├── .github ├── actions │ ├── scai-gen-assert │ │ └── action.yml │ ├── scai-gen-rd │ │ └── action.yml │ ├── scai-gen-report │ │ └── action.yml │ └── scai-gen-sigstore │ │ └── action.yml ├── dependabot.yml └── workflows │ ├── lint.yml │ ├── test-e2e-flow.yml │ └── test-sigstore-integration.yml ├── .gitignore ├── .golangci.yml ├── CODEOWNERS ├── LICENSE ├── Makefile ├── README.md ├── coverity-output.txt ├── docs ├── intro.md ├── obj-reference.md └── usage.md ├── examples ├── .gitignore ├── README.md ├── gcc-helloworld │ ├── README.md │ ├── hello-world.c │ ├── metadata │ │ ├── cmd-annotation.json │ │ ├── hello-world.scai.json │ │ ├── stack-protection-assertion.json │ │ └── stack-protector-conditions.json │ ├── run-example.sh │ └── run-go-example.sh ├── hermetic-evidence │ ├── README.md │ ├── metadata │ │ ├── attestations │ │ │ ├── bad-build.1f575092.json │ │ │ └── build.1f575092.json │ │ ├── hermetic-annotation.json │ │ ├── hermetic-build.scai.json │ │ ├── is-hermetic-assertion.json │ │ ├── non-hermetic-assertion.json │ │ ├── non-hermetic-build.scai.json │ │ ├── pdo_client_wawaka.provenance.json │ │ └── strace.log │ ├── run-example.sh │ └── run-go-example.sh ├── run-container-examples-e2e.sh ├── sbom+slsa │ ├── README.md │ ├── metadata │ │ ├── attestations │ │ │ ├── build.452e628a.json │ │ │ └── evidence-collection.1f575092.json │ │ ├── container-img-desc.json │ │ ├── evidence-collection.scai.json │ │ ├── has-sbom-assertion.json │ │ ├── has-slsa-assertion.json │ │ ├── pdo_client_wawaka.provenance.json │ │ ├── pdo_client_wawaka.spdx.json │ │ ├── provenance-annotation.json │ │ └── slsa-provenance.json │ ├── run-example.sh │ └── run-go-example.sh ├── secure-boot │ ├── README.md │ ├── metadata │ │ ├── keylime_quote.json │ │ ├── mb-refstate-assertion.json │ │ ├── mb-refstate-desc.json │ │ ├── measured_boot_reference_state.json │ │ ├── secure-boot-assertion.json │ │ ├── secure-boot.scai.json │ │ ├── tpm-quote-desc.json │ │ └── tpm-ref-value.scai.json │ ├── run-example.sh │ └── run-go-example.sh └── vuln-scan │ ├── .gitignore │ ├── README.md │ ├── metadata │ ├── no-vuln.scai.json │ └── no-vulns-assertion.json │ └── run-go-example.sh ├── fuzzing ├── .coverage ├── fuzz-output.txt ├── run-fuzz.sh └── scai_fuzz.py ├── go.mod ├── go.sum ├── kccncna2023-demo ├── README.md ├── attestations │ ├── build.452e628a.json │ └── evidence-collection.1f575092.json ├── evidence-files │ └── build.452e628a.json ├── images │ └── intoto-kccncna2023-demo.png ├── policies │ ├── has-slsa.yml │ └── layout.yml └── verification-flow.sh ├── layouts ├── local_build.yml └── pdo_client_wawaka.yml ├── policies ├── has-slsa.yml ├── hermetic-evidence-fail.yml └── hermetic-evidence.yml ├── python ├── .gitignore ├── README.md ├── scai_generator │ ├── __init__.py │ ├── cli │ │ ├── __init__.py │ │ ├── gen_attr_assertion.py │ │ ├── gen_report.py │ │ └── gen_resource_desc.py │ └── utility.py └── setup.py ├── requirements.txt ├── scai-gen ├── Makefile ├── README.md ├── cmd │ ├── assert.go │ ├── check.go │ ├── rd.go │ ├── report.go │ ├── root.go │ └── sigstore.go ├── main.go └── pkg │ ├── fileio │ ├── common.go │ ├── dsse.go │ ├── map.go │ └── pb.go │ ├── generators │ ├── scai.go │ └── v1.go │ └── policy │ ├── attestation.go │ ├── checks.go │ └── plaintext.go └── scail-bandit-output.txt /.github/actions/scai-gen-assert/action.yml: -------------------------------------------------------------------------------- 1 | name: "SCAI AttributeAssertion generator" 2 | description: "Generates a SCAI AttributeAssertion with evidence" 3 | inputs: 4 | attribute: 5 | description: "The attribute being asserted" 6 | required: true 7 | evidence-file: 8 | description: "The file containing the evidence. This action assumes the evidence was an artifact uploaded during a previous step, unless otherwise specified." 9 | required: true 10 | evidence-path: 11 | description: "The path to the evidence file. Defaults to GITHUB_WORKSPACE." 12 | required: false 13 | default: "$GITHUB_WORKSPACE" 14 | evidence-type: 15 | description: "The media type of the evidence" 16 | required: optional 17 | default: "application/json" 18 | download-evidence: 19 | description: "Flag to download the evidence artifact" 20 | required: false 21 | default: 'true' 22 | assertion-name: 23 | description: "The artifact name of the unsigned SCAI AttributeAssertion. The file must have the .json extension. Defaults to -assert.json when not specified." 24 | required: false 25 | default: "scai-assertion.json" 26 | assertion-path: 27 | description: "The path to save the generated assertion" 28 | default: "$GITHUB_WORKSPACE/temp" 29 | outputs: 30 | assertion-name: 31 | description: "Filename of the generated AttributeAssertion" 32 | value: ${{ steps.scai-gen-assert.outputs.assertion-name }} 33 | 34 | runs: 35 | using: "composite" 36 | steps: 37 | - name: Get the evidence artifact 38 | id: get-evidence 39 | if: ${{ inputs.download-evidence == 'true' }} 40 | uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 41 | with: 42 | name: "${{ inputs.evidence-file }}" 43 | 44 | - name: Generate ResourceDescriptor for evidence 45 | id: gen-rd 46 | # change to v0.2 tag when released 47 | uses: in-toto/scai-demos/.github/actions/scai-gen-rd@main 48 | with: 49 | name: "${{ inputs.evidence-file }}" 50 | path: "${{ inputs.evidence-path }}" 51 | media-type: "${{ inputs.evidence-type }}" 52 | rd-name: "${{ inputs.evidence-file }}-desc.json" 53 | 54 | - name: Run scai-gen assert 55 | id: scai-gen-assert 56 | shell: bash 57 | run: | 58 | scai-gen assert --evidence ${{ steps.gen-rd.outputs.file-rd-name }} --out-file ${{ inputs.assertion-path }}/${{ inputs.assertion-name }} ${{ inputs.attribute}} 59 | echo "assertion-name=${{ inputs.assertion-path }}/${{ inputs.assertion-name }}" >> "$GITHUB_OUTPUT" 60 | -------------------------------------------------------------------------------- /.github/actions/scai-gen-rd/action.yml: -------------------------------------------------------------------------------- 1 | name: "in-toto ResourceDescriptor generator" 2 | description: "Generates an in-toto ResourceDescriptor for a local file or remote resource" 3 | inputs: 4 | is-file: 5 | description: "Flag indicating whether the resource is a local file or remote. Default is `is-file=true`." 6 | required: false 7 | default: 'true' 8 | name: 9 | description: "The name of the resource file." 10 | required: true 11 | path: 12 | description: "The path to the resource file. Defaults to GITHUB_WORKSPACE." 13 | required: false 14 | default: "$GITHUB_WORKSPACE" 15 | uri: 16 | description: "The URI of the remote resource." 17 | required: false 18 | default: "https://github.com/$GITHUB_REPOSITORY/commit/$GITHUB_SHA" 19 | digest: 20 | description: "The digest associated with the remote resource (hex-encoded)" 21 | required: false 22 | default: "" 23 | hash-alg: 24 | description: "The hash algorithm used to compute the digest associated with the remote resource." 25 | required: false 26 | default: "sha256" 27 | location: 28 | description: "The download location of the file" 29 | required: false 30 | default: "https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" 31 | media-type: 32 | description: "The media type of the file" 33 | required: false 34 | default: "text/plain" 35 | rd-name: 36 | description: "The name of the output ResourceDescriptor file. The file must have the .json extension." 37 | required: true 38 | rd-path: 39 | description: "The path to save the generated descriptor" 40 | default: "$GITHUB_WORKSPACE/temp" 41 | outputs: 42 | file-rd-name: 43 | description: "Filename of the generated ResourceDescriptor" 44 | value: ${{ steps.scai-gen-rd-file.outputs.rd-name }} 45 | remote-rd-name: 46 | description: "Filename of the generated ResourceDescriptor" 47 | value: ${{ steps.scai-gen-rd-remote.outputs.rd-name }} 48 | 49 | runs: 50 | using: "composite" 51 | steps: 52 | - name: Run scai-gen rd file 53 | id: scai-gen-rd-file 54 | if: ${{ inputs.is-file == 'true' }} 55 | shell: bash 56 | run: | 57 | scai-gen rd file --name ${{ inputs.name }} --download-location ${{ inputs.location }} --media-type ${{ inputs.media-type }} --out-file ${{ inputs.rd-path }}/${{ inputs.rd-name }} ${{ inputs.path }}/${{ inputs.name }} 58 | echo "rd-name=${{ inputs.rd-path }}/${{ inputs.rd-name }}" >> "$GITHUB_OUTPUT" 59 | 60 | - name: Run scai-gen rd remote 61 | id: scai-gen-rd-remote 62 | if: ${{ inputs.is-file == 'false' }} 63 | shell: bash 64 | run: | 65 | scai-gen rd remote --name ${{ inputs.name }} --digest ${{ inputs.digest }} --hash-alg ${{ inputs.hash-alg }} --out-file ${{ inputs.rd-path }}/${{ inputs.rd-name }} ${{ inputs.uri }} 66 | echo "rd-name=${{ inputs.rd-path }}/${{ inputs.rd-name }}" >> "$GITHUB_OUTPUT" 67 | -------------------------------------------------------------------------------- /.github/actions/scai-gen-report/action.yml: -------------------------------------------------------------------------------- 1 | name: "scai-gen-report" 2 | description: "Generates a signed SCAI AttributeReport" 3 | inputs: 4 | subject: 5 | description: "The subject ResourceDescriptor. This action currently assumes a single subject." 6 | required: true 7 | attr-assertions: 8 | description: "The names of the SCAI AttributeAssertions to be listed in the Report. This action assumes the Assertions were generated using the scai-gen-assert action." 9 | required: true 10 | report-name: 11 | description: "The name of the AttributeReport file" 12 | required: false 13 | default: "scai-report.json" 14 | report-path: 15 | description: "The directory to place the in-toto SCAI predicate attestation" 16 | required: false 17 | default: "$GITHUB_WORKSPACE/temp" 18 | outputs: 19 | report-name: 20 | description: "Filename of the generated AttributeReport" 21 | value: ${{ steps.scai-gen-report.outputs.report-name }} 22 | 23 | runs: 24 | using: "composite" 25 | steps: 26 | - name: Run scai-gen rd file 27 | id: scai-gen-report 28 | shell: bash 29 | run: | 30 | scai-gen report --subject ${{ inputs.subject }} --out-file ${{ inputs.report-path }}/${{ inputs.report-name }} --pretty-print ${{ inputs.attr-assertions }} 31 | echo "report-name=${{ inputs.report-path }}/${{ inputs.report-name }}" >> "$GITHUB_OUTPUT" 32 | 33 | - name: Upload the signed SCAI AttributeReport 34 | id: upload-assert 35 | uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 36 | with: 37 | name: ${{ inputs.report-name }} 38 | path: ${{ steps.scai-gen-report.outputs.report-name }} 39 | retention-days: 15 40 | -------------------------------------------------------------------------------- /.github/actions/scai-gen-sigstore/action.yml: -------------------------------------------------------------------------------- 1 | name: "in-toto Sigstore signer" 2 | description: "Generates a signed in-toto Attestation using cosign, and uploads it to the public Rekor log" 3 | inputs: 4 | save-signed: 5 | description: "Flag indicating whether to save the signed attestation as a local artifact (using actions/upload-artifact). Default is `save-signed=true`." 6 | required: false 7 | default: 'true' 8 | statement-name: 9 | description: "The name of the unsigned in-toto Statement file." 10 | required: true 11 | statement-path: 12 | description: "The path to the statement-file. Defaults to GITHUB_WORKSPACE." 13 | required: false 14 | default: "$GITHUB_WORKSPACE" 15 | attestation-name: 16 | description: "The name of the DSSE formatted signed in-toto Attestation file." 17 | required: true 18 | attestation-path: 19 | description: "The directory to place the signed in-toto Attestation." 20 | required: false 21 | default: "$GITHUB_WORKSPACE/attestations" 22 | 23 | outputs: 24 | attestation-name: 25 | description: "Filename of the generated signed in-toto Attestation" 26 | value: ${{ steps.sign.outputs.attestation-name }} 27 | 28 | runs: 29 | using: "composite" 30 | steps: 31 | - name: Sign and upload in-toto Statement 32 | id: sign 33 | shell: bash 34 | run: | 35 | scai-gen sigstore --out-file ${{ inputs.attestation-path}}/${{ inputs.attestation-name }} ${{ inputs.statement-path }}/${{ inputs.statement-name }} 36 | echo "attestation-name=${{ inputs.attestation-path }}/${{ inputs.attestation-name }}" >> "$GITHUB_OUTPUT" 37 | 38 | - name: Save the signed in-toto Attestation 39 | if: ${{ inputs.save-signed == 'true' }} 40 | id: upload-signed 41 | uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 42 | with: 43 | name: ${{ inputs.attestation-name }} 44 | path: ${{ steps.sign.outputs.attestation-name }} 45 | retention-days: 15 46 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | 4 | - package-ecosystem: github-actions 5 | directory: "/" 6 | schedule: 7 | interval: weekly 8 | 9 | - package-ecosystem: gomod 10 | directory: "/" 11 | schedule: 12 | interval: weekly 13 | 14 | - package-ecosystem: pip 15 | directory: "/" 16 | schedule: 17 | interval: weekly 18 | -------------------------------------------------------------------------------- /.github/workflows/lint.yml: -------------------------------------------------------------------------------- 1 | name: golangci-lint 2 | on: 3 | push: 4 | branches: 5 | - main 6 | paths: 7 | - "scai-gen/**" 8 | # Want to trigger these tests whenever the Go CLI or 9 | # APIs are modified 10 | pull_request: 11 | paths: 12 | - "scai-gen/**" 13 | permissions: 14 | contents: read 15 | jobs: 16 | golangci: 17 | name: lint 18 | runs-on: ubuntu-latest 19 | steps: 20 | - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 21 | with: 22 | go-version: '1.22.x' 23 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 24 | - name: golangci-lint 25 | uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 26 | with: 27 | version: v1.60.3 28 | -------------------------------------------------------------------------------- /.github/workflows/test-e2e-flow.yml: -------------------------------------------------------------------------------- 1 | name: Test composite actions on SBOM+SLSA example 2 | on: 3 | push: 4 | branches: 5 | - main 6 | paths: 7 | - "scai-gen/**" 8 | # Want to trigger these tests whenever the Go CLI or 9 | # APIs are modified 10 | pull_request: 11 | paths: 12 | - "scai-gen/**" 13 | 14 | jobs: 15 | sbom-slsa-ex: 16 | runs-on: ubuntu-22.04 17 | steps: 18 | - name: Install Go 19 | uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 20 | with: 21 | go-version: 1.22.x 22 | 23 | - name: Checkout updated scai-gen CLI tools 24 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 25 | 26 | - name: Setup Env 27 | run: | 28 | echo "$(go env GOPATH)/bin" >> $GITHUB_PATH 29 | 30 | - name: Install scai-gen CLI tools 31 | shell: bash 32 | run: | 33 | go install ./scai-gen 34 | mkdir -p temp 35 | 36 | - name: Generate SBOM SCAI AttributeAssertion 37 | id: gen-sbom-assert 38 | uses: ./.github/actions/scai-gen-assert 39 | with: 40 | attribute: "HasSBOM" 41 | evidence-file: "pdo_client_wawaka.spdx.json" 42 | evidence-path: "examples/sbom+slsa/metadata" 43 | evidence-type: "application/json" 44 | download-evidence: false 45 | assertion-name: "hassbom-assertion.json" 46 | 47 | - name: Generate SLSA Provenance SCAI AttributeAssertion 48 | id: gen-slsa-assert 49 | uses: ./.github/actions/scai-gen-assert 50 | with: 51 | attribute: "HasSLSA" 52 | evidence-file: "pdo_client_wawaka.provenance.json" 53 | evidence-path: "examples/sbom+slsa/metadata" 54 | evidence-type: "application/vnd.in-toto.provenance+dsse" 55 | download-evidence: false 56 | assertion-name: "hasslsa-assertion.json" 57 | 58 | - name: Generate SCAI AttributeReport 59 | id: gen-sbom-slsa-report 60 | uses: ./.github/actions/scai-gen-report 61 | with: 62 | subject: "examples/sbom+slsa/metadata/container-img-desc.json" 63 | attr-assertions: "${{ steps.gen-sbom-assert.outputs.assertion-name }} ${{ steps.gen-slsa-assert.outputs.assertion-name }}" 64 | report-name: "evidence-collection.scai.json" 65 | -------------------------------------------------------------------------------- /.github/workflows/test-sigstore-integration.yml: -------------------------------------------------------------------------------- 1 | name: Test Sigstore integration 2 | on: 3 | # Want to trigger these tests whenever the Sigstore command 4 | # is modified and PR is closed and merged. 5 | # Reason: OIDC token access constraints in PRs 6 | pull_request: 7 | paths: 8 | - "scai-gen/cmd/sigstore.go" 9 | types: 10 | - closed 11 | 12 | jobs: 13 | sigstore: 14 | if: github.event.pull_request.merged == true 15 | runs-on: ubuntu-22.04 16 | permissions: 17 | id-token: write # Needed for signing 18 | steps: 19 | - name: Install Go 20 | uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 21 | with: 22 | go-version: 1.20.x 23 | 24 | - name: Checkout updated scai-gen CLI tools 25 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 26 | 27 | - name: Setup Env 28 | run: | 29 | echo "$(go env GOPATH)/bin" >> $GITHUB_PATH 30 | 31 | - name: Install scai-gen CLI tools 32 | shell: bash 33 | run: | 34 | go install ./scai-gen 35 | 36 | - name: Sign and upload SCAI report (Sigstore) 37 | id: sign-report 38 | uses: ./.github/actions/scai-gen-sigstore 39 | with: 40 | statement-name: examples/sbom+slsa/metadata/evidence-collection.scai.json 41 | attestation-name: evidence-collection.scai.sig.json 42 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | scai-venv 2 | __pycache__ 3 | *~ 4 | *.pem 5 | -------------------------------------------------------------------------------- /.golangci.yml: -------------------------------------------------------------------------------- 1 | linters: 2 | enable: 3 | - asciicheck 4 | - errcheck 5 | - errorlint 6 | - gofmt 7 | - goimports 8 | - gosec 9 | - gocritic 10 | - importas 11 | - prealloc 12 | - revive 13 | - misspell 14 | - stylecheck 15 | - tparallel 16 | - unconvert 17 | - unparam 18 | - unused 19 | - whitespace 20 | output: 21 | uniq-by-line: false 22 | run: 23 | issues-exit-code: 1 24 | timeout: 10m 25 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @in-toto/scai-demos 2 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # Copyright 2023 Intel Corporation 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | VENVDIR ?= ./scai-venv 16 | 17 | PY_VERSION=${shell python3 --version | sed 's/Python \(3\.[0-9]\).*/\1/'} 18 | PYTHON_DIR=$(VENVDIR)/lib/python$(PY_VERSION)/site-packages/ 19 | 20 | $(PYTHON_DIR): 21 | @echo INSTALL SCAI API 22 | python3 -m venv $(VENVDIR) 23 | . $(abspath $(VENVDIR)/bin/activate) && pip install --upgrade pip 24 | . $(abspath $(VENVDIR)/bin/activate) && pip install --upgrade wheel 25 | . $(abspath $(VENVDIR)/bin/activate) && pip install --upgrade in-toto 26 | . $(abspath $(VENVDIR)/bin/activate) && pip install --upgrade in-toto-attestation>=0.9.3 27 | . $(abspath $(VENVDIR)/bin/activate) && pip install --upgrade ./python 28 | 29 | $(VENVDIR): 30 | @echo CREATE SCAI VENV DIRECTORY $(VENVDIR) 31 | mkdir -p $(VENVDIR) 32 | 33 | py-venv: $(VENVDIR) $(PYTHON_DIR) 34 | 35 | go-mod: 36 | cd ./scai-gen && go build && go install 37 | 38 | clean: 39 | @echo REMOVE SCAI VENV AND PYTHON LIB DIRS 40 | rm -rf $(VENVDIR) __pycache__ 41 | cd ./python; rm -rf build dist *.egg-info 42 | 43 | test: py-venv 44 | @echo TESTING WITH GCC-HELLOWORLD EXAMPLE 45 | ./examples/gcc-helloworld/run-example.sh 46 | 47 | .phony: clean test py-venv go-mod 48 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # in-toto SCAI Generator and Demos 2 | 3 | The Software Supply Chain Attribute Integrity, or SCAI (pronounced "sky"), 4 | framework is a succinct data format specification for claims and evidence about 5 | attributes and integrity about a software artifact and its supply chain. 6 | 7 | For more details read our [intro doc] or the full [SCAI spec doc]. 8 | 9 | ## In this repo 10 | 11 | This repo provides [Go](scai-gen/) and [Python](python/) implementations of 12 | CLI tools for automatically generating SCAI metadata compliant with the 13 | [in-toto Attestation Framework]. 14 | 15 | A number of sample use cases for SCAI are implemented in 16 | [examples/](examples/). 17 | 18 | In addition, our Go [scai-gen](scai-gen/) CLI tool supports policy checking of 19 | SCAI attestations against evidence. Example policies can be found in 20 | [policies/](policies/). 21 | 22 | The [SCAI specification] is hosted under the 23 | in-toto Attestation Framework as an attestation predicate. 24 | 25 | All documentation can be found under [docs/](docs/). 26 | 27 | ## Usage 28 | 29 | Read the [usage doc] for instructions on setup and tool invocation 30 | for Python and Go environments. 31 | 32 | We encourage you to gain a basic understanding of the [SCAI specification] 33 | before using the scai-generator CLI tools in this repo. 34 | 35 | For a full demo of how to use the Go [scai-gen](scai-gen/) tools, read our 36 | [KubeCon + CloudNativeCon NA '23 doc]. 37 | 38 | ## Disclaimer 39 | 40 | While the tools in this repo are conformant to the 41 | [in-toto Attestation Framework], they do not generate **authenticated** SCAI 42 | attestations. The example use cases in this repo are only provided for 43 | illustrative purposes, and should not be used in production. 44 | 45 | [in-toto Attestation Framework]: https://github.com/in-toto/attestation/tree/main/spec 46 | [intro doc]: docs/intro.md 47 | [KubeCon + CloudNativeCon NA '23]: kccncna2023-demo/README.md 48 | [usage doc]: docs/usage.md 49 | [SCAI specification]: https://github.com/in-toto/attestation/blob/main/spec/predicates/scai.md 50 | [SCAI spec doc]: https://arxiv.org/pdf/2210.05813.pdf 51 | -------------------------------------------------------------------------------- /coverity-output.txt: -------------------------------------------------------------------------------- 1 | Coverity Static Analysis version 2022.3.1 on Linux 4.4.0-19041-Microsoft x86_64 2 | Internal version numbers: 09579d0e1a p-2022.3-push-62 3 | 4 | Using 8 workers as limited by CPU(s) 5 | Looking for translation units 6 | |0----------25-----------50----------75---------100| 7 | **************************************************** 8 | [STATUS] Computing links for 17 translation units 9 | |0----------25-----------50----------75---------100| 10 | **************************************************** 11 | [STATUS] Computing virtual overrides 12 | |0----------25-----------50----------75---------100| 13 | **************************************************** 14 | [STATUS] Resolving dataflow directives 15 | |0----------25-----------50----------75---------100| 16 | **************************************************** 17 | [STATUS] Computing callgraph 18 | |0----------25-----------50----------75---------100| 19 | **************************************************** 20 | [STATUS] Topologically sorting 43 functions 21 | |0----------25-----------50----------75---------100| 22 | **************************************************** 23 | [STATUS] Preparing for source code analysis 24 | |0----------25-----------50----------75---------100| 25 | **************************************************** 26 | [STATUS] Running Sigma analysis 27 | [STATUS] Computing node costs 28 | |0----------25-----------50----------75---------100| 29 | **************************************************** 30 | [STATUS] Running analysis 31 | |0----------25-----------50----------75---------100| 32 | **************************************************** 33 | [STATUS] Exporting summaries 34 | |0----------25-----------50----------75---------100| 35 | **************************************************** 36 | Analysis summary report: 37 | ------------------------ 38 | Files analyzed : 10 Total 39 | Python 3 : 6 40 | Text : 4 41 | Total LoC input to cov-analyze : 345 42 | Functions analyzed : 43 43 | Paths analyzed : 109 44 | Time taken by analysis : 00:00:14 45 | Defect occurrences found : 0 46 | 47 | -------------------------------------------------------------------------------- /docs/intro.md: -------------------------------------------------------------------------------- 1 | # Introduction to SCAI 2 | 3 | The Software Supply Chain Attribute Integrity, or SCAI (pronounced "sky"), 4 | specification is a data format for claims about functional attributes and 5 | integrity about a software artifact and its supply chain, along with any 6 | evidence for the claim. 7 | 8 | That is, in addition to code attributes, SCAI can capture metadata about any 9 | layer of a software stack, from the tool that built an artifact, to 10 | information about the software system or the hardware platform that ran a 11 | given supply chain step. 12 | 13 | SCAI data can be associated with executable binaries, statically- or 14 | dynamically-linked libraries, software packages, container images, 15 | software toolchains, and compute environments. 16 | 17 | As such, SCAI is intended to be implemented as part of an existing software 18 | supply chain attestation framework by software development tools or services 19 | (e.g., builders, CI/CD pipelines, software analysis tools) seeking to 20 | capture more granular information about the attributes and behavior of the 21 | software artifacts they produce. That is, SCAI assumes that implementers will 22 | have appropriate processes and tooling in place for capturing other types of 23 | software supply chain metadata, which can be extended to add support for SCAI. 24 | 25 | ## Integration with in-toto 26 | 27 | SCAI integrates with the [in-toto Attestation Framework] as an attestation 28 | predicate that can be generated alongside any other supply chain metadata, 29 | such as SBOM or SLSA Provenance. 30 | 31 | [in-toto Attestation Framework]: https://github.com/in-toto/attestation -------------------------------------------------------------------------------- /docs/obj-reference.md: -------------------------------------------------------------------------------- 1 | # Object Reference 2 | 3 | ## Motivation 4 | 5 | An Object Reference is designed to be a size-efficient representation of any object, artifact or metadata, 6 | that may be included in any SW supply chain metadata. The Object Reference must allow both humans and automated 7 | verifier programs to easily parse, identify and locate the referenced objects. 8 | 9 | For more details, see Section 3 of the [SCAI v0.1 specification](). 10 | 11 | ## Schema 12 | 13 | ``` 14 | { 15 | "name": "", 16 | "digest": { "": "VALUE", "...": "..." }, 17 | "locationURI": "", 18 | "objectType": "" 19 | } 20 | 21 | ``` 22 | 23 | `name` _string, required_ 24 | 25 | > Human-readable identifier to distinguish the referenced object. 26 | > 27 | > The semantics are up to the producer and consumer. Because consumers may evaluate 28 | > the name against a policy, the name SHOULD be stable between Attestations. 