The recent SolarWinds SUNSPOT malware incident highlighted a critical weakness in software supply chains: even with signed artifacts and SBOMs in place, the malware was still able to infiltrate the build. This is where SLSA (Supply-chain Levels for Software Artifacts) provenance comes in, a framework that provides verifiable metadata about the source, build, and builder of a software artifact.
Introduction to SLSA Provenance
SLSA provenance is an attestation that describes how a software artifact was built, including the source code, build process, and build environment. It is essentially an in-toto Statement whose predicate follows the SLSA spec, signed inside a DSSE envelope. Because the statement is signed and binds the artifact's digest to its build details, it gives a consumer a verifiable way to check the authenticity and integrity of the artifact.
Generating SLSA Provenance with GitHub Actions
To generate SLSA provenance, we can use the slsa-github-generator tool, one of the few implementations that reaches SLSA level 3 (L3). It uses GitHub's OIDC tokens and reusable workflows to create a tamper-resistant build platform: by leaning on GitHub's security features, it is structured so that user code cannot reach the builder's internal state.
Verifying SLSA Provenance with slsa-verifier
To verify SLSA provenance, we can use the slsa-verifier tool. It checks the provenance of a software artifact against the expected values, including the source repository, the build process, and the builder. In this example, we will verify the provenance of the slsa-verifier release itself, which is built with slsa-github-generator and ships with a .intoto.jsonl file alongside the binary.
Step 1: Download the Artifact and its Provenance
First, we need to download the artifact and its provenance. We can use the following commands to download the slsa-verifier binary and its provenance:
mkdir slsa-hands-on && cd slsa-hands-on
# the artifact itself
curl -sLO
# its provenance (in-toto Statement, wrapped in a DSSE envelope)
curl -sLO
Step 2: Verification Command
Next, we can use the slsa-verifier tool to verify the provenance of the artifact:
slsa-verifier verify-artifact slsa-verifier-darwin-arm64 \
  --provenance-path slsa-verifier-darwin-arm64.intoto.jsonl \
  --source-uri github.com/slsa-framework/slsa-verifier \
  --source-tag v2.7.1
This command prints the verification result, including the verified signature and build information.
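To make the structure described above concrete, here is an added example (not code from the slsa-verifier project) that opens a DSSE envelope line, decodes the in-toto Statement inside it, and performs the same kind of checks the --source-uri and --source-tag flags express: the artifact's sha256 must appear among the subjects, the predicate must be SLSA provenance, and the resolved source must match the expected repository and tag. The envelope, artifact bytes and the git+https source URI layout are constructed assumptions, and the signature is a placeholder: signature verification against Sigstore is deliberately left to slsa-verifier.

```python
import base64
import hashlib
import json

STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PREDICATE_PREFIX = "https://slsa.dev/provenance/"

# Constructed sample artifact and envelope (not a real release). The signature
# is a placeholder: this example checks structure, not the Sigstore signature.
ARTIFACT = b"constructed artifact bytes"
_STATEMENT = {
    "_type": STATEMENT_V1,
    "subject": [{"name": "slsa-verifier-darwin-arm64",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {"buildDefinition": {"resolvedDependencies": [
        # Assumed layout of the source entry: git+https://<repo>@refs/tags/<tag>
        {"uri": "git+https://github.com/slsa-framework/slsa-verifier@refs/tags/v2.7.1",
         "digest": {"gitCommit": "0" * 40}}]}},
}
ENVELOPE_LINE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "PLACEHOLDER-NOT-A-REAL-SIGNATURE"}],
})


def check_provenance(envelope_line, artifact, source_uri, source_tag):
    """Structural checks on one .intoto.jsonl line; returns (ok, reason)."""
    env = json.loads(envelope_line)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        return False, "unexpected payloadType"
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("_type") != STATEMENT_V1:
        return False, "not an in-toto v1 Statement"
    if not stmt.get("predicateType", "").startswith(SLSA_PREDICATE_PREFIX):
        return False, "predicate is not SLSA provenance"
    # The subject binds the attestation to this exact artifact by digest.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in stmt["subject"]):
        return False, "artifact digest not among subjects"
    # The resolved source must be the repository and tag we expect to have built.
    deps = stmt["predicate"]["buildDefinition"].get("resolvedDependencies", [])
    expected = f"git+https://{source_uri}@refs/tags/{source_tag}"
    if not any(d.get("uri") == expected for d in deps):
        return False, "source URI/tag mismatch"
    return True, "ok"
```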
Conclusion
SLSA provenance is a critical component of software supply chain security. By providing verifiable metadata about the source, build, and builder of a software artifact, it closes the gap that signatures and SBOMs alone leave open and makes it harder for malware to slip into a build unnoticed. With tools like slsa-github-generator and slsa-verifier, we can generate and verify SLSA provenance and so establish the authenticity and integrity of our software artifacts.
AI summary
SLSA provenance provides verifiable metadata for software artifacts and strengthens supply-chain security. Learn how to generate provenance with GitHub Actions and verify it with slsa-verifier.