Monday, June 27, 2022

Google Online Security Blog: How to SLSA Part 3


As a reminder, Acme is trying to produce a container image that contains three artifacts:

  1. The Squirrel package ‘foo’
  2. The Oppy package ‘baz’
  3. A custom executable, ‘bar’, written by Acme employees.

The process starts with ‘foo’ package authors triggering a build using GitHub Actions. This results in a new version of ‘foo’ (an artifact with hash ‘abc’) being pushed to the Squirrel repo along with its SLSA provenance (signed by Fulcio) and source attestation. When Squirrel gets this push request it verifies the artifact against the specific policy for ‘foo’, which checks that it was built by GitHub Actions from the expected source repository. After the artifact passes the policy check a VSA is created, and the new package, its original SLSA provenance, and the VSA are made public in the Squirrel repo, available to all users of package ‘foo’.

Next the maintainers of the Oppy ‘baz’ package trigger a new build using the Oppy Autobuilder. This results in a new version of ‘baz’ (an artifact with hash ‘def’) being pushed to a public Oppy repo, with the SLSA provenance (signed by their org-specific keys) published to Rekor. When the repo gets the push request it makes the artifact available to the public. The repo does not perform any verification at this time.

An Acme employee then makes a change to their Dockerfile, sending it for review by their co-worker, who approves the change and merges the PR. This then causes the Acme builder to trigger a build. During this build:

  • bar is compiled from source code stored in the same source repo as the Dockerfile.
  • acorn install downloads ‘foo’ from the Squirrel repo, verifying the VSA, and recording the use of acorn://foo@abc and its VSA in the build.
  • acme_oppy_get install (a custom script made by Acme) downloads the latest version of the Oppy ‘baz’ package and queries its SLSA provenance and other attestations from Rekor. It then performs a full verification, checking that it was built by ‘https://oppy.example/slsa/builder/v1’ and the publicized key. Once verification is complete it records the use of oppy://baz@def and the associated attestations in the build.
  • The build process assembles the SLSA provenance for the container by:
    • Recording the Acme git repo that the bar source and Dockerfile came from, into materials.
    • Copying the reported dependencies of acorn://foo@abc and oppy://baz@def into materials and adding their attestations to the output in-toto bundle.
    • Recording the CI/CD entrypoint as the invocation.
    • Creating a signed DSSE with the SLSA provenance and adding it to the output in-toto bundle.

Once the container is ready for release the Acme verifier checks the SLSA provenance (and other data in the in-toto bundle) using the policy from their own policy repo and issues a VSA. The VSA and all associated attestations are then published to an internal Rekor instance. Acme can then create an SBOM for the container, leveraging data about the build as stored in Rekor. Acme then publishes the container image, the VSA, and the SBOM on Dockerhub.
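As an added example (not code from the original post or from the SLSA project), the build steps and the verifier's check above in Python: it assembles the SLSA v0.2 provenance statement with the source repo, acorn://foo@abc and oppy://baz@def as materials and the CI/CD entrypoint as the invocation, refuses any dependency that did not pass verification, wraps the statement in a DSSE envelope, and verifies that envelope. The Acme repo URL, entrypoint and builder id are assumptions, and an HMAC stands in for the builder's real signing key.

```python
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
# Constructed record of what the Acme build observed; 'abc'/'def' are the page's placeholder hashes.
BUILD_RECORD = {
    "source": {"uri": "git+https://acme.example/acme/app.git", "commit": "0" * 40},  # assumed repo
    "entrypoint": "build.yaml",  # assumed CI/CD entrypoint
    "dependencies": [
        {"uri": "acorn://foo@abc", "sha256": "abc", "verified": True},  # VSA checked by acorn
        {"uri": "oppy://baz@def", "sha256": "def", "verified": True},   # provenance checked via Rekor
    ],
}

def assemble_provenance(record, image_digest):
    """Build the in-toto Statement (SLSA provenance v0.2); refuse dependencies that failed verification."""
    unverified = [d["uri"] for d in record["dependencies"] if not d["verified"]]
    if unverified:
        raise ValueError(f"unverified dependencies: {unverified}")
    src = {"uri": record["source"]["uri"], "digest": {"sha1": record["source"]["commit"]}}
    materials = [src] + [{"uri": d["uri"], "digest": {"sha256": d["sha256"]}} for d in record["dependencies"]]
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": "acme/container", "digest": {"sha256": image_digest}}],
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {
            "builder": {"id": "https://acme.example/slsa/builder/v1"},  # assumed builder id
            "invocation": {"configSource": dict(src, entryPoint=record["entrypoint"])},
            "materials": materials,
        },
    }

def pae(payload_type, payload):
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type.encode()), payload_type.encode(), len(payload), payload)

def wrap_dsse(statement, key):
    """Wrap the statement in a DSSE envelope; HMAC stands in for the builder's real signing key."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "acme-builder", "sig": base64.b64encode(sig).decode()}]}

def verify_dsse(envelope, key):
    """Recompute the PAE from the envelope and check its signature; return the statement or None."""
    payload = base64.b64decode(envelope["payload"])
    want = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    got = base64.b64decode(envelope["signatures"][0]["sig"])
    return json.loads(payload) if hmac.compare_digest(got, want) else None
```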

Downstream users of this Acme container can then check the Acme-issued VSA, and if there are any problems Acme can consult their internal Rekor instance to get more details on the build, allowing Acme to trace all of their dependencies back to source code and the systems used to create them.

Conclusion

With SLSA implemented in the ways described in this series, downstream users are protected from many of the threats affecting the software supply chain today. While users still need to trust certain parties, the number of systems requiring trust is much lower and users are in a much better position to investigate any issues that arise.

We’d love to see the ideas in this series implemented, refuted, or used as a foundation to build even stronger solutions. We’d also love to hear some other methods on how to solve these issues. Show us how you like to SLSA.


Sasith Mawan
I'm a Software Engineering graduate with more than 6 years of experience in the IT world, working as a Software Developer to Tech Lead. Currently the Co-Founder of an upcoming gaming company located in the United States.