Thursday, June 30, 2022
HomeCyber SecurityGoogle On-line Safety Weblog: Methods to SLSA Half 2

Google On-line Safety Weblog: Methods to SLSA Half 2


In our final submit we launched a fictional instance of Squirrel, Oppy, and Acme studying to make use of SLSA and lined the fundamentals of what their implementations would possibly appear like. In the present day we’ll cowl the small print: the place to retailer attestations and insurance policies, what insurance policies ought to test, and the right way to deal with key distribution and belief.
Attestations play a big position in SLSA and it’s important that buyers of artifacts know the place to search out the attestations for these artifacts.
Co-located in repo

Attestations may very well be colocated within the repository that hosts the artifact. That is how Squirrel plans to retailer attestations for packages. They even wish to add help to the Squirrel CLI (e.g. acorn get-attestations foo@1.2.3).

Acme actually likes this method as a result of the attestations are all the time accessible and it doesn’t introduce any new dependencies.


In the meantime, Oppy plans to retailer attestations in Rekor. They like with the ability to direct customers to an present public occasion without having to take care of any new infrastructure themselves, and the in-depth protection the transparency log supplies towards tampering with the attestations.

Although the latency of querying attestations from Rekor is probably going too excessive for doing verification at time of use, Oppy isn’t too involved since they count on customers to question Rekor at set up time.


A hybrid mannequin can be accessible the place the writer shops the attestations in Rekor in addition to co-located with the artifact within the repo—together with Rekor’s inclusion proof. This supplies confidence the info was added to Rekor whereas offering the advantages of co-locating attestations within the repository.

‘Coverage’ refers back to the guidelines used to find out if an artifact ought to be allowed for a use case.

Insurance policies typically use the bundle identify as a proxy for figuring out the use case. An instance being, if you wish to discover the coverage to use you could possibly search for the coverage utilizing the bundle identify of the artifact you’re evaluating.

Coverage specifics might fluctuate based mostly on ease of use, availability of information, danger tolerance and extra. Full verification wants extra from insurance policies than delegated verification does.

Default coverage

Default insurance policies enable admission selections with out the necessity to create particular insurance policies for every bundle. A default coverage is a means of claiming “something that doesn’t have a extra particular coverage should adjust to this coverage”.

Squirrel plans to finally implement a default coverage of “any bundle and not using a extra particular coverage will likely be accepted so long as it meets SLSA 3”, however they acknowledge that almost all packages don’t help this but. Till they obtain crucial mass they’ll have a default SLSA 0 coverage (all artifacts are accepted).

Whereas Oppy is leaving verification to their customers, they’ll recommend a default coverage of “any bundle constructed by ‘https://oppy.instance/slsa/builder/v1’”.

Particular coverage

Squirrel additionally plans to permit customers to create insurance policies for particular packages. For instance, this coverage requires that bundle ‘foo’ will need to have been constructed by GitHub Actions, from, and be SLSA 4.

scope: ‘acorn://foo’

target_level: SLSA_L4

allow_github_actions {

  workflow: ‘’

  source_repo: ‘’

  allow_branch: ‘principal’


Squirrel will even enable packages to create SLSA 0 insurance policies in the event that they’re not utilizing SLSA compliant infrastructure.

scope: ‘acorn://qux’

target_level: SLSA_L0

Coverage auto technology

Squirrel has an infinite variety of present packages. It’s not possible to get all these bundle maintainers to create particular insurance policies themselves. Due to this fact, Squirrel plans to leverage course of mining to auto generate insurance policies for packages based mostly on the historical past of the bundle. E.g. “The final 10 instances Squirrel bundle foo was revealed it was constructed by GitHub Actions from, and met SLSA 4 (that is the coverage above). Let’s create a coverage that requires that and ship it to the maintainers to assessment.”
Coverage add-ons

Coverage analysis may do extra than simply consider the SLSA necessities. The identical insurance policies that test SLSA necessities are nicely positioned to test different properties which are essential to organizations like “was static evaluation carried out”, “are there any recognized CVEs on this artifact”, “was integration testing profitable”, and so forth…

Acme is de facto all for a few of these coverage add-ons. They’d prefer to keep away from the embarrassing state of affairs of publishing a brand new container picture with recognized CVEs. They’re undecided the right way to implement it but however they’ll be looking out for instruments that may assist them achieve this.