29 | > 30 | > Use: Object lookups. 31 | 32 | `digest` _object ([DigestSet](https://github.com/in-toto/Attestation/blob/main/spec/field_types.md#DigestSet)), required_ 33 | 34 | > Collection of one or more cryptographic digests of the referenced object. 35 | > 36 | > Two DigestSets are considered matching if ANY of the fields match. The 37 | > producer and consumer must agree on acceptable algorithms. If there are no 38 | > overlapping algorithms, the object is considered not matching. 39 | > 40 | > Use: Integrity checks and policy evaluation. 41 | 42 | `locationURI` _string ([ResourceURI](https://github.com/in-toto/Attestation/blob/main/spec/field_types.md#ResourceURI)), optional_ 43 | 44 | > URI to the location of the referenced object. 45 | > 46 | > Acceptable locations (web server, local, git etc.) are up to the producer 47 | > and consumer. To enable a consumer to automatically validate the 48 | > referenced object, the locationURI SHOULD resolve to the object. 49 | > 50 | > Use: Locating and downloading the object matching the `digest`. 51 | 52 | `objectType` _string, optional_ 53 | 54 | > Indicates the type of referenced object. 55 | > 56 | > Acceptable object type formats are up to the producer 57 | > and consumer. Typically, the objectType for an artifact will be its file type. 58 | > The objectType for a metadata object will commonly be a 59 | > data format or schema identifier. 60 | > 61 | > Use: Provide hint about object type, enable type-specific validation. -------------------------------------------------------------------------------- /docs/usage.md: -------------------------------------------------------------------------------- 1 | # scai-generator Usage 2 | 3 | We encourage you to gain a basic understanding of the [SCAI specification] 4 | before using the CLI tools in this repo. 5 | 6 | The general flow is to first generate any [ResourceDescriptors], 7 | one or more [AttributeAssertions] and then generate a SCAI [Report]. 8 | The generated SCAI report document is a valid [in-toto Statement]. 9 | 10 | Note, that the CLI tools do not generate **signed** SCAI Reports or 11 | in-toto attestations. 12 | 13 | ## CLI Usage 14 | 15 | The SCAI CLI tools and examples have been tested on Ubuntu 20.04 or higher. 16 | 17 | For information on how to use our CLI tools in [Python] or [Go] environments, 18 | please refer to their instructions. 19 | 20 | [in-toto Statement]: https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md 21 | [ResourceDescriptors]: https://github.com/in-toto/attestation/blob/main/spec/v1/resource_descriptor.md 22 | [AttributeAssertions]: https://github.com/in-toto/attestation/blob/main/protos/in_toto_attestation/predicates/scai/v0/scai.proto#L16 23 | [Report]: https://github.com/in-toto/attestation/blob/main/protos/in_toto_attestation/predicates/scai/v0/scai.proto#L28 24 | [SCAI specification]: https://github.com/in-toto/attestation/blob/main/spec/predicates/scai.md 25 | [Go]: ../scai-gen/README.md 26 | [Python]: ../python/README.md 27 | -------------------------------------------------------------------------------- /examples/.gitignore: -------------------------------------------------------------------------------- 1 | hello-world 2 | *-desc.json 3 | *-spdx.json 4 | */metadata/go/ 5 | -------------------------------------------------------------------------------- /examples/README.md: -------------------------------------------------------------------------------- 1 | # SCAI Examples 2 | 3 | This directory contains examples for SCAI use cases: 4 | 5 | * [Binary attributes](./gcc-helloworld) 6 | * [Build process attributes](./sbom+slsa) 7 | * [Build environment attributes](./hermetic-evidence) 8 | * [Build platform attributes](./secure-boot) 9 | * [Dependency vulnerability attributes](./vuln-scan) 10 | 11 | ## Basic Usage 12 | 13 | Before running any example, make sure to follow the [setup instructions]. 14 | 15 | Each directory contains a script to run the Python example: 16 | 17 | ```bash 18 | ./run-example.sh 19 | ``` 20 | 21 | And to run the Go example: 22 | 23 | ```bash 24 | ./run-go-example.sh 25 | ``` 26 | 27 | The resulting metadata will be stored in the respective `metadata/` directory. 28 | 29 | :: warn :: The scai-generator CLI tools do not generate digitally signed in-toto 30 | attestations. Any digitally signed attestations included in this repo are only 31 | provided for demo purposes. 32 | 33 | ## End-to-End Examples 34 | 35 | We provide one end-to-end example for a container build that showcases both 36 | SCAI attestation generation, as well as verification of an ITE-10 in-toto layout 37 | and SCAI policy checking. 38 | 39 | Use the `examples/run-container-examples-e2e.sh` bash script to run the full 40 | example. 41 | 42 | [setup instructions]: ../docs/usage.md 43 | -------------------------------------------------------------------------------- /examples/gcc-helloworld/README.md: -------------------------------------------------------------------------------- 1 | # Binary attributes example 2 | 3 | This example shows how to capture fine-grained binary properties during 4 | the compilation of a hello-world program based on the gcc flags used for a 5 | given build. 6 | 7 | ## Generated SCAI attestation 8 | 9 | ```jsonc 10 | { 11 | "_type": "https://in-toto.io/Statement/v1", 12 | "subject": [ 13 | { 14 | "name": "hello-world", 15 | "digest": { 16 | "sha256": "0b222de8bcb1ea30807f1a4d733108e96de4512b689da8c5f371ac8a572e9271" 17 | } 18 | } 19 | ], 20 | "predicateType": "https://in-toto.io/attestation/scai/attribute-report/v0.2", 21 | "predicate": { 22 | "attributes": [ 23 | { 24 | "attribute": "HAS_STACK_PROTECTION", 25 | "conditions": { 26 | "flags": "-fstack-protector*" 27 | } 28 | } 29 | ], 30 | "producer": { 31 | "name": "gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0", 32 | "digest": { 33 | "sha256": "fb60c5945ce785d0cb2ef0303dac5249f25bd0d0324317a0734aae6aa24f609b" 34 | }, 35 | "uri": "file://usr/bin/gcc", 36 | "annotations": { 37 | "command": "gcc -fstack-protector -o hello-world hello-world.c" 38 | } 39 | } 40 | } 41 | } 42 | ``` 43 | -------------------------------------------------------------------------------- /examples/gcc-helloworld/hello-world.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char *argv[]) { 4 | printf("Hello, world!"); 5 | return 0; 6 | } 7 | -------------------------------------------------------------------------------- /examples/gcc-helloworld/metadata/cmd-annotation.json: -------------------------------------------------------------------------------- 1 | {"command": "gcc -fstack-protector -o hello-world hello-world.c"} 2 | 3 | -------------------------------------------------------------------------------- /examples/gcc-helloworld/metadata/hello-world.scai.json: -------------------------------------------------------------------------------- 1 | { 2 | "_type": "https://in-toto.io/Statement/v1", 3 | "subject": [ 4 | { 5 | "name": "hello-world", 6 | "digest": { 7 | "sha256": "0b222de8bcb1ea30807f1a4d733108e96de4512b689da8c5f371ac8a572e9271" 8 | } 9 | } 10 | ], 11 | "predicateType": "https://in-toto.io/attestation/scai/attribute-report/v0.2", 12 | "predicate": { 13 | "producer": { 14 | "digest": { 15 | "sha256": "fb60c5945ce785d0cb2ef0303dac5249f25bd0d0324317a0734aae6aa24f609b" 16 | }, 17 | "annotations": { 18 | "command": "gcc -fstack-protector -o hello-world hello-world.c" 19 | }, 20 | "uri": "file://usr/bin/gcc", 21 | "name": "gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0" 22 | }, 23 | "attributes": [ 24 | { 25 | "attribute": "HAS_STACK_PROTECTION", 26 | "conditions": { 27 | "flags": "-fstack-protector*" 28 | } 29 | } 30 | ] 31 | } 32 | } -------------------------------------------------------------------------------- /examples/gcc-helloworld/metadata/stack-protection-assertion.json: -------------------------------------------------------------------------------- 1 | { 2 | "attribute": "HAS_STACK_PROTECTION", 3 | "conditions": { 4 | "flags": "-fstack-protector*" 5 | } 6 | } -------------------------------------------------------------------------------- /examples/gcc-helloworld/metadata/stack-protector-conditions.json: -------------------------------------------------------------------------------- 1 | {"flags": "-fstack-protector*"} 2 | -------------------------------------------------------------------------------- /examples/gcc-helloworld/run-example.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright 2023 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | EXAMPLE_DIR=$( cd "$(dirname "${BASH_SOURCE[0]}")" ; pwd -P ) 7 | 8 | # ----------------------------------------------------------------- 9 | # Run gcc hello-world example 10 | # ----------------------------------------------------------------- 11 | 12 | mkdir -p ${EXAMPLE_DIR}/metadata 13 | 14 | echo RUN GCC 15 | 16 | gcc -fstack-protector -o ${EXAMPLE_DIR}/hello-world ${EXAMPLE_DIR}/hello-world.c 17 | 18 | echo GENERATE HELLO-WORLD DESCRIPTOR 19 | 20 | scai-gen-resource-desc -n hello-world -d -f hello-world --resource-dir ${EXAMPLE_DIR} -o hello-world-desc.json --out-dir ${EXAMPLE_DIR}/metadata 21 | 22 | echo GENERATE GCC DESCRIPTOR 23 | 24 | GCC_PATH=`which gcc` 25 | GCC_NAME=`gcc --version | head -n 1` 26 | 27 | scai-gen-resource-desc -n "${GCC_NAME}" -d -u "file:/${GCC_PATH}" -a cmd-annotation.json --annotation-dir ${EXAMPLE_DIR}/metadata -f ${GCC_PATH} --resource-dir '/' -o gcc-desc.json --out-dir ${EXAMPLE_DIR}/metadata 28 | 29 | echo GENERATE STACK PROTECTION SCAI ATTRIBUTE ASSERTION 30 | 31 | scai-attr-assertion -a "HAS_STACK_PROTECTION" -c ${EXAMPLE_DIR}/metadata/stack-protector-conditions.json -o stack-protection-assertion.json --out-dir ${EXAMPLE_DIR}/metadata --pretty-print 32 | 33 | echo GENERATE SCAI REPORT FOR GCC COMPILATION 34 | 35 | scai-report -s hello-world-desc.json --subject-dirs ${EXAMPLE_DIR}/metadata -a stack-protection-assertion.json --assertion-dir ${EXAMPLE_DIR}/metadata -p gcc-desc.json --producer-dir ${EXAMPLE_DIR}/metadata -o hello-world.scai.json --out-dir ${EXAMPLE_DIR}/metadata --pretty-print 36 | -------------------------------------------------------------------------------- /examples/gcc-helloworld/run-go-example.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright 2023 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | EXAMPLE_DIR=$( cd "$(dirname "${BASH_SOURCE[0]}")" ; pwd -P ) 7 | 8 | # ----------------------------------------------------------------- 9 | # Run gcc hello-world example 10 | # ----------------------------------------------------------------- 11 | 12 | OUTDIR=${EXAMPLE_DIR}/metadata/go 13 | 14 | mkdir -p ${OUTDIR} 15 | 16 | echo RUN GCC 17 | 18 | gcc -fstack-protector -o ${EXAMPLE_DIR}/hello-world ${EXAMPLE_DIR}/hello-world.c 19 | 20 | echo GENERATE HELLO-WORLD DESCRIPTOR 21 | 22 | scai-gen rd file -n hello-world -o ${OUTDIR}/hello-world-desc.json ${EXAMPLE_DIR}/hello-world 23 | 24 | echo GENERATE GCC DESCRIPTOR 25 | 26 | GCC_PATH=`which gcc` 27 | GCC_NAME=`gcc --version | head -n 1` 28 | 29 | scai-gen rd file -n "${GCC_NAME}" -o ${OUTDIR}/gcc-desc.json ${GCC_PATH} 30 | 31 | echo GENERATE STACK PROTECTION SCAI ATTRIBUTE ASSERTION 32 | 33 | scai-gen assert -c ${EXAMPLE_DIR}/metadata/stack-protector-conditions.json -o ${OUTDIR}/stack-protection-assertion.json "HAS_STACK_PROTECTION" 34 | 35 | echo GENERATE SCAI REPORT FOR GCC COMPILATION 36 | 37 | scai-gen report -s ${OUTDIR}/hello-world-desc.json -p ${OUTDIR}/gcc-desc.json -o ${OUTDIR}/hello-world.scai.json ${OUTDIR}/stack-protection-assertion.json 38 | -------------------------------------------------------------------------------- /examples/hermetic-evidence/README.md: -------------------------------------------------------------------------------- 1 | # Build environment attributes 2 | 3 | This example shows how SCAI can be used to capture information as evidence for 4 | other supply chain metadata. Specifically, this example captures a run-time 5 | trace of a SLSA builder, and uses this log as evidence for the [hermetic] 6 | requirement of the SLSA v0.1 spec. 7 | 8 | The SLSA Provenance and strace log files used in this example were generated 9 | using [this workflow]. 10 | 11 | ## A negative test 12 | 13 | The SLSA build environment used to generate the metadata in this 14 | example is not configured to support hermetic builds, so the included log 15 | should not be considered valid evidence for the claimed `IsHermeticBuild` 16 | attribute in the SCAI attribute assertion. 17 | 18 | ## Generated SCAI attestation 19 | 20 | ```jsonc 21 | { 22 | "_type": "https://in-toto.io/Statement/v1", 23 | "subject": [ 24 | { 25 | "name": "pdo_client_wawaka", 26 | "digest": { 27 | "sha256": "9b151e8b47a372bb686a441349d981ebf38951d70c4e7bf4669672651da7d33e" 28 | } 29 | } 30 | ], 31 | "predicateType": "https://in-toto.io/attestation/scai/attribute-report/v0.2", 32 | "predicate": { 33 | "attributes": [ 34 | { 35 | "attribute": "IsHermeticBuild", 36 | "target": { 37 | "name": "pdo_client_wawaka.provenance.json", 38 | "digest": { 39 | "sha256": "d094023e47dadedb5591d70bf203b967daa1e0784b29135053e410e6627ab261" 40 | }, 41 | "downloadLocation": "https://github.com/marcelamelara/private-data-objects/suites/15001861846/artifacts/856214822", 42 | "mediaType": "application/vnd.in-toto.provenance+json" 43 | }, 44 | "evidence": { 45 | "name": "strace.log", 46 | "digest": { 47 | "sha256": "1fbd9b1a3b867657666edf7ac1f17a3cad6ff691364ab46848ca5f49720688a8" 48 | }, 49 | "downloadLocation": "https://github.com/marcelamelara/private-data-objects/suites/15001861846/artifacts/856214824", 50 | "mediaType": "text/plain", 51 | "annotations": { 52 | "expectedResult": "fail" 53 | } 54 | } 55 | } 56 | ] 57 | } 58 | } 59 | ``` 60 | 61 | [hermetic]: https://slsa.dev/spec/v0.1/requirements#hermetic 62 | [this workflow]: https://github.com/marcelamelara/private-data-objects/blob/generate-swsc-build-metadata/.github/workflows/ci-slsa3-tracing.yaml 63 | -------------------------------------------------------------------------------- /examples/hermetic-evidence/metadata/attestations/bad-build.1f575092.json: -------------------------------------------------------------------------------- 1 | {"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoicGRvX2NsaWVudF93YXdha2EiLCJkaWdlc3QiOnsic2hhMjU2IjoiOWZiN2VmNTUyMjk4ZjhmYmFkODQ2MDRkMDYxMDBlNzYwYjdiOGM0Y2I0ZDZjNGI3Mjc4NjVmMWYyODVkMDZhYyJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL2luLXRvdG8uaW8vYXR0ZXN0YXRpb24vc2NhaS9hdHRyaWJ1dGUtcmVwb3J0L3YwLjIiLCJwcmVkaWNhdGUiOnsiYXR0cmlidXRlcyI6W3siYXR0cmlidXRlIjoiSXNIZXJtZXRpY0J1aWxkIiwiZXZpZGVuY2UiOnsiYW5ub3RhdGlvbnMiOnsiZXhwZWN0ZWRSZXN1bHQiOiJmYWlsIn0sImRpZ2VzdCI6eyJzaGEyNTYiOiJjMzZlOTY2OWJlNzkyMmZlZDBlYzRmMGU0NTQzZTcwMWRhMDhiY2NhZDAzZGQwNDIzZDM4ZTQ4NmZlZGM4M2QzIn0sImRvd25sb2FkTG9jYXRpb24iOiJodHRwczovL2dpdGh1Yi5jb20vbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9zdWl0ZXMvMTU0MTc3MjYxNDIvYXJ0aWZhY3RzLzg4MDQwMzM5OCIsIm1lZGlhVHlwZSI6InRleHQvcGxhaW4iLCJuYW1lIjoic3RyYWNlLmxvZyJ9LCJ0YXJnZXQiOnsiZGlnZXN0Ijp7InNoYTI1NiI6Ijk0ZDE4NzE2ZWU0NDEyMTc1YzVkOWRhMWNlNTA5NDcxNTNlMDljNDc2MmY5MDQ0YWY2ZjJkNjgyOGIxMmZlNWIifSwiZG93bmxvYWRMb2NhdGlvbiI6Imh0dHBzOi8vZ2l0aHViLmNvbS9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL3N1aXRlcy8xNTQxNzcyNjE0Mi9hcnRpZmFjdHMvODgwNDAzMzkyL3Bkb19jbGllbnRfd2F3YWthLnNsc2EuaW50b3RvLmpzb25sIiwibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8rZHNzZSIsIm5hbWUiOiJidWlsZC40NTJlNjI4YS5qc29uIn19XX19","signatures":[{"keyid":"1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6","sig":"LH8wuhKTQNj3weL9UdF6SqqQy7TWhm+Jg8kcd+KVkjVk6+y6/xwob1sgvsJ+ZpIbM07zDKHd9W6Qvon0oEhx9mEeBwW90DIJexWdd4MpkcU7qCnU0DhBKGPdc6tjCBz3RGIRbpIgi5LgC/TR+ihuoFSPT07/inaRLcfIf5F1D/FV+rbi80bnAHE9OzsVX8o0UrHDoQmdukytcagy9YWnOh0hwDG0mMxoHd3xM3R8/03DP7iZMJHmv8SRQQdUFFaUGyskzari5D4jPFRI4eQByOn20bd8TsOqH06uSd4jEda/IZa8eZwisZctEFssQfRBfpFOB7T71E9kQeYUaMlunsjvKXOfbP8ixFjJSLYXO09c6KMsrO9yuxv2whewIKwpYX/EiJFwyztxVYh0JfT9CjI+z8VUhJ+Eh0DmgRX+jG9liX0DKXQNDtZmFHo8tTdmflcuT1FLchm4IAPB467xl9tGxycBzEL5ac9r9ZCKcbx8lxpOxBIFpH1G2g+d143L"}]} -------------------------------------------------------------------------------- /examples/hermetic-evidence/metadata/attestations/build.1f575092.json: -------------------------------------------------------------------------------- 1 | {"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoicGRvX2NsaWVudF93YXdha2EiLCJkaWdlc3QiOnsic2hhMjU2IjoiOWZiN2VmNTUyMjk4ZjhmYmFkODQ2MDRkMDYxMDBlNzYwYjdiOGM0Y2I0ZDZjNGI3Mjc4NjVmMWYyODVkMDZhYyJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL2luLXRvdG8uaW8vYXR0ZXN0YXRpb24vc2NhaS9hdHRyaWJ1dGUtcmVwb3J0L3YwLjIiLCJwcmVkaWNhdGUiOnsiYXR0cmlidXRlcyI6W3siYXR0cmlidXRlIjoiTm9uSGVybWV0aWNCdWlsZCIsImV2aWRlbmNlIjp7ImFubm90YXRpb25zIjp7ImV4cGVjdGVkUmVzdWx0IjoiZmFpbCJ9LCJkaWdlc3QiOnsic2hhMjU2IjoiYzM2ZTk2NjliZTc5MjJmZWQwZWM0ZjBlNDU0M2U3MDFkYTA4YmNjYWQwM2RkMDQyM2QzOGU0ODZmZWRjODNkMyJ9LCJkb3dubG9hZExvY2F0aW9uIjoiaHR0cHM6Ly9naXRodWIuY29tL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvc3VpdGVzLzE1NDE3NzI2MTQyL2FydGlmYWN0cy84ODA0MDMzOTgiLCJtZWRpYVR5cGUiOiJ0ZXh0L3BsYWluIiwibmFtZSI6InN0cmFjZS5sb2cifSwidGFyZ2V0Ijp7ImRpZ2VzdCI6eyJzaGEyNTYiOiI5NGQxODcxNmVlNDQxMjE3NWM1ZDlkYTFjZTUwOTQ3MTUzZTA5YzQ3NjJmOTA0NGFmNmYyZDY4MjhiMTJmZTViIn0sImRvd25sb2FkTG9jYXRpb24iOiJodHRwczovL2dpdGh1Yi5jb20vbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9zdWl0ZXMvMTU0MTc3MjYxNDIvYXJ0aWZhY3RzLzg4MDQwMzM5Mi9wZG9fY2xpZW50X3dhd2FrYS5zbHNhLmludG90by5qc29ubCIsIm1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5pbi10b3RvK2Rzc2UiLCJuYW1lIjoiYnVpbGQuNDUyZTYyOGEuanNvbiJ9fV19fQ==","signatures":[{"keyid":"1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6","sig":"QOT13X+lAC22Bw+f8/zOkZGkaQcfbbt73k0CdKbz1P3F4UWvDlFk6bZG5sldLzF94tDY5C3QznCBBzppVg8QCZvAghxRM8RH/hCezOTf9zk37u2jDmPiEuo747RBPJKiea1hTeW1pihMhJdrYL6Hmi6PVOMno1TFVwrBoXZ2dn+fMyhIyhgbeMyveiT6lG0uwcZSdO11R3EkfmOGUa+7ohNmlcHxJ/n2J3tmgUZKQwnl2hiY1gVNZClM4nvQrPvsb2Y4Xy5wqLVjxL3IQ/7QkKJ2vn4HzuKzqe1mtUuwQMMd8xVHAHAoe3IrR7xJU5rhd0YUeLJSBHdDRoaloD8wuGOeEREY0fJzzttdFtMuvWsSbRTA7HK1gnqR+yex6PMn7ylzyc51/rxvPD6USsQrHhTUGpwD9e1vgkiH4jMIg02uWg71I8EhpDuEaq4gq4Da54w+sC1HDSoR/HZOWCJ2z6U8j8rDcUi3Urilik/mG0ixMR5pezPT+bC3XC/CLr3t"}]} -------------------------------------------------------------------------------- /examples/hermetic-evidence/metadata/hermetic-annotation.json: -------------------------------------------------------------------------------- 1 | {"expectedResult": "fail"} 2 | -------------------------------------------------------------------------------- /examples/hermetic-evidence/metadata/hermetic-build.scai.json: -------------------------------------------------------------------------------- 1 | {"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"pdo_client_wawaka","digest":{"sha256":"9fb7ef552298f8fbad84604d06100e760b7b8c4cb4d6c4b727865f1f285d06ac"}}],"predicateType":"https://in-toto.io/attestation/scai/attribute-report/v0.2","predicate":{"attributes":[{"attribute":"IsHermeticBuild","evidence":{"annotations":{"expectedResult":"fail"},"digest":{"sha256":"c36e9669be7922fed0ec4f0e4543e701da08bccad03dd0423d38e486fedc83d3"},"downloadLocation":"https://github.com/marcelamelara/private-data-objects/suites/15417726142/artifacts/880403398","mediaType":"text/plain","name":"strace.log"},"target":{"digest":{"sha256":"94d18716ee4412175c5d9da1ce50947153e09c4762f9044af6f2d6828b12fe5b"},"downloadLocation":"https://github.com/marcelamelara/private-data-objects/suites/15417726142/artifacts/880403392/pdo_client_wawaka.slsa.intoto.jsonl","mediaType":"application/vnd.in-toto+dsse","name":"build.452e628a.json"}}]}} -------------------------------------------------------------------------------- /examples/hermetic-evidence/metadata/is-hermetic-assertion.json: -------------------------------------------------------------------------------- 1 | {"attribute":"IsHermeticBuild","target":{"name":"build.452e628a.json","digest":{"sha256":"94d18716ee4412175c5d9da1ce50947153e09c4762f9044af6f2d6828b12fe5b"},"downloadLocation":"https://github.com/marcelamelara/private-data-objects/suites/15417726142/artifacts/880403392/pdo_client_wawaka.slsa.intoto.jsonl","mediaType":"application/vnd.in-toto+dsse"},"evidence":{"name":"strace.log","digest":{"sha256":"c36e9669be7922fed0ec4f0e4543e701da08bccad03dd0423d38e486fedc83d3"},"downloadLocation":"https://github.com/marcelamelara/private-data-objects/suites/15417726142/artifacts/880403398","mediaType":"text/plain","annotations":{"expectedResult":"fail"}}} -------------------------------------------------------------------------------- /examples/hermetic-evidence/metadata/non-hermetic-assertion.json: -------------------------------------------------------------------------------- 1 | {"attribute":"NonHermeticBuild","target":{"name":"build.452e628a.json","digest":{"sha256":"94d18716ee4412175c5d9da1ce50947153e09c4762f9044af6f2d6828b12fe5b"},"downloadLocation":"https://github.com/marcelamelara/private-data-objects/suites/15417726142/artifacts/880403392/pdo_client_wawaka.slsa.intoto.jsonl","mediaType":"application/vnd.in-toto+dsse"},"evidence":{"name":"strace.log","digest":{"sha256":"c36e9669be7922fed0ec4f0e4543e701da08bccad03dd0423d38e486fedc83d3"},"downloadLocation":"https://github.com/marcelamelara/private-data-objects/suites/15417726142/artifacts/880403398","mediaType":"text/plain","annotations":{"expectedResult":"fail"}}} -------------------------------------------------------------------------------- /examples/hermetic-evidence/metadata/non-hermetic-build.scai.json: -------------------------------------------------------------------------------- 1 | {"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"pdo_client_wawaka","digest":{"sha256":"9fb7ef552298f8fbad84604d06100e760b7b8c4cb4d6c4b727865f1f285d06ac"}}],"predicateType":"https://in-toto.io/attestation/scai/attribute-report/v0.2","predicate":{"attributes":[{"attribute":"NonHermeticBuild","evidence":{"annotations":{"expectedResult":"fail"},"digest":{"sha256":"c36e9669be7922fed0ec4f0e4543e701da08bccad03dd0423d38e486fedc83d3"},"downloadLocation":"https://github.com/marcelamelara/private-data-objects/suites/15417726142/artifacts/880403398","mediaType":"text/plain","name":"strace.log"},"target":{"digest":{"sha256":"94d18716ee4412175c5d9da1ce50947153e09c4762f9044af6f2d6828b12fe5b"},"downloadLocation":"https://github.com/marcelamelara/private-data-objects/suites/15417726142/artifacts/880403392/pdo_client_wawaka.slsa.intoto.jsonl","mediaType":"application/vnd.in-toto+dsse","name":"build.452e628a.json"}}]}} -------------------------------------------------------------------------------- /examples/hermetic-evidence/metadata/pdo_client_wawaka.provenance.json: -------------------------------------------------------------------------------- 1 | {"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2","subject":[{"name":"pdo_client_wawaka","digest":{"sha256":"03413b4ecb73bba78a71afaf41ac9e921a14b307c9f18fe13344774723a20d82"}}],"predicate":{"builder":{"id":"https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.7.0"},"buildType":"https://github.com/slsa-framework/slsa-github-generator/generic@v1","invocation":{"configSource":{"uri":"git+https://github.com/marcelamelara/private-data-objects@refs/heads/generate-swsc-build-metadata","digest":{"sha1":"89ea53b883573c6295d8ee63ed7aa1e0d14c78e1"},"entryPoint":".github/workflows/ci-slsa3-tracing.yaml"},"parameters":{},"environment":{"github_actor":"marcelamelara","github_actor_id":"93797898","github_base_ref":"","github_event_name":"push","github_event_payload":{"after":"89ea53b883573c6295d8ee63ed7aa1e0d14c78e1","base_ref":null,"before":"81f0ea96ae79436cd3b407caf866c49886895788","commits":[{"author":{"email":"marcela.melara@intel.com","name":"Marcela Melara","username":"marcelamelara"},"committer":{"email":"marcela.melara@intel.com","name":"Marcela Melara","username":"marcelamelara"},"distinct":true,"id":"89ea53b883573c6295d8ee63ed7aa1e0d14c78e1","message":"Fix docker inspect command\n\nSigned-off-by: Marcela Melara \u003cmarcela.melara@intel.com\u003e","timestamp":"2023-08-10T16:22:31-07:00","tree_id":"ea7da4d89aec80ac777169bb0521fa44dd86f61e","url":"https://github.com/marcelamelara/private-data-objects/commit/89ea53b883573c6295d8ee63ed7aa1e0d14c78e1"}],"compare":"https://github.com/marcelamelara/private-data-objects/compare/81f0ea96ae79...89ea53b88357","created":false,"deleted":false,"forced":true,"head_commit":{"author":{"email":"marcela.melara@intel.com","name":"Marcela Melara","username":"marcelamelara"},"committer":{"email":"marcela.melara@intel.com","name":"Marcela Melara","username":"marcelamelara"},"distinct":true,"id":"89ea53b883573c6295d8ee63ed7aa1e0d14c78e1","message":"Fix docker inspect command\n\nSigned-off-by: Marcela Melara \u003cmarcela.melara@intel.com\u003e","timestamp":"2023-08-10T16:22:31-07:00","tree_id":"ea7da4d89aec80ac777169bb0521fa44dd86f61e","url":"https://github.com/marcelamelara/private-data-objects/commit/89ea53b883573c6295d8ee63ed7aa1e0d14c78e1"},"pusher":{"email":"marcela.melara@intel.com","name":"marcelamelara"},"ref":"refs/heads/generate-swsc-build-metadata","repository":{"allow_forking":true,"archive_url":"https://api.github.com/repos/marcelamelara/private-data-objects/{archive_format}{/ref}","archived":false,"assignees_url":"https://api.github.com/repos/marcelamelara/private-data-objects/assignees{/user}","blobs_url":"https://api.github.com/repos/marcelamelara/private-data-objects/git/blobs{/sha}","branches_url":"https://api.github.com/repos/marcelamelara/private-data-objects/branches{/branch}","clone_url":"https://github.com/marcelamelara/private-data-objects.git","collaborators_url":"https://api.github.com/repos/marcelamelara/private-data-objects/collaborators{/collaborator}","comments_url":"https://api.github.com/repos/marcelamelara/private-data-objects/comments{/number}","commits_url":"https://api.github.com/repos/marcelamelara/private-data-objects/commits{/sha}","compare_url":"https://api.github.com/repos/marcelamelara/private-data-objects/compare/{base}...