From 646a3ad9697fcdee10073bce1d08f53a25de3f0f Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Mon, 31 Jul 2023 22:19:21 +0000 Subject: [PATCH 01/38] Squash commits from byob patch Signed-off-by: Noah Elzner --- cli/slsa-verifier/verify/verify_artifact.go | 1 + options/options.go | 8 +++- verifiers/internal/gha/builder.go | 16 +++++++ verifiers/internal/gha/builder_test.go | 12 +++++ verifiers/internal/gha/provenance.go | 52 ++++++++++++++++++++- verifiers/internal/gha/verifier.go | 11 +---- 6 files changed, 88 insertions(+), 12 deletions(-) diff --git a/cli/slsa-verifier/verify/verify_artifact.go b/cli/slsa-verifier/verify/verify_artifact.go index d6fb4ec0f..08d2dbe6c 100644 --- a/cli/slsa-verifier/verify/verify_artifact.go +++ b/cli/slsa-verifier/verify/verify_artifact.go @@ -54,6 +54,7 @@ func (c *VerifyArtifactCommand) Exec(ctx context.Context, artifacts []string) (* ExpectedVersionedTag: c.SourceVersionTag, ExpectedTag: c.SourceTag, ExpectedWorkflowInputs: c.BuildWorkflowInputs, + ExpectedBuilderPath: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/", } builderOpts := &options.BuilderOpts{ diff --git a/options/options.go b/options/options.go index 7bc9c46de..b8fe331f7 100644 --- a/options/options.go +++ b/options/options.go @@ -18,7 +18,8 @@ type ProvenanceOpts struct { // ExpectedSourceURI is the expected source URI in the provenance. ExpectedSourceURI string - // ExpectedBuilderID is the expected builder ID. + // ExpectedBuilderID is the expected builder ID that is parsed from the envelope + // of the provenance. ExpectedBuilderID string // ExpectedWorkflowInputs is a map of key=value inputs. @@ -27,10 +28,13 @@ type ProvenanceOpts struct { ExpectedPackageName *string ExpectedPackageVersion *string + + ExpectedBuilderPath string } // BuildOpts are the options for checking the builder. type BuilderOpts struct { - // ExpectedID is the expected builder ID. + // ExpectedID is the expected builder ID that is inputted + // at the command line by the user to be verified. ExpectedID *string } diff --git a/verifiers/internal/gha/builder.go b/verifiers/internal/gha/builder.go index 062905056..db816f9cf 100644 --- a/verifiers/internal/gha/builder.go +++ b/verifiers/internal/gha/builder.go @@ -109,11 +109,27 @@ func verifyTrustedBuilderID(certBuilderID, certTag string, expectedBuilderID *st if _, ok := defaultTrustedBuilders[certBuilderID]; !ok { return nil, false, fmt.Errorf("%w: %s with builderID provided: %t", serrors.ErrorUntrustedReusableWorkflow, certBuilderID, expectedBuilderID != nil) } + // Construct the builderID using the certificate's builder's name and tag. trustedBuilderID, err = utils.TrustedBuilderIDNew(certBuilderID+"@"+certTag, true) if err != nil { return nil, false, err } + + // Check if: + // - the builder in the cert is a BYOB builder + // - the caller trusts the BYOB builder + // If both are true, we don't match the user-provided builder ID + // against the certificate. Instead that will be done by the caller. + // + // If using a trusted delgator builder, then return the builderID and true + // for byob to enable non-compulsory flag for builder-id, which allows + // the user to use slsa-github-generator builders and not type the --builder-id + // flag on the command line. + if isTrustedDelegatorBuilder(trustedBuilderID, defaultTrustedBuilders) { + return trustedBuilderID, true, nil + } + } else { // Verify the builderID. // We only accept IDs on github.com. diff --git a/verifiers/internal/gha/builder_test.go b/verifiers/internal/gha/builder_test.go index e710fec14..46953ead5 100644 --- a/verifiers/internal/gha/builder_test.go +++ b/verifiers/internal/gha/builder_test.go @@ -477,6 +477,15 @@ func Test_verifyTrustedBuilderID(t *testing.T) { defaults: defaultBYOBReusableWorkflows, byob: true, }, + { + // This is a BYOB workflow without an id that tests non-compulsory builder-id + // feature of slsa-verifier and expects byob to be true + name: "generic delegator workflow no id", + path: trustedBuilderRepository + "/.github/workflows/delegator_generic_slsa3.yml", + tag: "refs/tags/v1.2.3", + defaults: defaultBYOBReusableWorkflows, + byob: true, + }, { name: "low perms