Delegated insurance policies

When utilizing delegated verification there’s a lot much less that really must be checked and they are often hard-coded straight in tooling. A minimal delegated verification coverage is perhaps “enable if trusted-party verified this artifact (recognized by digest) as <bundle identify>”. This may be tightened additional by including necessities on the artifact & its dependencies SLSA ranges (knowledge which is on the market within the VSA). For instance, “enable if trusted-party verified this artifact as <bundle identify> at SLSA 3 and it doesn’t have any dependencies lower than SLSA 2”.

# Delegated verification implicitly checks that the bundle identify we’re

# checking matches the VSA’s topic.identify discipline.

allow_delegated_verification {

  trusted_verifier: ‘’

  minimum_level: SLSA_L3

  minimum_dependency_level: SLSA_L2


When utilizing particular, non-default, insurance policies verifiers must know the place to search out the coverage they should consider.

Co-located in repo

Squirrel plans to retailer particular insurance policies as a property of the bundle within the repository. This makes them very simple for customers and their tooling to search out. It additionally permits the maintainer of the bundle to simply set the coverage (they have already got write permissions!).

A possible draw back is that the write permissions are the identical as for the bundle itself. An attacker that compromises the developer’s credentials may additionally change the coverage. This is probably not as dangerous because it appears. Insurance policies are human-readable so anybody paying consideration would discover that bundle foo’s coverage now says that it may be constructed from Squirrel plans to inform events (together with the maintainer!) when the coverage modifications, probably letting them “sound the alarm” if something nefarious occurs.

An identical method is taken in plenty of contact-change workflows. For instance, whenever you change your tackle along with your financial institution, the financial institution will ship you an e-mail (and a letter to the outdated tackle) letting you recognize the tackle has been modified. Such a notification would alert the maintainer to a possible compromise.

Squirrel would additionally take into account requiring a second particular person to assessment any coverage modifications for packages with over 10,000 customers.

Public canonical Git repo

Another choice is perhaps to only create a canonical git repo (e.g. and let individuals publish proposed insurance policies there. This has the benefit of utilizing a separate ACL management mechanism from the bundle repository itself, however the disadvantages of being troublesome to make sure the creator of the coverage is definitely allowed to set the coverage for that bundle and never scaling nicely because the repo grows.

The method outlined in coverage auto technology may assist right here. Automation within the repo may simply take a look at the final N releases of the bundle and decide if the proposed coverage matches what’s truly been revealed. Proactive modifications to the coverage (like deciding to modify from GitHub Actions to CircleCI) could be more durable to coordinate nevertheless.

Org particular repo

Acme plans to determine their very own org particular repo for coverage storage. This provides them a single place to retailer all their insurance policies, no matter ecosystem kind, and lets them present extra particular insurance policies for packages supplied by upstream repos. Since Oppy doesn’t have any plans to supply package-specific insurance policies this provides Acme a spot to retailer their very own insurance policies for Oppy packages (in the event that they ever get round to it).

Organizations also can use their coverage repo to vet any upstream modifications to coverage and probably add extra checks (e.g. “doesn’t have any recognized vulnerabilities”).

Acme desires to make use of delegated verification and that depends on having trusted verifiers to make selections for downstream customers. Who’re these trusted verifiers?
Public verifier

A public repo is in an excellent place to behave as a trusted verifier for his or her customers. Customers already belief these repos and so they might already be doing verification on import.

Squirrel plans to utilize this by making VSAs accessible for every artifact revealed, publicizing their verifier ID (i.e. ‘https://squirrel.instance/slsa-verifier’) and the general public key used to signal the VSAs. They even plan to construct VSA verification straight into the Squirrel tooling, in order that customers can get SLSA safety by default.

Org-wide verifier

Whereas Acme is completely happy to make use of Squirrel’s verifier (and the verification constructed into the tooling) they nonetheless want their very own verifier to allow them to publish VSAs to Acme clients. So Acme plans to face up their very own verification service and publish their verifier ID (i.e. ‘https://acme.instance/private-verifier’) and signing key. Acme clients can then confirm the software program they get from Acme.

Sooner or later Acme may require all software program used all through the corporate to be verified with this verifier (as an alternative of counting on public verifiers). They’d do the verification and generate VSAs every time artifacts are imported into their non-public Artifactory occasion. They may then configure this ID/key pair to be used all through Acme and be assured that any software program used has been verified in line with Acme coverage. That’s not Acme’s highest precedence for the time being, however they like having this feature open to them.

