SLSA attestations
SignPath can create SLSA attestations for any of the supported build systems. See the definition for more details.
Creating a SLSA statement requires multiple directives:
- Add `<create-provenance-file>` to the root-level `<zip-file>` to create a SLSA provenance statement.
- Add `<create-verification-summary-file>` to the `<create-provenance-file>` element to create a SLSA verification summary statement.
- Sign both by adding a `<create-attestation-signature>` to each. Signing effectively turns the statements into proper attestations.
- Add `<include-in-provenance>` to each file that you want to include in the generated provenance's subject section.
Supported parameters:
| Directive | Parameter | Description |
|---|---|---|
| `<create-provenance-file>` | `output-file-name` | File name for the provenance statement. |
| `<create-verification-summary-file>` | `output-file-name` | File name for the verification summary statement. |
| `<create-attestation-signature>` | `type` | Signature format; the example below uses `cms` and `dsse`. |
| `<create-attestation-signature>` | `output-file-name` | File name for the attestation signature. |
| `<include-in-provenance>` | none | |
Example
```xml
<artifact-configuration xmlns="http://signpath.io/artifact-configuration/v1">
  <zip-file>
    <pe-file path="myApp.exe">
      <include-in-provenance />
    </pe-file>
    <create-provenance-file output-file-name="slsa-attestation.in-toto.jsonl">
      <create-attestation-signature type="cms" output-file-name="${file.name}.cms.pem" />
      <create-verification-summary-file output-file-name="slsa-vsa.json">
        <create-attestation-signature type="dsse" output-file-name="slsa-vsa.dsse.json" />
      </create-verification-summary-file>
    </create-provenance-file>
  </zip-file>
</artifact-configuration>
```
Verification of SLSA verification summaries (VSA)
To verify a SLSA verification summary attestation (VSA), you need:
- The verification summary attestation file (e.g. `slsa-vsa.dsse.json` in the example above)
- The attestation signer certificate. For SLSA attestations created by SignPath, you can download SignPath_SLSA.pem for fully supported systems and SignPath_SLSA-Beta.pem, which is a self-signed certificate, for all systems with preview support (see the definition for a list of all supported systems).
- The publisher certificate
resource-uri
SLSA specifies a `resource-uri` field with the intention of allowing a consumer to ensure that the software artifact was obtained from a trusted source. SignPath populates this field with information from the publisher certificate, in the form of

`urn:x-software-publisher:verified=<true|false>;certificate-fingerprint=<publisher-cert-fingerprint>;subject=<publisher-cert-subject>`

The values are defined as follows:
- `verified`: `true` if the publisher certificate was issued by a trusted certificate authority (CA)
- `certificate-fingerprint`: the SHA-1 fingerprint of the X.509 publisher certificate.
- `subject`: the subject of the X.509 publisher certificate.
To verify the verification summary attestation, the official slsa-verifier tool can be used. The following steps are required to verify a SLSA verification summary attestation generated by SignPath:

```shell
# 1. Verify the attestation signer certificate
## on Windows
certutil -verify SignPath_SLSA.pem
## on Linux
openssl verify -untrusted SignPath_SLSA.pem SignPath_SLSA.pem

# 2. Extract the public key of the attestation signer certificate
openssl x509 -pubkey -noout -in SignPath_SLSA.pem > SignPath_SLSA.pubkey.pem

# 3. Verify the SLSA verification summary attestation
slsa-verifier verify-vsa \
  --subject-digest "sha256:$artifactHash" \
  --attestation-path /path/to/slsa-vsa.dsse.json \
  --verifier-id https://signpath.io \
  --public-key-path SignPath_SLSA.pubkey.pem \
  --resource-uri "urn:x-software-publisher:verified=true;certificate-fingerprint=$publisherFingerprint;subject=$publisherSubject" \
  --verified-level SLSA_BUILD_LEVEL_3
```
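As an added example (not SignPath's own code) of consuming the `resource-uri` described above and of preparing the `--resource-uri` check used in the verification steps: a Python helper that reads `resourceUri` out of a DSSE-wrapped VSA file, parses the URN into its three fields (taking the subject verbatim, since an X.509 subject contains `=` and may contain `;`), and reports every field that does not match the publisher the consumer expects. The in-toto/DSSE field names, the constructed sample envelope and the tolerance for colon- and case-variants of the fingerprint are assumptions, not taken from this page.

```python
import base64
import json
# Key order of the SignPath resource-uri documented above. The subject comes
# last, so it is taken verbatim and may itself contain '=' or ';'.
URN_PREFIX = "urn:x-software-publisher:"
KEYS = ("verified", "certificate-fingerprint", "subject")

def parse_resource_uri(uri):
    """Split the URN into its three fields; raises ValueError if malformed."""
    if not uri.startswith(URN_PREFIX):
        raise ValueError("not a SignPath publisher URN")
    rest, fields = uri[len(URN_PREFIX):], {}
    for key in KEYS:
        if not rest.startswith(key + "="):
            raise ValueError(f"expected '{key}=' but found {rest[:24]!r}")
        rest = rest[len(key) + 1:]
        if key == KEYS[-1]:
            fields[key] = rest  # remainder is the subject, untouched
        else:
            fields[key], sep, rest = rest.partition(";")
            if not sep:
                raise ValueError(f"missing ';' after {key}")
    return fields

def resource_uri_from_vsa(envelope_json):
    """Read predicate.resourceUri from a DSSE-wrapped in-toto VSA (assumed layout)."""
    statement = json.loads(base64.b64decode(json.loads(envelope_json)["payload"]))
    return statement["predicate"]["resourceUri"]

def check_publisher(uri, expected_fingerprint, expected_subject):
    """Return findings for every field that does not match the expected publisher."""
    norm = lambda fp: fp.replace(":", "").lower()  # tolerate colon/case variants
    f, findings = parse_resource_uri(uri), []
    if f["verified"] != "true":
        findings.append("publisher certificate was not issued by a trusted CA")
    if norm(f["certificate-fingerprint"]) != norm(expected_fingerprint):
        findings.append("certificate fingerprint does not match expected publisher")
    if f["subject"] != expected_subject:
        findings.append("certificate subject does not match expected publisher")
    return findings
# Constructed sample (not a real SignPath attestation): a DSSE envelope around a
# minimal VSA statement with a made-up fingerprint and subject.
SAMPLE_URI = ("urn:x-software-publisher:verified=true;certificate-fingerprint="
              "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67;"
              "subject=CN=Example Publisher, O=Example Corp")
SAMPLE_STATEMENT = {"_type": "https://in-toto.io/Statement/v1",
                    "predicateType": "https://slsa.dev/verification_summary/v1",
                    "predicate": {"verifier": {"id": "https://signpath.io"}, "resourceUri": SAMPLE_URI}}
SAMPLE_VSA = json.dumps({"payloadType": "application/vnd.in-toto+json", "signatures": [],
                         "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode()})
```

This check complements, rather than replaces, the signature verification that slsa-verifier performs against the attestation signer key; an unsigned or tampered envelope must still be rejected by step 3 above.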