From bc1d2971a367a0d1fc6b84fc660d188a60d0bebb Mon Sep 17 00:00:00 2001 From: Asra Ali Date: Thu, 21 Jul 2022 11:49:53 -0500 Subject: [PATCH 1/4] remove signing certificate output Signed-off-by: Asra Ali --- README.md | 8 -------- main.go | 7 ------- 2 files changed, 15 deletions(-) diff --git a/README.md b/README.md index 6cb848861..8cba49e50 100644 --- a/README.md +++ b/README.md @@ -78,14 +78,6 @@ $ go run . --help ```bash $ go run . -artifact-path ~/Downloads/slsa-verifier-linux-amd64 -provenance ~/Downloads/slsa-verifier-linux-amd64.intoto.jsonl -source github.com/slsa-framework/slsa-verifier -tag v1.1.1 Verified signature against tlog entry index 2727751 at URL: https://rekor.sigstore.dev/api/v1/log/entries/8f3d898ef17d9c4c028fe3da09fb786c900bf786361e75432f325b4848fdba24 -Signing certificate information: - { - "caller": "slsa-framework/slsa-verifier", - "commit": "5875b0a74f4c04e1f123a3ad81d6c7c5a86860ce", - "job_workflow_ref": "/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.1.1", - "trigger": "push", - "issuer": "https://token.actions.githubusercontent.com" -} PASSED: Verified SLSA provenance ``` diff --git a/main.go b/main.go index 0457b3670..18ab1c9b7 100644 --- a/main.go +++ b/main.go @@ -5,7 +5,6 @@ import ( "crypto/sha256" "encoding/base64" "encoding/hex" - "encoding/json" "flag" "fmt" "io" @@ -48,12 +47,6 @@ func verify(ctx context.Context, return nil, err } - b, err := json.MarshalIndent(workflowInfo, "", "\t") - if err != nil { - return nil, err - } - fmt.Fprintf(os.Stderr, "Signing certificate information:\n %s\n", b) - // Verify the workflow identity. if err := pkg.VerifyWorkflowIdentity(workflowInfo, source); err != nil { return nil, err From 44239250118242f6c4558b6d7862291445b07465 Mon Sep 17 00:00:00 2001 From: Asra Ali Date: Thu, 21 Jul 2022 11:53:10 -0500 Subject: [PATCH 2/4] add verified Signed-off-by: Asra Ali --- main.go | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/main.go b/main.go index 18ab1c9b7..db85ec7ca 100644 --- a/main.go +++ b/main.go @@ -58,6 +58,9 @@ func verify(ctx context.Context, return nil, err } + fmt.Fprintf(os.Stderr, "Verified build using builder https://github.com%s at commit %s\n", + workflowInfo.JobWobWorkflowRef, + workflowInfo.CallerHash) // Return verified provenance. return base64.StdEncoding.DecodeString(env.Payload) } From cef1c632ba70ac8e2f40508c0d0e32c3f0a77496 Mon Sep 17 00:00:00 2001 From: Asra Ali Date: Thu, 21 Jul 2022 11:54:50 -0500 Subject: [PATCH 3/4] update readme Signed-off-by: Asra Ali --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 8cba49e50..833973d9a 100644 --- a/README.md +++ b/README.md @@ -78,6 +78,7 @@ $ go run . --help ```bash $ go run . -artifact-path ~/Downloads/slsa-verifier-linux-amd64 -provenance ~/Downloads/slsa-verifier-linux-amd64.intoto.jsonl -source github.com/slsa-framework/slsa-verifier -tag v1.1.1 Verified signature against tlog entry index 2727751 at URL: https://rekor.sigstore.dev/api/v1/log/entries/8f3d898ef17d9c4c028fe3da09fb786c900bf786361e75432f325b4848fdba24 +Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.1.0 at commit 76a59d8413f27259b97298da91bbb6511fc775d1 PASSED: Verified SLSA provenance ``` From f56f880e4004d0fa5827ba80a8f2937949d1bf4f Mon Sep 17 00:00:00 2001 From: Asra Ali Date: Fri, 22 Jul 2022 09:54:59 -0500 Subject: [PATCH 4/4] add error message about pem Signed-off-by: Asra Ali --- pkg/rekor.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkg/rekor.go b/pkg/rekor.go index ccb508622..fce42dc95 100644 --- a/pkg/rekor.go +++ b/pkg/rekor.go 
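Review bot: The new stderr line labels both the builder ref and the commit as "Verified", but the only check visible in this series is VerifyWorkflowIdentity(workflowInfo, source) from the previous patch, which by its arguments pins the workflow identity against -source; nothing in view compares workflowInfo.CallerHash with anything the user supplied, so "at commit %s" reads as a stronger claim than the tool appears to make. Unless VerifyWorkflowIdentity (its body is outside this hunk) also validates the hash, reword the message to state only what was checked, e.g. `"Verified build using builder https://github.com%s (certificate reports source commit %s)\n"`, or add `// Builder identity was verified above; the commit hash is reported from the certificate, not independently verified.` above the Fprintf. Both values are certificate-derived strings written raw to the terminal, so `%q` would render an unexpected or control-character value visibly rather than letting the terminal interpret it. The field name JobWobWorkflowRef looks like a typo for JobWorkflowRef; if that is the declared name, a rename belongs in a separate change. The enclosing verify function starts and ends outside this hunk.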
@@ -244,6 +244,9 @@ func extractCert(e *models.LogEntryAnon) (*x509.Certificate, error) {
 }
 
 func intotoEntry(certPem []byte, provenance []byte) (*intotod.V001Entry, error) {
+ if len(certPem) == 0 {
+ return nil, fmt.Errorf("no signing certificate found in intoto envelope")
+ }
 cert := strfmt.Base64(certPem)
 return &intotod.V001Entry{
 IntotoObj: models.IntotoV001Schema{
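Review bot: The new guard returns an ad-hoc fmt.Errorf with no format verbs, so callers cannot distinguish "no certificate" from any other failure of this function; a package-level sentinel, `var ErrNoSigningCertificate = errors.New("no signing certificate found in intoto envelope")`, returned here as `return nil, ErrNoSigningCertificate`, lets the caller use errors.Is and keeps the message in one place (add the errors import if the file does not already have it). The hunk leaves the `provenance` parameter unchecked, so an empty payload still reaches the entry construction below; `if len(provenance) == 0 { return nil, fmt.Errorf("empty provenance payload") }` next to the new check would fail as early and as clearly. The check only tests for zero length, not that the bytes are PEM, and the following line appears to pass certPem straight through as a strfmt.Base64 value, so a comment on the function such as `// certPem is forwarded as opaque base64; its PEM structure is not validated here.` would stop readers from taking the new guard for a format check. The body of intotoEntry continues past the end of this hunk.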