Thursday, July 7, 2022
Google Online Security Blog: How to SLSA Part 3

As a reminder, Acme is trying to produce a container image that contains three artifacts:

  1. The Squirrel package ‘foo’
  2. The Oppy package ‘baz’
  3. A custom executable, ‘bar’, written by Acme employees.

The process starts with ‘foo’ package authors triggering a build using GitHub Actions. This results in a new version of ‘foo’ (an artifact with hash ‘abc’) being pushed to the Squirrel repo along with its SLSA provenance (signed by Fulcio) and source attestation. When Squirrel gets this push request it verifies the artifact against the specific policy for ‘foo’, which checks that it was built by GitHub Actions from the expected source repository. After the artifact passes the policy check a VSA is created, and the new package, its original SLSA provenance, and the VSA are made public in the Squirrel repo, available to all users of package ‘foo’.

Next the maintainers of the Oppy ‘baz’ package trigger a new build using the Oppy Autobuilder. This results in a new version of ‘baz’ (an artifact with hash ‘def’) being pushed to a public Oppy repo, with the SLSA provenance (signed by their org-specific keys) published to Rekor. When the repo gets the push request it makes the artifact available to the public. The repo does not perform any verification at this time.

An Acme employee then makes a change to their Dockerfile, sending it for review by their co-worker, who approves the change and merges the PR. This then causes the Acme builder to trigger a build. During this build:

  • bar is compiled from source code stored in the same source repo as the Dockerfile.
  • acorn install downloads ‘foo’ from the Squirrel repo, verifying the VSA, and recording the use of acorn://foo@abc and its VSA in the build.
  • acme_oppy_get install (a custom script written by Acme) downloads the latest version of the Oppy ‘baz’ package and queries its SLSA provenance and other attestations from Rekor. It then performs a full verification, checking that it was built by ‘https://oppy.example/slsa/builder/v1’ and signed with the publicized key. Once verification is complete it records the use of oppy://baz@def and the associated attestations in the build.
  • The build process assembles the SLSA provenance for the container by:
    • Recording the Acme git repo the bar source and Dockerfile came from, into materials.
    • Copying the reported dependencies of acorn://foo@abc and oppy://baz@def into materials and adding their attestations to the output in-toto bundle.
    • Recording the CI/CD entrypoint as the invocation.
    • Creating a signed DSSE with the SLSA provenance and adding it to the output in-toto bundle.
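The build steps above, carried through in code as an added example (not code from the article or from any SLSA project): the builder records the Acme source repo and the two dependencies as materials, records the CI/CD entrypoint as the invocation, wraps the resulting SLSA provenance v0.2 statement in a DSSE envelope, and assembles the in-toto bundle together with the dependencies' own attestations. The builder id, buildType, acme.example URIs, dependency attestation bodies and digests are assumptions; the HMAC key stands in for the builder's real (asymmetric) signing key so the block runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the Acme builder's signing key. A real builder signs
# DSSE envelopes with an asymmetric key (for example one issued through Fulcio);
# HMAC-SHA256 only keeps this example dependency-free.
BUILDER_KEY = b"acme-builder-demo-key"
BUILDER_KEY_ID = "acme-builder-demo"
BUILDER_ID = "https://acme.example/slsa/builder/v1"          # hypothetical builder id
BUILD_TYPE = "https://acme.example/build-types/container/v1"  # hypothetical buildType

# What acorn install and acme_oppy_get install recorded during the build: the
# resolved dependency, its digest, and the attestations fetched for it. Digests
# reuse the article's placeholder hashes; the attestation bodies are constructed.
RECORDED_DEPENDENCIES = [
    {"uri": "acorn://foo@abc", "digest": {"sha256": "abc"},
     "attestations": [{"kind": "vsa", "for": "acorn://foo@abc", "result": "PASSED"}]},
    {"uri": "oppy://baz@def", "digest": {"sha256": "def"},
     "attestations": [{"kind": "provenance", "for": "oppy://baz@def",
                       "builder_id": "https://oppy.example/slsa/builder/v1"}]},
]


def build_materials(source_repo, source_commit, deps):
    """Materials: the Acme repo the Dockerfile and bar came from, then every recorded dependency."""
    materials = [{"uri": source_repo, "digest": {"sha1": source_commit}}]
    for dep in deps:
        materials.append({"uri": dep["uri"], "digest": dep["digest"]})
    return materials


def build_provenance(image_name, image_digest, source_repo, source_commit, entry_point, deps):
    """in-toto Statement carrying a SLSA provenance v0.2 predicate for the container."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": image_name, "digest": {"sha256": image_digest}}],
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {
            "builder": {"id": BUILDER_ID},
            "buildType": BUILD_TYPE,
            # The CI/CD entrypoint that was invoked, pinned to the reviewed commit.
            "invocation": {
                "configSource": {
                    "uri": source_repo,
                    "digest": {"sha1": source_commit},
                    "entryPoint": entry_point,
                }
            },
            "materials": build_materials(source_repo, source_commit, deps),
        },
    }


def pae(payload_type, payload):
    """DSSE Pre-Authentication Encoding: the bytes that are actually signed."""
    ptype = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(ptype), ptype, len(payload), payload)


def sign_dsse(statement):
    """Wrap a statement in a DSSE envelope signed with the builder's key."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    payload_type = "application/vnd.in-toto+json"
    sig = hmac.new(BUILDER_KEY, pae(payload_type, payload), hashlib.sha256).digest()
    return {
        "payloadType": payload_type,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": BUILDER_KEY_ID, "sig": base64.b64encode(sig).decode()}],
    }


def verify_dsse(envelope):
    """Return the decoded statement if a signature from the builder's key checks out, else None."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(BUILDER_KEY, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    for sig in envelope["signatures"]:
        if sig["keyid"] == BUILDER_KEY_ID and hmac.compare_digest(base64.b64decode(sig["sig"]), expected):
            return json.loads(payload)
    return None


def assemble_bundle(provenance_envelope, deps):
    """The output in-toto bundle: the signed provenance plus each dependency's attestations."""
    bundle = [provenance_envelope]
    for dep in deps:
        bundle.extend(dep["attestations"])
    return bundle


if __name__ == "__main__":
    # Constructed sample inputs: the container digest and the reviewed Acme commit.
    prov = build_provenance("acme/app", "f" * 64, "git+https://github.com/acme/app",
                            "0123456789abcdef0123456789abcdef01234567", ".ci/build.yml",
                            RECORDED_DEPENDENCIES)
    print(json.dumps(assemble_bundle(sign_dsse(prov), RECORDED_DEPENDENCIES), indent=2))
```

The point of signing the PAE rather than the raw JSON is that the payload type is bound into the signature, so a verifier cannot be tricked into interpreting a signed blob of one type as another; the bundle keeps the dependencies' attestations alongside the container's provenance so a later verifier can re-check them without trusting the builder's word for it.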

Once the container is ready for release the Acme verifier checks the SLSA provenance (and other data in the in-toto bundle) using the policy from their own policy repo and issues a VSA. The VSA and all associated attestations are then published to an internal Rekor instance. Acme can then create an SBOM for the container, leveraging data about the build as stored in Rekor. Acme then publishes the container image, the VSA, and the SBOM on Dockerhub.

Downstream users of this Acme container can then check the Acme-issued VSA, and if there are any problems Acme can consult their internal Rekor instance to get more details on the build, allowing Acme to trace all of their dependencies back to source code and the systems used to create them.

With SLSA implemented in the ways described in this series, downstream users are protected from many of the threats affecting the software supply chain today. While users still need to trust certain parties, the number of systems requiring trust is much lower and users are in a much better position to investigate any issues that arise.

We’d love to see the ideas in this series implemented, refuted, or used as a foundation to build even stronger solutions. We’d also love to hear other methods for solving these issues. Show us how you like to SLSA.
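The release-time check described in the paragraph above, as an added example that is not the article's or any SLSA project's code: a policy from Acme's policy repo names the trusted builder, the expected source repo and the verification each dependency must have received; the verifier runs the container's provenance and the bundled dependency attestations against it and issues a VSA whose result is PASSED only when no violation was found. The policy document, the acme.example URIs, the sample provenance and attestation shapes are constructed; the VSA field names follow the v0.1 layout and should be treated as illustrative.

```python
from datetime import datetime, timezone

# Constructed policy for the container, as it might be stored in Acme's policy repo.
# The URIs under acme.example and the field names are assumptions for this example.
CONTAINER_POLICY = {
    "uri": "https://acme.example/policy/app-container.json",
    "expected_builder_id": "https://acme.example/slsa/builder/v1",
    "expected_source_repo": "git+https://github.com/acme/app",
    "level_on_pass": "SLSA_LEVEL_3",
    # What the build must have verified for each dependency before using it.
    "dependencies": {
        "acorn://foo@abc": {"requires": "vsa"},
        "oppy://baz@def": {"requires": "provenance",
                           "builder_id": "https://oppy.example/slsa/builder/v1"},
    },
}

# Constructed sample: the provenance the Acme builder produced for the container
# (shape of SLSA provenance v0.2) and the attestations it copied into the bundle.
SAMPLE_PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "acme/app", "digest": {"sha256": "f" * 64}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {"id": "https://acme.example/slsa/builder/v1"},
        "invocation": {"configSource": {"uri": "git+https://github.com/acme/app",
                                        "digest": {"sha1": "0" * 40},
                                        "entryPoint": ".ci/build.yml"}},
        "materials": [
            {"uri": "git+https://github.com/acme/app", "digest": {"sha1": "0" * 40}},
            {"uri": "acorn://foo@abc", "digest": {"sha256": "abc"}},
            {"uri": "oppy://baz@def", "digest": {"sha256": "def"}},
        ],
    },
}
SAMPLE_DEPENDENCY_ATTESTATIONS = {
    "acorn://foo@abc": {"kind": "vsa", "result": "PASSED"},
    "oppy://baz@def": {"kind": "provenance",
                       "builder_id": "https://oppy.example/slsa/builder/v1", "key_verified": True},
}


def check_provenance(statement, policy):
    """Policy checks on the container's own provenance; returns a list of violations."""
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        return ["unsupported predicateType"]
    problems = []
    pred = statement["predicate"]
    if pred["builder"]["id"] != policy["expected_builder_id"]:
        problems.append("built by %s, not the trusted builder" % pred["builder"]["id"])
    if pred["invocation"]["configSource"]["uri"] != policy["expected_source_repo"]:
        problems.append("build config was not taken from the expected source repo")
    uris = {m["uri"] for m in pred["materials"]}
    if policy["expected_source_repo"] not in uris:
        problems.append("source repo is missing from materials")
    for dep_uri in policy["dependencies"]:
        if dep_uri not in uris:
            problems.append("expected dependency %s not in materials" % dep_uri)
    # Anything else in materials is a dependency the policy never approved.
    for uri in sorted(uris - set(policy["dependencies"]) - {policy["expected_source_repo"]}):
        problems.append("unexpected material %s" % uri)
    return problems


def check_dependencies(attestations, policy):
    """Each dependency must carry the verification the policy demands for it."""
    problems = []
    for dep_uri, rule in policy["dependencies"].items():
        att = attestations.get(dep_uri)
        if att is None:
            problems.append("no attestation recorded for %s" % dep_uri)
        elif rule["requires"] == "vsa" and not (att["kind"] == "vsa" and att["result"] == "PASSED"):
            problems.append("%s lacks a passing VSA" % dep_uri)
        elif rule["requires"] == "provenance" and not (
                att["kind"] == "provenance"
                and att["builder_id"] == rule["builder_id"]
                and att.get("key_verified")):
            problems.append("%s provenance not verified against %s" % (dep_uri, rule["builder_id"]))
    return problems


def issue_vsa(statement, attestations, policy, verifier_id, verified_at):
    """Run the policy and return (VSA statement, list of violations found)."""
    problems = check_provenance(statement, policy) + check_dependencies(attestations, policy)
    passed = not problems
    vsa = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": statement["subject"],
        "predicateType": "https://slsa.dev/verification_summary/v0.1",
        "predicate": {
            "verifier": {"id": verifier_id},
            "time_verified": verified_at,  # RFC 3339 timestamp string
            "policy": {"uri": policy["uri"]},
            "input_attestations": [{"uri": u} for u in sorted(attestations)],
            "verification_result": "PASSED" if passed else "FAILED",
            "policy_level": policy["level_on_pass"] if passed else "SLSA_LEVEL_0",
        },
    }
    return vsa, problems


if __name__ == "__main__":
    vsa, problems = issue_vsa(SAMPLE_PROVENANCE, SAMPLE_DEPENDENCY_ATTESTATIONS, CONTAINER_POLICY,
                              "https://acme.example/verifier", datetime.now(timezone.utc).isoformat())
    print(vsa["predicate"]["verification_result"], problems)
```

Two design points worth keeping when adapting this: the verifier rejects materials the policy does not list, so a dependency that quietly slipped into the build fails the check rather than going unnoticed, and the VSA carries the subject digest and policy URI so a downstream consumer can tell exactly which artifact was judged and under which rules, without needing the full provenance themselves.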
