Verification Summary Attestations
Macaron generates Verification Summary Attestations (VSAs) as part of its verification to communicate the fact that “some software component has been verified against a policy”.
The concept of VSA in Macaron largely follows the concept of VSA in SLSA and in-toto.
Use cases
The use cases of Macaron VSAs include, but are not limited to:
Enabling delegated verification: This allows software consumers to make use of verification results from another party.
Caching verification results: It could be expensive or inconvenient to run a full Macaron verification in certain circumstances. A VSA helps with caching and reusing verification results.
Schema
Following the in-toto attestation schema, the outermost layer of a Macaron-generated VSA is a DSSE envelope containing a base64-encoded payload of type in-toto Statement.
The following is the schema of the Statement layer:
{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [
    {
      "uri": {{ PackageURL of the software component being verified }},
    }
  ],
  "predicateType": "https://slsa.dev/verification_summary/v1",
  "predicate": {
    "verifier": {
      "id": "https://github.com/oracle/macaron",
      "version": {
        "macaron": {{ Macaron version }}
      }
    },
    "timeVerified": {{ The timestamp of when the verification happened }},
    "resourceUri": {{ PackageURL of the software component being verified }},
    "policy": {
      "content": {{ Datalog policy applied to the software component being verified }}
    },
    "verificationResult": {{ Either "PASSED" or "FAILED" }},
    "verifiedLevels": []
  }
}
_type : string (TypeURI)
Identifier for the schema of the Statement layer. This follows the in-toto v1 Statement layer schema and is always https://in-toto.io/Statement/v1.

subject : array of ResourceDescriptor objects
Subjects of the VSA. Each entry is a software component verified by Macaron. If the software component is also an artifact, its SHA256 digest is also recorded.

predicateType : string (TypeURI)
Identifier for the type of the Predicate. For Macaron-generated VSAs, this is always https://slsa.dev/verification_summary/v1.

predicate : object
The Predicate of the attestation, providing information about the verification.

predicate.verifier : object
Information about the tool running the verification, which is Macaron.

predicate.verifier.id : string (TypeURI)
The identifier for Macaron.

predicate.timeVerified : string (Timestamp)
The timestamp of when the verification happened.

predicate.resourceUri : string (ResourceURI)
URI identifying the resource associated with the software component being verified.
Note: In the current version of Macaron, the value of this field is the same PackageURL that identifies the only subject software component of the VSA.

policy : object
Details about the policy that the subject software component was verified against.

policy.content : string
The Souffle Datalog policy used for verification, in plain text.

verificationResult : string, either "PASSED" or "FAILED"
The verification result. A result of "PASSED" means the subject software component conforms to the policy.

verifiedLevels : array (SlsaResult), required
Indicates the highest level of each SLSA track verified for the software component (and not its dependencies), or "FAILED" if policy verification failed.
Note: In the current version of Macaron, this is left empty.
Example
The following is an example payload (Statement layer) of a Macaron VSA generated by verifying the slsa-verifier repository.
{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [
    {
      "uri": "pkg:github.com/slsa-framework/slsa-verifier@7e1e47d7d793930ab0082c15c2b971fdb53a3c95"
    }
  ],
  "predicateType": "https://slsa.dev/verification_summary/v1",
  "predicate": {
    "verifier": {
      "id": "https://github.com/oracle/macaron",
      "version": {
        "macaron": "0.6.0"
      }
    },
    "timeVerified": "2024-01-04T11:13:03.496399Z",
    "resourceUri": "pkg:github.com/slsa-framework/slsa-verifier@7e1e47d7d793930ab0082c15c2b971fdb53a3c95",
    "policy": {
      "content": "#include \"prelude.dl\"\n\nPolicy(\"slsa_verifier_policy\", component_id, \"Policy for SLSA Verifier\") :-\n check_passed(component_id, \"mcn_build_as_code_1\"),\n check_passed(component_id, \"mcn_provenance_level_three_1\"),\n check_passed(component_id, \"mcn_provenance_available_1\").\n\napply_policy_to(\"slsa_verifier_policy\", component_id) :-\n is_repo(\n _, // repo_id\n \"github.com/slsa-framework/slsa-verifier\",\n component_id\n ).\n"
    },
    "verificationResult": "PASSED",
    "verifiedLevels": []
  }
}
This VSA communicates that the subject software component "pkg:github.com/slsa-framework/slsa-verifier@7e1e47d7d793930ab0082c15c2b971fdb53a3c95" passed the following policy, carried in the policy.content field:
#include "prelude.dl"

Policy("slsa_verifier_policy", component_id, "Policy for SLSA Verifier") :-
    check_passed(component_id, "mcn_build_as_code_1"),
    check_passed(component_id, "mcn_provenance_level_three_1"),
    check_passed(component_id, "mcn_provenance_available_1").

apply_policy_to("slsa_verifier_policy", component_id) :-
    is_repo(
        _, // repo_id
        "github.com/slsa-framework/slsa-verifier",
        component_id
    ).
This policy requires the subject software component to pass three Macaron checks:
mcn_build_as_code_1
mcn_provenance_level_three_1
mcn_provenance_available_1
For more details on using the Macaron VSA generation feature and inspecting the resulting VSA, please refer to the Output files of macaron verify-policy section.