delegator workflow short tag", path: trustedBuilderRepository + "/.github/workflows/delegator_lowperms-generic_slsa3.yml", @@ -486,10 +495,13 @@ func Test_verifyTrustedBuilderID(t *testing.T) { byob: true, }, { + // This is a BYOB workflow without an id that tests non-compulsory builder-id + // feature of slsa-verifier and expects byob to be true name: "low perms delegator workflow no ID provided", path: trustedBuilderRepository + "/.github/workflows/delegator_lowperms-generic_slsa3.yml", tag: "v1.2.3", defaults: defaultBYOBReusableWorkflows, + byob: true, }, { name: "default mismatch against container defaults long tag", diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index e31c8c625..1d6eebcba 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go @@ -58,6 +58,42 @@ func verifyBuilderIDExactMatch(prov iface.Provenance, expectedBuilderID string) return nil } +// Inputs value in place of --BuilderID for slsa-github-generator builders such that the builderID for +// the builders do not need to be inputted as the expectedBuilderID will default to +// the delegator builder ID for BYOB. +func verifyBuilderIDPath(prov iface.Provenance, builderOpts *options.BuilderOpts, provenanceOpts *options.ProvenanceOpts) error { + id, err := prov.BuilderID() + if err != nil { + return err + } + + provBuilderID, err := utils.TrustedBuilderIDNew(id, false) + if err != nil { + return err + } + + // This is the prefix to check for to verify that the builder is from slsa-framework. + // If this prefix is present, then the --builder-id flag is not needed at CLI command. + slsa_prefix := provenanceOpts.ExpectedBuilderPath + + if !(strings.HasPrefix(provBuilderID.Name(), slsa_prefix)) { + return fmt.Errorf("%w: expected slsa-framework BYOB Builder ID in provenance in order to not input --builder-id at command line: %q", serrors.ErrorInvalidBuilderID, provBuilderID.Name()) + } + + // Only set if user input is empty and builder is one of slsa-framework's + if strings.HasPrefix(provBuilderID.Name(), slsa_prefix) && builderOpts.ExpectedID == nil || *builderOpts.ExpectedID == "" { + // Allocate temp string to set pointer, tempBuilderID, to set builderOpts.ExpectedID + var str string + str = provBuilderID.Name() + + var tempBuilderID *string + tempBuilderID = &(str) + builderOpts.ExpectedID = tempBuilderID + } + + return nil +} + // Verify Builder ID in provenance statement. // This function verifies the names match. If the expected builder ID contains a version, // it also verifies the versions match. @@ -70,6 +106,7 @@ func verifyBuilderIDLooseMatch(prov iface.Provenance, expectedBuilderID string) if err != nil { return err } + if err := provBuilderID.MatchesLoose(expectedBuilderID, true); err != nil { return err } @@ -286,7 +323,8 @@ func isValidDelegatorBuilderID(prov iface.Provenance) error { } // VerifyProvenance verifies the provenance for the given DSSE envelope. -func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts, trustedBuilderID *utils.TrustedBuilderID, byob bool) error { +func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts, trustedBuilderID *utils.TrustedBuilderID, byob bool, + builderOpts *options.BuilderOpts) error { prov, err := slsaprovenance.ProvenanceFromEnvelope(trustedBuilderID.Name(), env) if err != nil { return err @@ -297,7 +335,19 @@ func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceO if err := isValidDelegatorBuilderID(prov); err != nil { return err } + + // If the --builder-id flag is empty and the builder used to build artifact is not from slsa-framework + // then throw the error. + if builderOpts.ExpectedID == nil || *builderOpts.ExpectedID == "" { + // If the --builder-id is empty, check to see if is made with an Expected Builder + if err := verifyBuilderIDPath(prov, builderOpts, provenanceOpts); err != nil { + return err + } + } + + provenanceOpts.ExpectedBuilderID = *builderOpts.ExpectedID // Note: `provenanceOpts.ExpectedBuilderID` is provided by the user. + // or is taken from the user if it matches expected builder and --builder-id is empty if err := verifyBuilderIDLooseMatch(prov, provenanceOpts.ExpectedBuilderID); err != nil { return err } diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go index d49090fc5..85c131a4b 100644 --- a/verifiers/internal/gha/verifier.go +++ b/verifiers/internal/gha/verifier.go @@ -71,15 +71,8 @@ func verifyEnvAndCert(env *dsse.Envelope, // There is a corner-case to handle: if the verified builder ID from the cert // is a delegator builder, the user MUST provide an expected builder ID // and we MUST match it against the content of the provenance. - if byob { - if builderOpts.ExpectedID == nil || *builderOpts.ExpectedID == "" { - // NOTE: we will need to update the logic here once our default trusted builders - // are migrated to using BYOB. - return nil, nil, fmt.Errorf("%w: empty ID", serrors.ErrorInvalidBuilderID) - } - provenanceOpts.ExpectedBuilderID = *builderOpts.ExpectedID - } - if err := VerifyProvenance(env, provenanceOpts, verifiedBuilderID, byob); err != nil { + + if err := VerifyProvenance(env, provenanceOpts, verifiedBuilderID, byob, builderOpts); err != nil { return nil, nil, err } From fa2148a7eee654272775423cc489481952ceacb2 Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Mon, 31 Jul 2023 22:30:08 +0000 Subject: [PATCH 02/38] improve error message and comments Signed-off-by: Noah Elzner --- verifiers/internal/gha/provenance.go | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index 1d6eebcba..810ea9edf 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go @@ -58,10 +58,10 @@ func verifyBuilderIDExactMatch(prov iface.Provenance, expectedBuilderID string) return nil } -// Inputs value in place of --BuilderID for slsa-github-generator builders such that the builderID for +// Inputs value in place of --BuilderID for builders of ExpectedPath such that the builderID for // the builders do not need to be inputted as the expectedBuilderID will default to -// the delegator builder ID for BYOB. -func verifyBuilderIDPath(prov iface.Provenance, builderOpts *options.BuilderOpts, provenanceOpts *options.ProvenanceOpts) error { +// the delegator builder ID for BYOB. Currently slsa-framework path is the only supported for ExpectedBuilderPath. +func verifyExpectedBuilderIDPath(prov iface.Provenance, builderOpts *options.BuilderOpts, provenanceOpts *options.ProvenanceOpts) error { id, err := prov.BuilderID() if err != nil { return err @@ -72,16 +72,16 @@ func verifyBuilderIDPath(prov iface.Provenance, builderOpts *options.BuilderOpts return err } - // This is the prefix to check for to verify that the builder is from slsa-framework. + // This is the prefix to check for to verify that the builder is from expected builder path // If this prefix is present, then the --builder-id flag is not needed at CLI command. - slsa_prefix := provenanceOpts.ExpectedBuilderPath + builder_path_prefix := provenanceOpts.ExpectedBuilderPath - if !(strings.HasPrefix(provBuilderID.Name(), slsa_prefix)) { - return fmt.Errorf("%w: expected slsa-framework BYOB Builder ID in provenance in order to not input --builder-id at command line: %q", serrors.ErrorInvalidBuilderID, provBuilderID.Name()) + if !(strings.HasPrefix(provBuilderID.Name(), builder_path_prefix)) { + return fmt.Errorf("%w: expected slsa-framework BYOB Builder ID in provenance in order to not input --builder-id at command line. Got: %q. Expected: %q", serrors.ErrorInvalidBuilderID, provBuilderID.Name(), builder_path_prefix) } - // Only set if user input is empty and builder is one of slsa-framework's - if strings.HasPrefix(provBuilderID.Name(), slsa_prefix) && builderOpts.ExpectedID == nil || *builderOpts.ExpectedID == "" { + // Only set if user input is empty and builder is one of expected builders of Expected Builder Path + if strings.HasPrefix(provBuilderID.Name(), builder_path_prefix) && builderOpts.ExpectedID == nil || *builderOpts.ExpectedID == "" { // Allocate temp string to set pointer, tempBuilderID, to set builderOpts.ExpectedID var str string str = provBuilderID.Name() @@ -336,11 +336,11 @@ func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceO return err } - // If the --builder-id flag is empty and the builder used to build artifact is not from slsa-framework + // If the --builder-id flag is empty and the builder used to build artifact is not from