Skip to content

aquaproj/example-go-slsa-provenance

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

40 Commits

.github/workflows

.github/workflows

 
 

cmd/example-go-slsa-provenance

cmd/example-go-slsa-provenance

 
 

.envrc

.envrc

 
 

.gitignore

.gitignore

 
 

.goreleaser.yaml

.goreleaser.yaml

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

aqua-policy.yaml

aqua-policy.yaml

 
 

aqua.yaml

aqua.yaml

 
 

go.mod

go.mod

 
 

renovate.json

renovate.json

 
 

Repository files navigation

example-go-slsa-provenance

Example Go Application with SLSA Provenance.

SLSA Provenance multiple.intoto.jsonl is released in GitHub Releases.

GitHub Actions Workflow

release.yaml

How to verify

  1. Install slsa-verifier v2.
  2. Download asset and multiple.intoto.jsonl from GitHub Releases
  3. Execute slsa-verifier
slsa-verifier verify-artifact example-go-slsa-provenance_darwin_arm64.tar.gz \
  --provenance-path multiple.intoto.jsonl \
  --source-uri github.com/aquaproj/example-go-slsa-provenance \
  --source-tag v0.1.2

👍 Passed.

Verified signature against tlog entry index 9476343 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a92eb2665ca9575614bc6b0833267eca755ca5d2e8d5a563c2b70c310dad3c0f6
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.4.0 at commit 4581df55e03c5155801ad10b88b19e42f99d8861
PASSED: Verified SLSA provenance

Let's verify example-go-slsa-provenance v0.1.1. Assets of this version were tamperred intentionally for demonstrating SLSA Verification.

slsa-verifier verify-artifact example-go-slsa-provenance_darwin_arm64.tar.gz \
  --provenance-path multiple.intoto.jsonl \
  --source-uri github.com/aquaproj/example-go-slsa-provenance \
  --source-tag v0.1.1

👍 The verification failed expectedly.

Verified signature against tlog entry index 9476343 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a92eb2665ca9575614bc6b0833267eca755ca5d2e8d5a563c2b70c310dad3c0f6
FAILED: SLSA verification failed: expected tag 'refs/tags/v0.1.1', got 'refs/tags/v0.1.2': tag used to generate the binary does not match provenance
Usage:
  slsa-verifier verify-artifact [flags]

Flags:
      --build-workflow-input map[]    [optional] a workflow input provided by a user at trigger time in the format 'key=value'. (Only for 'workflow_dispatch' events on GitHub Actions). (default map[])
      --builder-id string             the unique builder ID who created the provenance
  -h, --help                          help for verify-artifact
      --print-provenance              print the verified provenance to stdout
      --provenance-path string        path to a provenance file
      --source-branch string          [optional] expected branch the binary was compiled from
      --source-tag string             [optional] expected tag the binary was compiled from
      --source-uri string             expected source repository that should have produced the binary, e.g. github.com/some/repo
      --source-versioned-tag string   [optional] expected version the binary was compiled from. Uses semantic version to match the tag

expected tag 'refs/tags/v0.1.1', got 'refs/tags/v0.1.2': tag used to generate the binary does not match provenance

LICENSE

MIT

About

Example Go Application with SLSA Provenance

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

3 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases 7

v0.1.3 Latest
Jan 6, 2023
+ 6 releases

Packages

No packages published

Contributors 2

  •  
  •  

Languages