How to use Verification Summary Attestations
This tutorial explains how to use the Verification Summary Attestations (VSA) generated by Macaron, using the VSAs for the Graal Development Kit (GDK) artifacts as an example.
For more information about VSAs, please refer to the Verification Summary Attestation page. To use Macaron to generate VSAs see this tutorial.
Use case
Imagine you are a consumer of GDK artifacts and want to verify whether they are produced by a secure, SLSA-compliant build service and sourced from a trusted source code repository. You need to confirm whether a provenance record for this artifact is published and has been verified. The GDK team must keep the details of their build pipeline confidential while still communicating that verification has occurred.
A VSA allows you to assess the security properties of an artifact without needing direct access to the provenance details. This process involves delegating the policy decision to Macaron. Macaron receives the provenance of the build as input, analyzes various aspects of the build, and verifies the gathered data against a Datalog policy. It then generates a VSA that is published alongside the artifacts, attesting to the artifacts produced by the build.
Example
GDK is an Oracle build of the open source Micronaut® framework. GDK provides a curated set of Micronaut framework modules which are built from source and published on the Oracle Maven repository. If a GDK artifact is verified by Macaron, you should be able to to find a corresponding VSA on Oracle Maven repository. Let’s consider, the io.micronaut/micronaut-core@4.6.5-oracle-00001 JAR artifact which is published at https://maven.oracle.com/public/io/micronaut/micronaut-core/4.6.5-oracle-00001/micronaut-core-4.6.5-oracle-00001.jar. In order to verify the artifact with Macaron, you can follow the following steps:
Download the VSA
Check wether a VSA is published for the artifact and download it for further examination.
curl -O https://maven.oracle.com/public/io/micronaut/micronaut-core/4.6.5-oracle-00001/vsa.intoto.jsonl
Manual inspection of the VSA content
cat vsa.intoto.jsonl | jq -r '.payload' | base64 -d | jq
The output of the this command should look like below:
{
"_type": "https://in-toto.io/Statement/v1",
"subject": [
{
"uri": "pkg:maven/io.micronaut/micronaut-core@4.6.5-oracle-00001?type=jar",
"digest": {
"sha256": "685644ae52ed580030550c7e4f441f39df2741c45095f1cf93583bddc413e6f8"
}
},
{
"uri": "pkg:maven/io.micronaut/micronaut-core@4.6.5-oracle-00001?type=pom",
"digest": {
"sha256": "64ba60107cdf5a93bec28b73f33585b93635f1fe6ae0707e6c8b42ed2d7d5198"
}
},
{
"uri": "pkg:maven/io.micronaut/micronaut-core@4.6.5-oracle-00001?type=java-source",
"digest": {
"sha256": "bcfcdb0213868100ca421f341411a5d5bc98ecb5cf44186804d27a4a34906818"
}
},
{
"uri": "pkg:maven/io.micronaut/micronaut-core@4.6.5-oracle-00001?type=javadoc",
"digest": {
"sha256": "33f720a21faad105f2566944a2e49b198eb310a1f9cfaa7742fdae8f46677e46"
}
}
],
"predicateType": "https://slsa.dev/verification_summary/v1",
"predicate": {
"verifier": {
"id": "https://github.com/oracle/macaron",
"version": {
"macaron": "0.10.0"
}
},
"timeVerified": "2024-09-10T06:35:56.559568+00:00",
"resourceUri": "pkg:maven/io.micronaut/micronaut-core@4.6.5-oracle-00001",
"policy": {
"content": "#include \"prelude.dl\"\n\nPolicy(\"gdk_provenance_policy\", component_id, \"Policy for GDK builds\") :-\n check_passed(component_id, \"mcn_provenance_expectation_1\").\n\napply_policy_to(\"gdk_provenance_policy\", component_id) :-\n is_component(component_id, purl),\n match(\"^pkg:maven/io.micronaut/micronaut-core@.*$\", purl)."
},
"verificationResult": "PASSED",
"verifiedLevels": []
}
}
The VSA adheres to the schema provided by SLSA. However, rather than specifying a URI for the policy, it includes the policy directly within the VSA under the predicate.policy.content field. The VSA also includes the list of subjects and their corresponding checksums that have been verified, the version of Macaron used, the timestamp of the verification, and the result of the verification.