Each full and delegated verification rely on key distribution to the customers doing the verification. Relying on the specifics and what’s getting verified this generally is a troublesome downside.
Org-specific keys

When utilizing delegated verification this may very well be the best case. Squirrel can simply construct the important thing they used for delegated verification straight into the Squirrel tooling. Acme also can pretty simply configure using their keys by way of the corporate utilizing present configuration management mechanisms.

When utilizing full verification this may be more durable. If there are a number of builders that may very well be accepted the keys that signal the attestations must be distributed to everybody that may use that builder. For Squirrel this might be actually troublesome since they plan to permit bundle maintainers to make use of no matter builder they need. How these keys get configured could be difficult only for Squirrel, and way more troublesome if downstream Squirrel customers needed to do full verification of the Squirrel packages.

The state of affairs is simpler, nevertheless, for Oppy. That’s as a result of Oppy plans to solely settle for artifacts constructed by their autobuilder community. Oppy can configure this community to make use of a single (or small set) of keys after which publish these keys (and the SLSA degree Oppy believes it meets) for downstream customers.


Squirrel plans to unravel the issue of which keys they settle for by leveraging Fulcio. Squirrel will construct help for Fulcio root keys into their verifier after which specific which Fulcio topic is allowed to signal attestations within the particular coverage of every bundle. E.g. “Squirrel bundle ‘foo’ will need to have been constructed & signed by ‘spiffe://, from, and be SLSA 4”.

scope: ‘acorn://foo’

target_level: SLSA_L4

allow_fulcio_builder {

  id: ‘spiffe://’

  source_repo: ‘’

  allow_branch: ‘principal’

  allow_entrypoint: ‘bundle.json’


The Replace Framework (TUF)

The above strategies may very well be additional enhanced with TUF to permit the safe upkeep of keys. TUF metadata may embody all of the SLSA keys, the construct companies and different entities they’re legitimate for, and the SLSA ranges they’re certified at. Oppy is contemplating utilizing TUF to let verifiers securely fetch and replace keys utilized by the Autobuilder community. Oppy would use a TUF delegation to point that these keys ought to solely be used for the builder id ‘https://oppy.instance/slsa/builder/v1’. Squirrel would possibly do one thing just like enable for updating the Fulcio key in its tooling.

Acme desires to document and confirm the dependencies that go into its container into the SLSA provenance. Acme would favor that this performance have been simply built-in their construct service, however that characteristic isn’t accessible but. As a substitute they’ll must do one thing themselves. They’ve just a few choices at their disposal:
Device wrappers

Since Oppy doesn’t construct SLSA into it’s tooling Acme will create wrapper scripts for dependency import/set up that document and confirm (utilizing cosign) dependencies as they’re put in. Acme will replace their construct scripts to interchange all situations of Oppy bundle set up with the wrapper script after which use the recorded outcomes to assist populate the supplies part of the provenance.

A draw back is that this method, if run within the construct itself, is just not assured to be full and can’t meet the “non-falsifiable” requirement (because the outcomes reported by the wrapper may very well be falsified by the construct course of), relegating this method to SLSA 2. Nonetheless, it permits Acme to make progress SLSA-fying their builds and supplies a place to begin for reaching increased SLSA ranges.

Constructed into ecosystem tooling

Since Squirrel does construct verification into their tooling, Acme can simply use acorn set up to confirm the dependencies and document what was put in. Acme can use this info to populate the Squirrel packages put in within the supplies part of the provenance and it could embody the attestations of these dependencies within the in-toto bundle for his or her container picture.

As with software wrappers, if this technique is used within the construct itself it can’t meet “non-falsifiable” requirement.

Proxied verification

Acme thought-about making a proxy for his or her present builder to proxy outbound connections. This proxy may confirm every little thing fetched and use its logs to populate the provenance. Since this proxy is trusted it might be simpler to satisfy “non-falsifiable” requirement. Sadly it’s additionally a whole lot of work for Acme so that they’re going to defer this concept for now.
Within the first two elements of this collection, we’ve lined the fundamentals of getting began with SLSA and the small print of coverage and provenance storage, coverage verification, and key dealing with. In our subsequent submit we’ll cowl how Squirrel, Oppy, and Acme put this all collectively to guard a heterogeneous provide chain.


Sasith Mawan
Sasith Mawan
I'm a Software Engineering graduate with more than 6 years experience on the IT world working as a Software Developer to Tech Lead. Currently the Co-Founder of a Upcoming Gaming Company located in United States.


Please enter your comment!
Please enter your name here

Most Popular

Recent Comments