feat: add slsa v1?draft provenance experimental support (#470)

* feat: add slsa v1?draft provenance support

Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: Asra Ali <asraa@google.com>

cli/slsa-verifier/main.go

@@ -16,7 +16,6 @@ func check(err error) {
 	}
 }
 
-//nolint:deadcode
 func ExperimentalEnabled() bool {
 	return os.Getenv("SLSA_VERIFIER_EXPERIMENTAL") == "1"
 }

cli/slsa-verifier/verify.go

@@ -43,6 +43,7 @@ func verifyArtifactCmd() *cobra.Command {
 		Run: func(cmd *cobra.Command, args []string) {
 			v := verify.VerifyArtifactCommand{
 				ProvenancePath:      o.ProvenancePath,
+				BundlePath:          o.BundlePath,
 				SourceURI:           o.SourceURI,
 				PrintProvenance:     o.PrintProvenance,
 				BuildWorkflowInputs: o.BuildWorkflowInputs.AsMap(),
@@ -60,6 +61,21 @@ func verifyArtifactCmd() *cobra.Command {
 				v.BuilderID = &o.BuilderID
 			}
 
+			// In experimental mode, we allow either provenance or bundle path, but exactly
+			// one must be set. We already check to ensure that they are mutually exclusive.
+			if ExperimentalEnabled() {
+				if !(cmd.Flags().Changed("provenance-path") ||
+					cmd.Flags().Changed("bundle-path")) {
+					fmt.Fprintf(os.Stderr, "%s\n%s", cmd.UsageString(),
+						"exactly one of --provenance-path or --bundle-path must be supplied")
+					os.Exit(1)
+				}
+			} else if !cmd.Flags().Changed("provenance-path") {
+				// --provenance-path must be set.
+				fmt.Fprintf(os.Stderr, "%s\n%s\n", cmd.UsageString(), "--provenance-path must be supplied")
+				os.Exit(1)
+			}
+
 			if _, err := v.Exec(cmd.Context(), args); err != nil {
 				fmt.Fprintf(os.Stderr, "%s: %v\n", FAILURE, err)
 				os.Exit(1)
@@ -70,7 +86,6 @@ func verifyArtifactCmd() *cobra.Command {
 	}
 
 	o.AddFlags(cmd)
-	cmd.MarkFlagRequired("provenance-path")
 	return cmd
 }
 

cli/slsa-verifier/verify/options.go

@@ -39,6 +39,7 @@ type VerifyOptions struct {
 	BuilderID           string
 	/* Other */
 	ProvenancePath  string
+	BundlePath      string
 	PrintProvenance bool
 }
 
@@ -67,11 +68,17 @@ func (o *VerifyOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.ProvenancePath, "provenance-path", "",
 		"path to a provenance file")
 
+	cmd.Flags().StringVar(&o.BundlePath, "bundle-path", "",
+		"path to a Sigstore provenance bundle file containing offline information.")
+
 	cmd.Flags().BoolVar(&o.PrintProvenance, "print-provenance", false,
 		"[optional] print the verified provenance to stdout")
 
 	cmd.MarkFlagRequired("source-uri")
 	cmd.MarkFlagsMutuallyExclusive("source-versioned-tag", "source-tag")
+
+	// Enforce exactly one of --provenance-path and --bundle-path.
+	cmd.MarkFlagsMutuallyExclusive("provenance-path", "bundle-path")
 }
 
 type workflowInputs struct {

cli/slsa-verifier/verify/verify_artifact.go

@@ -30,6 +30,7 @@ import (
 // Note: nil branch, tag, version-tag and builder-id means we ignore them during verification.
 type VerifyArtifactCommand struct {
 	ProvenancePath      string
+	BundlePath          string
 	BuilderID           *string
 	SourceURI           string
 	SourceBranch        *string
@@ -62,10 +63,20 @@ func (c *VerifyArtifactCommand) Exec(ctx context.Context, artifacts []string) (*
 			ExpectedID: c.BuilderID,
 		}
 