Here is a pretty-printed version of the policy as it appears in the VSA, along with its description.
#include "prelude.dl"
Policy("gdk_provenance_policy", component_id, "Policy for GDK builds") :-
check_passed(component_id, "mcn_provenance_expectation_1")
apply_policy_to("gdk_provenance_policy", component_id) :-
is_component(component_id, purl),
match("^pkg:maven/io.micronaut/micronaut-core@.*$", purl).
This policy makes sure the mcn_provenance_expectation_1 check, which verifies the content of the provenance file matches a CUE expectation.
Policy prelude (
#include "prelude.dl"): Copies all the pre-written rules and the generated fact import statements into the policy program. All user-written policy files must begin with#include "prelude.dl".Policy Validation (
Policy): This rule ensures that the component satisfies themcn_provenance_expectation_1check.Applying the Policy (
apply_policy_to): To apply thegcn_provenance_policy, Macaron first determines if thecomponent_idis a valid component and if itsPURLconforms to the pattern defined in thematchpredicate. If both conditions are met, the policy is applied.The template Datalog policy file can be downloaded from here
Below you can find the template CUE file that has been used by the mcn_provenance_expectation_1 check at verification time to verify the provenance. It contains place holders for expected values that are populated by the GDK maintainers.
{
target: "<EXPECTATION_PURL>",
predicate: {
attestations: [
{
attestation: {
jobimage: "<IMAGE-NAME>",
projecturl: "https://<REPO_URL>",
},
},
]
}
}
target: "<EXPECTATION_PURL>": This specifies the software component that is verified.<EXPECTATION_PURL>is a placeholder for the actual PURL (Package URL) of the target component, e.g.,pkg:maven/io.micronaut/micronaut-core.jobimage: "<IMAGE-NAME>": This condition checks that thejobimageattribute matches a specific pattern.<IMAGE-NAME>is a placeholder for the actual image name used at build time, e.g.,container-registry.oracle.com/os/oraclelinux:9-slim.projecturl: "https://<REPO_URL>": This checks that theprojecturlattribute exactly matches the expected Repository URL.<REPO_URL>is a placeholder for the actual repository URL, e.g.,internal.repo.com/micronaut-projects/micronaut-core.The template CUE expectation can be downloaded from this location.
Automatically check the artifact checksum and verification result
To verify that the artifact checksum matches the subject listed in the VSA and that the verification process has passed, follow these steps:
Prerequisites
Before running the script, ensure that the following tools are installed and available on your system’s PATH:
bash: This script has been tested withbash 5.1.16(1)-release.curljqshasumawk
Download the check_vsa.sh script
curl -O https://raw.githubusercontent.com/oracle/macaron/main/scripts/release_scripts/check_vsa.sh
Make the script executable
chmod +x check_vsa.sh
Run the script with the appropriate arguments
Following our example, let’s verify that the VSA has passed for the artifact available at https://maven.oracle.com/public/io/micronaut/micronaut-core/4.6.5-oracle-00001/micronaut-core-4.6.5-oracle-00001.jar. You can either download the JAR from the repository or, if you have built the GDK project, obtain the artifact from your local Maven repository at ~/.m2/repository/io/micronaut/micronaut-core/4.6.5-oracle-00001/micronaut-core-4.6.5-oracle-00001.jar. Then, run the following command:
./check_vsa.sh --artifact-path micronaut-core-4.6.5-oracle-00001.jar --vsa-path vsa.intoto.jsonl --purl "pkg:maven/io.micronaut/micronaut-core@4.6.5-oracle-00001?type=jar"
The artifact and VSA paths should be valid paths on your filesystem. Ensure you replace micronaut-core-4.6.5-oracle-00001.jar, vsa.intoto.jsonl, and pkg:maven/io.micronaut/micronaut-core@4.6.5-oracle-00001?type=jar with your actual file paths and package URL.
Verify the output
If the verification is successful, the script will print:
PASSED
If there is an issue, the script will return an error code 1 and print an appropriate error message.