ExpectedBuilderPath // then throw the error. if builderOpts.ExpectedID == nil || *builderOpts.ExpectedID == "" { // If the --builder-id is empty, check to see if is made with an Expected Builder - if err := verifyBuilderIDPath(prov, builderOpts, provenanceOpts); err != nil { + if err := verifyExpectedBuilderIDPath(prov, builderOpts, provenanceOpts); err != nil { return err } } From ebf4ffc640069a98d1a33b6116a4236ca017e9e6 Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Mon, 31 Jul 2023 22:39:10 +0000 Subject: [PATCH 03/38] Improvements Signed-off-by: Noah Elzner --- verifiers/internal/gha/provenance.go | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index 810ea9edf..2043d2089 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go @@ -59,9 +59,10 @@ func verifyBuilderIDExactMatch(prov iface.Provenance, expectedBuilderID string) } // Inputs value in place of --BuilderID for builders of ExpectedPath such that the builderID for -// the builders do not need to be inputted as the expectedBuilderID will default to -// the delegator builder ID for BYOB. Currently slsa-framework path is the only supported for ExpectedBuilderPath. -func verifyExpectedBuilderIDPath(prov iface.Provenance, builderOpts *options.BuilderOpts, provenanceOpts *options.ProvenanceOpts) error { +// the builders do not need to be inputted. Example: the expectedBuilderID will default to +// the delegator builder ID for BYOB, this can verify actual BYOB builder for user without --builder-id flag. +// Currently slsa-framework path is the only one supported for ExpectedBuilderPath. +func verifyBuilderIDPath(prov iface.Provenance, builderOpts *options.BuilderOpts, provenanceOpts *options.ProvenanceOpts) error { id, err := prov.BuilderID() if err != nil { return err @@ -340,7 +341,7 @@ func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceO // then throw the error. if builderOpts.ExpectedID == nil || *builderOpts.ExpectedID == "" { // If the --builder-id is empty, check to see if is made with an Expected Builder - if err := verifyExpectedBuilderIDPath(prov, builderOpts, provenanceOpts); err != nil { + if err := verifyBuilderIDPath(prov, builderOpts, provenanceOpts); err != nil { return err } } From 67c29de33899b79936785417930a14849dd55aaf Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Tue, 1 Aug 2023 21:28:22 +0000 Subject: [PATCH 04/38] Fixed logic and comments from review feedback Signed-off-by: Noah Elzner --- cli/slsa-verifier/verify/verify_artifact.go | 1 - options/options.go | 2 -- verifiers/internal/gha/provenance.go | 36 ++++++--------------- 3 files changed, 10 insertions(+), 29 deletions(-) diff --git a/cli/slsa-verifier/verify/verify_artifact.go b/cli/slsa-verifier/verify/verify_artifact.go index 08d2dbe6c..d6fb4ec0f 100644 --- a/cli/slsa-verifier/verify/verify_artifact.go +++ b/cli/slsa-verifier/verify/verify_artifact.go @@ -54,7 +54,6 @@ func (c *VerifyArtifactCommand) Exec(ctx context.Context, artifacts []string) (* ExpectedVersionedTag: c.SourceVersionTag, ExpectedTag: c.SourceTag, ExpectedWorkflowInputs: c.BuildWorkflowInputs, - ExpectedBuilderPath: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/", } builderOpts := &options.BuilderOpts{ diff --git a/options/options.go b/options/options.go index b8fe331f7..5cb9ba9d9 100644 --- a/options/options.go +++ b/options/options.go @@ -28,8 +28,6 @@ type ProvenanceOpts struct { ExpectedPackageName *string ExpectedPackageVersion *string - - ExpectedBuilderPath string } // BuildOpts are the options for checking the builder. diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index 2043d2089..2b360f448 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go @@ -62,37 +62,23 @@ func verifyBuilderIDExactMatch(prov iface.Provenance, expectedBuilderID string) // the builders do not need to be inputted. Example: the expectedBuilderID will default to // the delegator builder ID for BYOB, this can verify actual BYOB builder for user without --builder-id flag. // Currently slsa-framework path is the only one supported for ExpectedBuilderPath. -func verifyBuilderIDPath(prov iface.Provenance, builderOpts *options.BuilderOpts, provenanceOpts *options.ProvenanceOpts) error { +func verifyBuilderIDPath(prov iface.Provenance, expectedBuilderIDPath string) (string, error) { id, err := prov.BuilderID() if err != nil { - return err + return "", err } provBuilderID, err := utils.TrustedBuilderIDNew(id, false) if err != nil { - return err + return "", err } - // This is the prefix to check for to verify that the builder is from expected builder path - // If this prefix is present, then the --builder-id flag is not needed at CLI command. - builder_path_prefix := provenanceOpts.ExpectedBuilderPath - - if !(strings.HasPrefix(provBuilderID.Name(), builder_path_prefix)) { - return fmt.Errorf("%w: expected slsa-framework BYOB Builder ID in provenance in order to not input --builder-id at command line. Got: %q. Expected: %q", serrors.ErrorInvalidBuilderID, provBuilderID.Name(), builder_path_prefix) + // Compare actual BuilderIDPath with the expected + if !strings.HasPrefix(provBuilderID.Name(), expectedBuilderIDPath) { + return "", fmt.Errorf("%w: BuilderID Path Mismatch. Got: %q. Expected: %q", serrors.ErrorInvalidBuilderID, provBuilderID.Name(), expectedBuilderIDPath) } - // Only set if user input is empty and builder is one of expected builders of Expected Builder Path - if strings.HasPrefix(provBuilderID.Name(), builder_path_prefix) && builderOpts.ExpectedID == nil || *builderOpts.ExpectedID == "" { - // Allocate temp string to set pointer, tempBuilderID, to set builderOpts.ExpectedID - var str string - str = provBuilderID.Name() - - var tempBuilderID *string - tempBuilderID = &(str) - builderOpts.ExpectedID = tempBuilderID - } - - return nil + return provBuilderID.Name(), nil } // Verify Builder ID in provenance statement. @@ -337,16 +323,14 @@ func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceO return err } - // If the --builder-id flag is empty and the builder used to build artifact is not from ExpectedBuilderPath - // then throw the error. + // If ExpectedID is empty, check to see if it is a trusted builder if builderOpts.ExpectedID == nil || *builderOpts.ExpectedID == "" { - // If the --builder-id is empty, check to see if is made with an Expected Builder - if err := verifyBuilderIDPath(prov, builderOpts, provenanceOpts); err != nil { + var trustedBuilderRepositoryPath = "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/" + if provenanceOpts.ExpectedBuilderID, err = verifyBuilderIDPath(prov, trustedBuilderRepositoryPath); err != nil { return err } } - provenanceOpts.ExpectedBuilderID = *builderOpts.ExpectedID // Note: `provenanceOpts.ExpectedBuilderID` is provided by the user. // or is taken from the user if it matches expected builder and --builder-id is empty if err := verifyBuilderIDLooseMatch(prov, provenanceOpts.ExpectedBuilderID); err != nil { From 38ce418d1d41133293b699026126a93289072712 Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Tue, 1 Aug 2023 22:04:29 +0000 Subject: [PATCH 05/38] changed scope of comment Signed-off-by: Noah Elzner --- verifiers/internal/gha/provenance.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index 2b360f448..969f7c1ba 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go @@ -331,8 +331,8 @@ func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceO } } - // Note: `provenanceOpts.ExpectedBuilderID` is provided by the user. - // or is taken from the user if it matches expected builder and --builder-id is empty + // Note: `provenanceOpts.ExpectedBuilderID` is provided by the user + // or from return of verifyBuilderIDPath. if err := verifyBuilderIDLooseMatch(prov, provenanceOpts.ExpectedBuilderID); err != nil { return err } From 03b26a668db9b029722aa72ab83d29b04371bc6a Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Tue, 1 Aug 2023 22:09:32 +0000 Subject: [PATCH 06/38] Improved function description Signed-off-by: Noah Elzner --- verifiers/internal/gha/provenance.go | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index 969f7c1ba..959960322 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go @@ -58,9 +58,11 @@ func verifyBuilderIDExactMatch(prov iface.Provenance, expectedBuilderID string) return nil } -// Inputs value in place of --BuilderID for builders of ExpectedPath such that the builderID for -// the builders do not need to be inputted. Example: the expectedBuilderID will default to -// the delegator builder ID for BYOB, this can verify actual BYOB builder for user without --builder-id flag. +// Verifies expectedBuilderIDPath against path in provenance, and returns the actual +// builderIDPath if verified against inputted expected path. +// +// Example: the expectedBuilderID will default to the delegator builder ID for BYOB. +// This can verify actual BYOB builderIDPath against the trusted builderIDPath inputted, // Currently slsa-framework path is the only one supported for ExpectedBuilderPath. func verifyBuilderIDPath(prov iface.Provenance, expectedBuilderIDPath string) (string, error) { id, err := prov.BuilderID() From 1095060232478b936b0e035669b5beb685ce4a53 Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Tue, 1 Aug 2023 22:12:30 +0000 Subject: [PATCH 07/38] condense comment Signed-off-by: Noah Elzner --- verifiers/internal/gha/builder.go | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/verifiers/internal/gha/builder.go b/verifiers/internal/gha/builder.go index db816f9cf..bbd9c8596 100644 --- a/verifiers/internal/gha/builder.go +++ b/verifiers/internal/gha/builder.go @@ -122,10 +122,8 @@ func verifyTrustedBuilderID(certBuilderID, certTag string, expectedBuilderID *st // If both are true, we don't match the user-provided builder ID // against the certificate. Instead that will be done by the caller. // - // If using a trusted delgator builder, then return the builderID and true - // for byob to enable non-compulsory flag for builder-id, which allows - // the user to use slsa-github-generator builders and not type the --builder-id - // flag on the command line. + // This return enables non-compulsory builderID feature for BYOB builders + //by setting byob flag to true. if isTrustedDelegatorBuilder(trustedBuilderID, defaultTrustedBuilders) { return trustedBuilderID, true, nil } From acac0b872f72206c1d54cb1ede9416c7702b238d Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Tue, 1 Aug 2023 22:12:55 +0000 Subject: [PATCH 08/38] space nit Signed-off-by: Noah Elzner --- verifiers/internal/gha/builder.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/verifiers/internal/gha/builder.go b/verifiers/internal/gha/builder.go index bbd9c8596..2cd2aca77 100644 --- a/verifiers/internal/gha/builder.go +++ b/verifiers/internal/gha/builder.go @@ -123,7 +123,7 @@ func verifyTrustedBuilderID(certBuilderID, certTag string, expectedBuilderID *st // against the certificate. Instead that will be done by the caller. // // This return enables non-compulsory builderID feature for BYOB builders - //by setting byob flag to true. + // by setting byob flag to true. if isTrustedDelegatorBuilder(trustedBuilderID, defaultTrustedBuilders) { return trustedBuilderID, true, nil } From fd17c7d9ff401520d0b8d70c96b1fb928151ac8c Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Tue, 1 Aug 2023 22:21:26 +0000 Subject: [PATCH 09/38] nit: end sentence with period Signed-off-by: Noah Elzner --- verifiers/internal/gha/provenance.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index 959960322..d977ff8ad 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go @@ -75,7 +75,7 @@ func verifyBuilderIDPath(prov iface.Provenance, expectedBuilderIDPath string) (s return "", err } - // Compare actual BuilderIDPath with the expected + // Compare actual BuilderIDPath with the expected. if !strings.HasPrefix(provBuilderID.Name(), expectedBuilderIDPath) { return "", fmt.Errorf("%w: BuilderID Path Mismatch. Got: %q. Expected: %q", serrors.ErrorInvalidBuilderID, provBuilderID.Name(), expectedBuilderIDPath) } @@ -325,7 +325,7 @@ func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceO return err } - // If ExpectedID is empty, check to see if it is a trusted builder + // If ExpectedID is empty, check to see if it is a trusted builder. if builderOpts.ExpectedID == nil || *builderOpts.ExpectedID == "" { var trustedBuilderRepositoryPath = "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/" if provenanceOpts.ExpectedBuilderID, err = verifyBuilderIDPath(prov, trustedBuilderRepositoryPath); err != nil { From eb104b863cb7687a3b30698da49279ea6b4562db Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Tue, 1 Aug 2023 22:52:16 +0000 Subject: [PATCH 10/38] Fix function and improve comment on conditional logic Signed-off-by: Noah Elzner --- verifiers/internal/gha/provenance.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index d977ff8ad..60643bdd5 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go @@ -326,11 +326,15 @@ func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceO } // If ExpectedID is empty, check to see if it is a trusted builder. + // If empty and trusted builder, populate with path from provenance, + // otherwise, populate from user input. if builderOpts.ExpectedID == nil || *builderOpts.ExpectedID == "" { var trustedBuilderRepositoryPath = "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/" if provenanceOpts.ExpectedBuilderID, err = verifyBuilderIDPath(prov, trustedBuilderRepositoryPath); err != nil { return err } + } else { + provenanceOpts.ExpectedBuilderID = *builderOpts.ExpectedID } // Note: `provenanceOpts.ExpectedBuilderID` is provided by the user From c97454437b1147244d9aab7fee108fc021082a45 Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Tue, 1 Aug 2023 22:55:27 +0000 Subject: [PATCH 11/38] Use builder.go vars for trusted builder string Signed-off-by: Noah Elzner --- verifiers/internal/gha/provenance.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index 60643bdd5..1d99eab55 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go @@ -329,7 +329,7 @@ func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceO // If empty and trusted builder, populate with path from provenance, // otherwise, populate from user input. if builderOpts.ExpectedID == nil || *builderOpts.ExpectedID == "" { - var trustedBuilderRepositoryPath = "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/" + var trustedBuilderRepositoryPath = httpsGithubCom + trustedBuilderRepository + "/.github/workflows/" if provenanceOpts.ExpectedBuilderID, err = verifyBuilderIDPath(prov, trustedBuilderRepositoryPath); err != nil { return err } From 9318f88e03de2a58c356ee6ea147d7630d4f922c Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Tue, 1 Aug 2023 22:59:05 +0000 Subject: [PATCH 12/38] comment fix Signed-off-by: Noah Elzner --- verifiers/internal/gha/builder.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/verifiers/internal/gha/builder.go b/verifiers/internal/gha/builder.go index 2cd2aca77..4a7284f56 100644 --- a/verifiers/internal/gha/builder.go +++ b/verifiers/internal/gha/builder.go @@ -122,8 +122,8 @@ func verifyTrustedBuilderID(certBuilderID, certTag string, expectedBuilderID *st // If both are true, we don't match the user-provided builder ID // against the certificate. Instead that will be done by the caller. // - // This return enables non-compulsory builderID feature for BYOB builders - // by setting byob flag to true. + // This return of the delegator builderID enables non-compulsory + // builderID feature for BYOB builders by setting byob flag to true. if isTrustedDelegatorBuilder(trustedBuilderID, defaultTrustedBuilders) { return trustedBuilderID, true, nil } From ae63dee063e1e8e3a0cedee657d6ce01881b3256 Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Tue, 1 Aug 2023 23:03:28 +0000 Subject: [PATCH 13/38] moved comment to caller for better understanding Signed-off-by: Noah Elzner --- verifiers/internal/gha/provenance.go | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index 1d99eab55..cdf2cdafb 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go @@ -58,12 +58,9 @@ func verifyBuilderIDExactMatch(prov iface.Provenance, expectedBuilderID string) return nil } -// Verifies expectedBuilderIDPath against path in provenance, and returns the actual -// builderIDPath if verified against inputted expected path. -// -// Example: the expectedBuilderID will default to the delegator builder ID for BYOB. -// This can verify actual BYOB builderIDPath against the trusted builderIDPath inputted, -// Currently slsa-framework path is the only one supported for ExpectedBuilderPath. +// Verifies expectedBuilderIDPath by checking to see if the builderID in provenance +// starts