-		provenance, err := os.ReadFile(c.ProvenancePath)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "Verifying artifact %s: FAILED: %v\n\n", artifact, err)
-			return nil, err
+		var provenance []byte
+		if c.ProvenancePath != "" {
+			provenance, err = os.ReadFile(c.ProvenancePath)
+			if err != nil {
+				fmt.Fprintf(os.Stderr, "Verifying artifact %s: FAILED: %v\n\n", artifact, err)
+				return nil, err
+			}
+		} else {
+			bundle, err := os.ReadFile(c.BundlePath)
+			if err != nil {
+				fmt.Fprintf(os.Stderr, "Verifying artifact %s: FAILED: %v\n\n", artifact, err)
+				return nil, err
+			}
+			provenanceOpts.ProvenanceBundle = bundle
 		}
 
 		verifiedProvenance, outBuilderID, err := verifiers.VerifyArtifact(ctx, provenance, artifactHash, provenanceOpts, builderOpts)

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/go-openapi/runtime v0.25.0
 	github.com/google/go-cmp v0.5.9
 	github.com/google/trillian v1.5.1-0.20220819043421-0a389c4bb8d9 // indirect
-	github.com/in-toto/in-toto-golang v0.6.0
+	github.com/in-toto/in-toto-golang v0.6.1-0.20230207212643-96dcb8c596fb
 	github.com/secure-systems-lab/go-securesystemslib v0.4.0
 	github.com/sigstore/rekor v1.0.1
 	github.com/sigstore/sigstore v1.5.1
@@ -23,21 +23,24 @@ require (
 	github.com/slsa-framework/slsa-github-generator v1.4.0
 	github.com/spf13/cobra v1.6.1
 	github.com/transparency-dev/merkle v0.0.1
-	golang.org/x/mod v0.7.0
+	golang.org/x/mod v0.8.0
 	sigs.k8s.io/release-utils v0.7.3
 )
 
 require (
 	filippo.io/edwards25519 v1.0.0 // indirect
+	github.com/Microsoft/go-winio v0.6.0 // indirect
 	github.com/digitorus/pkcs7 v0.0.0-20221212123742-001c36b64ec3 // indirect
 	github.com/digitorus/timestamp v0.0.0-20221019182153-ef3b63b79b31 // indirect
 	github.com/sigstore/timestamp-authority v0.2.1 // indirect
+	github.com/spiffe/go-spiffe/v2 v2.1.2 // indirect
+	github.com/zeebo/errs v1.3.0 // indirect
 	go.step.sm/crypto v0.23.1 // indirect
 )
 
 require (
 	bitbucket.org/creachadair/shell v0.0.7 // indirect
-	cloud.google.com/go/compute v1.14.0 // indirect
+	cloud.google.com/go/compute v1.15.1 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go v67.3.0+incompatible // indirect
@@ -82,12 +85,12 @@ require (
 	github.com/bgentry/speakeasy v0.1.0 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
-	github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21 // indirect
 	github.com/clbanning/mxj/v2 v2.5.6 // indirect
-	github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4 // indirect
-	github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490 // indirect
+	github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe // indirect
+	github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b // indirect
 	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.12.1 // indirect
 	github.com/coreos/go-oidc/v3 v3.5.0 // indirect
@@ -102,8 +105,8 @@ require (
 	github.com/docker/docker v20.10.21+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1 // indirect
-	github.com/envoyproxy/protoc-gen-validate v0.6.2 // indirect
+	github.com/envoyproxy/go-control-plane v0.10.3 // indirect
+	github.com/envoyproxy/protoc-gen-validate v0.9.1 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/fullstorydev/grpcurl v1.8.7 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
@@ -144,7 +147,7 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
-	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect
 	github.com/jhump/protoreflect v1.14.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
@@ -234,14 +237,14 @@ require (
 	golang.org/x/net v0.5.0 // indirect
 	golang.org/x/oauth2 v0.4.0 // indirect
 	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/sys v0.4.0 // indirect
+	golang.org/x/sys v0.5.0 // indirect
 	golang.org/x/term v0.4.0 // indirect
 	golang.org/x/text v0.6.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.5.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20230125152338-dcaf20b6aeaa // indirect
-	google.golang.org/grpc v1.52.3 // indirect
+	google.golang.org/genproto v0.0.0-20230202175211-008b39050e57 // indirect
+	google.golang.org/grpc v1.53.0 // indirect
 	google.golang.org/protobuf v1.28.1
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect