. Would that be god enough or not?

I think it'd be useful to have one tool to verify many builders, as it improves UX for end-users

laurentsimon avatar Jan 13 '24 01:01 laurentsimon

I dont have a technical solution in mind as of now, but wanted to create this ticket to raise awareness that we will need some kind of generic way to verify attestations generated from different builders unless you put all the burden to the user to figure out by himself how artifacts with attestations can be verified.

netomi avatar Jan 31 '24 18:01 netomi

Would something like an interface https://github.com/slsa-framework/slsa-verifier/blob/main/verifiers/internal/gcb/slsaprovenance/iface/provenance.go help?

Do you imagine some sort of plugin mechanism or a way for developers to extend the slsa-verifier with a fork where they add their own code, eg via an interface as above?

@ramonpetgrave64

laurentsimon avatar Feb 12 '24 17:02 laurentsimon

What kinds of unknown builders are you thinking? Are they still github actions?

ramonpetgrave64 avatar Feb 13 '24 18:02 ramonpetgrave64

They may be builder for CircleCI or others, even private builder. So there are not GitHub based

laurentsimon avatar Feb 13 '24 20:02 laurentsimon

I would also like to see this. While the SLSA data formats themselves are generic and pretty well documented, the infrastructure around is quite use-case specific.

I'm considering generating provenance attestation data in KAS. The implementation is quite straight-forward, but testing this is nearly impossible as I can only verify the data with my own tooling. By that, I can't be sure to correctly generate the "statement" and the DSSEv1 "envelope". This makes it impossible to check interoperability. Also a lot of documentation, tooling and end-to-end examples are still based on the in-toto v0.1 spec (link format), which is not very helpful.

For a wider adoption of in-toto / SLSA, it would tremendously help to have a generic tool that works on information passed on the command line:

  • take at least one artifact file as input (corresponds to "subject")
  • take a DSSEv1 envelope as input + some params for checking the signature (like a GPG keyid, PEM file, ...)

The tool should check the following:

  • the signature is correct
  • the resource descriptors are syntactically valid
  • the attestation format is a well-known one
  • For well-known formats, also check if the format is syntactically valid

fmoessbauer avatar Mar 24 '24 17:03 fmoessbauer

Will any of you attend the OSS@NA in Seattle next month?

laurentsimon avatar Mar 25 '24 15:03 laurentsimon

Will any of you attend the OSS@NA in Seattle next month?

I will be at the co-located "Embedded OSS Summit". Let's meet.

fmoessbauer avatar Mar 26 '24 10:03 fmoessbauer

Great. How do we get in touch? Slack? Email?

laurentsimon avatar Mar 26 '24 21:03 laurentsimon