{head}","contents_url":"https://api.github.com/repos/marcelamelara/private-data-objects/contents/{+path}","contributors_url":"https://api.github.com/repos/marcelamelara/private-data-objects/contributors","created_at":1580158534,"default_branch":"main","deployments_url":"https://api.github.com/repos/marcelamelara/private-data-objects/deployments","description":"The Private Data Objects lab provides technology for confidentiality-preserving, off-chain smart contracts.","disabled":false,"downloads_url":"https://api.github.com/repos/marcelamelara/private-data-objects/downloads","events_url":"https://api.github.com/repos/marcelamelara/private-data-objects/events","fork":true,"forks":1,"forks_count":1,"forks_url":"https://api.github.com/repos/marcelamelara/private-data-objects/forks","full_name":"marcelamelara/private-data-objects","git_commits_url":"https://api.github.com/repos/marcelamelara/private-data-objects/git/commits{/sha}","git_refs_url":"https://api.github.com/repos/marcelamelara/private-data-objects/git/refs{/sha}","git_tags_url":"https://api.github.com/repos/marcelamelara/private-data-objects/git/tags{/sha}","git_url":"git://github.com/marcelamelara/private-data-objects.git","has_discussions":false,"has_downloads":true,"has_issues":false,"has_pages":false,"has_projects":true,"has_wiki":true,"homepage":null,"hooks_url":"https://api.github.com/repos/marcelamelara/private-data-objects/hooks","html_url":"https://github.com/marcelamelara/private-data-objects","id":236592908,"is_template":false,"issue_comment_url":"https://api.github.com/repos/marcelamelara/private-data-objects/issues/comments{/number}","issue_events_url":"https://api.github.com/repos/marcelamelara/private-data-objects/issues/events{/number}","issues_url":"https://api.github.com/repos/marcelamelara/private-data-objects/issues{/number}","keys_url":"https://api.github.com/repos/marcelamelara/private-data-objects/keys{/key_id}","labels_url":"https://api.github.com/repos/marcelamelara/private-data-objects/labels{/name}","language":"C++","languages_url":"https://api.github.com/repos/marcelamelara/private-data-objects/languages","license":{"key":"apache-2.0","name":"Apache License 2.0","node_id":"MDc6TGljZW5zZTI=","spdx_id":"Apache-2.0","url":"https://api.github.com/licenses/apache-2.0"},"master_branch":"main","merges_url":"https://api.github.com/repos/marcelamelara/private-data-objects/merges","milestones_url":"https://api.github.com/repos/marcelamelara/private-data-objects/milestones{/number}","mirror_url":null,"name":"private-data-objects","node_id":"MDEwOlJlcG9zaXRvcnkyMzY1OTI5MDg=","notifications_url":"https://api.github.com/repos/marcelamelara/private-data-objects/notifications{?since,all,participating}","open_issues":0,"open_issues_count":0,"owner":{"avatar_url":"https://avatars.githubusercontent.com/u/93797898?v=4","email":"marcela.melara@intel.com","events_url":"https://api.github.com/users/marcelamelara/events{/privacy}","followers_url":"https://api.github.com/users/marcelamelara/followers","following_url":"https://api.github.com/users/marcelamelara/following{/other_user}","gists_url":"https://api.github.com/users/marcelamelara/gists{/gist_id}","gravatar_id":"","html_url":"https://github.com/marcelamelara","id":93797898,"login":"marcelamelara","name":"marcelamelara","node_id":"U_kgDOBZc-Cg","organizations_url":"https://api.github.com/users/marcelamelara/orgs","received_events_url":"https://api.github.com/users/marcelamelara/received_events","repos_url":"https://api.github.com/users/marcelamelara/repos","site_admin":false,"starred_url":"https://api.github.com/users/marcelamelara/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/marcelamelara/subscriptions","type":"User","url":"https://api.github.com/users/marcelamelara"},"private":false,"pulls_url":"https://api.github.com/repos/marcelamelara/private-data-objects/pulls{/number}","pushed_at":1691709763,"releases_url":"https://api.github.com/repos/marcelamelara/private-data-objects/releases{/id}","size":3391,"ssh_url":"git@github.com:marcelamelara/private-data-objects.git","stargazers":0,"stargazers_count":0,"stargazers_url":"https://api.github.com/repos/marcelamelara/private-data-objects/stargazers","statuses_url":"https://api.github.com/repos/marcelamelara/private-data-objects/statuses/{sha}","subscribers_url":"https://api.github.com/repos/marcelamelara/private-data-objects/subscribers","subscription_url":"https://api.github.com/repos/marcelamelara/private-data-objects/subscription","svn_url":"https://github.com/marcelamelara/private-data-objects","tags_url":"https://api.github.com/repos/marcelamelara/private-data-objects/tags","teams_url":"https://api.github.com/repos/marcelamelara/private-data-objects/teams","topics":[],"trees_url":"https://api.github.com/repos/marcelamelara/private-data-objects/git/trees{/sha}","updated_at":"2022-01-11T01:04:34Z","url":"https://github.com/marcelamelara/private-data-objects","visibility":"public","watchers":0,"watchers_count":0,"web_commit_signoff_required":false},"sender":{"avatar_url":"https://avatars.githubusercontent.com/u/93797898?v=4","events_url":"https://api.github.com/users/marcelamelara/events{/privacy}","followers_url":"https://api.github.com/users/marcelamelara/followers","following_url":"https://api.github.com/users/marcelamelara/following{/other_user}","gists_url":"https://api.github.com/users/marcelamelara/gists{/gist_id}","gravatar_id":"","html_url":"https://github.com/marcelamelara","id":93797898,"login":"marcelamelara","node_id":"U_kgDOBZc-Cg","organizations_url":"https://api.github.com/users/marcelamelara/orgs","received_events_url":"https://api.github.com/users/marcelamelara/received_events","repos_url":"https://api.github.com/users/marcelamelara/repos","site_admin":false,"starred_url":"https://api.github.com/users/marcelamelara/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/marcelamelara/subscriptions","type":"User","url":"https://api.github.com/users/marcelamelara"}},"github_head_ref":"","github_ref":"refs/heads/generate-swsc-build-metadata","github_ref_type":"branch","github_repository_id":"236592908","github_repository_owner":"marcelamelara","github_repository_owner_id":"93797898","github_run_attempt":"1","github_run_id":"5827089341","github_run_number":"6","github_sha1":"89ea53b883573c6295d8ee63ed7aa1e0d14c78e1"}},"metadata":{"buildInvocationID":"5827089341-1","completeness":{"parameters":true,"environment":false,"materials":false},"reproducible":false},"materials":[{"uri":"git+https://github.com/marcelamelara/private-data-objects@refs/heads/generate-swsc-build-metadata","digest":{"sha1":"89ea53b883573c6295d8ee63ed7aa1e0d14c78e1"}}]}} 2 | -------------------------------------------------------------------------------- /examples/hermetic-evidence/run-example.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright 2023 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | VENV_DIR="${VENVDIR:=../../scai-venv}" 7 | EXAMPLE_DIR=$( cd "$(dirname "${BASH_SOURCE[0]}")" ; pwd -P ) 8 | 9 | # ----------------------------------------------------------------- 10 | # Run HERMETIC build example 11 | # ----------------------------------------------------------------- 12 | 13 | mkdir -p ${EXAMPLE_DIR}/metadata 14 | 15 | source ${VENV_DIR}/scai-venv/bin/activate 16 | 17 | STRACE_LOG_URL="https://github.com/marcelamelara/private-data-objects/suites/15417726142/artifacts/880403398" 18 | 19 | echo GENERATE CONTAINER BUILD STRACE LOG DESCRIPTOR 20 | 21 | scai-gen-resource-desc -n "strace.log" -d -f strace.log -l ${STRACE_LOG_URL} -t text/plain -a ${EXAMPLE_DIR}/metadata/hermetic-annotation.json --resource-dir ${EXAMPLE_DIR}/metadata -o strace-log-desc.json --out-dir ${EXAMPLE_DIR}/metadata 22 | 23 | echo GENERATE IS_HERMETIC_BUILD SCAI ATTRIBUTE ASSERTION 24 | 25 | scai-attr-assertion -a "IsHermeticBuild" -t ${EXAMPLE_DIR}/../sbom+slsa/metadata/slsa-desc.json -e ${EXAMPLE_DIR}/metadata/strace-log-desc.json -o is-hermetic-assertion.json --out-dir ${EXAMPLE_DIR}/metadata --pretty-print 26 | 27 | echo GENERATE SCAI REPORT FOR HERMETIC BUILD REPORT 28 | 29 | scai-report -s container-img-desc.json --subject-dirs ${EXAMPLE_DIR}/../sbom+slsa/metadata -a is-hermetic-assertion.json --assertion-dir ${EXAMPLE_DIR}/metadata -o hermetic-build.scai.json --out-dir ${EXAMPLE_DIR}/metadata --pretty-print 30 | -------------------------------------------------------------------------------- /examples/hermetic-evidence/run-go-example.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright 2023 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | EXAMPLE_DIR=$( cd "$(dirname "${BASH_SOURCE[0]}")" ; pwd -P ) 7 | 8 | # ----------------------------------------------------------------- 9 | # Run HERMETIC build example 10 | # ----------------------------------------------------------------- 11 | 12 | OUTDIR=${EXAMPLE_DIR}/metadata 13 | mkdir -p ${OUTDIR} 14 | 15 | STRACE_LOG_URL="https://github.com/marcelamelara/private-data-objects/suites/15417726142/artifacts/880403398" 16 | 17 | echo GENERATE CONTAINER BUILD STRACE LOG DESCRIPTOR 18 | 19 | scai-gen rd file -n "strace.log" -l ${STRACE_LOG_URL} -t text/plain -a ${EXAMPLE_DIR}/metadata/hermetic-annotation.json -o ${OUTDIR}/strace-log-desc.json ${EXAMPLE_DIR}/metadata/strace.log 20 | 21 | echo GENERATE IS_HERMETIC_BUILD SCAI ATTRIBUTE ASSERTION 22 | 23 | scai-gen assert -t ${EXAMPLE_DIR}/../sbom+slsa/metadata/slsa-desc.json -e ${OUTDIR}/strace-log-desc.json -o ${OUTDIR}/is-hermetic-assertion.json "IsHermeticBuild" 24 | 25 | echo GENERATE SCAI REPORT FOR HERMETIC BUILD REPORT 26 | 27 | scai-gen report -s ${EXAMPLE_DIR}/../sbom+slsa/metadata/container-img-desc.json -o ${OUTDIR}/hermetic-build.scai.json ${OUTDIR}/is-hermetic-assertion.json 28 | 29 | echo GENERATE NON_HERMETIC_BUILD SCAI ATTRIBUTE ASSERTION 30 | 31 | scai-gen assert -t ${EXAMPLE_DIR}/../sbom+slsa/metadata/slsa-desc.json -e ${OUTDIR}/strace-log-desc.json -o ${OUTDIR}/non-hermetic-assertion.json "NonHermeticBuild" 32 | 33 | echo GENERATE SCAI REPORT FOR HERMETIC BUILD REPORT 34 | 35 | scai-gen report -s ${EXAMPLE_DIR}/../sbom+slsa/metadata/container-img-desc.json -o ${OUTDIR}/non-hermetic-build.scai.json ${OUTDIR}/non-hermetic-assertion.json 36 | -------------------------------------------------------------------------------- /examples/run-container-examples-e2e.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright 2023 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | echo RUN SCAI ATTESTATION GENERATION FOR PDO CLIENT CONTAINER EXAMPLE PIPELINE 7 | 8 | ./examples/sbom+slsa/run-go-example.sh 9 | ./examples/hermetic-evidence/run-go-example.sh 10 | 11 | echo CHECK PDO CLIENT CONTAINER IN-TOTO LAYOUT 12 | 13 | scai-gen check layout -l layouts/pdo_client_wawaka.yml examples/sbom+slsa/metadata/attestations/build.452e628a.json examples/sbom+slsa/metadata/attestations/evidence-collection.1f575092.json 14 | 15 | echo CHECK PDO CLIENT CONTAINER HERMETIC BUILD ASSERTION 16 | 17 | scai-gen check evidence -p policies/hermetic-evidence.yml -e examples/hermetic-evidence/metadata/ examples/hermetic-evidence/metadata/attestations/build.1f575092.json 18 | 19 | echo CHECK PDO CLIENT CONTAINER HAS-SLSA ASSERTION 20 | 21 | scai-gen check evidence -p policies/has-slsa.yml -e examples/sbom+slsa/metadata examples/sbom+slsa/metadata/attestations/evidence-collection.1f575092.json 22 | 23 | echo NEGATIVE TEST: CHECK BAD PDO CLIENT CONTAINER SCAI ASSERTION 24 | 25 | scai-gen check evidence -p policies/hermetic-evidence-fail.yml -e examples/hermetic-evidence/metadata/ examples/hermetic-evidence/metadata/attestations/bad-build.1f575092.json 26 | -------------------------------------------------------------------------------- /examples/sbom+slsa/README.md: -------------------------------------------------------------------------------- 1 | # SBOM + SLSA example 2 | 3 | This example shows how SCAI can be used to bind multiple pieces of metadata 4 | (in this case an SPDX SBOM and a SLSA Provenance attestation) to capture 5 | multiple attributes about an artifact's build process or supply chain. 6 | 7 | To showcase further integration with the SW supply chain ecosystem, the 8 | generated attestation in this example matches what an attestation to a [GUAC] 9 | [evidence trees] for an SBOM and SLSA Provenance information might be. 10 | 11 | The SPDX and SLSA Provenance files used in this example were generated using 12 | [this workflow]. 13 | 14 | ## Generated SCAI attestation 15 | 16 | ```jsonc 17 | { 18 | "_type": "https://in-toto.io/Statement/v1", 19 | "subject": [ 20 | { 21 | "name": "pdo_client_wawaka", 22 | "digest": { 23 | "sha256": "9b151e8b47a372bb686a441349d981ebf38951d70c4e7bf4669672651da7d33e" 24 | } 25 | } 26 | ], 27 | "predicateType": "https://in-toto.io/attestation/scai/attribute-report/v0.2", 28 | "predicate": { 29 | "attributes": [ 30 | { 31 | "attribute": "HasSBOM", 32 | "evidence": { 33 | "mediaType": "application/spdx+json", 34 | "digest": { 35 | "sha256": "911d4365b61ba7ace55f7333b2c638caca4b811ee73da5beb28b9ecbbd22ca78" 36 | }, 37 | "downloadLocation": "https://github.com/marcelamelara/private-data-objects/suites/14359811861/artifacts/808758122" 38 | } 39 | }, 40 | { 41 | "attribute": "HasSLSA", 42 | "evidence": { 43 | "mediaType": "application/x.dsse+jsonl", 44 | "digest": { 45 | "sha256": "ea4d1e56e739f26a451c095b9fb40a353b3e73ea1778fdddafe13562e81bd745" 46 | }, 47 | "downloadLocation": "https://github.com/marcelamelara/private-data-objects/suites/14359811861/artifacts/808758121" 48 | } 49 | } 50 | ] 51 | } 52 | } 53 | ``` 54 | 55 | [GUAC]: https://github.com/guacsec/guac 56 | [evidence trees]: https://docs.guac.sh/graphql/#the-guac-evidence-trees 57 | [this workflow]: https://github.com/marcelamelara/private-data-objects/blob/generate-swsc-build-metadata/.github/workflows/ci-swsc.yaml 58 | -------------------------------------------------------------------------------- /examples/sbom+slsa/metadata/attestations/evidence-collection.1f575092.json: -------------------------------------------------------------------------------- 1 | {"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoicGRvX2NsaWVudF93YXdha2EiLCJkaWdlc3QiOnsic2hhMjU2IjoiOWZiN2VmNTUyMjk4ZjhmYmFkODQ2MDRkMDYxMDBlNzYwYjdiOGM0Y2I0ZDZjNGI3Mjc4NjVmMWYyODVkMDZhYyJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL2luLXRvdG8uaW8vYXR0ZXN0YXRpb24vc2NhaS9hdHRyaWJ1dGUtcmVwb3J0L3YwLjIiLCJwcmVkaWNhdGUiOnsiYXR0cmlidXRlcyI6W3siYXR0cmlidXRlIjoiSGFzU0JPTSIsImV2aWRlbmNlIjp7ImRpZ2VzdCI6eyJzaGEyNTYiOiJkOTVjMjAyZTBlNDAyMTQ0ZDYzNjM4MGU5ODJlYWZmNTRiZTU1OWI1NTU5OGZkMTgwNzFlOTZkNmYzYTdlYjAzIn0sImRvd25sb2FkTG9jYXRpb24iOiJodHRwczovL2dpdGh1Yi5jb20vbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9zdWl0ZXMvMTU0MTc3MjYxNDIvYXJ0aWZhY3RzLzg4MDQwMzM5NSIsIm1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3NwZHgranNvbiIsIm5hbWUiOiJwZG9fY2xpZW50X3dhd2FrYS5zcGR4Lmpzb24ifX0seyJhdHRyaWJ1dGUiOiJIYXNTTFNBIiwiZXZpZGVuY2UiOnsiZGlnZXN0Ijp7InNoYTI1NiI6Ijk0ZDE4NzE2ZWU0NDEyMTc1YzVkOWRhMWNlNTA5NDcxNTNlMDljNDc2MmY5MDQ0YWY2ZjJkNjgyOGIxMmZlNWIifSwiZG93bmxvYWRMb2NhdGlvbiI6Imh0dHBzOi8vZ2l0aHViLmNvbS9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL3N1aXRlcy8xNTQxNzcyNjE0Mi9hcnRpZmFjdHMvODgwNDAzMzkyL3Bkb19jbGllbnRfd2F3YWthLnNsc2EuaW50b3RvLmpzb25sIiwibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8rZHNzZSIsIm5hbWUiOiJidWlsZC40NTJlNjI4YS5qc29uIn19XX19","signatures":[{"keyid":"1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6","sig":"W5terKjmGajjJLl1mXNgPzIamE0omBDUkXzmrAVZMI51FTvv2a4ixCRAMSvT8qxcs/ZvqMXxMGQV5RR2x1aF1JkBLSP9nY7mQLcl7GYJ6E+KltLMgO3Bw9b4vXDp/JZ1y8Dby+rUEt0umehFJYj0Yl8/ndhWVK6QNMzrCDghK8TdZ8N1+HhyxewOYdP2i+yrM0Ll0Q0DiXO4r5SPGgGTY6BWe5Sjc2HNrt+J6fJcnXpvfCBlTAuG0pGNDbIS9jtimsh+AKAlpdcgJUPGpL3baTRW/1liyzVmtJtIrTl1kDDm/rzKmFi/OaMS6Vwm4RkaEkXaLPYpzz6pBaCHm8JxNJVjijtoTrNyuhEyHuvZW3o/p9/TmW9O6kyDc8Sybk5S8iWca0N3sLAfIsQw4968PHo4p7jf/bWWPFhSag2nIz4fKdiLXSzaDvxKtuuMfa6BG15j45Nwqq6qcKf2ZssYP4sjyuzYcJe912HFPPo8ZasQmFBcuBMhpu7NHU6yP/19"}]} -------------------------------------------------------------------------------- /examples/sbom+slsa/metadata/container-img-desc.json: -------------------------------------------------------------------------------- 1 | {"name": "pdo_client_wawaka", "digest": {"sha256": "9fb7ef552298f8fbad84604d06100e760b7b8c4cb4d6c4b727865f1f285d06ac"}} 2 | -------------------------------------------------------------------------------- /examples/sbom+slsa/metadata/evidence-collection.scai.json: -------------------------------------------------------------------------------- 1 | {"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"pdo_client_wawaka","digest":{"sha256":"9fb7ef552298f8fbad84604d06100e760b7b8c4cb4d6c4b727865f1f285d06ac"}}],"predicateType":"https://in-toto.io/attestation/scai/attribute-report/v0.2","predicate":{"attributes":[{"attribute":"HasSBOM","evidence":{"digest":{"sha256":"d95c202e0e402144d636380e982eaff54be559b55598fd18071e96d6f3a7eb03"},"downloadLocation":"https://github.com/marcelamelara/private-data-objects/suites/15417726142/artifacts/880403395","mediaType":"application/spdx+json","name":"pdo_client_wawaka.spdx.json"}},{"attribute":"HasSLSA","evidence":{"digest":{"sha256":"94d18716ee4412175c5d9da1ce50947153e09c4762f9044af6f2d6828b12fe5b"},"downloadLocation":"https://github.com/marcelamelara/private-data-objects/suites/15417726142/artifacts/880403392/pdo_client_wawaka.slsa.intoto.jsonl","mediaType":"application/vnd.in-toto+dsse","name":"build.452e628a.json"}}]}} -------------------------------------------------------------------------------- /examples/sbom+slsa/metadata/has-sbom-assertion.json: -------------------------------------------------------------------------------- 1 | {"attribute":"HasSBOM","evidence":{"name":"pdo_client_wawaka.spdx.json","digest":{"sha256":"d95c202e0e402144d636380e982eaff54be559b55598fd18071e96d6f3a7eb03"},"downloadLocation":"https://github.com/marcelamelara/private-data-objects/suites/15417726142/artifacts/880403395","mediaType":"application/spdx+json"}} -------------------------------------------------------------------------------- /examples/sbom+slsa/metadata/has-slsa-assertion.json: -------------------------------------------------------------------------------- 1 | {"attribute":"HasSLSA","evidence":{"name":"build.452e628a.json","digest":{"sha256":"94d18716ee4412175c5d9da1ce50947153e09c4762f9044af6f2d6828b12fe5b"},"downloadLocation":"https://github.com/marcelamelara/private-data-objects/suites/15417726142/artifacts/880403392/pdo_client_wawaka.slsa.intoto.jsonl","mediaType":"application/vnd.in-toto+dsse"}} -------------------------------------------------------------------------------- /examples/sbom+slsa/metadata/pdo_client_wawaka.provenance.json: -------------------------------------------------------------------------------- 1 | {"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2","subject":[{"name":"pdo_client_wawaka","digest":{"sha256":"9fb7ef552298f8fbad84604d06100e760b7b8c4cb4d6c4b727865f1f285d06ac"}}],"predicate":{"builder":{"id":"https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.7.0"},"buildType":"https://github.com/slsa-framework/slsa-github-generator/generic@v1","invocation":{"configSource":{"uri":"git+https://github.com/marcelamelara/private-data-objects@refs/heads/generate-swsc-build-metadata","digest":{"sha1":"87b74378e8c9ccf335a27ffcdc16636990254e1e"},"entryPoint":".github/workflows/ci-swsc.yaml"},"parameters":{},"environment":{"github_actor":"marcelamelara","github_actor_id":"93797898","github_base_ref":"","github_event_name":"push","github_event_payload":{"after":"87b74378e8c9ccf335a27ffcdc16636990254e1e","base_ref":null,"before":"89ea53b883573c6295d8ee63ed7aa1e0d14c78e1","commits":[{"author":{"email":"marcela.melara@intel.com","name":"Marcela Melara","username":"marcelamelara"},"committer":{"email":"marcela.melara@intel.com","name":"Marcela Melara","username":"marcelamelara"},"distinct":true,"id":"87b74378e8c9ccf335a27ffcdc16636990254e1e","message":"Merge swsc metadata workflows\n\nSigned-off-by: Marcela Melara \u003cmarcela.melara@intel.com\u003e","timestamp":"2023-08-23T16:55:20-07:00","tree_id":"34699a554210ff93fc860f70e4a183e664b3725e","url":"https://github.com/marcelamelara/private-data-objects/commit/87b74378e8c9ccf335a27ffcdc16636990254e1e"}],"compare":"https://github.com/marcelamelara/private-data-objects/compare/89ea53b88357...87b74378e8c9","created":false,"deleted":false,"forced":false,"head_commit":{"author":{"email":"marcela.melara@intel.com","name":"Marcela Melara","username":"marcelamelara"},"committer":{"email":"marcela.melara@intel.com","name":"Marcela Melara","username":"marcelamelara"},"distinct":true,"id":"87b74378e8c9ccf335a27ffcdc16636990254e1e","message":"Merge swsc metadata workflows\n\nSigned-off-by: Marcela Melara \u003cmarcela.melara@intel.com\u003e","timestamp":"2023-08-23T16:55:20-07:00","tree_id":"34699a554210ff93fc860f70e4a183e664b3725e","url":"https://github.com/marcelamelara/private-data-objects/commit/87b74378e8c9ccf335a27ffcdc16636990254e1e"},"pusher":{"email":"marcela.melara@intel.com","name":"marcelamelara"},"ref":"refs/heads/generate-swsc-build-metadata","repository":{"allow_forking":true,"archive_url":"https://api.github.com/repos/marcelamelara/private-data-objects/{archive_format}{/ref}","archived":false,"assignees_url":"https://api.github.com/repos/marcelamelara/private-data-objects/assignees{/user}","blobs_url":"https://api.github.com/repos/marcelamelara/private-data-objects/git/blobs{/sha}","branches_url":"https://api.github.com/repos/marcelamelara/private-data-objects/branches{/branch}","clone_url":"https://github.com/marcelamelara/private-data-objects.git","collaborators_url":"https://api.github.com/repos/marcelamelara/private-data-objects/collaborators{/collaborator}","comments_url":"https://api.github.com/repos/marcelamelara/private-data-objects/comments{/number}","commits_url":"https://api.github.com/repos/marcelamelara/private-data-objects/commits{/sha}","compare_url":"https://api.github.com/repos/marcelamelara/private-data-objects/compare/{base}...{head}","contents_url":"https://api.github.com/repos/marcelamelara/private-data-objects/contents/{+path}","contributors_url":"https://api.github.com/repos/marcelamelara/private-data-objects/contributors","created_at":1580158534,"default_branch":"main","deployments_url":"https://api.github.com/repos/marcelamelara/private-data-objects/deployments","description":"The Private Data Objects lab provides technology for confidentiality-preserving, off-chain smart contracts.","disabled":false,"downloads_url":"https://api.github.com/repos/marcelamelara/private-data-objects/downloads","events_url":"https://api.github.com/repos/marcelamelara/private-data-objects/events","fork":true,"forks":1,"forks_count":1,"forks_url":"https://api.github.com/repos/marcelamelara/private-data-objects/forks","full_name":"marcelamelara/private-data-objects","git_commits_url":"https://api.github.com/repos/marcelamelara/private-data-objects/git/commits{/sha}","git_refs_url":"https://api.github.com/repos/marcelamelara/private-data-objects/git/refs{/sha}","git_tags_url":"https://api.github.com/repos/marcelamelara/private-data-objects/git/tags{/sha}","git_url":"git://github.com/marcelamelara/private-data-objects.git","has_discussions":false,"has_downloads":true,"has_issues":false,"has_pages":false,"has_projects":true,"has_wiki":true,"homepage":null,"hooks_url":"https://api.github.com/repos/marcelamelara/private-data-objects/hooks","html_url":"https://github.com/marcelamelara/private-data-objects","id":236592908,"is_template":false,"issue_comment_url":"https://api.github.com/repos/marcelamelara/private-data-objects/issues/comments{/number}","issue_events_url":"https://api.github.com/repos/marcelamelara/private-data-objects/issues/events{/number}","issues_url":"https://api.github.com/repos/marcelamelara/private-data-objects/issues{/number}","keys_url":"https://api.github.com/repos/marcelamelara/private-data-objects/keys{/key_id}","labels_url":"https://api.github.com/repos/marcelamelara/private-data-objects/labels{/name}","language":"C++","languages_url":"https://api.github.com/repos/marcelamelara/private-data-objects/languages","license":{"key":"apache-2.0","name":"Apache License 2.0","node_id":"MDc6TGljZW5zZTI=","spdx_id":"Apache-2.0","url":"https://api.github.com/licenses/apache-2.0"},"master_branch":"main","merges_url":"https://api.github.com/repos/marcelamelara/private-data-objects/merges","milestones_url":"https://api.github.com/repos/marcelamelara/private-data-objects/milestones{/number}","mirror_url":null,"name":"private-data-objects","node_id":"MDEwOlJlcG9zaXRvcnkyMzY1OTI5MDg=","notifications_url":"https://api.github.com/repos/marcelamelara/private-data-objects/notifications{?since,all,participating}","open_issues":0,"open_issues_count":0,"owner":{"avatar_url":"https://avatars.githubusercontent.com/u/93797898?v=4","email":"marcela.melara@intel.com","events_url":"https://api.github.com/users/marcelamelara/events{/privacy}","followers_url":"https://api.github.com/users/marcelamelara/followers","following_url":"https://api.github.com/users/marcelamelara/following{/other_user}","gists_url":"https://api.github.com/users/marcelamelara/gists{/gist_id}","gravatar_id":"","html_url":"https://github.com/marcelamelara","id":93797898,"login":"marcelamelara","name":"marcelamelara","node_id":"U_kgDOBZc-Cg","organizations_url":"https://api.github.com/users/marcelamelara/orgs","received_events_url":"https://api.github.com/users/marcelamelara/received_events","repos_url":"https://api.github.com/users/marcelamelara/repos","site_admin":false,"starred_url":"https://api.github.com/users/marcelamelara/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/marcelamelara/subscriptions","type":"User","url":"https://api.github.com/users/marcelamelara"},"private":false,"pulls_url":"https://api.github.com/repos/marcelamelara/private-data-objects/pulls{/number}","pushed_at":1692834923,"releases_url":"https://api.github.com/repos/marcelamelara/private-data-objects/releases{/id}","size":3436,"ssh_url":"git@github.com:marcelamelara/private-data-objects.git","stargazers":0,"stargazers_count":0,"stargazers_url":"https://api.github.com/repos/marcelamelara/private-data-objects/stargazers","statuses_url":"https://api.github.com/repos/marcelamelara/private-data-objects/statuses/{sha}","subscribers_url":"https://api.github.com/repos/marcelamelara/private-data-objects/subscribers","subscription_url":"https://api.github.com/repos/marcelamelara/private-data-objects/subscription","svn_url":"https://github.com/marcelamelara/private-data-objects","tags_url":"https://api.github.com/repos/marcelamelara/private-data-objects/tags","teams_url":"https://api.github.com/repos/marcelamelara/private-data-objects/teams","topics":[],"trees_url":"https://api.github.com/repos/marcelamelara/private-data-objects/git/trees{/sha}","updated_at":"2022-01-11T01:04:34Z","url":"https://github.com/marcelamelara/private-data-objects","visibility":"public","watchers":0,"watchers_count":0,"web_commit_signoff_required":false},"sender":{"avatar_url":"https://avatars.githubusercontent.com/u/93797898?v=4","events_url":"https://api.github.com/users/marcelamelara/events{/privacy}","followers_url":"https://api.github.com/users/marcelamelara/followers","following_url":"https://api.github.com/users/marcelamelara/following{/other_user}","gists_url":"https://api.github.com/users/marcelamelara/gists{/gist_id}","gravatar_id":"","html_url":"https://github.com/marcelamelara","id":93797898,"login":"marcelamelara","node_id":"U_kgDOBZc-Cg","organizations_url":"https://api.github.com/users/marcelamelara/orgs","received_events_url":"https://api.github.com/users/marcelamelara/received_events","repos_url":"https://api.github.com/users/marcelamelara/repos","site_admin":false,"starred_url":"https://api.github.com/users/marcelamelara/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/marcelamelara/subscriptions","type":"User","url":"https://api.github.com/users/marcelamelara"}},"github_head_ref":"","github_ref":"refs/heads/generate-swsc-build-metadata","github_ref_type":"branch","github_repository_id":"236592908","github_repository_owner":"marcelamelara","github_repository_owner_id":"93797898","github_run_attempt":"1","github_run_id":"5957672580","github_run_number":"10","github_sha1":"87b74378e8c9ccf335a27ffcdc16636990254e1e"}},"metadata":{"buildInvocationID":"5957672580-1","completeness":{"parameters":true,"environment":false,"materials":false},"reproducible":false},"materials":[{"uri":"git+https://github.com/marcelamelara/private-data-objects@refs/heads/generate-swsc-build-metadata","digest":{"sha1":"87b74378e8c9ccf335a27ffcdc16636990254e1e"}}]}} 2 | -------------------------------------------------------------------------------- /examples/sbom+slsa/metadata/provenance-annotation.json: -------------------------------------------------------------------------------- 1 | {"warning": "For demo purposes only. Provenance does not match hello-world subject"} 2 | -------------------------------------------------------------------------------- /examples/sbom+slsa/run-example.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright 2023 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | VENV_DIR="${VENVDIR:=../../scai-venv}" 7 | EXAMPLE_DIR=$( cd "$(dirname "${BASH_SOURCE[0]}")" ; pwd -P ) 8 | 9 | # ----------------------------------------------------------------- 10 | # Run SBOM and SLSA evidence collection example 11 | # ----------------------------------------------------------------- 12 | 13 | mkdir -p ${EXAMPLE_DIR}/metadata 14 | 15 | source ${VENV_DIR}/bin/activate 16 | 17 | SBOM_URL="https://github.com/marcelamelara/private-data-objects/suites/15417726142/artifacts/880403395" 18 | 19 | PROVENANCE_URL="https://github.com/marcelamelara/private-data-objects/suites/15417726142/artifacts/880403392/pdo_client_wawaka.slsa.intoto.jsonl" 20 | 21 | echo GENERATE PDO CLIENT CONTAINER SBOM DESCRIPTOR 22 | 23 | scai-gen-resource-desc -n "pdo_client_wawaka.spdx.json" -d -f pdo_client_wawaka.spdx.json -l ${SBOM_URL} -t application/spdx+json --resource-dir ${EXAMPLE_DIR}/metadata -o sbom-desc.json --out-dir ${EXAMPLE_DIR}/metadata 24 | 25 | echo GENERATE PDO CLIENT CONTAINER SLSA PROVENANCE DESCRIPTOR 26 | 27 | scai-gen-resource-desc -n "build.452e628a.json" -d -f build.452e628a.json -l ${PROVENANCE_URL} -t application/vnd.in-toto.provenance+dsse --resource-dir ${EXAMPLE_DIR}/metadata/attestations -o slsa-desc.json --out-dir ${EXAMPLE_DIR}/metadata 28 | 29 | echo GENERATE HAS-SBOM SCAI ATTRIBUTE ASSERTION 30 | 31 | scai-attr-assertion -a "HasSBOM" -e ${EXAMPLE_DIR}/metadata/sbom-desc.json -o has-sbom-assertion.json --out-dir ${EXAMPLE_DIR}/metadata --pretty-print 32 | 33 | echo GENERATE HAS-SLSA SCAI ATTRIBUTE ASSERTION 34 | 35 | scai-attr-assertion -a "HasSLSA" -e ${EXAMPLE_DIR}/metadata/slsa-desc.json -o has-slsa-assertion.json --out-dir ${EXAMPLE_DIR}/metadata --pretty-print 36 | 37 | echo GENERATE SCAI REPORT FOR CONTAINER EVIDENCE COLLECTION 38 | 39 | scai-report -s container-img-desc.json --subject-dirs ${EXAMPLE_DIR}/metadata -a has-sbom-assertion.json has-slsa-assertion.json --assertion-dir ${EXAMPLE_DIR}/metadata -o evidence-collection.scai.json --out-dir ${EXAMPLE_DIR}/metadata --pretty-print 40 | -------------------------------------------------------------------------------- /examples/sbom+slsa/run-go-example.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright 2023 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | EXAMPLE_DIR=$( cd "$(dirname "${BASH_SOURCE[0]}")" ; pwd -P ) 7 | 8 | # ----------------------------------------------------------------- 9 | # Run SBOM and SLSA evidence collection example 10 | # ----------------------------------------------------------------- 11 | 12 | OUTDIR=${EXAMPLE_DIR}/metadata 13 | mkdir -p ${OUTDIR} 14 | 15 | SBOM_URL="https://github.com/marcelamelara/private-data-objects/suites/15417726142/artifacts/880403395" 16 | 17 | PROVENANCE_URL="https://github.com/marcelamelara/private-data-objects/suites/15417726142/artifacts/880403392/pdo_client_wawaka.slsa.intoto.jsonl" 18 | 19 | echo GENERATE PDO CLIENT CONTAINER SBOM DESCRIPTOR 20 | 21 | scai-gen rd file -n "pdo_client_wawaka.spdx.json" -l ${SBOM_URL} -t application/spdx+json -o ${OUTDIR}/sbom-desc.json ${EXAMPLE_DIR}/metadata/pdo_client_wawaka.spdx.json 22 | 23 | echo GENERATE PDO CLIENT CONTAINER SLSA PROVENANCE DESCRIPTOR 24 | 25 | scai-gen rd file -n "build.452e628a.json" -l ${PROVENANCE_URL} -t application/vnd.in-toto+dsse -o ${OUTDIR}/slsa-desc.json ${EXAMPLE_DIR}/metadata/attestations/build.452e628a.json 26 | 27 | echo GENERATE HAS-SBOM SCAI ATTRIBUTE ASSERTION 28 | 29 | scai-gen assert -e ${OUTDIR}/sbom-desc.json -o ${OUTDIR}/has-sbom-assertion.json "HasSBOM" 30 | 31 | echo GENERATE HAS-SLSA SCAI ATTRIBUTE ASSERTION 32 | 33 | scai-gen assert -e ${OUTDIR}/slsa-desc.json -o ${OUTDIR}/has-slsa-assertion.json "HasSLSA" 34 | 35 | echo GENERATE SCAI REPORT FOR CONTAINER EVIDENCE COLLECTION 36 | 37 | scai-gen report -s ${EXAMPLE_DIR}/metadata/container-img-desc.json -o ${OUTDIR}/evidence-collection.scai.json ${OUTDIR}/has-sbom-assertion.json ${OUTDIR}/has-slsa-assertion.json 38 | -------------------------------------------------------------------------------- /examples/secure-boot/README.md: -------------------------------------------------------------------------------- 1 | # Secure boot-attested builder example 2 | 3 | This example shows how to expose a hardware platform attestation for a SW 4 | supply chain component, like a build system. Using TPM 2.0-based secure boot 5 | as an example, this proof of concept demonstrates a way for both build service 6 | providers and their users to check the integrity of the build system itself. 7 | 8 | For consistency in language and standards conformance, this example uses 9 | terminology and concepts from the IETF [RATS] (RFC 9334) rfc standard. 10 | 11 | ## Attestation flow 12 | 13 | To use secure boot attestations to check build system integrity, a two-stage 14 | attetation process is required. First, a good-known reference value for the 15 | state of the build platform is needed, against which the secure boot 16 | attestation (i.e., the evidence) can be later compared. In this example, we 17 | first generate such a TPM reference value attestation. 18 | 19 | ### TPM reference value SCAI attestation 20 | 21 | ```jsonc 22 | { 23 | "_type": "https://in-toto.io/Statement/v1", 24 | "subject": [ 25 | { 26 | "digest": { 27 | "sha256": "7f13e3ce0c34086f3a4e4aaccab8b42eddd0a8e8aa5efe817905f93522e17739" 28 | }, 29 | "content": "eyJoYXNfc2VjdXJlYm9vdCI6IHRydWUsICJzY3J0b...", 30 | "mediaType": "application/json" 31 | } 32 | ], 33 | "predicateType": "https://in-toto.io/attestation/scai/attribute-report/v0.2", 34 | "predicate": { 35 | "attributes": [ 36 | { 37 | "attribute": "TPM2.0_REFERENCE_STATE", 38 | "target": { 39 | "name": "localhost", 40 | "uri": "http://127.0.0.1" 41 | } 42 | } 43 | ] 44 | } 45 | } 46 | ``` 47 | 48 | In this case, this TPM reference value (obtained using the [Keylime] 49 | framework for TPM 2.0 attestation) is itself the subject artifact of the 50 | attestation. The second stage of build system integrity checking then 51 | requires the secure boot quote, which together with the reference value can 52 | be used to check that the build system used to build binary (such as 53 | hello-world) has tamper-evident properties. 54 | 55 | ### Build platform attestation 56 | 57 | ```jsonc 58 | { 59 | "_type": "https://in-toto.io/Statement/v1", 60 | "subject": [ 61 | { 62 | "name": "hello-world", 63 | "digest": { 64 | "sha256": "4ad979bf2f60aa07011b974094a415e05d238d7507f8c65568a76c6c291a6b62" 65 | } 66 | } 67 | ], 68 | "predicateType": "https://in-toto.io/attestation/scai/attribute-report/v0.2", 69 | "predicate": { 70 | "attributes": [ 71 | { 72 | "attribute": "TAMPER-EVIDENT BUILD PLATFORM", 73 | "target": { 74 | "uri": "http://127.0.0.1", 75 | "name": "localhost" 76 | }, 77 | "evidence": { 78 | "name": "secure boot quote", 79 | "digest": { 80 | "sha256": "0dc21d96a4f6f86f015b498f979bb1ce0daa1cc19903d9d1109a0ef4819f6acd" 81 | }, 82 | "mediaType": "application/json" 83 | } 84 | } 85 | ] 86 | } 87 | } 88 | ``` 89 | 90 | For this second stage of build system attestation, the secure boot quote 91 | provided by the TPM is the evidence for the tamper-evidence claim. 92 | A relying party seeking to validate the build system for the hello-world 93 | binary would then require both the TPM reference value and secure boot quote 94 | attestations. 95 | 96 | [Keylime]: https://keylime.dev/ 97 | [RATS]: https://datatracker.ietf.org/doc/rfc9334/ 98 | -------------------------------------------------------------------------------- /examples/secure-boot/metadata/keylime_quote.json: -------------------------------------------------------------------------------- 1 | {'quote': 'r/1RDR4AYACIACw45UI2QtNKVI5OK8ZlCnxzbFe1FctSkMWRdM8J2UhSKABR6ek03cWxpT1pvZEdMN1hVZkdaZQAAAAAN3co+AAAACAAAAAEBAfQABQA8CGwAAAABAAsDAAABACBZjcpLwX3SE+b4XxuAIEIXe7/vYUNwlqs9cRyf8nz5JA==:ABQACwEAEMxchUKQGprZNY/a//ECrxYmwHvQNrVKdlr9RvBlLlL4B1WgBKKzVEQo7gm41QtT+onHPL2pk5L9rIx24fSb9Wp4uufIqQM4Fe6KRPY+uTdPl3oTub+f3o1bktlK5eJp4+tX/jqYLvkmVDtZqWIzsr/NeCbtC6RRspdfnjqlgCbNhRx7x16A1y5pciVGKhVfTE5FP7wkv/ZcbbdyQFj2FWwLZtwm/stk5fy1AOgBXC4Q5iJopI+kxeGl9cel0zTqObVwb/cU13xgCxWAesrhfHvbzA/m4tPWyhxFFJM5PXoTE4sPlC3QtgR7+R7ogtFM4CnRr1q0uJGht5Sr5XVsyg==:AQAAAAsAAwAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAEAAAAgADkKM238lB/orqWcNLoau59XyI0TuOgYbQeDkkVyYwsEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=', 'hash_alg': 'sha256', 'enc_alg': 'rsa', 'sign_alg': 'rsassa', 'pubkey': '-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxvmyPlzFUx/1r9Qe45PG\nqC8W1F6sra26qHS39gACCcjja6kjYHXcXgGXM6gipNR2xteuwU97U9ajmyGXn7GS\nHsvIllp+Y9RnKCgzgaD7a/cG51clhBdGpG6SxSal+urUPz4qMf/veKXak82NiBhe\n+1yufq6TrUKFOA6L52cXDjGrji4GpgjEow0N2ZGrQAEr0kttR7AdXmXX0Ys+wrDG\nuYxRDfkHREEnTNkB+6PIdUXlxV7xnbpd7e4nWvwMkAIHi6t+iVwXdA4C+4aW54fo\no8tPtADIOv2/hvROtCo7g/ukg4pyO2+yomCbZVgTFVlYdJbhtE000iCbxOcC+Dvs\nowIDAQAB\n-----END PUBLIC KEY-----\n'} 2 | -------------------------------------------------------------------------------- /examples/secure-boot/metadata/mb-refstate-assertion.json: -------------------------------------------------------------------------------- 1 | { 2 | "attribute": "TPM2.0_REFERENCE_STATE", 3 | "target": { 4 | "name": "localhost", 5 | "uri": "http://127.0.0.1" 6 | } 7 | } -------------------------------------------------------------------------------- /examples/secure-boot/metadata/secure-boot-assertion.json: -------------------------------------------------------------------------------- 1 | { 2 | "attribute": "TAMPER-EVIDENT BUILD PLATFORM", 3 | "target": { 4 | "name": "localhost", 5 | "uri": "http://127.0.0.1" 6 | }, 7 | "evidence": { 8 | "name": "secure boot quote", 9 | "digest": { 10 | "sha256": "0dc21d96a4f6f86f015b498f979bb1ce0daa1cc19903d9d1109a0ef4819f6acd" 11 | }, 12 | "mediaType": "application/json" 13 | } 14 | } -------------------------------------------------------------------------------- /examples/secure-boot/metadata/secure-boot.scai.json: -------------------------------------------------------------------------------- 1 | { 2 | "_type": "https://in-toto.io/Statement/v1", 3 | "subject": [ 4 | { 5 | "name": "hello-world", 6 | "digest": { 7 | "sha256": "4ad979bf2f60aa07011b974094a415e05d238d7507f8c65568a76c6c291a6b62" 8 | } 9 | } 10 | ], 11 | "predicateType": "https://in-toto.io/attestation/scai/attribute-report/v0.2", 12 | "predicate": { 13 | "attributes": [ 14 | { 15 | "target": { 16 | "uri": "http://127.0.0.1", 17 | "name": "localhost" 18 | }, 19 | "evidence": { 20 | "mediaType": "application/json", 21 | "digest": { 22 | "sha256": "0dc21d96a4f6f86f015b498f979bb1ce0daa1cc19903d9d1109a0ef4819f6acd" 23 | }, 24 | "name": "secure boot quote" 25 | }, 26 | "attribute": "TAMPER-EVIDENT BUILD PLATFORM" 27 | } 28 | ] 29 | } 30 | } -------------------------------------------------------------------------------- /examples/secure-boot/metadata/tpm-quote-desc.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "secure boot quote", 3 | "digest": { 4 | "sha256": "0dc21d96a4f6f86f015b498f979bb1ce0daa1cc19903d9d1109a0ef4819f6acd" 5 | }, 6 | "mediaType": "application/json" 7 | } -------------------------------------------------------------------------------- /examples/secure-boot/run-example.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright 2023 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | VENV_DIR="${VENVDIR:=../../scai-venv}" 7 | EXAMPLE_DIR=$( cd "$(dirname "${BASH_SOURCE[0]}")" ; pwd -P ) 8 | 9 | # ----------------------------------------------------------------- 10 | echo "Run TPM2.0 secure boot attestation example" 11 | # ----------------------------------------------------------------- 12 | 13 | mkdir -p ${EXAMPLE_DIR}/metadata 14 | 15 | source ${VENV_DIR}/bin/activate 16 | 17 | echo GENERATE LOCALHOST DESCRIPTOR 18 | 19 | scai-gen-resource-desc -n "localhost" -u "http://127.0.0.1" -o localhost-desc.json --out-dir ${EXAMPLE_DIR}/metadata 20 | 21 | echo GENERATE MEASURED BOOT REFERENCE STATE DESCRIPTOR 22 | 23 | scai-gen-resource-desc -d -c -f measured_boot_reference_state.json -t application/json --resource-dir ${EXAMPLE_DIR}/metadata -o mb-refstate-desc.json --out-dir ${EXAMPLE_DIR}/metadata 24 | 25 | echo GENERATE MEASURED BOOT REF STATE SCAI ATTRIBUTE ASSERTION 26 | 27 | scai-attr-assertion -a "TPM2.0_REFERENCE_STATE" -t localhost-desc.json -o mb-refstate-assertion.json --out-dir ${EXAMPLE_DIR}/metadata --target-dir ${EXAMPLE_DIR}/metadata --pretty-print 28 | 29 | echo GENERATE SCAI REPORT FOR TPM REFERENCE VALUE CLAIM 30 | 31 | scai-report -s mb-refstate-desc.json --subject-dirs ${EXAMPLE_DIR}/metadata -a mb-refstate-assertion.json --assertion-dir ${EXAMPLE_DIR}/metadata -o tpm-ref-value.scai.json --out-dir ${EXAMPLE_DIR}/metadata --pretty-print 32 | 33 | echo RUN LOCAL GCC BUILD 34 | 35 | gcc -fstack-protector -o ${EXAMPLE_DIR}/../gcc-helloworld/hello-world ${EXAMPLE_DIR}/../gcc-helloworld/hello-world.c 36 | 37 | echo GENERATE HELLO-WORLD DESCRIPTOR 38 | 39 | scai-gen-resource-desc -n hello-world -d -f hello-world --resource-dir ${EXAMPLE_DIR}/../gcc-helloworld -o hello-world-desc.json --out-dir ${EXAMPLE_DIR}/metadata 40 | 41 | echo GENERATE TPM QUOTE DESCRIPTOR 42 | 43 | scai-gen-resource-desc -n "secure boot quote" -d -f keylime_quote.json -t application/json --resource-dir ${EXAMPLE_DIR}/metadata -o tpm-quote-desc.json --out-dir ${EXAMPLE_DIR}/metadata 44 | 45 | echo GENERATE SECURE BOOT SCAI ATTRIBUTE ASSERTION 46 | 47 | scai-attr-assertion -a "TAMPER-EVIDENT BUILD PLATFORM" -e ${EXAMPLE_DIR}/metadata/tpm-quote-desc.json -t ${EXAMPLE_DIR}/metadata/localhost-desc.json -o secure-boot-assertion.json --out-dir ${EXAMPLE_DIR}/metadata --pretty-print 48 | 49 | echo GENERATE SCAI REPORT FOR BUILD WITH SECURE BOOT ATTESTATION 50 | 51 | scai-report -s hello-world-desc.json --subject-dirs ${EXAMPLE_DIR}/metadata -a secure-boot-assertion.json --assertion-dir ${EXAMPLE_DIR}/metadata -o secure-boot.scai.json --out-dir ${EXAMPLE_DIR}/metadata --pretty-print 52 | -------------------------------------------------------------------------------- /examples/secure-boot/run-go-example.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright 2023 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | EXAMPLE_DIR=$( cd "$(dirname "${BASH_SOURCE[0]}")" ; pwd -P ) 7 | 8 | # ----------------------------------------------------------------- 9 | echo "Run TPM2.0 secure boot attestation example" 10 | # ----------------------------------------------------------------- 11 | 12 | OUTDIR=${EXAMPLE_DIR}/metadata/go 13 | mkdir -p ${OUTDIR} 14 | 15 | echo GENERATE LOCALHOST DESCRIPTOR 16 | 17 | scai-gen rd remote -n "localhost" -o ${OUTDIR}/localhost-desc.json "http://127.0.0.1" 18 | 19 | echo GENERATE MEASURED BOOT REFERENCE STATE DESCRIPTOR 20 | 21 | scai-gen rd file -c -t application/json -o ${OUTDIR}/mb-refstate-desc.json ${EXAMPLE_DIR}/metadata/measured_boot_reference_state.json 22 | 23 | echo GENERATE MEASURED BOOT REF STATE SCAI ATTRIBUTE ASSERTION 24 | 25 | scai-gen assert -t ${OUTDIR}/localhost-desc.json -o ${OUTDIR}/mb-refstate-assertion.json "TPM2.0_REFERENCE_STATE" 26 | 27 | echo GENERATE SCAI REPORT FOR TPM REFERENCE VALUE CLAIM 28 | 29 | scai-gen report -s ${OUTDIR}/mb-refstate-desc.json -o ${OUTDIR}/tpm-ref-value.scai.json ${OUTDIR}/mb-refstate-assertion.json 30 | 31 | echo RUN LOCAL GCC BUILD 32 | 33 | gcc -fstack-protector -o ${EXAMPLE_DIR}/../gcc-helloworld/hello-world ${EXAMPLE_DIR}/../gcc-helloworld/hello-world.c 34 | 35 | echo GENERATE HELLO-WORLD DESCRIPTOR 36 | 37 | scai-gen rd file -n "hello-world" -o ${OUTDIR}/hello-world-desc.json ${EXAMPLE_DIR}/../gcc-helloworld/hello-world 38 | 39 | echo GENERATE TPM QUOTE DESCRIPTOR 40 | 41 | scai-gen rd file -n "secure boot quote" -t application/json -o ${OUTDIR}/tpm-quote-desc.json ${EXAMPLE_DIR}/metadata/keylime_quote.json 42 | 43 | echo GENERATE SECURE BOOT SCAI ATTRIBUTE ASSERTION 44 | 45 | scai-gen assert -e ${EXAMPLE_DIR}/metadata/tpm-quote-desc.json -t ${OUTDIR}/localhost-desc.json -o ${OUTDIR}/secure-boot-assertion.json "TAMPER-EVIDENT BUILD PLATFORM" 46 | 47 | echo GENERATE SCAI REPORT FOR BUILD WITH SECURE BOOT ATTESTATION 48 | 49 | scai-gen report -s ${OUTDIR}/hello-world-desc.json -o ${OUTDIR}/secure-boot.scai.json ${OUTDIR}/secure-boot-assertion.json 50 | -------------------------------------------------------------------------------- /examples/vuln-scan/.gitignore: -------------------------------------------------------------------------------- 1 | metadata/snyk-results.txt 2 | -------------------------------------------------------------------------------- /examples/vuln-scan/README.md: -------------------------------------------------------------------------------- 1 | # Dependency vulnerability attributes 2 | 3 | This example shows how SCAI can be used to make evidence-based assertions 4 | about third-party dependencies. Specifically, this example captures the 5 | results of a vulnerability scan (Snyk) as evidence for the claim that no 6 | known vulnerabilities were found in the dependencies of source code stored 7 | in a particular git repository. 8 | 9 | The Snyk results file used in this example was generated using a private 10 | workflow. 11 | 12 | ## Generated SCAI attestation 13 | 14 | ```jsonc 15 | { 16 | "_type":"https://in-toto.io/Statement/v1", 17 | "subject":[ 18 | { 19 | "uri":"https://github.com/IntelLabs/supply-chain-attribute-integrity", 20 | "digest": { 21 | "sha1":"caf62c3caf2ab1228fb546f149f26df23c308802" 22 | } 23 | } 24 | ], 25 | "predicateType":"https://in-toto.io/attestation/scai/attribute-report/v0.2", 26 | "predicate":{ 27 | "attributes":[ 28 | { 29 | "attribute":"NO KNOWN VULNERABILITIES", 30 | "evidence":{ 31 | "name":"snyk-results.txt", 32 | "digest":{ 33 | "sha256":"6db3ee1d8bdf7ea064281ecfaf999f9eb5749e4647d2a59e62eaa1ea8fcf6837" 34 | }, 35 | "downloadLocation":"https://scans.example.com/results/snyk", 36 | "mediaType":"text/plain" 37 | } 38 | } 39 | ] 40 | } 41 | } 42 | ``` 43 | -------------------------------------------------------------------------------- /examples/vuln-scan/metadata/no-vuln.scai.json: -------------------------------------------------------------------------------- 1 | {"_type":"https://in-toto.io/Statement/v1","subject":[{"uri":"https://github.com/IntelLabs/supply-chain-attribute-integrity","digest":{"sha1":"caf62c3caf2ab1228fb546f149f26df23c308802"}}],"predicateType":"https://in-toto.io/attestation/scai/attribute-report/v0.2","predicate":{"attributes":[{"attribute":"NO KNOWN VULNERABILITIES","evidence":{"digest":{"sha256":"6db3ee1d8bdf7ea064281ecfaf999f9eb5749e4647d2a59e62eaa1ea8fcf6837"},"downloadLocation":"https://scans.example.com/results/snyk","mediaType":"text/plain","name":"snyk-results.txt"}}]}} -------------------------------------------------------------------------------- /examples/vuln-scan/metadata/no-vulns-assertion.json: -------------------------------------------------------------------------------- 1 | {"attribute":"NO KNOWN VULNERABILITIES","evidence":{"name":"snyk-results.txt","digest":{"sha256":"6db3ee1d8bdf7ea064281ecfaf999f9eb5749e4647d2a59e62eaa1ea8fcf6837"},"downloadLocation":"https://scans.example.com/results/snyk","mediaType":"text/plain"}} -------------------------------------------------------------------------------- /examples/vuln-scan/run-go-example.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright 2023 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | EXAMPLE_DIR=$( cd "$(dirname "${BASH_SOURCE[0]}")" ; pwd -P ) 7 | 8 | # ----------------------------------------------------------------- 9 | echo "Run Snyk scan attestation example" 10 | # ----------------------------------------------------------------- 11 | 12 | OUTDIR=${EXAMPLE_DIR}/metadata 13 | mkdir -p ${OUTDIR} 14 | 15 | SNYK_LOG_LOCATION="https://scans.example.com/results/snyk" 16 | 17 | echo GENERATE SNYK LOG DESCRIPTOR 18 | 19 | scai-gen rd file -n "snyk-results.txt" -l ${SNYK_LOG_LOCATION} -t text/plain -o ${OUTDIR}/snyk-log-desc.json ${EXAMPLE_DIR}/metadata/snyk-results.txt 20 | 21 | echo GENERATE VULN SCAN ATTRIBUTE ASSERTION 22 | 23 | scai-gen assert -e ${OUTDIR}/snyk-log-desc.json -o ${OUTDIR}/no-vulns-assertion.json "NO KNOWN VULNERABILITIES" 24 | 25 | echo GENERATE GIT REPO DESCRIPTOR 26 | 27 | scai-gen rd remote -g sha1 -d caf62c3caf2ab1228fb546f149f26df23c308802 -o ${OUTDIR}/repo-desc.json "https://github.com/IntelLabs/supply-chain-attribute-integrity" 28 | 29 | echo GENERATE VULN SCAN ATTRIBUTE REPORT 30 | 31 | scai-gen report -s ${OUTDIR}/repo-desc.json -o ${OUTDIR}/no-vuln.scai.json ${OUTDIR}/no-vulns-assertion.json 32 | -------------------------------------------------------------------------------- /fuzzing/.coverage: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/in-toto/scai-demos/f26aed11a200df490ba2e5f362834650616bc745/fuzzing/.coverage -------------------------------------------------------------------------------- /fuzzing/fuzz-output.txt: -------------------------------------------------------------------------------- 1 | INFO: Instrumenting scai.report 2 | INFO: Instrumenting attr 3 | INFO: Instrumenting attr.converters 4 | INFO: Instrumenting attr._compat 5 | INFO: Instrumenting attr._make 6 | INFO: Instrumenting attr._config 7 | INFO: Instrumenting attr.setters 8 | INFO: Instrumenting attr.exceptions 9 | INFO: Instrumenting attr.filters 10 | INFO: Instrumenting attr.validators 11 | INFO: Instrumenting attr._cmp 12 | INFO: Instrumenting attr._funcs 13 | INFO: Instrumenting attr._version_info 14 | INFO: Instrumenting attr._next_gen 15 | INFO: Instrumenting securesystemslib.formats 16 | INFO: Instrumenting calendar 17 | INFO: Instrumenting securesystemslib.schema 18 | INFO: Instrumenting in_toto 19 | INFO: Instrumenting in_toto.log 20 | INFO: Instrumenting in_toto.settings 21 | INFO: Instrumenting in_toto.models 22 | INFO: Instrumenting in_toto.models.common 23 | INFO: Instrumenting scai.attribute_assertion 24 | INFO: Instrumenting scai.object_reference 25 | INFO: Using built-in libfuzzer 26 | WARNING: Failed to find function "__sanitizer_acquire_crash_state". 27 | WARNING: Failed to find function "__sanitizer_print_stack_trace". 28 | WARNING: Failed to find function "__sanitizer_set_death_callback". 29 | INFO: Running with entropic power schedule (0xFF, 100). 30 | INFO: Seed: 4033311005 31 | INFO: A corpus is not provided, starting from an empty corpus 32 | #2 INITED exec/s: 0 rss: 40Mb 33 | WARNING: no interesting inputs were found so far. Is the code instrumented for coverage? 34 | This may also happen if the target rejected all inputs we tried so far 35 | #524288 pulse corp: 1/1b lim: 5212 exec/s: 174762 rss: 40Mb 36 | #1048576 pulse corp: 1/1b lim: 8192 exec/s: 104857 rss: 40Mb 37 | #2097152 pulse corp: 1/1b lim: 8192 exec/s: 87381 rss: 40Mb 38 | #3904947 NEW cov: 48 ft: 48 corp: 2/4b lim: 8192 exec/s: 86776 rss: 40Mb L: 3/3 MS: 5 ChangeByte-ChangeBit-CopyPart-CopyPart-InsertByte- 39 | #4194304 pulse cov: 48 ft: 48 corp: 2/4b lim: 8192 exec/s: 82241 rss: 40Mb 40 | #8388608 pulse cov: 48 ft: 48 corp: 2/4b lim: 8192 exec/s: 64527 rss: 40Mb 41 | Done 10000000 in 161 second(s) -------------------------------------------------------------------------------- /fuzzing/run-fuzz.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright 2022 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | SCAI_DIR=~/supply-chain-attribute-integrity 7 | VENV=${SCAI_DIR}/cli/scai-venv/bin/activate 8 | 9 | if [ ! -f "$VENV" ]; then 10 | echo "Need to setup SCAI virtualenv first. Please run `make -C cli` from the SCAI root directory first." 11 | exit -1 12 | fi 13 | 14 | source ${VENV} 15 | 16 | # Install atheris and coverage 17 | pip install --upgrade atheris 18 | pip install --upgrade coverage 19 | 20 | # Run the JSON input fuzzer 21 | echo RUN THE SCAI FUZZER 22 | 23 | python3 -m coverage run scai_fuzz.py -atheris_runs=10000000 -max_len=8192 > fuzz-output.txt 2>&1 24 | -------------------------------------------------------------------------------- /fuzzing/scai_fuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright 2022 Intel Corporation 3 | # SPDX-License-Identifier: Apache-2.0 4 | 5 | import sys 6 | import atheris 7 | import json 8 | from collections.abc import Mapping 9 | import securesystemslib.exceptions 10 | 11 | with atheris.instrument_imports(): 12 | from scai.report import Report 13 | from scai.attribute_assertion import AttributeAssertion 14 | from scai.object_reference import ObjectReference 15 | 16 | def TestOneInput(input_bytes): 17 | fdp = atheris.FuzzedDataProvider(input_bytes) 18 | data = fdp.ConsumeUnicode(sys.maxsize) 19 | 20 | try: 21 | json_dict = json.loads(data) 22 | except json.JSONDecodeError: 23 | return 24 | 25 | if not isinstance(json_dict, Mapping): 26 | return 27 | 28 | try: 29 | ObjectReference.read(json_dict) 30 | AttributeAssertion.read(json_dict) 31 | Report.read(json_dict) 32 | except securesystemslib.exceptions.FormatError: 33 | pass 34 | 35 | atheris.Setup(sys.argv, TestOneInput) 36 | atheris.Fuzz() -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/in-toto/scai-demos 2 | 3 | go 1.22.8 4 | toolchain go1.24.1 5 | 6 | require ( 7 | github.com/google/cel-go v0.25.0 8 | github.com/in-toto/attestation v1.1.1 9 | github.com/in-toto/attestation-verifier v0.0.0-20231007025621-3193280f5194 10 | github.com/secure-systems-lab/go-securesystemslib v0.9.0 11 | github.com/sigstore/cosign/v2 v2.5.0 12 | github.com/sigstore/sigstore v1.9.4 13 | github.com/slsa-framework/slsa-github-generator v1.10.0 14 | github.com/spf13/cobra v1.9.1 15 | google.golang.org/protobuf v1.36.6 16 | gopkg.in/yaml.v3 v3.0.1 17 | ) 18 | 19 | require ( 20 | cel.dev/expr v0.23.1 // indirect 21 | cloud.google.com/go/auth v0.15.0 // indirect 22 | cloud.google.com/go/auth/oauth2adapt v0.2.7 // indirect 23 | cloud.google.com/go/compute/metadata v0.6.0 // indirect 24 | github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.14.0 // indirect 25 | github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect 26 | github.com/Azure/go-autorest v14.2.0+incompatible // indirect 27 | github.com/Azure/go-autorest/autorest v0.11.29 // indirect 28 | github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect 29 | github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect 30 | github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect 31 | github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect 32 | github.com/Azure/go-autorest/logger v0.2.1 // indirect 33 | github.com/Azure/go-autorest/tracing v0.6.0 // indirect 34 | github.com/Microsoft/go-winio v0.6.2 // indirect 35 | github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect 36 | github.com/ThalesIgnite/crypto11 v1.2.5 // indirect 37 | github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect 38 | github.com/alibabacloud-go/cr-20160607 v1.0.1 // indirect 39 | github.com/alibabacloud-go/cr-20181201 v1.0.10 // indirect 40 | github.com/alibabacloud-go/darabonba-openapi v0.2.1 // indirect 41 | github.com/alibabacloud-go/debug v1.0.0 // indirect 42 | github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect 43 | github.com/alibabacloud-go/openapi-util v0.1.0 // indirect 44 | github.com/alibabacloud-go/tea v1.2.1 // indirect 45 | github.com/alibabacloud-go/tea-utils v1.4.5 // indirect 46 | github.com/alibabacloud-go/tea-xml v1.1.3 // indirect 47 | github.com/aliyun/credentials-go v1.3.2 // indirect 48 | github.com/antlr4-go/antlr/v4 v4.13.0 // indirect 49 | github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect 50 | github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect 51 | github.com/aws/aws-sdk-go-v2/config v1.29.10 // indirect 52 | github.com/aws/aws-sdk-go-v2/credentials v1.17.63 // indirect 53 | github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect 54 | github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect 55 | github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect 56 | github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect 57 | github.com/aws/aws-sdk-go-v2/service/ecr v1.40.3 // indirect 58 | github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.31.2 // indirect 59 | github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect 60 | github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect 61 | github.com/aws/aws-sdk-go-v2/service/sso v1.25.1 // indirect 62 | github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.2 // indirect 63 | github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 // indirect 64 | github.com/aws/smithy-go v1.22.2 // indirect 65 | github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.9.1 // indirect 66 | github.com/blang/semver v3.5.1+incompatible // indirect 67 | github.com/buildkite/agent/v3 v3.95.1 // indirect 68 | github.com/buildkite/go-pipeline v0.13.3 // indirect 69 | github.com/buildkite/interpolate v0.1.5 // indirect 70 | github.com/buildkite/roko v1.3.1 // indirect 71 | github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect 72 | github.com/clbanning/mxj/v2 v2.7.0 // indirect 73 | github.com/cloudflare/circl v1.3.7 // indirect 74 | github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect 75 | github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect 76 | github.com/coreos/go-oidc/v3 v3.14.1 // indirect 77 | github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect 78 | github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect 79 | github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect 80 | github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect 81 | github.com/dimchansky/utfbom v1.1.1 // indirect 82 | github.com/docker/cli v27.5.0+incompatible // indirect 83 | github.com/docker/distribution v2.8.3+incompatible // indirect 84 | github.com/docker/docker-credential-helpers v0.8.2 // indirect 85 | github.com/dustin/go-humanize v1.0.1 // indirect 86 | github.com/emicklei/go-restful/v3 v3.11.0 // indirect 87 | github.com/felixge/httpsnoop v1.0.4 // indirect 88 | github.com/fsnotify/fsnotify v1.8.0 // indirect 89 | github.com/go-chi/chi v4.1.2+incompatible // indirect 90 | github.com/go-jose/go-jose/v3 v3.0.4 // indirect 91 | github.com/go-jose/go-jose/v4 v4.0.5 // indirect 92 | github.com/go-logr/logr v1.4.2 // indirect 93 | github.com/go-logr/stdr v1.2.2 // indirect 94 | github.com/go-openapi/analysis v0.23.0 // indirect 95 | github.com/go-openapi/errors v0.22.1 // indirect 96 | github.com/go-openapi/jsonpointer v0.21.0 // indirect 97 | github.com/go-openapi/jsonreference v0.21.0 // indirect 98 | github.com/go-openapi/loads v0.22.0 // indirect 99 | github.com/go-openapi/runtime v0.28.0 // indirect 100 | github.com/go-openapi/spec v0.21.0 // indirect 101 | github.com/go-openapi/strfmt v0.23.0 // indirect 102 | github.com/go-openapi/swag v0.23.1 // indirect 103 | github.com/go-openapi/validate v0.24.0 // indirect 104 | github.com/go-piv/piv-go/v2 v2.3.0 // indirect 105 | github.com/go-viper/mapstructure/v2 v2.2.1 // indirect 106 | github.com/gogo/protobuf v1.3.2 // indirect 107 | github.com/golang-jwt/jwt/v4 v4.5.2 // indirect 108 | github.com/golang/protobuf v1.5.4 // indirect 109 | github.com/golang/snappy v0.0.4 // indirect 110 | github.com/google/certificate-transparency-go v1.3.1 // indirect 111 | github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect 112 | github.com/google/go-cmp v0.7.0 // indirect 113 | github.com/google/go-containerregistry v0.20.3 // indirect 114 | github.com/google/go-github/v55 v55.0.0 // indirect 115 | github.com/google/go-querystring v1.1.0 // indirect 116 | github.com/google/gofuzz v1.2.0 // indirect 117 | github.com/google/s2a-go v0.1.9 // indirect 118 | github.com/google/uuid v1.6.0 // indirect 119 | github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect 120 | github.com/googleapis/gax-go/v2 v2.14.1 // indirect 121 | github.com/hashicorp/go-cleanhttp v0.5.2 // indirect 122 | github.com/hashicorp/go-retryablehttp v0.7.7 // indirect 123 | github.com/imdario/mergo v0.3.16 // indirect 124 | github.com/in-toto/in-toto-golang v0.9.0 // indirect 125 | github.com/inconshreveable/mousetrap v1.1.0 // indirect 126 | github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect 127 | github.com/josharian/intern v1.0.0 // indirect 128 | github.com/json-iterator/go v1.1.12 // indirect 129 | github.com/klauspost/compress v1.17.11 // indirect 130 | github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect 131 | github.com/mailru/easyjson v0.9.0 // indirect 132 | github.com/miekg/pkcs11 v1.1.1 // indirect 133 | github.com/mitchellh/go-homedir v1.1.0 // indirect 134 | github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c // indirect 135 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect 136 | github.com/modern-go/reflect2 v1.0.2 // indirect 137 | github.com/mozillazg/docker-credential-acr-helper v0.4.0 // indirect 138 | github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect 139 | github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect 140 | github.com/oklog/ulid v1.3.1 // indirect 141 | github.com/oleiade/reflections v1.1.0 // indirect 142 | github.com/opencontainers/go-digest v1.0.0 // indirect 143 | github.com/opencontainers/image-spec v1.1.0 // indirect 144 | github.com/opentracing/opentracing-go v1.2.0 // indirect 145 | github.com/pborman/uuid v1.2.1 // indirect 146 | github.com/pelletier/go-toml/v2 v2.2.3 // indirect 147 | github.com/pkg/errors v0.9.1 // indirect 148 | github.com/sagikazarmark/locafero v0.7.0 // indirect 149 | github.com/sassoftware/relic v7.2.1+incompatible // indirect 150 | github.com/segmentio/ksuid v1.0.4 // indirect 151 | github.com/shibumi/go-pathspec v1.3.0 // indirect 152 | github.com/sigstore/fulcio v1.6.6 // indirect 153 | github.com/sigstore/protobuf-specs v0.4.1 // indirect 154 | github.com/sigstore/rekor v1.3.9 // indirect 155 | github.com/sigstore/sigstore-go v0.7.1 // indirect 156 | github.com/sigstore/timestamp-authority v1.2.5 // indirect 157 | github.com/sirupsen/logrus v1.9.3 // indirect 158 | github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect 159 | github.com/sourcegraph/conc v0.3.0 // indirect 160 | github.com/spf13/afero v1.12.0 // indirect 161 | github.com/spf13/cast v1.7.1 // indirect 162 | github.com/spf13/pflag v1.0.6 // indirect 163 | github.com/spf13/viper v1.20.1 // indirect 164 | github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect 165 | github.com/stoewer/go-strcase v1.2.0 // indirect 166 | github.com/subosito/gotenv v1.6.0 // indirect 167 | github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect 168 | github.com/thales-e-security/pool v0.0.2 // indirect 169 | github.com/theupdateframework/go-tuf v0.7.0 // indirect 170 | github.com/theupdateframework/go-tuf/v2 v2.0.2 // indirect 171 | github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect 172 | github.com/tjfoc/gmsm v1.4.1 // indirect 173 | github.com/transparency-dev/merkle v0.0.2 // indirect 174 | github.com/vbatts/tar-split v0.11.6 // indirect 175 | github.com/zeebo/errs v1.4.0 // indirect 176 | gitlab.com/gitlab-org/api/client-go v0.127.0 // indirect 177 | go.mongodb.org/mongo-driver v1.14.0 // indirect 178 | go.opentelemetry.io/auto/sdk v1.1.0 // indirect 179 | go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect 180 | go.opentelemetry.io/otel v1.35.0 // indirect 181 | go.opentelemetry.io/otel/metric v1.35.0 // indirect 182 | go.opentelemetry.io/otel/trace v1.35.0 // indirect 183 | go.uber.org/multierr v1.11.0 // indirect 184 | go.uber.org/zap v1.27.0 // indirect 185 | golang.org/x/crypto v0.37.0 // indirect 186 | golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect 187 | golang.org/x/mod v0.24.0 // indirect 188 | golang.org/x/net v0.38.0 // indirect 189 | golang.org/x/oauth2 v0.29.0 // indirect 190 | golang.org/x/sync v0.13.0 // indirect 191 | golang.org/x/sys v0.32.0 // indirect 192 | golang.org/x/term v0.31.0 // indirect 193 | golang.org/x/text v0.24.0 // indirect 194 | golang.org/x/time v0.11.0 // indirect 195 | google.golang.org/api v0.227.0 // indirect 196 | google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect 197 | google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 // indirect 198 | google.golang.org/grpc v1.71.0 // indirect 199 | gopkg.in/inf.v0 v0.9.1 // indirect 200 | gopkg.in/ini.v1 v1.67.0 // indirect 201 | gopkg.in/yaml.v2 v2.4.0 // indirect 202 | k8s.io/api v0.28.3 // indirect 203 | k8s.io/apimachinery v0.28.3 // indirect 204 | k8s.io/client-go v0.28.3 // indirect 205 | k8s.io/klog/v2 v2.130.1 // indirect 206 | k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect 207 | k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect 208 | sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect 209 | sigs.k8s.io/release-utils v0.11.1 // indirect 210 | sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect 211 | sigs.k8s.io/yaml v1.4.0 // indirect 212 | ) 213 | -------------------------------------------------------------------------------- /kccncna2023-demo/README.md: -------------------------------------------------------------------------------- 1 | # KubeCon + CloudNativeCon NA '23 Demo 2 | 3 | As part of the [in-toto Maintainer Track talk] at KubeCon + CloudNativeCon NA 4 | '23, we present a demo of the in-toto Attestation Framework, SCAI, and the 5 | in-toto Attestation Verifier. 6 | 7 | ## Demo Setup 8 | 9 | The overall flow implemented in the demo is as follows: 10 | 11 | in-toto demo flow 12 | 13 | This demo setup is implemented using the [scai-gen GitHub Actions] in a Docker 14 | container build [demo workflow] for the Hyperledger Labs Private Data Objects 15 | project. 16 | 17 | ### Generated Attestations 18 | 19 | This demo generates the follow _authenticated_ in-toto attestations: 20 | 21 | * [SLSA Provenance] attestation for the container build 22 | * [SCAI Attribute Report] attestation for additional integrity metadata about 23 | the build 24 | 25 | These two attestations are signed using cosign OIDC-based keyless signing, 26 | and uploaded to the public Rekor log. 27 | 28 | ### Verified Policies 29 | 30 | This demo verifies the following policies using the generated attestations: 31 | 32 | * [in-toto Layout] checks that the expected attestations were generated for each step 33 | of the demo workflow. 34 | * [SCAI policy] checks the attested attributes against the evidence indicated in the 35 | SCAI Attribute Report. 36 | 37 | This verification flow is implemented in the [verification-flow.sh] script. 38 | 39 | ### Additional Tools 40 | 41 | This demo makes use of the following additional tools: 42 | 43 | * in-toto [attestation-verifier] 44 | * [Anchore SBOM generator] GitHub Action 45 | * [SLSA generic Provenance generator] GitHub Action 46 | * [strace] Linux syscall tracer 47 | 48 | [Anchore SBOM generator]: https://github.com/anchore/sbom-action 49 | [attestation-verifier]: https://github.com/in-toto/attestation-verifier 50 | [demo workflow]: https://github.com/marcelamelara/private-data-objects/blob/intoto-kccncna2023-demo/.github/workflows/intoto-kccncna2023-demo.yml 51 | [in-toto Layout]: ./policies/layout.yml 52 | [in-toto Maintainer Track talk]: https://kccncna2023.sched.com/event/1R2mx 53 | [SLSA generic Provenance generator]: https://github.com/slsa-framework/slsa-github-generator 54 | [SLSA Provenance]: https://github.com/in-toto/attestation/blob/v1.0.1/spec/predicates/provenance.md 55 | [SCAI Attribute Report]: https://github.com/in-toto/attestation/v1.0.1/main/spec/predicates/scai.md 56 | [SCAI policy]: ./policies/has-slsa.yml 57 | [scai-gen GitHub Actions]: https://github.com/in-toto/scai-demos/tree/main/.github/actions 58 | [strace]: https://strace.io/ 59 | [verification-flow.sh]: ./verification-flow.sh 60 | -------------------------------------------------------------------------------- /kccncna2023-demo/attestations/build.452e628a.json: -------------------------------------------------------------------------------- 1 | {"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJwZG9fY2xpZW50X3dhd2FrYSIsImRpZ2VzdCI6eyJzaGEyNTYiOiI5ZmI3ZWY1NTIyOThmOGZiYWQ4NDYwNGQwNjEwMGU3NjBiN2I4YzRjYjRkNmM0YjcyNzg2NWYxZjI4NWQwNmFjIn19XSwicHJlZGljYXRlIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vc2xzYS1mcmFtZXdvcmsvc2xzYS1naXRodWItZ2VuZXJhdG9yLy5naXRodWIvd29ya2Zsb3dzL2dlbmVyYXRvcl9nZW5lcmljX3Nsc2EzLnltbEByZWZzL3RhZ3MvdjEuNy4wIn0sImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1ld29yay9zbHNhLWdpdGh1Yi1nZW5lcmF0b3IvZ2VuZXJpY0B2MSIsImludm9jYXRpb24iOnsiY29uZmlnU291cmNlIjp7InVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0c0ByZWZzL2hlYWRzL2dlbmVyYXRlLXN3c2MtYnVpbGQtbWV0YWRhdGEiLCJkaWdlc3QiOnsic2hhMSI6Ijg3Yjc0Mzc4ZThjOWNjZjMzNWEyN2ZmY2RjMTY2MzY5OTAyNTRlMWUifSwiZW50cnlQb2ludCI6Ii5naXRodWIvd29ya2Zsb3dzL2NpLXN3c2MueWFtbCJ9LCJwYXJhbWV0ZXJzIjp7fSwiZW52aXJvbm1lbnQiOnsiZ2l0aHViX2FjdG9yIjoibWFyY2VsYW1lbGFyYSIsImdpdGh1Yl9hY3Rvcl9pZCI6IjkzNzk3ODk4IiwiZ2l0aHViX2Jhc2VfcmVmIjoiIiwiZ2l0aHViX2V2ZW50X25hbWUiOiJwdXNoIiwiZ2l0aHViX2V2ZW50X3BheWxvYWQiOnsiYWZ0ZXIiOiI4N2I3NDM3OGU4YzljY2YzMzVhMjdmZmNkYzE2NjM2OTkwMjU0ZTFlIiwiYmFzZV9yZWYiOm51bGwsImJlZm9yZSI6Ijg5ZWE1M2I4ODM1NzNjNjI5NWQ4ZWU2M2VkN2FhMWUwZDE0Yzc4ZTEiLCJjb21taXRzIjpbeyJhdXRob3IiOnsiZW1haWwiOiJtYXJjZWxhLm1lbGFyYUBpbnRlbC5jb20iLCJuYW1lIjoiTWFyY2VsYSBNZWxhcmEiLCJ1c2VybmFtZSI6Im1hcmNlbGFtZWxhcmEifSwiY29tbWl0dGVyIjp7ImVtYWlsIjoibWFyY2VsYS5tZWxhcmFAaW50ZWwuY29tIiwibmFtZSI6Ik1hcmNlbGEgTWVsYXJhIiwidXNlcm5hbWUiOiJtYXJjZWxhbWVsYXJhIn0sImRpc3RpbmN0Ijp0cnVlLCJpZCI6Ijg3Yjc0Mzc4ZThjOWNjZjMzNWEyN2ZmY2RjMTY2MzY5OTAyNTRlMWUiLCJtZXNzYWdlIjoiTWVyZ2Ugc3dzYyBtZXRhZGF0YSB3b3JrZmxvd3NcblxuU2lnbmVkLW9mZi1ieTogTWFyY2VsYSBNZWxhcmEgXHUwMDNjbWFyY2VsYS5tZWxhcmFAaW50ZWwuY29tXHUwMDNlIiwidGltZXN0YW1wIjoiMjAyMy0wOC0yM1QxNjo1NToyMC0wNzowMCIsInRyZWVfaWQiOiIzNDY5OWE1NTQyMTBmZjkzZmM4NjBmNzBlNGExODNlNjY0YjM3MjVlIiwidXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvY29tbWl0Lzg3Yjc0Mzc4ZThjOWNjZjMzNWEyN2ZmY2RjMTY2MzY5OTAyNTRlMWUifV0sImNvbXBhcmUiOiJodHRwczovL2dpdGh1Yi5jb20vbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9jb21wYXJlLzg5ZWE1M2I4ODM1Ny4uLjg3Yjc0Mzc4ZThjOSIsImNyZWF0ZWQiOmZhbHNlLCJkZWxldGVkIjpmYWxzZSwiZm9yY2VkIjpmYWxzZSwiaGVhZF9jb21taXQiOnsiYXV0aG9yIjp7ImVtYWlsIjoibWFyY2VsYS5tZWxhcmFAaW50ZWwuY29tIiwibmFtZSI6Ik1hcmNlbGEgTWVsYXJhIiwidXNlcm5hbWUiOiJtYXJjZWxhbWVsYXJhIn0sImNvbW1pdHRlciI6eyJlbWFpbCI6Im1hcmNlbGEubWVsYXJhQGludGVsLmNvbSIsIm5hbWUiOiJNYXJjZWxhIE1lbGFyYSIsInVzZXJuYW1lIjoibWFyY2VsYW1lbGFyYSJ9LCJkaXN0aW5jdCI6dHJ1ZSwiaWQiOiI4N2I3NDM3OGU4YzljY2YzMzVhMjdmZmNkYzE2NjM2OTkwMjU0ZTFlIiwibWVzc2FnZSI6Ik1lcmdlIHN3c2MgbWV0YWRhdGEgd29ya2Zsb3dzXG5cblNpZ25lZC1vZmYtYnk6IE1hcmNlbGEgTWVsYXJhIFx1MDAzY21hcmNlbGEubWVsYXJhQGludGVsLmNvbVx1MDAzZSIsInRpbWVzdGFtcCI6IjIwMjMtMDgtMjNUMTY6NTU6MjAtMDc6MDAiLCJ0cmVlX2lkIjoiMzQ2OTlhNTU0MjEwZmY5M2ZjODYwZjcwZTRhMTgzZTY2NGIzNzI1ZSIsInVybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL2NvbW1pdC84N2I3NDM3OGU4YzljY2YzMzVhMjdmZmNkYzE2NjM2OTkwMjU0ZTFlIn0sInB1c2hlciI6eyJlbWFpbCI6Im1hcmNlbGEubWVsYXJhQGludGVsLmNvbSIsIm5hbWUiOiJtYXJjZWxhbWVsYXJhIn0sInJlZiI6InJlZnMvaGVhZHMvZ2VuZXJhdGUtc3dzYy1idWlsZC1tZXRhZGF0YSIsInJlcG9zaXRvcnkiOnsiYWxsb3dfZm9ya2luZyI6dHJ1ZSwiYXJjaGl2ZV91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMve2FyY2hpdmVfZm9ybWF0fXsvcmVmfSIsImFyY2hpdmVkIjpmYWxzZSwiYXNzaWduZWVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9hc3NpZ25lZXN7L3VzZXJ9IiwiYmxvYnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL2dpdC9ibG9ic3svc2hhfSIsImJyYW5jaGVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9icmFuY2hlc3svYnJhbmNofSIsImNsb25lX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzLmdpdCIsImNvbGxhYm9yYXRvcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL2NvbGxhYm9yYXRvcnN7L2NvbGxhYm9yYXRvcn0iLCJjb21tZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvY29tbWVudHN7L251bWJlcn0iLCJjb21taXRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9jb21taXRzey9zaGF9IiwiY29tcGFyZV91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvY29tcGFyZS97YmFzZX0uLi57aGVhZH0iLCJjb250ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvY29udGVudHMveytwYXRofSIsImNvbnRyaWJ1dG9yc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvY29udHJpYnV0b3JzIiwiY3JlYXRlZF9hdCI6MTU4MDE1ODUzNCwiZGVmYXVsdF9icmFuY2giOiJtYWluIiwiZGVwbG95bWVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL2RlcGxveW1lbnRzIiwiZGVzY3JpcHRpb24iOiJUaGUgUHJpdmF0ZSBEYXRhIE9iamVjdHMgbGFiIHByb3ZpZGVzIHRlY2hub2xvZ3kgZm9yIGNvbmZpZGVudGlhbGl0eS1wcmVzZXJ2aW5nLCBvZmYtY2hhaW4gc21hcnQgY29udHJhY3RzLiIsImRpc2FibGVkIjpmYWxzZSwiZG93bmxvYWRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9kb3dubG9hZHMiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL2V2ZW50cyIsImZvcmsiOnRydWUsImZvcmtzIjoxLCJmb3Jrc19jb3VudCI6MSwiZm9ya3NfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL2ZvcmtzIiwiZnVsbF9uYW1lIjoibWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cyIsImdpdF9jb21taXRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9naXQvY29tbWl0c3svc2hhfSIsImdpdF9yZWZzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9naXQvcmVmc3svc2hhfSIsImdpdF90YWdzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9naXQvdGFnc3svc2hhfSIsImdpdF91cmwiOiJnaXQ6Ly9naXRodWIuY29tL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMuZ2l0IiwiaGFzX2Rpc2N1c3Npb25zIjpmYWxzZSwiaGFzX2Rvd25sb2FkcyI6dHJ1ZSwiaGFzX2lzc3VlcyI6ZmFsc2UsImhhc19wYWdlcyI6ZmFsc2UsImhhc19wcm9qZWN0cyI6dHJ1ZSwiaGFzX3dpa2kiOnRydWUsImhvbWVwYWdlIjpudWxsLCJob29rc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvaG9va3MiLCJodG1sX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzIiwiaWQiOjIzNjU5MjkwOCwiaXNfdGVtcGxhdGUiOmZhbHNlLCJpc3N1ZV9jb21tZW50X3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9pc3N1ZXMvY29tbWVudHN7L251bWJlcn0iLCJpc3N1ZV9ldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL2lzc3Vlcy9ldmVudHN7L251bWJlcn0iLCJpc3N1ZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL2lzc3Vlc3svbnVtYmVyfSIsImtleXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL2tleXN7L2tleV9pZH0iLCJsYWJlbHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL2xhYmVsc3svbmFtZX0iLCJsYW5ndWFnZSI6IkMrKyIsImxhbmd1YWdlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvbGFuZ3VhZ2VzIiwibGljZW5zZSI6eyJrZXkiOiJhcGFjaGUtMi4wIiwibmFtZSI6IkFwYWNoZSBMaWNlbnNlIDIuMCIsIm5vZGVfaWQiOiJNRGM2VEdsalpXNXpaVEk9Iiwic3BkeF9pZCI6IkFwYWNoZS0yLjAiLCJ1cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL2xpY2Vuc2VzL2FwYWNoZS0yLjAifSwibWFzdGVyX2JyYW5jaCI6Im1haW4iLCJtZXJnZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL21lcmdlcyIsIm1pbGVzdG9uZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL21pbGVzdG9uZXN7L251bWJlcn0iLCJtaXJyb3JfdXJsIjpudWxsLCJuYW1lIjoicHJpdmF0ZS1kYXRhLW9iamVjdHMiLCJub2RlX2lkIjoiTURFd09sSmxjRzl6YVhSdmNua3lNelkxT1RJNU1EZz0iLCJub3RpZmljYXRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9ub3RpZmljYXRpb25zez9zaW5jZSxhbGwscGFydGljaXBhdGluZ30iLCJvcGVuX2lzc3VlcyI6MCwib3Blbl9pc3N1ZXNfY291bnQiOjAsIm93bmVyIjp7ImF2YXRhcl91cmwiOiJodHRwczovL2F2YXRhcnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3UvOTM3OTc4OTg/dj00IiwiZW1haWwiOiJtYXJjZWxhLm1lbGFyYUBpbnRlbC5jb20iLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9tYXJjZWxhbWVsYXJhL2V2ZW50c3svcHJpdmFjeX0iLCJmb2xsb3dlcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9tYXJjZWxhbWVsYXJhL2ZvbGxvd2VycyIsImZvbGxvd2luZ191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL21hcmNlbGFtZWxhcmEvZm9sbG93aW5ney9vdGhlcl91c2VyfSIsImdpc3RzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbWFyY2VsYW1lbGFyYS9naXN0c3svZ2lzdF9pZH0iLCJncmF2YXRhcl9pZCI6IiIsImh0bWxfdXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL21hcmNlbGFtZWxhcmEiLCJpZCI6OTM3OTc4OTgsImxvZ2luIjoibWFyY2VsYW1lbGFyYSIsIm5hbWUiOiJtYXJjZWxhbWVsYXJhIiwibm9kZV9pZCI6IlVfa2dET0JaYy1DZyIsIm9yZ2FuaXphdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9tYXJjZWxhbWVsYXJhL29yZ3MiLCJyZWNlaXZlZF9ldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9tYXJjZWxhbWVsYXJhL3JlY2VpdmVkX2V2ZW50cyIsInJlcG9zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbWFyY2VsYW1lbGFyYS9yZXBvcyIsInNpdGVfYWRtaW4iOmZhbHNlLCJzdGFycmVkX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbWFyY2VsYW1lbGFyYS9zdGFycmVkey9vd25lcn17L3JlcG99Iiwic3Vic2NyaXB0aW9uc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL21hcmNlbGFtZWxhcmEvc3Vic2NyaXB0aW9ucyIsInR5cGUiOiJVc2VyIiwidXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9tYXJjZWxhbWVsYXJhIn0sInByaXZhdGUiOmZhbHNlLCJwdWxsc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvcHVsbHN7L251bWJlcn0iLCJwdXNoZWRfYXQiOjE2OTI4MzQ5MjMsInJlbGVhc2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9yZWxlYXNlc3svaWR9Iiwic2l6ZSI6MzQzNiwic3NoX3VybCI6ImdpdEBnaXRodWIuY29tOm1hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMuZ2l0Iiwic3RhcmdhemVycyI6MCwic3RhcmdhemVyc19jb3VudCI6MCwic3RhcmdhemVyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvc3RhcmdhemVycyIsInN0YXR1c2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9zdGF0dXNlcy97c2hhfSIsInN1YnNjcmliZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9zdWJzY3JpYmVycyIsInN1YnNjcmlwdGlvbl91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvc3Vic2NyaXB0aW9uIiwic3ZuX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzIiwidGFnc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvdGFncyIsInRlYW1zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy90ZWFtcyIsInRvcGljcyI6W10sInRyZWVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9naXQvdHJlZXN7L3NoYX0iLCJ1cGRhdGVkX2F0IjoiMjAyMi0wMS0xMVQwMTowNDozNFoiLCJ1cmwiOiJodHRwczovL2dpdGh1Yi5jb20vbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cyIsInZpc2liaWxpdHkiOiJwdWJsaWMiLCJ3YXRjaGVycyI6MCwid2F0Y2hlcnNfY291bnQiOjAsIndlYl9jb21taXRfc2lnbm9mZl9yZXF1aXJlZCI6ZmFsc2V9LCJzZW5kZXIiOnsiYXZhdGFyX3VybCI6Imh0dHBzOi8vYXZhdGFycy5naXRodWJ1c2VyY29udGVudC5jb20vdS85Mzc5Nzg5OD92PTQiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9tYXJjZWxhbWVsYXJhL2V2ZW50c3svcHJpdmFjeX0iLCJmb2xsb3dlcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9tYXJjZWxhbWVsYXJhL2ZvbGxvd2VycyIsImZvbGxvd2luZ191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL21hcmNlbGFtZWxhcmEvZm9sbG93aW5ney9vdGhlcl91c2VyfSIsImdpc3RzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbWFyY2VsYW1lbGFyYS9naXN0c3svZ2lzdF9pZH0iLCJncmF2YXRhcl9pZCI6IiIsImh0bWxfdXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL21hcmNlbGFtZWxhcmEiLCJpZCI6OTM3OTc4OTgsImxvZ2luIjoibWFyY2VsYW1lbGFyYSIsIm5vZGVfaWQiOiJVX2tnRE9CWmMtQ2ciLCJvcmdhbml6YXRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbWFyY2VsYW1lbGFyYS9vcmdzIiwicmVjZWl2ZWRfZXZlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbWFyY2VsYW1lbGFyYS9yZWNlaXZlZF9ldmVudHMiLCJyZXBvc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL21hcmNlbGFtZWxhcmEvcmVwb3MiLCJzaXRlX2FkbWluIjpmYWxzZSwic3RhcnJlZF91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL21hcmNlbGFtZWxhcmEvc3RhcnJlZHsvb3duZXJ9ey9yZXBvfSIsInN1YnNjcmlwdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9tYXJjZWxhbWVsYXJhL3N1YnNjcmlwdGlvbnMiLCJ0eXBlIjoiVXNlciIsInVybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbWFyY2VsYW1lbGFyYSJ9fSwiZ2l0aHViX2hlYWRfcmVmIjoiIiwiZ2l0aHViX3JlZiI6InJlZnMvaGVhZHMvZ2VuZXJhdGUtc3dzYy1idWlsZC1tZXRhZGF0YSIsImdpdGh1Yl9yZWZfdHlwZSI6ImJyYW5jaCIsImdpdGh1Yl9yZXBvc2l0b3J5X2lkIjoiMjM2NTkyOTA4IiwiZ2l0aHViX3JlcG9zaXRvcnlfb3duZXIiOiJtYXJjZWxhbWVsYXJhIiwiZ2l0aHViX3JlcG9zaXRvcnlfb3duZXJfaWQiOiI5Mzc5Nzg5OCIsImdpdGh1Yl9ydW5fYXR0ZW1wdCI6IjEiLCJnaXRodWJfcnVuX2lkIjoiNTk1NzY3MjU4MCIsImdpdGh1Yl9ydW5fbnVtYmVyIjoiMTAiLCJnaXRodWJfc2hhMSI6Ijg3Yjc0Mzc4ZThjOWNjZjMzNWEyN2ZmY2RjMTY2MzY5OTAyNTRlMWUifX0sIm1ldGFkYXRhIjp7ImJ1aWxkSW52b2NhdGlvbklEIjoiNTk1NzY3MjU4MC0xIiwiY29tcGxldGVuZXNzIjp7InBhcmFtZXRlcnMiOnRydWUsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9LCJtYXRlcmlhbHMiOlt7InVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0c0ByZWZzL2hlYWRzL2dlbmVyYXRlLXN3c2MtYnVpbGQtbWV0YWRhdGEiLCJkaWdlc3QiOnsic2hhMSI6Ijg3Yjc0Mzc4ZThjOWNjZjMzNWEyN2ZmY2RjMTY2MzY5OTAyNTRlMWUifX1dfX0=","signatures":[{"keyid":"","sig":"MEUCIBtd37BUemlRGSAtupB5MUNpuoY3M8sjizO8vNoF/XRzAiEA6MbwPr+GkoQ7O/gAzGqMO3YVRfnOn2CSrme14Y/Vq7g=","cert":"-----BEGIN CERTIFICATE-----\nMIIHnjCCBySgAwIBAgIUdt3q/jeQLjQLrp9xhKPIodrsiFEwCgYIKoZIzj0EAwMw\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\ncm1lZGlhdGUwHhcNMjMwODI0MDAxMzQxWhcNMjMwODI0MDAyMzQxWjAAMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAEB0TVhLF/u/aDcn+3ncIW2lfOKFn4iCY36NC3\nk/oPa8sJ8X25H//mhY8/6fNyUh4PzjIEyHPOcr8CAi8dWyuRFaOCBkMwggY/MA4G\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUYUr0\ngD1Frvh23NrGG+OeTrkO+fgwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y\nZD8wgYQGA1UdEQEB/wR6MHiGdmh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1l\nd29yay9zbHNhLWdpdGh1Yi1nZW5lcmF0b3IvLmdpdGh1Yi93b3JrZmxvd3MvZ2Vu\nZXJhdG9yX2dlbmVyaWNfc2xzYTMueW1sQHJlZnMvdGFncy92MS43LjAwOQYKKwYB\nBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50\nLmNvbTASBgorBgEEAYO/MAECBARwdXNoMDYGCisGAQQBg78wAQMEKDg3Yjc0Mzc4\nZThjOWNjZjMzNWEyN2ZmY2RjMTY2MzY5OTAyNTRlMWUwMgYKKwYBBAGDvzABBAQk\nUERPIENJIHdpdGggU1cgc3VwcGx5IGNoYWluIG1ldGFkYXRhMDAGCisGAQQBg78w\nAQUEIm1hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMwNQYKKwYBBAGD\nvzABBgQncmVmcy9oZWFkcy9nZW5lcmF0ZS1zd3NjLWJ1aWxkLW1ldGFkYXRhMDsG\nCisGAQQBg78wAQgELQwraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJj\nb250ZW50LmNvbTCBhgYKKwYBBAGDvzABCQR4DHZodHRwczovL2dpdGh1Yi5jb20v\nc2xzYS1mcmFtZXdvcmsvc2xzYS1naXRodWItZ2VuZXJhdG9yLy5naXRodWIvd29y\na2Zsb3dzL2dlbmVyYXRvcl9nZW5lcmljX3Nsc2EzLnltbEByZWZzL3RhZ3MvdjEu\nNy4wMDgGCisGAQQBg78wAQoEKgwoZTU1Yjc2Y2U0MjEwODJkZmE0YjM0YTZhYzNj\nNWU1OWRlMGYzYmI1ODAdBgorBgEEAYO/MAELBA8MDWdpdGh1Yi1ob3N0ZWQwRQYK\nKwYBBAGDvzABDAQ3DDVodHRwczovL2dpdGh1Yi5jb20vbWFyY2VsYW1lbGFyYS9w\ncml2YXRlLWRhdGEtb2JqZWN0czA4BgorBgEEAYO/MAENBCoMKDg3Yjc0Mzc4ZThj\nOWNjZjMzNWEyN2ZmY2RjMTY2MzY5OTAyNTRlMWUwNwYKKwYBBAGDvzABDgQpDCdy\nZWZzL2hlYWRzL2dlbmVyYXRlLXN3c2MtYnVpbGQtbWV0YWRhdGEwGQYKKwYBBAGD\nvzABDwQLDAkyMzY1OTI5MDgwMAYKKwYBBAGDvzABEAQiDCBodHRwczovL2dpdGh1\nYi5jb20vbWFyY2VsYW1lbGFyYTAYBgorBgEEAYO/MAERBAoMCDkzNzk3ODk4MIGM\nBgorBgEEAYO/MAESBH4MfGh0dHBzOi8vZ2l0aHViLmNvbS9tYXJjZWxhbWVsYXJh\nL3ByaXZhdGUtZGF0YS1vYmplY3RzLy5naXRodWIvd29ya2Zsb3dzL2NpLXN3c2Mu\neWFtbEByZWZzL2hlYWRzL2dlbmVyYXRlLXN3c2MtYnVpbGQtbWV0YWRhdGEwOAYK\nKwYBBAGDvzABEwQqDCg4N2I3NDM3OGU4YzljY2YzMzVhMjdmZmNkYzE2NjM2OTkw\nMjU0ZTFlMBQGCisGAQQBg78wARQEBgwEcHVzaDBoBgorBgEEAYO/MAEVBFoMWGh0\ndHBzOi8vZ2l0aHViLmNvbS9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmpl\nY3RzL2FjdGlvbnMvcnVucy81OTU3NjcyNTgwL2F0dGVtcHRzLzEwFgYKKwYBBAGD\nvzABFgQIDAZwdWJsaWMwgYsGCisGAQQB1nkCBAIEfQR7AHkAdwDdPTBqxscRMmMZ\nHhyZZzcCokpeuN48rf+HinKALynujgAAAYok48Y6AAAEAwBIMEYCIQDlB6pBRLqz\nOVzWrWDyAKjqbj/+In4R1ZIV1ZpPBOibpgIhAOD0US5lEsq/jbd6+TFuCNGAwSmT\njLX6qaZM51mil8GAMAoGCCqGSM49BAMDA2gAMGUCMQCobhDekCwGfSHneSK9wVlo\nlm+5HAzWWCXP0MqB+z3BKrlncSTvfTtLT6Ai0uylV48CMBr+qUk5b34MOr3AfkFL\nwZPYsMpbWP4k8SXbi6NaBqwAAnAl3s+w3qbR/Nt2wtoPwA==\n-----END CERTIFICATE-----\n"}]} -------------------------------------------------------------------------------- /kccncna2023-demo/attestations/evidence-collection.1f575092.json: -------------------------------------------------------------------------------- 1 | {"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoicGRvX2NsaWVudF93YXdha2EiLCJkaWdlc3QiOnsic2hhMjU2IjoiOWZiN2VmNTUyMjk4ZjhmYmFkODQ2MDRkMDYxMDBlNzYwYjdiOGM0Y2I0ZDZjNGI3Mjc4NjVmMWYyODVkMDZhYyJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL2luLXRvdG8uaW8vYXR0ZXN0YXRpb24vc2NhaS9hdHRyaWJ1dGUtcmVwb3J0L3YwLjIiLCJwcmVkaWNhdGUiOnsiYXR0cmlidXRlcyI6W3siYXR0cmlidXRlIjoiSGFzU0JPTSIsImV2aWRlbmNlIjp7ImRpZ2VzdCI6eyJzaGEyNTYiOiJkOTVjMjAyZTBlNDAyMTQ0ZDYzNjM4MGU5ODJlYWZmNTRiZTU1OWI1NTU5OGZkMTgwNzFlOTZkNmYzYTdlYjAzIn0sImRvd25sb2FkTG9jYXRpb24iOiJodHRwczovL2dpdGh1Yi5jb20vbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9zdWl0ZXMvMTU0MTc3MjYxNDIvYXJ0aWZhY3RzLzg4MDQwMzM5NSIsIm1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3NwZHgranNvbiIsIm5hbWUiOiJwZG9fY2xpZW50X3dhd2FrYS5zcGR4Lmpzb24ifX0seyJhdHRyaWJ1dGUiOiJIYXNTTFNBIiwiZXZpZGVuY2UiOnsiZGlnZXN0Ijp7InNoYTI1NiI6Ijk0ZDE4NzE2ZWU0NDEyMTc1YzVkOWRhMWNlNTA5NDcxNTNlMDljNDc2MmY5MDQ0YWY2ZjJkNjgyOGIxMmZlNWIifSwiZG93bmxvYWRMb2NhdGlvbiI6Imh0dHBzOi8vZ2l0aHViLmNvbS9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL3N1aXRlcy8xNTQxNzcyNjE0Mi9hcnRpZmFjdHMvODgwNDAzMzkyL3Bkb19jbGllbnRfd2F3YWthLnNsc2EuaW50b3RvLmpzb25sIiwibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8rZHNzZSIsIm5hbWUiOiJidWlsZC40NTJlNjI4YS5qc29uIn19XX19","signatures":[{"keyid":"1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6","sig":"W5terKjmGajjJLl1mXNgPzIamE0omBDUkXzmrAVZMI51FTvv2a4ixCRAMSvT8qxcs/ZvqMXxMGQV5RR2x1aF1JkBLSP9nY7mQLcl7GYJ6E+KltLMgO3Bw9b4vXDp/JZ1y8Dby+rUEt0umehFJYj0Yl8/ndhWVK6QNMzrCDghK8TdZ8N1+HhyxewOYdP2i+yrM0Ll0Q0DiXO4r5SPGgGTY6BWe5Sjc2HNrt+J6fJcnXpvfCBlTAuG0pGNDbIS9jtimsh+AKAlpdcgJUPGpL3baTRW/1liyzVmtJtIrTl1kDDm/rzKmFi/OaMS6Vwm4RkaEkXaLPYpzz6pBaCHm8JxNJVjijtoTrNyuhEyHuvZW3o/p9/TmW9O6kyDc8Sybk5S8iWca0N3sLAfIsQw4968PHo4p7jf/bWWPFhSag2nIz4fKdiLXSzaDvxKtuuMfa6BG15j45Nwqq6qcKf2ZssYP4sjyuzYcJe912HFPPo8ZasQmFBcuBMhpu7NHU6yP/19"}]} -------------------------------------------------------------------------------- /kccncna2023-demo/images/intoto-kccncna2023-demo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/in-toto/scai-demos/f26aed11a200df490ba2e5f362834650616bc745/kccncna2023-demo/images/intoto-kccncna2023-demo.png -------------------------------------------------------------------------------- /kccncna2023-demo/policies/has-slsa.yml: -------------------------------------------------------------------------------- 1 | attestationID: "f7dbd9211f8c9ee70313454ddba0ffacec91139ff325b3ef90eccf706bd06ecf" 2 | inspections: 3 | - name: "build.452e628a.json" 4 | expectedAttributes: 5 | - rule: "assertion.attribute == 'HasSLSA' && predicateType == 'https://slsa.dev/provenance/v0.2'" 6 | - rule: "predicate.buildType == 'https://github.com/slsa-framework/slsa-github-generator/generic@v1'" 7 | -------------------------------------------------------------------------------- /kccncna2023-demo/policies/layout.yml: -------------------------------------------------------------------------------- 1 | expires: "2024-10-10T12:23:22Z" 2 | functionaries: 3 | 1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6: 4 | keyType: "rsa" 5 | scheme: "rsassa-pss-sha256" 6 | keyIDHashAlgorithms: 7 | - "sha256" 8 | - "sha512" 9 | keyVal: 10 | public: "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA0o+jumXN3tE2Xqx1qKjC\ngzCCvAPoOlzQlg+7OLGHnJbQgDxOyhFYMNqJ6cztb26NettmEpPtLDSnM5fPvHuH\nPVoPctzLqE9MiXdD1C7RHbjeSaUBxJV6wSGdAGzNa+8oxxG1ex4H7KHOXD8Mo61o\nitzViEw8knQNDhKHA/JWMnnhX07J1wF+EBWHpBsquAxZMLwy9h4uSlJjbK6TVZS8\nzLEtChVHLqF71px3/rRLlx6gyvSfqsVUd86JDrZtC+MHiq72nnx6N7+4wmSFB6ZQ\naBJvEemP9f54KgSMPLH4fZ63noQKUj9dnOZ+N4f0SGRIIvhN03/LlVA9ifkJBQml\nLKbiNWGAk92+C6NEp2Tj7olNsQ1zOTLzC27CJSWlDq9hSiS7LuaZUy7Gb3acX6Zf\nGZkwYXpXQPp/vM66InJcr5/T1iW/XhtmCHiRd7T24R4qDvS+Xuqv9+pJtHemCUpz\nWhn7N5L7Hr/t0b0SIUNd1PZzD4+lKElcAt99vCVlKQmVAgMBAAE=\n-----END PUBLIC KEY-----" 11 | keyID: "1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6" 12 | 452e628a9a052784761275fe2eed15d7c0c8c8599bf1977879f130a568af5d8c: 13 | keyType: "ecdsa" 14 | scheme: "ecdsa-sha2-nistp256" 15 | keyIDHashAlgorithms: 16 | - "sha256" 17 | - "sha512" 18 | keyVal: 19 | public: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEB0TVhLF/u/aDcn+3ncIW2lfOKFn4\niCY36NC3k/oPa8sJ8X25H//mhY8/6fNyUh4PzjIEyHPOcr8CAi8dWyuRFQ==\n-----END PUBLIC KEY-----" 20 | keyID: "452e628a9a052784761275fe2eed15d7c0c8c8599bf1977879f130a568af5d8c" 21 | steps: 22 | - name: "build" 23 | expectedMaterials: 24 | - "ALLOW git+https://github.com/marcelamelara/private-data-objects@refs/heads/generate-swsc-build-metadata" 25 | - "DISALLOW *" 26 | expectedProducts: 27 | - "CREATE pdo_client_wawaka" 28 | - "DISALLOW *" 29 | expectedPredicates: 30 | - predicateType: "https://slsa.dev/provenance/v0.2" 31 | expectedAttributes: 32 | - rule: "predicate.builder.id == 'https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.7.0'" 33 | - rule: "predicate.invocation.configSource.uri == 'git+https://github.com/marcelamelara/private-data-objects@refs/heads/generate-swsc-build-metadata'" 34 | - rule: "predicate.invocation.configSource.digest.sha1 == '87b74378e8c9ccf335a27ffcdc16636990254e1e'" 35 | functionaries: 36 | - "452e628a9a052784761275fe2eed15d7c0c8c8599bf1977879f130a568af5d8c" 37 | - name: "evidence-collection" 38 | expectedMaterials: 39 | - "MATCH pdo_client_wawaka WITH products FROM build" 40 | - "DISALLOW *" 41 | expectedPredicates: 42 | - predicateType: "https://in-toto.io/attestation/scai/attribute-report/v0.2" 43 | expectedAttributes: 44 | - rule: "size(predicate.attributes) >= 2" 45 | - rule: "predicate.attributes.exists(a, a.attribute == 'HasSBOM')" 46 | - rule: "predicate.attributes.exists(a, a.attribute == 'HasSLSA')" 47 | functionaries: 48 | - "1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6" 49 | -------------------------------------------------------------------------------- /kccncna2023-demo/verification-flow.sh: -------------------------------------------------------------------------------- 1 | printf "in-toto KubeCon + CloudNativeCon NA 2023 demo (verification flow only)\n\n" 2 | 3 | printf "DISCLAIMER: This verification flow is only for demo purposes.\n" 4 | printf "A production verification flow includes retrieving and validating the identities/keys of attestation signers, which is not shown in this demo.\n\n" 5 | 6 | printf "Verifying ITE-10 Layout\n\n" 7 | attestation-verifier --attestations-directory ./attestations --layout ./policies/layout.yml 8 | 9 | printf "\nVerifying SCAI evidence\n\n" 10 | scai-gen check evidence --policy-file ./policies/has-slsa.yml --evidence-dir ./evidence-files ./attestations/evidence-collection.1f575092.json 11 | -------------------------------------------------------------------------------- /layouts/local_build.yml: -------------------------------------------------------------------------------- 1 | expires: "2024-10-10T12:23:22Z" 2 | functionaries: 3 | 1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6: 4 | keyType: "rsa" 5 | keyID: "1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6" 6 | steps: 7 | - name: "evidence-collection" 8 | expectedMaterials: 9 | - "DISALLOW *" 10 | expectedPredicates: 11 | - predicateType: "https://in-toto.io/attestation/scai/attribute-report/v0.2" 12 | expectedAttributes: 13 | - rule: "size(predicate.attributes) >= 2" 14 | - rule: "predicate.attributes[0].attribute == 'HasSBOM'" 15 | functionaries: 16 | - "1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6" 17 | -------------------------------------------------------------------------------- /layouts/pdo_client_wawaka.yml: -------------------------------------------------------------------------------- 1 | expires: "2024-10-10T12:23:22Z" 2 | functionaries: 3 | 1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6: 4 | keyType: "rsa" 5 | scheme: "rsassa-pss-sha256" 6 | keyIDHashAlgorithms: 7 | - "sha256" 8 | - "sha512" 9 | keyVal: 10 | public: "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA0o+jumXN3tE2Xqx1qKjC\ngzCCvAPoOlzQlg+7OLGHnJbQgDxOyhFYMNqJ6cztb26NettmEpPtLDSnM5fPvHuH\nPVoPctzLqE9MiXdD1C7RHbjeSaUBxJV6wSGdAGzNa+8oxxG1ex4H7KHOXD8Mo61o\nitzViEw8knQNDhKHA/JWMnnhX07J1wF+EBWHpBsquAxZMLwy9h4uSlJjbK6TVZS8\nzLEtChVHLqF71px3/rRLlx6gyvSfqsVUd86JDrZtC+MHiq72nnx6N7+4wmSFB6ZQ\naBJvEemP9f54KgSMPLH4fZ63noQKUj9dnOZ+N4f0SGRIIvhN03/LlVA9ifkJBQml\nLKbiNWGAk92+C6NEp2Tj7olNsQ1zOTLzC27CJSWlDq9hSiS7LuaZUy7Gb3acX6Zf\nGZkwYXpXQPp/vM66InJcr5/T1iW/XhtmCHiRd7T24R4qDvS+Xuqv9+pJtHemCUpz\nWhn7N5L7Hr/t0b0SIUNd1PZzD4+lKElcAt99vCVlKQmVAgMBAAE=\n-----END PUBLIC KEY-----" 11 | keyID: "1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6" 12 | 452e628a9a052784761275fe2eed15d7c0c8c8599bf1977879f130a568af5d8c: 13 | keyType: "ecdsa" 14 | scheme: "ecdsa-sha2-nistp256" 15 | keyIDHashAlgorithms: 16 | - "sha256" 17 | - "sha512" 18 | keyVal: 19 | public: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEB0TVhLF/u/aDcn+3ncIW2lfOKFn4\niCY36NC3k/oPa8sJ8X25H//mhY8/6fNyUh4PzjIEyHPOcr8CAi8dWyuRFQ==\n-----END PUBLIC KEY-----" 20 | keyID: "452e628a9a052784761275fe2eed15d7c0c8c8599bf1977879f130a568af5d8c" 21 | steps: 22 | - name: "build" 23 | expectedMaterials: 24 | - "ALLOW git+https://github.com/marcelamelara/private-data-objects@refs/heads/generate-swsc-build-metadata" 25 | - "DISALLOW *" 26 | expectedProducts: 27 | - "CREATE pdo_client_wawaka" 28 | - "DISALLOW *" 29 | expectedPredicates: 30 | - predicateType: "https://slsa.dev/provenance/v0.2" 31 | expectedAttributes: 32 | - rule: "predicate.builder.id == 'https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.7.0'" 33 | - rule: "predicate.invocation.configSource.uri == 'git+https://github.com/marcelamelara/private-data-objects@refs/heads/generate-swsc-build-metadata'" 34 | - rule: "predicate.invocation.configSource.digest.sha1 == '87b74378e8c9ccf335a27ffcdc16636990254e1e'" 35 | functionaries: 36 | - "452e628a9a052784761275fe2eed15d7c0c8c8599bf1977879f130a568af5d8c" 37 | - name: "evidence-collection" 38 | expectedMaterials: 39 | - "MATCH pdo_client_wawaka WITH products FROM build" 40 | - "DISALLOW *" 41 | expectedPredicates: 42 | - predicateType: "https://in-toto.io/attestation/scai/attribute-report/v0.2" 43 | expectedAttributes: 44 | - rule: "size(predicate.attributes) >= 2" 45 | - rule: "predicate.attributes.exists(a, a.attribute == 'HasSBOM')" 46 | - rule: "predicate.attributes.exists(a, a.attribute == 'HasSLSA')" 47 | functionaries: 48 | - "1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6" 49 | -------------------------------------------------------------------------------- /policies/has-slsa.yml: -------------------------------------------------------------------------------- 1 | attestationID: "f7dbd9211f8c9ee70313454ddba0ffacec91139ff325b3ef90eccf706bd06ecf" 2 | inspections: 3 | - name: "build.452e628a.json" 4 | expectedAttributes: 5 | - rule: "assertion.attribute == 'HasSLSA' && predicateType == 'https://slsa.dev/provenance/v0.2'" 6 | - rule: "predicate.buildType == 'https://github.com/slsa-framework/slsa-github-generator/generic@v1'" 7 | -------------------------------------------------------------------------------- /policies/hermetic-evidence-fail.yml: -------------------------------------------------------------------------------- 1 | attestationID: "331046d1131de62d0bb9c919a27cc85b5a267136515f54bd354c8aa98f3ceb3b" 2 | inspections: 3 | - name: "strace.log" 4 | expectedAttributes: 5 | - rule: "assertion.attribute == 'IsHermeticBuild' && text.contains('inet_addr') == false" 6 | -------------------------------------------------------------------------------- /policies/hermetic-evidence.yml: -------------------------------------------------------------------------------- 1 | attestationID: "56288398ee71b2c054306fb989325b0f86e380fa1de8240c9646ba00d071db1d" 2 | inspections: 3 | - name: "strace.log" 4 | expectedAttributes: 5 | - rule: "assertion.attribute == 'NonHermeticBuild' && text.contains('inet_addr') == true" 6 | -------------------------------------------------------------------------------- /python/.gitignore: -------------------------------------------------------------------------------- 1 | build 2 | dist 3 | *.egg-info 4 | -------------------------------------------------------------------------------- /python/README.md: -------------------------------------------------------------------------------- 1 | # scai-generator Python CLI 2 | 3 | ## CLI Environment Setup 4 | 5 | To run the SCAI CLI tools and examples, the following packages 6 | are required on a minimal Ubuntu system. We assume Ubuntu 20.04 or higher. 7 | 8 | ``` 9 | sudo apt install git python3 python3-dev python3-venv virtualenv build-essential 10 | ``` 11 | 12 | Then, set up the Python virtualenv for the SCAI CLI tools from this 13 | repo's root directory. 14 | 15 | ``` 16 | make VENVDIR= py-venv 17 | ``` 18 | 19 | ## Basic CLI Invocation 20 | 21 | ``` 22 | source $VENVDIR/bin/activate 23 | ``` 24 | 25 | ### Generate a ResourceDescriptor 26 | 27 | To generate ResourceDescriptors for SCAI AttributeAssertion or Report fields: 28 | ``` 29 | scai-gen-resource-desc -o [-n -d -u ] [-r ] [-l ] [-c] [-t ] 30 | ``` 31 | 32 | **:warn: Note:** Because at least one of `name`, `uri` or `digest` fields 33 | are required in [ResourceDescriptors], the tool will throw an error if 34 | none of these options are passed in. 35 | 36 | ### Generate an AttributeAssertion 37 | 38 | To generate AttributeAssertions for a SCAI Report: 39 | ``` 40 | scai-attr-assertion -a -o [-t ] [-e ] [-c ] 41 | ``` 42 | 43 | **:warn: Note:** Since the `conditions` field in [AttributeAssertions] can 44 | be an arbitrary JSON object, the tool assumes that this object has been 45 | written to a file beforehand. 46 | 47 | ### Generate a SCAI report 48 | 49 | To generate a SCAI Report: 50 | ``` 51 | scai-report -s -a -o [-p ] 52 | ``` 53 | 54 | **Note:** The generated SCAI report document is a valid [in-toto Statement]. 55 | 56 | For a full list of CLI tool options, invoke with the `-h` option. 57 | 58 | [in-toto Statement]: https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md 59 | [ResourceDescriptors]: https://github.com/in-toto/attestation/blob/main/spec/v1/resource_descriptor.md 60 | [AttributeAssertions]: https://github.com/in-toto/attestation/blob/main/protos/in_toto_attestation/predicates/scai/v0/scai.proto#L16 61 | [Report]: https://github.com/in-toto/attestation/blob/main/protos/in_toto_attestation/predicates/scai/v0/scai.proto#L28 62 | [SCAI specification]: https://github.com/in-toto/attestation/blob/main/spec/predicates/scai.md 63 | -------------------------------------------------------------------------------- /python/scai_generator/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Intel Corporation 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | __import__('pkg_resources').declare_namespace('cdi') 16 | -------------------------------------------------------------------------------- /python/scai_generator/cli/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/in-toto/scai-demos/f26aed11a200df490ba2e5f362834650616bc745/python/scai_generator/cli/__init__.py -------------------------------------------------------------------------------- /python/scai_generator/cli/gen_attr_assertion.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright 2023 Intel Corporation 3 | # SPDX-License-Identifier: Apache-2.0 4 | 5 | """ 6 | 7 | scai-attr-assertion 8 | 9 | 10 | Marcela Melara 11 | 12 | 13 | See LICENSE for licensing information. 14 | 15 | 16 | Command-line interface for generating ITE-9 SCAI Attribute Assertions. 17 | """ 18 | 19 | import argparse 20 | import json 21 | import os 22 | import sys 23 | 24 | from scai_generator.utility import load_json_file 25 | from in_toto_attestation.predicates.scai.v0.scai import AttributeAssertion 26 | import in_toto_attestation.v1.resource_descriptor_pb2 as rdpb 27 | from in_toto_attestation.v1.resource_descriptor import ResourceDescriptor 28 | 29 | import google.protobuf.json_format as pb_json 30 | 31 | def Main(): 32 | parser = argparse.ArgumentParser(allow_abbrev=False) 33 | 34 | parser.add_argument('-a', '--attribute', help='Attribute keyword', type=str, required=True) 35 | parser.add_argument('-c', '--conditions', help='Filename of json-encoded conditions object', type=str) 36 | parser.add_argument('-e', '--evidence', help='Filename of json-encoded evidence resource descriptor', type=str) 37 | parser.add_argument('-t', '--target', help='Filename of json-encoded target resource descriptor', type=str) 38 | parser.add_argument('-o', '--outfile', help='Filename to write out this assertion object', type=str, required=True) 39 | parser.add_argument('--target-dir', help='Directory for searching target files', type=str) 40 | parser.add_argument('--evidence-dir', help='Directory for searching evidence files', type=str) 41 | parser.add_argument('--conditions-dir', help='Directory for searching conditions files', type=str) 42 | parser.add_argument('--out-dir', help='Directory for storing generated files', type=str) 43 | parser.add_argument('--pretty-print', help='Flag to pretty-print all json before storing', action='store_true') 44 | 45 | options = parser.parse_args() 46 | 47 | # Create target reference 48 | target_rd = None 49 | if options.target: 50 | target_dict = load_json_file(options.target, search_path=options.target_dir) 51 | target_rd = pb_json.ParseDict(target_dict, rdpb.ResourceDescriptor()) 52 | 53 | # Read conditions 54 | conditions_dict = None 55 | if options.conditions: 56 | conditions_dict = load_json_file(options.conditions, search_path=options.conditions_dir) 57 | 58 | # Read evidence 59 | evidence_rd = None 60 | if options.evidence: 61 | evidence_dict = load_json_file(options.evidence, search_path=options.evidence_dir) 62 | evidence_rd = pb_json.ParseDict(evidence_dict, rdpb.ResourceDescriptor()) 63 | 64 | assertion = AttributeAssertion(options.attribute, target=target_rd, conditions=conditions_dict, evidence=evidence_rd) 65 | 66 | # validate the assertion format, including resource descriptors 67 | try: 68 | assertion.validate() 69 | except ValueError as e: 70 | sys.exit(e) 71 | 72 | # Write out the assertions file 73 | out_dir = '.' 74 | if options.out_dir: 75 | out_dir = options.out_dir 76 | 77 | outfile = options.outfile 78 | if not outfile.endswith('.json'): 79 | outfile += '.json' 80 | 81 | indent = 0 82 | if options.pretty_print: 83 | indent = 4 84 | 85 | assertion_file = os.path.join(out_dir, outfile) 86 | with open(assertion_file, 'w+') as afile : 87 | afile.write(pb_json.MessageToJson(assertion.pb, indent=indent)) 88 | 89 | print('Wrote attribute assertion to %s' % assertion_file) 90 | 91 | if __name__ == "__main__": 92 | Main() 93 | -------------------------------------------------------------------------------- /python/scai_generator/cli/gen_report.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # Copyright 2023 Intel Corporation 3 | # SPDX-License-Identifier: Apache-2.0 4 | 5 | """ 6 | 7 | scai-report 8 | 9 | 10 | Marcela Melara 11 | 12 | 13 | See LICENSE for licensing information. 14 | 15 | 16 | Command-line interface for generating ITE-9 SCAI Attribute Reports. 17 | """ 18 | 19 | import argparse 20 | import json 21 | import os 22 | import sys 23 | 24 | from scai_generator.utility import load_json_file 25 | from in_toto_attestation.predicates.scai.v0.scai import AttributeReport, SCAI_PREDICATE_TYPE, SCAI_PREDICATE_VERSION 26 | import in_toto_attestation.predicates.scai.v0.scai_pb2 as scaipb 27 | import in_toto_attestation.v1.resource_descriptor_pb2 as rdpb 28 | from in_toto_attestation.v1.statement import Statement 29 | 30 | import google.protobuf.json_format as pb_json 31 | 32 | def Main(): 33 | parser = argparse.ArgumentParser(allow_abbrev=False) 34 | 35 | parser.add_argument('-s', '--subjects', help='Filenames of JSON-encoded subject resource descriptors', nargs='+', type=str, required=True) 36 | parser.add_argument('-a', '--attribute-assertions', help='Filenames of JSON-encoded SCAI attribute assertions', nargs='+', type=str, required=True) 37 | parser.add_argument('-p', '--producer', help='Filename of JSON-encoded producer resource descriptor', type=str) 38 | parser.add_argument('-o', '--outfile', help='Filename to write out this SCAI attribute report', type=str, required=True) 39 | parser.add_argument('--subject-dirs', help='Directories for searching subject artifact descriptors', nargs='+', type=str) 40 | parser.add_argument('--assertion-dir', help='Directory for searching assertion files', type=str, default='.') 41 | parser.add_argument('--producer-dir', help='Directory for searching producer descriptors', type=str, default='.') 42 | parser.add_argument('--out-dir', help='Directory for storing generated files', type=str, default='.') 43 | parser.add_argument('--pretty-print', help='Flag to pretty-print all json before storing', action='store_true') 44 | 45 | options = parser.parse_args() 46 | 47 | print('Generating SCAI Attribute Report for subjects: {0}'.format(str(options.subjects))) 48 | 49 | # check all possible subject directories 50 | subjects_dir = ['.'] 51 | subjects_dir.extend(options.subject_dirs) 52 | 53 | subject_list = [] 54 | for s in options.subjects: 55 | for d in subjects_dir: 56 | try: 57 | sdict = load_json_file(s, search_path=d) 58 | except FileNotFoundError: 59 | continue 60 | 61 | subject_pb = pb_json.ParseDict(sdict, rdpb.ResourceDescriptor()) 62 | subject_list.append(subject_pb) 63 | break 64 | 65 | # assume all SCAI assertions are in the same location 66 | assertions = [] 67 | for a in options.attribute_assertions: 68 | adict = load_json_file(a, search_path=options.assertion_dir) 69 | assertion_pb = pb_json.ParseDict(adict, scaipb.AttributeAssertion()) 70 | assertions.append(assertion_pb) 71 | 72 | # Load the producer descriptor 73 | producer_pb = None 74 | if options.producer: 75 | pdict = load_json_file(options.producer, options.producer_dir) 76 | producer_pb = pb_json.ParseDict(pdict, rdpb.ResourceDescriptor()) 77 | 78 | report = AttributeReport(assertions, producer=producer_pb) 79 | 80 | # validate the report format, including assertions and RDs 81 | try: 82 | report.validate() 83 | except ValueError as e: 84 | sys.exit(e) 85 | 86 | # Write the SCAI AttributeReport as an in-toto Statement 87 | scai_pred_type = SCAI_PREDICATE_TYPE+SCAI_PREDICATE_VERSION 88 | scai_pred_dict = pb_json.MessageToDict(report.pb) 89 | statement = Statement(subject_list, scai_pred_type, scai_pred_dict) 90 | 91 | # validate the statement format, including the subjects 92 | # NOTE: this does not validate the predicate itself 93 | try: 94 | statement.validate() 95 | except ValueError as e: 96 | sys.exit(e) 97 | 98 | # Write out the statement file 99 | outfile = options.outfile 100 | if not outfile.endswith('.json'): 101 | outfile += '.json' 102 | 103 | indent = 0 104 | if options.pretty_print: 105 | indent = 4 106 | 107 | stmt_file = os.path.join(options.out_dir, outfile) 108 | with open(stmt_file, 'w+') as f : 109 | f.write(pb_json.MessageToJson(statement.pb, indent=indent)) 110 | 111 | print('Wrote in-toto SCAI report: {0}'.format(stmt_file)) 112 | 113 | if __name__ == "__main__": 114 | Main() 115 | -------------------------------------------------------------------------------- /python/scai_generator/cli/gen_resource_desc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright 2023 Intel Corporation 3 | # SPDX-License-Identifier: Apache-2.0 4 | 5 | """ 6 | 7 | scai-gen-resource-desc 8 | 9 | 10 | Marcela Melara 11 | 12 | 13 | See LICENSE for licensing information. 14 | 15 | 16 | Command-line interface for generating ITE-9 Resource Descriptors. 17 | """ 18 | 19 | import argparse 20 | import json 21 | import os 22 | 23 | from scai_generator.utility import load_json_file 24 | from in_toto_attestation.v1.resource_descriptor import ResourceDescriptor 25 | 26 | from securesystemslib.hash import digest_filename 27 | import google.protobuf.json_format as pb_json 28 | 29 | def Main(): 30 | parser = argparse.ArgumentParser(allow_abbrev=False) 31 | 32 | parser.add_argument('-n', '--name', help='The name', type=str, default='') 33 | parser.add_argument('-u', '--uri', help='The URI', type=str, default='') 34 | parser.add_argument('-d', '--digest', help='Flag to generate the SHA256 hash of the resource', action='store_true') 35 | parser.add_argument('-c', '--content', help='Flag to include the content of the resource', action='store_true') 36 | parser.add_argument('-l', '--download-location', help='The download location of the resource (if different from the URI)', type=str, default='') 37 | parser.add_argument('-t', '--media-type', help='The media type of the resource', type=str, default='') 38 | parser.add_argument('-a', '--annotations', help='Filename of JSON-encoded annotations for the resource descriptor', type=str) 39 | parser.add_argument('-f', '--resource-file', help='Filename of the resource to be described', type=str) 40 | parser.add_argument('-o', '--outfile', help='Filename to write out this assertion object', type=str, required=True) 41 | parser.add_argument('--resource-dir', help='Directory for searching resource files', type=str, default='.') 42 | parser.add_argument('--annotation-dir', help='Directory for searching annotations files', type=str, default='.') 43 | parser.add_argument('--out-dir', help='Directory for storing generated files', type=str, default='.') 44 | parser.add_argument('--pretty-print', help='Flag to pretty-print all json before storing', action='store_true') 45 | 46 | options = parser.parse_args() 47 | 48 | # Fail if the resource descriptor doesn't at least have a name, URI, or digest algorithm specified 49 | if not options.name and not options.uri and not options.digest: 50 | print('Error: Need at least one of name, URI or digest for a valid in-toto resource descriptor') 51 | exit(-1) 52 | 53 | # Generate the digest, if requested 54 | resource_file_path = None 55 | if options.resource_file: 56 | resource_file_path = os.path.join(options.resource_dir, options.resource_file) 57 | 58 | resource_digest_set = {} 59 | if options.digest and resource_file_path: 60 | # we're ok with using the default hash algorithm (sha256) 61 | hash_obj = digest_filename(resource_file_path) 62 | # convert the hash object into a digest set 63 | resource_digest_set.update({hash_obj.name: hash_obj.hexdigest()}) 64 | 65 | resource_bytes = bytes() 66 | if options.content and resource_file_path: 67 | with open(resource_file_path, 'rb') as f: 68 | resource_bytes = f.read() 69 | 70 | annotations_dict = None 71 | if options.annotations: 72 | annotations_dict = load_json_file(options.annotations, search_path=options.annotation_dir) 73 | 74 | rd = ResourceDescriptor(name=options.name, uri=options.uri, digest=resource_digest_set, content=resource_bytes, download_location=options.download_location, media_type=options.media_type, annotations=annotations_dict) 75 | 76 | # validate the resource descriptor format 77 | try: 78 | rd.validate() 79 | except ValueError as e: 80 | sys.exit(e) 81 | 82 | # Write out the resource descriptor file 83 | outfile = options.outfile 84 | if not outfile.endswith('.json'): 85 | outfile += '.json' 86 | 87 | indent = 0 88 | if options.pretty_print: 89 | indent = 4 90 | 91 | rd_file = os.path.join(options.out_dir, outfile) 92 | with open(rd_file, 'w+') as f : 93 | f.write(pb_json.MessageToJson(rd.pb, indent=indent)) 94 | 95 | print('Wrote resource descriptor to %s' % rd_file) 96 | 97 | if __name__ == "__main__": 98 | Main() 99 | -------------------------------------------------------------------------------- /python/scai_generator/utility.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright 2022 Intel Corporation 3 | 4 | import json 5 | import os 6 | import errno 7 | 8 | # ----------------------------------------------------------------- 9 | # ----------------------------------------------------------------- 10 | def find_file_in_path(filename, search_path='.') : 11 | """general utility to search for a file name in a path 12 | :param str filename: name of the file to locate, absolute path ignores search_path 13 | :param list(str) search_path: list of directores where the files may be located 14 | """ 15 | 16 | # os.path.abspath only works for full paths, not relative paths 17 | # this check should catch './abc' 18 | if os.path.split(filename)[0] : 19 | if os.path.isfile(filename) : 20 | return filename 21 | raise FileNotFoundError(errno.ENOENT, "file does not exist", filename) 22 | 23 | if search_path: 24 | full_filename = os.path.join(search_path, filename) 25 | if os.path.isfile(full_filename) : 26 | return full_filename 27 | 28 | raise FileNotFoundError(errno.ENOENT, "unable to locate file in search path", filename) 29 | 30 | def load_json_file(filename, search_path): 31 | full_file = find_file_in_path(filename, search_path) 32 | with open(full_file, "r") as rfile : 33 | contents = rfile.read() 34 | contents = contents.rstrip('\0') 35 | return json.loads(contents) 36 | 37 | def load_text_file(filename, search_path): 38 | full_file = find_file_in_path(filename, search_path) 39 | with open(full_file, "r") as rfile : 40 | contents = rfile.read() 41 | contents = contents.rstrip('\0') 42 | return contents 43 | 44 | # read private .pem key file 45 | def parse_pem_file(key_file, search_path): 46 | full_file = find_file_in_path(key_file, search_path) 47 | with open(full_file, 'r') as k: 48 | key = k.read() 49 | assert key.startswith('-----BEGIN EC PRIVATE KEY-----\n') and key.endswith('\n-----END EC PRIVATE KEY-----\n'), "Malformed .pem key" 50 | 51 | return key 52 | 53 | # read public .pem key file 54 | def parse_public_pem_file(key_file, search_path): 55 | full_file = find_file_in_path(key_file, search_path) 56 | with open(full_file, 'r') as k: 57 | key = k.read() 58 | assert key.startswith('-----BEGIN PUBLIC KEY-----\n') and key.endswith('\n-----END PUBLIC KEY-----\n'), "Malformed .pem key" 59 | 60 | return key -------------------------------------------------------------------------------- /python/setup.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright 2022 Intel Corporation 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | import re 17 | 18 | import os 19 | import shutil 20 | 21 | # this should only be run with python3 22 | import sys 23 | if sys.version_info[0] < 3: 24 | print('ERROR: must run with python3') 25 | sys.exit(1) 26 | 27 | from setuptools import setup, find_packages, Extension 28 | 29 | setup(name='scai-generator', 30 | version='0.2', 31 | description='SCAI metadata generation tools', 32 | author='Intel Corporation', 33 | packages=find_packages(), 34 | entry_points = { 35 | 'console_scripts': [ 36 | 'scai-attr-assertion = scai_generator.cli.gen_attr_assertion:Main', 37 | 'scai-gen-resource-desc = scai_generator.cli.gen_resource_desc:Main', 38 | 'scai-report = scai_generator.cli.gen_report:Main' 39 | ] 40 | } 41 | ) 42 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | # scai library python requirements 2 | in-toto-attestation>=0.9.2 3 | -------------------------------------------------------------------------------- /scai-gen/Makefile: -------------------------------------------------------------------------------- 1 | setup: 2 | go get github.com/in-toto/attestation@858b9917479327f2d1e88a08394a1534ac1f892d 3 | 4 | .phony: setup 5 | 6 | -------------------------------------------------------------------------------- /scai-gen/README.md: -------------------------------------------------------------------------------- 1 | # scai-gen Go CLI 2 | 3 | This package provides a Go CLI for generating in-toto compatible [SCAI] 4 | metadata. We assume a minimal Ubuntu 20.04+ platform. 5 | 6 | ## Setup 7 | 8 | First, install Go version 1.20 or higher following the 9 | [Go installation instructions](https://go.dev/doc/install), as well as 10 | additional dependencies: 11 | 12 | ``` 13 | sudo apt install build-essential 14 | ``` 15 | 16 | Then, install the scai-gen Go module from this repo's root directory: 17 | 18 | ```bash 19 | make go-mod 20 | ``` 21 | 22 | ## Usage 23 | 24 | scai-gen can be used to generate JSON encoded in-toto [Resource Descriptors], 25 | SCAI [Attribute Assertions], and SCAI [Attribute Reports]. 26 | 27 | scai-gen also provides a feature for checking [DSSE]-signed in-toto 28 | attestations against an in-toto [Layout] or a SCAI [evidence policy]. 29 | Examples can be found in the [layouts](../layouts) and 30 | [policies](../policies) directories. 31 | 32 | ### Generate an in-toto Resource Descriptor 33 | 34 | Local file: 35 | 36 | ```bash 37 | scai-gen rd file -o [-n ] [-u ] [-l ] [-t ] 38 | ``` 39 | 40 | Remote resource or service: 41 | 42 | ```bash 43 | scai-gen rd remote -o [-a -d ] [-n ] 44 | ``` 45 | 46 | ### Generate a SCAI Attribute Assertion 47 | 48 | ```bash 49 | scai-gen assert -o [-e ] 50 | ``` 51 | 52 | Run `scai-gen assert help` for a full list of command-line options. 53 | 54 | ### Generate a SCAI Attribute Report 55 | 56 | ```bash 57 | scai-gen report -o [-e ] [ ...] 58 | ``` 59 | 60 | Run `scai-gen report help` for a full list of command-line options. 61 | 62 | ## SCAI policy checker 63 | 64 | ### Check the in-toto Layout for SCAI attestations 65 | 66 | ```bash 67 | scai-gen check layout -l [ ...] 68 | ``` 69 | 70 | ### Check SCAI attestation against an evidence policy 71 | 72 | The `scai-gen check evidence` command currently only supports checking 73 | policies about evidence that is located locally. Support for checking 74 | evidence formats other than plaintext or in-toto attestations is upcoming. 75 | 76 | ```bash 77 | scai-gen check evidence -p -e 78 | ``` 79 | 80 | Run `scai-gen check help` for a full list of command-line options. 81 | 82 | [Attribute Assertions]: https://github.com/in-toto/attestation/blob/main/protos/in_toto_attestation/predicates/scai/v0/scai.proto#L16 83 | [Attribute Reports]: https://github.com/in-toto/attestation/blob/main/protos/in_toto_attestation/predicates/scai/v0/scai.proto#L28 84 | [DSSE]: https://github.com/in-toto/attestation/blob/main/spec/v1/envelope.md 85 | [Layout]: https://github.com/in-toto/ITE/tree/master/ITE/10 86 | [Resource Descriptors]: https://github.com/in-toto/attestation/blob/main/spec/v1/resource_descriptor.md 87 | [SCAI]: https://github.com/in-toto/attestation/blob/main/spec/predicates/scai.md 88 | [evidence policy]: ./policy/checks.go#L15 89 | -------------------------------------------------------------------------------- /scai-gen/cmd/assert.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "fmt" 5 | 6 | "github.com/in-toto/scai-demos/scai-gen/pkg/fileio" 7 | "github.com/in-toto/scai-demos/scai-gen/pkg/generators" 8 | 9 | ita "github.com/in-toto/attestation/go/v1" 10 | "github.com/spf13/cobra" 11 | "google.golang.org/protobuf/types/known/structpb" 12 | ) 13 | 14 | var assertCmd = &cobra.Command{ 15 | Use: "assert", 16 | Args: cobra.ExactArgs(1), 17 | Short: "Generate a JSON-encoded SCAI Attribute Assertion", 18 | RunE: genAttrAssertion, 19 | } 20 | 21 | var ( 22 | targetFile string 23 | conditionsFile string 24 | evidenceFile string 25 | ) 26 | 27 | func init() { 28 | assertCmd.Flags().StringVarP( 29 | &outFile, 30 | "out-file", 31 | "o", 32 | "", 33 | "Filename to write out the JSON-encoded object", 34 | ) 35 | assertCmd.MarkFlagRequired("out-file") //nolint:errcheck 36 | 37 | assertCmd.Flags().StringVarP( 38 | &targetFile, 39 | "target", 40 | "t", 41 | "", 42 | "The filename of the JSON-encoded target resource descriptor", 43 | ) 44 | 45 | assertCmd.Flags().StringVarP( 46 | &conditionsFile, 47 | "conditions", 48 | "c", 49 | "", 50 | "The filename of the JSON-encoded conditions object", 51 | ) 52 | 53 | assertCmd.Flags().StringVarP( 54 | &evidenceFile, 55 | "evidence", 56 | "e", 57 | "", 58 | "The filename of the JSON-encoded evidence resource descriptor", 59 | ) 60 | } 61 | 62 | func genAttrAssertion(_ *cobra.Command, args []string) error { 63 | // want to make sure the AttributeAssertion is a JSON file 64 | if !fileio.HasJSONExt(outFile) { 65 | return fmt.Errorf("expected a .json extension for the generated SCAI AttributeAssertion file %s", outFile) 66 | } 67 | 68 | attribute := args[0] 69 | 70 | var target *ita.ResourceDescriptor 71 | if len(targetFile) > 0 { 72 | target = &ita.ResourceDescriptor{} 73 | err := fileio.ReadPbFromFile(targetFile, target) 74 | if err != nil { 75 | return err 76 | } 77 | } 78 | 79 | var conditions *structpb.Struct 80 | if len(conditionsFile) > 0 { 81 | conditions = &structpb.Struct{} 82 | err := fileio.ReadPbFromFile(conditionsFile, conditions) 83 | if err != nil { 84 | return err 85 | } 86 | } 87 | 88 | var evidence *ita.ResourceDescriptor 89 | if len(evidenceFile) > 0 { 90 | evidence = &ita.ResourceDescriptor{} 91 | err := fileio.ReadPbFromFile(evidenceFile, evidence) 92 | if err != nil { 93 | return err 94 | } 95 | } 96 | 97 | aa, err := generators.NewSCAIAssertion(attribute, target, conditions, evidence) 98 | if err != nil { 99 | return fmt.Errorf("unable to generate SCAI attribute assertion: %w", err) 100 | } 101 | 102 | return fileio.WritePbToFile(aa, outFile, false) 103 | } 104 | -------------------------------------------------------------------------------- /scai-gen/cmd/check.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "encoding/json" 5 | "fmt" 6 | "io/fs" 7 | "os" 8 | "path/filepath" 9 | "slices" 10 | "strings" 11 | 12 | "github.com/in-toto/scai-demos/scai-gen/pkg/fileio" 13 | "github.com/in-toto/scai-demos/scai-gen/pkg/policy" 14 | 15 | "github.com/in-toto/attestation-verifier/verifier" 16 | scai "github.com/in-toto/attestation/go/predicates/scai/v0" 17 | ita "github.com/in-toto/attestation/go/v1" 18 | "github.com/secure-systems-lab/go-securesystemslib/dsse" 19 | "github.com/spf13/cobra" 20 | "google.golang.org/protobuf/encoding/protojson" 21 | "google.golang.org/protobuf/types/known/structpb" 22 | "gopkg.in/yaml.v3" 23 | ) 24 | 25 | var checkCmd = &cobra.Command{ 26 | Use: "check", 27 | Short: "Check one or more JSON-encoded SCAI attestations", 28 | } 29 | 30 | var layoutCmd = &cobra.Command{ 31 | Use: "layout", 32 | Args: cobra.MinimumNArgs(1), 33 | Short: "Check the attributes of one or more JSON-encoded SCAI attestations according to an in-toto ITE-10 layout", 34 | RunE: checkLayout, 35 | } 36 | 37 | var evCmd = &cobra.Command{ 38 | Use: "evidence", 39 | Args: cobra.ExactArgs(1), 40 | Short: "Check the evidence for a JSON-encoded SCAI attestation according to an evidence policy", 41 | RunE: checkEvidence, 42 | } 43 | 44 | var ( 45 | layoutFile string 46 | evidenceDir string 47 | policyFile string 48 | ) 49 | 50 | func init() { 51 | checkCmd.AddCommand(layoutCmd) 52 | checkCmd.AddCommand(evCmd) 53 | } 54 | 55 | func init() { 56 | layoutCmd.Flags().StringVarP( 57 | &layoutFile, 58 | "layout", 59 | "l", 60 | "", 61 | "The filename of the YAML-encoded in-toto Layout", 62 | ) 63 | layoutCmd.MarkFlagRequired("layout") //nolint:errcheck 64 | } 65 | 66 | func init() { 67 | evCmd.Flags().StringVarP( 68 | &evidenceDir, 69 | "evidence-dir", 70 | "e", 71 | "", 72 | "The directory containing evidence files", 73 | ) 74 | evCmd.MarkFlagRequired("evidence-dir") //nolint:errcheck 75 | 76 | evCmd.Flags().StringVarP( 77 | &policyFile, 78 | "policy-file", 79 | "p", 80 | "", 81 | "The filename of the policy file", 82 | ) 83 | evCmd.MarkFlagRequired("policy-file") //nolint:errcheck 84 | } 85 | 86 | func checkLayout(_ *cobra.Command, args []string) error { 87 | layout, err := verifier.LoadLayout(layoutFile) 88 | if err != nil { 89 | return err 90 | } 91 | 92 | attestations := map[string]*dsse.Envelope{} 93 | for _, attestationPath := range args { 94 | name := filepath.Base(attestationPath) 95 | 96 | envelope, err := fileio.ReadDSSEFile(attestationPath) 97 | if err != nil { 98 | return err 99 | } 100 | 101 | attestationName := strings.TrimSuffix(name, ".json") 102 | attestations[attestationName] = envelope 103 | fmt.Println("Found attestation ", attestationName) 104 | } 105 | 106 | parameters := map[string]string{} 107 | 108 | fmt.Println("Checking ", len(attestations), "attestation(s)") 109 | 110 | return verifier.Verify(layout, attestations, parameters) 111 | } 112 | 113 | func checkEvidence(_ *cobra.Command, args []string) error { 114 | attestationPath := args[0] 115 | fmt.Println("Reading attestation file", attestationPath) 116 | 117 | envBytes, err := os.ReadFile(attestationPath) 118 | if err != nil { 119 | return err 120 | } 121 | 122 | fmt.Println("Reading policy file", policyFile) 123 | 124 | policyBytes, err := os.ReadFile(policyFile) 125 | if err != nil { 126 | return err 127 | } 128 | 129 | evPolicy := &policy.SCAIEvidencePolicy{} 130 | if err := yaml.Unmarshal(policyBytes, evPolicy); err != nil { 131 | return err 132 | } 133 | 134 | fmt.Println("Checking attestation matches ID in policy") 135 | 136 | if !policy.MatchDigest(evPolicy.AttestationID, envBytes) { 137 | return fmt.Errorf("attestation does not match attestation ID in policy") 138 | } 139 | 140 | // now, let's get the Statement 141 | // we don't call fileio.ReadDSSEFile to ensure we are evaluating 142 | // over the matched attestation 143 | envelope := &dsse.Envelope{} 144 | if err := json.Unmarshal(envBytes, envelope); err != nil { 145 | return err 146 | } 147 | 148 | statement, err := getStatementDSSEPayload(envelope) 149 | if err != nil { 150 | return err 151 | } 152 | 153 | fmt.Println("Collecting all evidence files") 154 | 155 | evidenceFiles, err := getAllEvidenceFiles(evidenceDir) 156 | if err != nil { 157 | return fmt.Errorf("failed read evidence files in directory %s: %w", evidenceDir, err) 158 | } 159 | 160 | if !isSupportedPredicateType(statement.GetPredicateType()) { 161 | return fmt.Errorf("evidence checking only supported for SCAI attestations") 162 | } 163 | 164 | report, err := pbStructToSCAI(statement.GetPredicate()) 165 | if err != nil { 166 | return err 167 | } 168 | 169 | // validate the report 170 | if err := report.Validate(); err != nil { 171 | return fmt.Errorf("malformed SCAI Attribute Report: %w", err) 172 | } 173 | 174 | // order attribute assertions by evidence name 175 | // FIXME: for now assume that there's a 1:1 mapping of AA to evidence 176 | attrAssertions := map[string]*scai.AttributeAssertion{} 177 | for _, attrAssertion := range report.GetAttributes() { 178 | if ev := attrAssertion.GetEvidence(); ev != nil { 179 | attrAssertions[ev.GetName()] = attrAssertion 180 | } 181 | } 182 | 183 | fmt.Println("Checking policy rules...") 184 | 185 | for _, check := range evPolicy.Inspections { 186 | rules := check.ExpectedAttributes 187 | if len(rules) == 0 { 188 | return fmt.Errorf("no rules for check %s", check.Name) 189 | } 190 | 191 | attrAssertion, ok := attrAssertions[check.Name] 192 | if !ok { 193 | return fmt.Errorf("attestation evidence missing %s", check.Name) 194 | } 195 | 196 | fmt.Println("Validating attribute assertion format") 197 | if err := attrAssertion.Validate(); err != nil { 198 | return fmt.Errorf("malformed attribute assertion in attestation: %w", err) 199 | } 200 | 201 | ev := attrAssertion.GetEvidence() 202 | 203 | evContent, ok := evidenceFiles[ev.GetName()] 204 | if !ok { 205 | return fmt.Errorf("evidence file to check not found") 206 | } 207 | 208 | fmt.Println("Checking evidence content according to policy rules...") 209 | 210 | switch ev.GetMediaType() { 211 | case "text/plain": 212 | err := policy.ApplyPlaintextRules(string(evContent), attrAssertion, rules) 213 | if err != nil { 214 | return fmt.Errorf("plaintext policy check failed: %w", err) 215 | } 216 | 217 | case "application/vnd.in-toto+dsse": 218 | evEnv := &dsse.Envelope{} 219 | if err := json.Unmarshal(evContent, evEnv); err != nil { 220 | return err 221 | } 222 | 223 | evStatement, err := getStatementDSSEPayload(evEnv) 224 | if err != nil { 225 | return err 226 | } 227 | 228 | err = policy.ApplyAttestationRules(evStatement, attrAssertion, rules) 229 | if err != nil { 230 | return fmt.Errorf("attestation policy check failed: %w", err) 231 | } 232 | 233 | default: 234 | return fmt.Errorf("evidence type not supported: %s", ev.GetMediaType()) 235 | } 236 | } 237 | 238 | fmt.Println("Evidence policy checks successful!") 239 | 240 | return nil 241 | } 242 | 243 | func pbStructToSCAI(s *structpb.Struct) (*scai.AttributeReport, error) { 244 | structJSON, err := protojson.Marshal(s) 245 | if err != nil { 246 | return nil, err 247 | } 248 | 249 | report := &scai.AttributeReport{} 250 | err = protojson.Unmarshal(structJSON, report) 251 | if err != nil { 252 | return nil, err 253 | } 254 | 255 | return report, nil 256 | } 257 | 258 | func getStatementDSSEPayload(envelope *dsse.Envelope) (*ita.Statement, error) { 259 | stBytes, err := envelope.DecodeB64Payload() 260 | if err != nil { 261 | return nil, fmt.Errorf("failed to decode DSSE payload: %w", err) 262 | } 263 | 264 | statement := &ita.Statement{} 265 | if err = protojson.Unmarshal(stBytes, statement); err != nil { 266 | return nil, fmt.Errorf("failed to unmarshal Statement: %w", err) 267 | } 268 | 269 | return statement, nil 270 | } 271 | 272 | func getAllEvidenceFiles(evidenceDir string) (map[string][]byte, error) { 273 | evidenceMap := map[string][]byte{} 274 | err := filepath.Walk(evidenceDir, func(path string, info fs.FileInfo, err error) error { 275 | if err == nil && !info.IsDir() { 276 | return fileio.ReadFileIntoMap(path, evidenceMap) 277 | } 278 | return err 279 | }) 280 | if err != nil { 281 | return nil, err 282 | } 283 | 284 | return evidenceMap, nil 285 | } 286 | 287 | func isSupportedPredicateType(predicateType string) bool { 288 | supportedTypes := []string{"attribute-report/v0.2", "v0.3"} 289 | 290 | // TODO: a future version of the scai Go package will have a const for this URI 291 | version, found := strings.CutPrefix(predicateType, "https://in-toto.io/attestation/scai/") 292 | 293 | if found { 294 | idx := slices.IndexFunc(supportedTypes, func(v string) bool { 295 | return v == version 296 | }) 297 | return idx > -1 298 | } 299 | return false 300 | } 301 | -------------------------------------------------------------------------------- /scai-gen/cmd/rd.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "fmt" 5 | 6 | "github.com/in-toto/scai-demos/scai-gen/pkg/fileio" 7 | "github.com/in-toto/scai-demos/scai-gen/pkg/generators" 8 | 9 | "github.com/spf13/cobra" 10 | "google.golang.org/protobuf/types/known/structpb" 11 | ) 12 | 13 | var rdCmd = &cobra.Command{ 14 | Use: "rd", 15 | Short: "Generate a JSON-encoded in-toto Resource Descriptor", 16 | } 17 | 18 | var rdFileCmd = &cobra.Command{ 19 | Use: "file", 20 | Args: cobra.ExactArgs(1), 21 | Short: "Generate a JSON-encoded in-toto Resource Descriptor for a file", 22 | RunE: genRdFromFile, 23 | } 24 | 25 | var rdRemoteCmd = &cobra.Command{ 26 | Use: "remote", 27 | Args: cobra.ExactArgs(1), 28 | Short: "Generate a JSON-encoded in-toto Resource Descriptor for a remote resource, identified via a URI, incl. git repos, container images, packages, and services", 29 | RunE: genRdForRemote, 30 | } 31 | 32 | var ( 33 | digest string 34 | downloadLocation string 35 | hashAlg string 36 | mediaType string 37 | name string 38 | uri string 39 | withContent bool 40 | annotationsFile string 41 | ) 42 | 43 | func init() { 44 | rdCmd.PersistentFlags().StringVarP( 45 | &outFile, 46 | "out-file", 47 | "o", 48 | "", 49 | "Filename to write out the JSON-encoded object", 50 | ) 51 | rdCmd.MarkPersistentFlagRequired("out-file") //nolint:errcheck 52 | 53 | rdCmd.AddCommand(rdFileCmd) 54 | rdCmd.AddCommand(rdRemoteCmd) 55 | } 56 | 57 | func init() { 58 | rdFileCmd.Flags().StringVarP( 59 | &name, 60 | "name", 61 | "n", 62 | "", 63 | "A name for the local file", 64 | ) 65 | 66 | rdFileCmd.Flags().StringVarP( 67 | &uri, 68 | "uri", 69 | "u", 70 | "", 71 | "The URI of the resource", 72 | ) 73 | 74 | rdFileCmd.Flags().StringVarP( 75 | &downloadLocation, 76 | "download-location", 77 | "l", 78 | "", 79 | "The download location of the resource (if different from the URI)", 80 | ) 81 | 82 | rdFileCmd.Flags().StringVarP( 83 | &mediaType, 84 | "media-type", 85 | "t", 86 | "", 87 | "The media type of the resource", 88 | ) 89 | 90 | rdFileCmd.Flags().StringVarP( 91 | &annotationsFile, 92 | "annotations", 93 | "a", 94 | "", 95 | "Filename of a JSON-encoded file containingt annotations for the file", 96 | ) 97 | } 98 | 99 | func init() { 100 | rdRemoteCmd.Flags().StringVarP( 101 | &name, 102 | "name", 103 | "n", 104 | "", 105 | "A name for the remote resource or service", 106 | ) 107 | 108 | rdRemoteCmd.Flags().StringVarP( 109 | &downloadLocation, 110 | "download-location", 111 | "l", 112 | "", 113 | "The download location of the remote resource (if different from the URI)", 114 | ) 115 | 116 | rdRemoteCmd.Flags().StringVarP( 117 | &digest, 118 | "digest", 119 | "d", 120 | "", 121 | "The digest associated with the remote resource (hex-encoded)", 122 | ) 123 | 124 | rdRemoteCmd.Flags().StringVarP( 125 | &hashAlg, 126 | "hash-alg", 127 | "g", 128 | "", 129 | "The hash algorithm used to compute the digest associated with the remote resource", 130 | ) 131 | rdRemoteCmd.MarkFlagsRequiredTogether("digest", "hash-alg") 132 | 133 | rdRemoteCmd.Flags().StringVarP( 134 | &annotationsFile, 135 | "annotations", 136 | "a", 137 | "", 138 | "Filename of a JSON-encoded file containingt annotations for the resource", 139 | ) 140 | } 141 | 142 | func readAnnotations(filename string) (*structpb.Struct, error) { 143 | var annotations *structpb.Struct 144 | if len(filename) > 0 { 145 | annotations = &structpb.Struct{} 146 | err := fileio.ReadPbFromFile(filename, annotations) 147 | if err != nil { 148 | return nil, err 149 | } 150 | } 151 | 152 | return annotations, nil 153 | } 154 | 155 | func genRdFromFile(_ *cobra.Command, args []string) error { 156 | // want to make sure the ResourceDescriptor is a JSON file 157 | if !fileio.HasJSONExt(outFile) { 158 | return fmt.Errorf("expected a .json extension for the generated ResourceDescriptor file %s", outFile) 159 | } 160 | 161 | filename := args[0] 162 | 163 | annotations, err := readAnnotations(annotationsFile) 164 | if err != nil { 165 | return fmt.Errorf("unable to read annotations file: %w", err) 166 | } 167 | 168 | rd, err := generators.NewRdForFile(filename, name, uri, hashAlg, withContent, mediaType, downloadLocation, annotations) 169 | if err != nil { 170 | return fmt.Errorf("unable to generate RD: %w", err) 171 | } 172 | 173 | return fileio.WritePbToFile(rd, outFile, false) 174 | } 175 | 176 | func genRdForRemote(_ *cobra.Command, args []string) error { 177 | // want to make sure the ResourceDescriptor is a JSON file 178 | if !fileio.HasJSONExt(outFile) { 179 | return fmt.Errorf("expected a .json extension for the generated ResourceDescriptor file %s", outFile) 180 | } 181 | 182 | remoteURI := args[0] 183 | 184 | annotations, err := readAnnotations(annotationsFile) 185 | if err != nil { 186 | return fmt.Errorf("unable to read annotations file: %w", err) 187 | } 188 | 189 | rd, err := generators.NewRdForRemote(remoteURI, name, hashAlg, digest, downloadLocation, annotations) 190 | if err != nil { 191 | return fmt.Errorf("unable to generate RD: %w", err) 192 | } 193 | 194 | return fileio.WritePbToFile(rd, outFile, false) 195 | } 196 | -------------------------------------------------------------------------------- /scai-gen/cmd/report.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "fmt" 5 | 6 | "github.com/in-toto/scai-demos/scai-gen/pkg/fileio" 7 | "github.com/in-toto/scai-demos/scai-gen/pkg/generators" 8 | 9 | scai "github.com/in-toto/attestation/go/predicates/scai/v0" 10 | ita "github.com/in-toto/attestation/go/v1" 11 | "github.com/spf13/cobra" 12 | "google.golang.org/protobuf/encoding/protojson" 13 | "google.golang.org/protobuf/types/known/structpb" 14 | ) 15 | 16 | var reportCmd = &cobra.Command{ 17 | Use: "report", 18 | Args: cobra.MinimumNArgs(1), 19 | Short: "Generate a JSON-encoded SCAI Attribute Report", 20 | RunE: genAttrReport, 21 | } 22 | 23 | var ( 24 | subjectFile string 25 | producerFile string 26 | version string 27 | ) 28 | 29 | func init() { 30 | reportCmd.Flags().StringVarP( 31 | &outFile, 32 | "out-file", 33 | "o", 34 | "", 35 | "Filename to write out the JSON-encoded object", 36 | ) 37 | reportCmd.MarkFlagRequired("out-file") //nolint:errcheck 38 | 39 | reportCmd.Flags().StringVarP( 40 | &subjectFile, 41 | "subject", 42 | "s", 43 | "", 44 | "The filename of the JSON-encoded subject resource descriptor", 45 | ) 46 | reportCmd.MarkFlagRequired("subject") //nolint:errcheck 47 | 48 | reportCmd.Flags().StringVarP( 49 | &producerFile, 50 | "producer", 51 | "p", 52 | "", 53 | "The filename of the JSON-encoded producer resource descriptor", 54 | ) 55 | 56 | reportCmd.Flags().StringVarP( 57 | &version, 58 | "version", 59 | "v", 60 | "v0.3", 61 | "The spec version to generate for the generated attribute report", 62 | ) 63 | 64 | reportCmd.Flags().BoolVarP( 65 | &prettyPrint, 66 | "pretty-print", 67 | "y", 68 | false, 69 | "Flag to JSON pretty-print the generated Report", 70 | ) 71 | } 72 | 73 | func genAttrReport(_ *cobra.Command, args []string) error { 74 | // want to make sure the Report is a JSON file 75 | if !fileio.HasJSONExt(outFile) { 76 | return fmt.Errorf("expected a .json extension for the generated in-toto Statement file %s", outFile) 77 | } 78 | 79 | attrAsserts := make([]*scai.AttributeAssertion, 0, len(args)) 80 | for _, attrAssertPath := range args { 81 | aa := &scai.AttributeAssertion{} 82 | err := fileio.ReadPbFromFile(attrAssertPath, aa) 83 | if err != nil { 84 | return err 85 | } 86 | 87 | attrAsserts = append(attrAsserts, aa) 88 | } 89 | 90 | var producer *ita.ResourceDescriptor 91 | if len(producerFile) > 0 { 92 | producer = &ita.ResourceDescriptor{} 93 | err := fileio.ReadPbFromFile(producerFile, producer) 94 | if err != nil { 95 | return err 96 | } 97 | } 98 | 99 | // first, generate the SCAI Report 100 | 101 | ar, err := generators.NewSCAIReport(attrAsserts, producer) 102 | if err != nil { 103 | return fmt.Errorf("unable to generate SCAI Report: %w", err) 104 | } 105 | 106 | // then, plug the Report into an in-toto Statement 107 | 108 | var subject *ita.ResourceDescriptor 109 | if len(subjectFile) > 0 { 110 | subject = &ita.ResourceDescriptor{} 111 | err := fileio.ReadPbFromFile(subjectFile, subject) 112 | if err != nil { 113 | return err 114 | } 115 | } 116 | 117 | reportJSON, err := protojson.Marshal(ar) 118 | if err != nil { 119 | return err 120 | } 121 | reportStruct := &structpb.Struct{} 122 | err = protojson.Unmarshal(reportJSON, reportStruct) 123 | if err != nil { 124 | return err 125 | } 126 | 127 | // TODO: a future version of the scai Go package will have a const for this URI 128 | predicateType := "https://in-toto.io/attestation/scai/" 129 | if version == "v0.2" { 130 | suffix := "attribute-report/v0.2" 131 | predicateType += suffix 132 | } else { 133 | predicateType += version 134 | } 135 | 136 | statement, err := generators.NewStatement([]*ita.ResourceDescriptor{subject}, predicateType, reportStruct) 137 | if err != nil { 138 | return fmt.Errorf("unable to generate in-toto Statement: %w", err) 139 | } 140 | 141 | return fileio.WritePbToFile(statement, outFile, prettyPrint) 142 | } 143 | -------------------------------------------------------------------------------- /scai-gen/cmd/root.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "os" 5 | 6 | "github.com/spf13/cobra" 7 | ) 8 | 9 | // rootCmd represents the base command when called without any subcommands 10 | var rootCmd = &cobra.Command{ 11 | Use: "scai-gen", 12 | Short: "A CLI tool for generating/checking SCAI metadata", 13 | } 14 | 15 | var ( 16 | outFile string 17 | prettyPrint bool 18 | ) 19 | 20 | func init() { 21 | rootCmd.AddCommand(rdCmd) 22 | rootCmd.AddCommand(assertCmd) 23 | rootCmd.AddCommand(reportCmd) 24 | rootCmd.AddCommand(checkCmd) 25 | rootCmd.AddCommand(sigstoreCmd) 26 | } 27 | 28 | // Execute adds all child commands to the root command and sets flags appropriately. 29 | // This is called by main.main(). It only needs to happen once to the rootCmd. 30 | func Execute() { 31 | err := rootCmd.Execute() 32 | if err != nil { 33 | os.Exit(1) 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /scai-gen/cmd/sigstore.go: -------------------------------------------------------------------------------- 1 | // adapted from https://github.com/slsa-framework/slsa-github-generator/blob/main/signing/sigstore/fulcio.go 2 | // and https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/attest.go 3 | package cmd 4 | 5 | import ( 6 | "bytes" 7 | "context" 8 | "fmt" 9 | 10 | "github.com/in-toto/scai-demos/scai-gen/pkg/fileio" 11 | 12 | ita "github.com/in-toto/attestation/go/v1" 13 | "github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio" 14 | "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" 15 | "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign" 16 | "github.com/sigstore/cosign/v2/pkg/providers" 17 | "github.com/sigstore/sigstore/pkg/signature/dsse" 18 | "github.com/slsa-framework/slsa-github-generator/signing/envelope" 19 | "github.com/slsa-framework/slsa-github-generator/signing/sigstore" 20 | "github.com/spf13/cobra" 21 | "google.golang.org/protobuf/encoding/protojson" 22 | ) 23 | 24 | var sigstoreCmd = &cobra.Command{ 25 | Use: "sigstore", 26 | Args: cobra.ExactArgs(1), 27 | Short: "Use Sigstore signing to create a signed DSSE for an in-toto Statements", 28 | RunE: signWithSigstore, 29 | } 30 | 31 | // attestation is a signed attestation. 32 | type attestation struct { 33 | cert []byte 34 | att []byte 35 | } 36 | 37 | // Bytes returns the signed attestation as an encoded DSSE JSON envelope. 38 | func (a *attestation) Bytes() []byte { 39 | return a.att 40 | } 41 | 42 | // Cert returns the certificate used to sign the attestation. 43 | func (a *attestation) Cert() []byte { 44 | return a.cert 45 | } 46 | 47 | func init() { 48 | sigstoreCmd.Flags().StringVarP( 49 | &outFile, 50 | "out-file", 51 | "o", 52 | "", 53 | "Filename to write out the signed DSSE object", 54 | ) 55 | sigstoreCmd.MarkFlagRequired("out-file") //nolint:errcheck 56 | } 57 | 58 | func getNewFulcioSigner(ctx context.Context) (*fulcio.Signer, error) { 59 | ko := options.KeyOpts{ 60 | OIDCIssuer: options.DefaultOIDCIssuerURL, 61 | OIDCClientID: "sigstore", 62 | FulcioURL: options.DefaultFulcioURL, 63 | } 64 | 65 | sv, err := sign.SignerFromKeyOpts(ctx, "", "", ko) 66 | if err != nil { 67 | return nil, fmt.Errorf("getting Fulcio signer: %w", err) 68 | } 69 | 70 | return fulcio.NewSigner(ctx, ko, sv) 71 | } 72 | 73 | func signWithSigstore(cmd *cobra.Command, args []string) error { 74 | fmt.Println("EXPERIMENTAL FEATURE. DO NOT USE IN PRODUCTION.") 75 | 76 | // want to make sure the DSSE is a JSON file 77 | if !fileio.HasJSONExt(outFile) { 78 | return fmt.Errorf("expected a .json extension for the generated DSSE file %s", outFile) 79 | } 80 | 81 | statementFile := args[0] 82 | statement := &ita.Statement{} 83 | err := fileio.ReadPbFromFile(statementFile, statement) 84 | if err != nil { 85 | return err 86 | } 87 | 88 | // will only sign valid Statements 89 | err = statement.Validate() 90 | if err != nil { 91 | return fmt.Errorf("invalid in-toto Statement: %w", err) 92 | } 93 | 94 | ctx := cmd.Context() 95 | 96 | // Get Fulcio signer 97 | if !providers.Enabled(ctx) { 98 | return fmt.Errorf("no auth provider is enabled. Are you running outside of Github Actions?") 99 | } 100 | 101 | attBytes, err := protojson.Marshal(statement) 102 | if err != nil { 103 | return fmt.Errorf("error marshalling Statement: %w", err) 104 | } 105 | 106 | k, err := getNewFulcioSigner(ctx) 107 | if err != nil { 108 | return fmt.Errorf("error creating Fulcio signer: %w", err) 109 | } 110 | 111 | dsseSigner := dsse.WrapSigner(k, "application/vnd.in-toto") 112 | signedAtt, err := dsseSigner.SignMessage(bytes.NewReader(attBytes)) 113 | if err != nil { 114 | return fmt.Errorf("error signing DSSE: %w", err) 115 | } 116 | 117 | // Add certificate to envelope. This is needed for 118 | // Rekor compatibility. 119 | signedAttWithCert, err := envelope.AddCertToEnvelope(signedAtt, k.Cert) 120 | if err != nil { 121 | return fmt.Errorf("error adding Fulcio certificate to DSSE: %w", err) 122 | } 123 | 124 | tlog := sigstore.NewDefaultRekor() 125 | _, err = tlog.Upload(ctx, &attestation{ 126 | att: signedAttWithCert, 127 | cert: k.Cert, 128 | }) 129 | if err != nil { 130 | return fmt.Errorf("error uploading signed DSSE to public Rekor log: %w", err) 131 | } 132 | 133 | return fileio.WriteDSSEToFile(signedAtt, outFile) 134 | } 135 | -------------------------------------------------------------------------------- /scai-gen/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import "github.com/in-toto/scai-demos/scai-gen/cmd" 4 | 5 | func main() { 6 | cmd.Execute() 7 | } 8 | -------------------------------------------------------------------------------- /scai-gen/pkg/fileio/common.go: -------------------------------------------------------------------------------- 1 | package fileio 2 | 3 | import ( 4 | "os" 5 | "path/filepath" 6 | "strings" 7 | ) 8 | 9 | func HasJSONExt(filename string) bool { 10 | return strings.HasSuffix(filename, ".json") 11 | } 12 | 13 | func CreateOutDir(filename string) error { 14 | outDir := filepath.Dir(filename) 15 | 16 | return os.MkdirAll(outDir, 0755) 17 | } 18 | -------------------------------------------------------------------------------- /scai-gen/pkg/fileio/dsse.go: -------------------------------------------------------------------------------- 1 | package fileio 2 | 3 | import ( 4 | "encoding/json" 5 | "fmt" 6 | "os" 7 | 8 | ita "github.com/in-toto/attestation/go/v1" 9 | "github.com/secure-systems-lab/go-securesystemslib/dsse" 10 | "google.golang.org/protobuf/encoding/protojson" 11 | ) 12 | 13 | func ReadDSSEFile(path string) (*dsse.Envelope, error) { 14 | envBytes, err := os.ReadFile(path) 15 | if err != nil { 16 | return nil, err 17 | } 18 | 19 | envelope := &dsse.Envelope{} 20 | if err := json.Unmarshal(envBytes, envelope); err != nil { 21 | return nil, err 22 | } 23 | 24 | return envelope, nil 25 | } 26 | 27 | func ReadStatementFromDSSEFile(path string) (*ita.Statement, error) { 28 | envelope, err := ReadDSSEFile(path) 29 | if err != nil { 30 | return nil, fmt.Errorf("failed to read DSSE file %w", err) 31 | } 32 | 33 | stBytes, err := envelope.DecodeB64Payload() 34 | if err != nil { 35 | return nil, err 36 | } 37 | 38 | statement := &ita.Statement{} 39 | if err = protojson.Unmarshal(stBytes, statement); err != nil { 40 | return nil, err 41 | } 42 | 43 | return statement, nil 44 | } 45 | 46 | func WriteDSSEToFile(envBytes []byte, outFile string) error { 47 | // ensure the out directory exists 48 | if err := CreateOutDir(outFile); err != nil { 49 | return fmt.Errorf("error creating output directory for file %s: %w", outFile, err) 50 | } 51 | 52 | return os.WriteFile(outFile, envBytes, 0644) //nolint:gosec 53 | } 54 | -------------------------------------------------------------------------------- /scai-gen/pkg/fileio/map.go: -------------------------------------------------------------------------------- 1 | package fileio 2 | 3 | import ( 4 | "os" 5 | "path/filepath" 6 | ) 7 | 8 | func ReadFileIntoMap(filename string, fileMap map[string][]byte) error { 9 | name := filepath.Base(filename) 10 | content, err := os.ReadFile(filename) 11 | if err != nil { 12 | return err 13 | } 14 | 15 | fileMap[name] = content 16 | return nil 17 | } 18 | -------------------------------------------------------------------------------- /scai-gen/pkg/fileio/pb.go: -------------------------------------------------------------------------------- 1 | package fileio 2 | 3 | import ( 4 | "fmt" 5 | "os" 6 | 7 | "google.golang.org/protobuf/encoding/protojson" 8 | "google.golang.org/protobuf/proto" 9 | ) 10 | 11 | func WritePbToFile(pb proto.Message, outFile string, pretty bool) error { 12 | opt := &protojson.MarshalOptions{} 13 | if pretty { 14 | opt.Multiline = true 15 | opt.Indent = " " 16 | opt.EmitUnpopulated = false 17 | } 18 | 19 | pbBytes, err := opt.Marshal(pb) 20 | if err != nil { 21 | return err 22 | } 23 | 24 | // ensure the out directory exists 25 | if err = CreateOutDir(outFile); err != nil { 26 | return fmt.Errorf("error creating output directory for file %s: %w", outFile, err) 27 | } 28 | 29 | return os.WriteFile(outFile, pbBytes, 0644) //nolint:gosec 30 | } 31 | 32 | func ReadPbFromFile(filename string, pb proto.Message) error { 33 | fileBytes, err := os.ReadFile(filename) 34 | if err != nil { 35 | return fmt.Errorf("error reading file: %w", err) 36 | } 37 | 38 | err = protojson.Unmarshal(fileBytes, pb) 39 | if err != nil { 40 | return fmt.Errorf("error unmarshalling protobuf: %w", err) 41 | } 42 | 43 | return nil 44 | } 45 | -------------------------------------------------------------------------------- /scai-gen/pkg/generators/scai.go: -------------------------------------------------------------------------------- 1 | package generators 2 | 3 | import ( 4 | "fmt" 5 | 6 | scai "github.com/in-toto/attestation/go/predicates/scai/v0" 7 | ita "github.com/in-toto/attestation/go/v1" 8 | "google.golang.org/protobuf/types/known/structpb" 9 | ) 10 | 11 | // Generates a SCAI v0 AttributeAssertion struct. 12 | // Throws an error if the resulting AttributeAssertion does not meet the spec. 13 | func NewSCAIAssertion(attribute string, target *ita.ResourceDescriptor, conditions *structpb.Struct, evidence *ita.ResourceDescriptor) (*scai.AttributeAssertion, error) { 14 | aa := &scai.AttributeAssertion{ 15 | Attribute: attribute, 16 | Target: target, 17 | Conditions: conditions, 18 | Evidence: evidence, 19 | } 20 | 21 | err := aa.Validate() 22 | if err != nil { 23 | return nil, fmt.Errorf("invalid SCAI attribute assertion: %w", err) 24 | } 25 | 26 | return aa, nil 27 | } 28 | 29 | // Generates a SCAI v0 AttributeReport struct to be used as an in-toto attestation predicate. 30 | // Throws an error if the resulting AttributeReport does not meet the spec. 31 | func NewSCAIReport(attrAssertions []*scai.AttributeAssertion, producer *ita.ResourceDescriptor) (*scai.AttributeReport, error) { 32 | ar := &scai.AttributeReport{ 33 | Attributes: attrAssertions, 34 | Producer: producer, 35 | } 36 | 37 | err := ar.Validate() 38 | if err != nil { 39 | return nil, fmt.Errorf("invalid SCAI attribute report: %w", err) 40 | } 41 | 42 | return ar, nil 43 | } 44 | -------------------------------------------------------------------------------- /scai-gen/pkg/generators/v1.go: -------------------------------------------------------------------------------- 1 | package generators 2 | 3 | import ( 4 | "encoding/hex" 5 | "fmt" 6 | "os" 7 | "strings" 8 | 9 | "github.com/in-toto/scai-demos/scai-gen/pkg/policy" 10 | 11 | ita "github.com/in-toto/attestation/go/v1" 12 | "google.golang.org/protobuf/types/known/structpb" 13 | ) 14 | 15 | // Generates an in-toto Attestation Framework v1 ResourceDescriptor for a local file, including its digest (default sha256). 16 | // Throws an error if the resulting ResourceDescriptor does not meet the spec. 17 | func NewRdForFile(filename, name, uri, hashAlg string, withContent bool, mediaType, downloadLocation string, annotations *structpb.Struct) (*ita.ResourceDescriptor, error) { 18 | fileBytes, err := os.ReadFile(filename) 19 | if err != nil { 20 | return nil, fmt.Errorf("error reading resource file: %w", err) 21 | } 22 | 23 | var content []byte 24 | if withContent { 25 | content = fileBytes 26 | } 27 | 28 | var digest string 29 | var alg string 30 | if hashAlg == "sha256" || hashAlg == "" { 31 | digest = hex.EncodeToString(policy.GenSHA256(fileBytes)) 32 | alg = "sha256" 33 | } else { 34 | return nil, fmt.Errorf("hash algorithm %s not supported", hashAlg) 35 | } 36 | 37 | rdName := filename 38 | if len(name) > 0 { 39 | rdName = name 40 | } 41 | 42 | rd := &ita.ResourceDescriptor{ 43 | Name: rdName, 44 | Uri: uri, 45 | Digest: map[string]string{alg: strings.ToLower(digest)}, 46 | Content: content, 47 | DownloadLocation: downloadLocation, 48 | MediaType: mediaType, 49 | Annotations: annotations, 50 | } 51 | 52 | err = rd.Validate() 53 | if err != nil { 54 | return nil, fmt.Errorf("invalid resource descriptor: %w", err) 55 | } 56 | 57 | return rd, nil 58 | } 59 | 60 | // Generates an in-toto Attestation Framework v1 ResourceDescriptor for a remote resource identified by a name or URI). 61 | // Does not check if the URI resolves to a valid remote location. 62 | // Throws an error if the resulting ResourceDescriptor does not meet the spec. 63 | func NewRdForRemote(name, uri, hashAlg, digest, downloadLocation string, annotations *structpb.Struct) (*ita.ResourceDescriptor, error) { 64 | digestSet := make(map[string]string) 65 | if len(hashAlg) > 0 && len(digest) > 0 { 66 | digestSet = map[string]string{hashAlg: strings.ToLower(digest)} 67 | } 68 | 69 | rd := &ita.ResourceDescriptor{ 70 | Name: name, 71 | Uri: uri, 72 | Digest: digestSet, 73 | DownloadLocation: downloadLocation, 74 | Annotations: annotations, 75 | } 76 | 77 | err := rd.Validate() 78 | if err != nil { 79 | return nil, fmt.Errorf("invalid resource descriptor: %w", err) 80 | } 81 | 82 | return rd, nil 83 | } 84 | 85 | // Generates an in-toto Attestation Framework v1 Statement including a given predicate. 86 | // Throws an error if the resulting Statement does not meet the spec. 87 | func NewStatement(subjects []*ita.ResourceDescriptor, predicateType string, predicate *structpb.Struct) (*ita.Statement, error) { 88 | statement := &ita.Statement{ 89 | Type: ita.StatementTypeUri, 90 | Subject: subjects, 91 | PredicateType: predicateType, 92 | Predicate: predicate, 93 | } 94 | 95 | err := statement.Validate() 96 | if err != nil { 97 | return nil, fmt.Errorf("invalid in-toto Statement: %w", err) 98 | } 99 | 100 | return statement, nil 101 | } 102 | -------------------------------------------------------------------------------- /scai-gen/pkg/policy/attestation.go: -------------------------------------------------------------------------------- 1 | package policy 2 | 3 | import ( 4 | "github.com/google/cel-go/cel" 5 | "github.com/google/cel-go/interpreter" 6 | "github.com/in-toto/attestation-verifier/verifier" 7 | scai "github.com/in-toto/attestation/go/predicates/scai/v0" 8 | ita "github.com/in-toto/attestation/go/v1" 9 | ) 10 | 11 | func getAttestationCELEnv() (*cel.Env, error) { 12 | return cel.NewEnv( 13 | cel.Types(&ita.Statement{}), 14 | cel.Variable("subject", cel.ListType(cel.ObjectType("in_toto_attestation.v1.ResourceDescriptor"))), 15 | cel.Variable("predicateType", cel.StringType), 16 | cel.Variable("predicate", cel.ObjectType("google.protobuf.Struct")), 17 | cel.Types(&scai.AttributeAssertion{}), 18 | cel.Variable("assertion", cel.ObjectType("in_toto_attestation.predicates.scai.v0.AttributeAssertion")), 19 | ) 20 | } 21 | 22 | func getAttestationActivation(statement *ita.Statement, attrAssertion *scai.AttributeAssertion) (interpreter.Activation, error) { 23 | return interpreter.NewActivation(map[string]any{ 24 | "type": statement.Type, 25 | "subject": statement.Subject, 26 | "predicateType": statement.PredicateType, 27 | "predicate": statement.Predicate, 28 | "assertion": attrAssertion, 29 | }) 30 | } 31 | 32 | func ApplyAttestationRules(statement *ita.Statement, attrAssertion *scai.AttributeAssertion, rules []verifier.Constraint) error { 33 | env, err := getAttestationCELEnv() 34 | if err != nil { 35 | return err 36 | } 37 | 38 | input, err := getAttestationActivation(statement, attrAssertion) 39 | if err != nil { 40 | return err 41 | } 42 | 43 | return applyRules(env, input, rules) 44 | } 45 | -------------------------------------------------------------------------------- /scai-gen/pkg/policy/checks.go: -------------------------------------------------------------------------------- 1 | package policy 2 | 3 | import ( 4 | "bytes" 5 | "crypto/sha256" 6 | "encoding/hex" 7 | "fmt" 8 | "strings" 9 | 10 | "github.com/google/cel-go/cel" 11 | "github.com/google/cel-go/interpreter" 12 | "github.com/in-toto/attestation-verifier/verifier" 13 | ) 14 | 15 | type SCAIEvidencePolicy struct { 16 | AttestationID string `yaml:"attestationID"` 17 | Inspections []*verifier.Inspection `yaml:"inspections"` 18 | } 19 | 20 | func GenSHA256(bytes []byte) []byte { 21 | h := sha256.New() 22 | h.Write(bytes) 23 | return h.Sum(nil) 24 | } 25 | 26 | func MatchDigest(hexDigest string, blob []byte) bool { 27 | digest := GenSHA256(blob) 28 | 29 | decoded, err := hex.DecodeString(hexDigest) 30 | if err != nil { 31 | fmt.Println("Problem decoding hex-encoded digest to match") 32 | return false 33 | } 34 | 35 | return bytes.Equal(decoded, digest) 36 | } 37 | 38 | func applyRules(env *cel.Env, input interpreter.Activation, rules []verifier.Constraint) error { 39 | for _, r := range rules { 40 | ast, issues := env.Compile(r.Rule) 41 | if issues != nil && issues.Err() != nil { 42 | return fmt.Errorf("CEL compilation issues: %w", issues.Err()) 43 | } 44 | 45 | prog, err := env.Program(ast) 46 | if err != nil { 47 | return fmt.Errorf("CEL program error: %w", err) 48 | } 49 | 50 | out, _, err := prog.Eval(input) 51 | if err != nil { 52 | if strings.Contains(err.Error(), "no such attribute") || strings.Contains(err.Error(), "no such key") && r.AllowIfNoClaim { 53 | continue 54 | } 55 | return err 56 | } 57 | 58 | switch result := out.Value().(type) { 59 | case bool: 60 | if !result { 61 | if !r.Warn { 62 | return fmt.Errorf("policy check failed for rule '%s'", r.Rule) 63 | } 64 | fmt.Println("Rule", r.Rule, "failed.") 65 | } 66 | case error: 67 | return fmt.Errorf("CEL error: %w", result) 68 | } 69 | } 70 | 71 | return nil 72 | } 73 | -------------------------------------------------------------------------------- /scai-gen/pkg/policy/plaintext.go: -------------------------------------------------------------------------------- 1 | package policy 2 | 3 | import ( 4 | "fmt" 5 | 6 | "github.com/google/cel-go/cel" 7 | "github.com/google/cel-go/interpreter" 8 | "github.com/in-toto/attestation-verifier/verifier" 9 | scai "github.com/in-toto/attestation/go/predicates/scai/v0" 10 | ) 11 | 12 | func getPlaintextCELEnv() (*cel.Env, error) { 13 | return cel.NewEnv( 14 | cel.Types(&scai.AttributeAssertion{}), 15 | cel.Variable("text", cel.StringType), 16 | cel.Variable("assertion", cel.ObjectType("in_toto_attestation.predicates.scai.v0.AttributeAssertion")), 17 | ) 18 | } 19 | 20 | func getPlaintextActivation(text string, attrAssertion *scai.AttributeAssertion) (interpreter.Activation, error) { 21 | return interpreter.NewActivation(map[string]any{ 22 | "text": text, 23 | "assertion": attrAssertion, 24 | }) 25 | } 26 | 27 | func ApplyPlaintextRules(text string, attrAssertion *scai.AttributeAssertion, rules []verifier.Constraint) error { 28 | env, err := getPlaintextCELEnv() 29 | if err != nil { 30 | return fmt.Errorf("failed to init CEL env: %w", err) 31 | } 32 | 33 | input, err := getPlaintextActivation(text, attrAssertion) 34 | if err != nil { 35 | return fmt.Errorf("failed to get CEL activation: %w", err) 36 | } 37 | 38 | return applyRules(env, input, rules) 39 | } 40 | -------------------------------------------------------------------------------- /scail-bandit-output.txt: -------------------------------------------------------------------------------- 1 | [main] INFO profile include tests: B405,B406,B309,B320,B308,B407,B401,B409,B310,B410,B302,B317,B304,B411,B324,B412,B316,B413,B319,B306,B305,B403,B325,B408,B314,B311,B301,B402,B318,B404,B315,B313,B303,B321,B323,B312 2 | [main] INFO profile exclude tests: B703,B601,B102,B108,B702,B606,B502,B504,B104,B101,B610,B609,B112,B201,B505,B603,B701,B103,B106,B611,B105,B501,B605,B607,B107,B506,B503,B507,B604,B110,B608,B602 3 | [main] INFO cli include tests: None 4 | [main] INFO cli exclude tests: None 5 | [main] INFO using config: ../ipas-bandit-config/ipas_default.config 6 | [main] INFO running on Python 3.6.9 7 | Run started:2022-11-14 16:17:20.588204 8 | 9 | Test results: 10 | No issues identified. 11 | 12 | Code scanned: 13 | Total lines of code: 731 14 | Total lines skipped (#nosec): 0 15 | 16 | Run metrics: 17 | Total issues (by severity): 18 | Undefined: 0.0 19 | Low: 0.0 20 | Medium: 0.0 21 | High: 0.0 22 | Total issues (by confidence): 23 | Undefined: 0.0 24 | Low: 0.0 25 | Medium: 0.0 26 | High: 0.0 27 | Files skipped (0): 28 | --------------------------------------------------------------------------------