with inputted expectedBuilderIDPath. +// Returns provenance builderID if verified against inputted expected path. func verifyBuilderIDPath(prov iface.Provenance, expectedBuilderIDPath string) (string, error) { id, err := prov.BuilderID() if err != nil { @@ -328,6 +325,10 @@ func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceO // If ExpectedID is empty, check to see if it is a trusted builder. // If empty and trusted builder, populate with path from provenance, // otherwise, populate from user input. + // + // Example: the expectedBuilderID will default to the delegator builder ID for BYOB. + // This can verify actual BYOB builderIDPath against the trusted builderIDPath inputted, + // Currently slsa-framework path is the only one supported for ExpectedBuilderPath. if builderOpts.ExpectedID == nil || *builderOpts.ExpectedID == "" { var trustedBuilderRepositoryPath = httpsGithubCom + trustedBuilderRepository + "/.github/workflows/" if provenanceOpts.ExpectedBuilderID, err = verifyBuilderIDPath(prov, trustedBuilderRepositoryPath); err != nil { From f00ae0d64d2f07c21e0e616b2806645bb198d449 Mon Sep 17 00:00:00 2001 From: Noah Elzner <78953604+enteraga6@users.noreply.github.com> Date: Wed, 2 Aug 2023 10:41:26 -0700 Subject: [PATCH 14/38] nit: start doc comments with the name of the function as if it was public. Co-authored-by: Ian Lewis Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> --- verifiers/internal/gha/provenance.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index cdf2cdafb..fb82d256e 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go @@ -58,8 +58,7 @@ func verifyBuilderIDExactMatch(prov iface.Provenance, expectedBuilderID string) return nil } -// Verifies expectedBuilderIDPath by checking to see if the builderID in provenance -// starts with inputted expectedBuilderIDPath. +// verifyBuilderIDPath verifies that the builder ID in provenance matches the provided expectedBuilderIDPrefix. // Returns provenance builderID if verified against inputted expected path. func verifyBuilderIDPath(prov iface.Provenance, expectedBuilderIDPath string) (string, error) { id, err := prov.BuilderID() From 42d475ea855e2417fb95e196dc98eb10153db12c Mon Sep 17 00:00:00 2001 From: Noah Elzner <78953604+enteraga6@users.noreply.github.com> Date: Wed, 2 Aug 2023 10:46:22 -0700 Subject: [PATCH 15/38] nit: builderIDPath --> builderIDPathPrefix Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> --- verifiers/internal/gha/provenance.go | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index fb82d256e..b961dbb93 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go @@ -58,9 +58,9 @@ func verifyBuilderIDExactMatch(prov iface.Provenance, expectedBuilderID string) return nil } -// verifyBuilderIDPath verifies that the builder ID in provenance matches the provided expectedBuilderIDPrefix. -// Returns provenance builderID if verified against inputted expected path. -func verifyBuilderIDPath(prov iface.Provenance, expectedBuilderIDPath string) (string, error) { +// verifyBuilderIDPathPrefix verifies that the builder ID in provenance matches the provided expectedBuilderIDPathPrefix. +// Returns provenance builderID if verified against provided expected Builder ID path prefix. +func verifyBuilderIDPathPrefix(prov iface.Provenance, expectedBuilderIDPathPrefix string) (string, error) { id, err := prov.BuilderID() if err != nil { return "", err @@ -71,9 +71,9 @@ func verifyBuilderIDPath(prov iface.Provenance, expectedBuilderIDPath string) (s return "", err } - // Compare actual BuilderIDPath with the expected. - if !strings.HasPrefix(provBuilderID.Name(), expectedBuilderIDPath) { - return "", fmt.Errorf("%w: BuilderID Path Mismatch. Got: %q. Expected: %q", serrors.ErrorInvalidBuilderID, provBuilderID.Name(), expectedBuilderIDPath) + // Compare actual BuilderID with the expected BuilderID Path Prefix. + if !strings.HasPrefix(provBuilderID.Name(), expectedBuilderIDPathPrefix) { + return "", fmt.Errorf("%w: BuilderID Path Mismatch. Got: %q. Expected BuilderID Path Prefix: %q", serrors.ErrorInvalidBuilderID, provBuilderID.Name(), expectedBuilderIDPathPrefix) } return provBuilderID.Name(), nil @@ -330,7 +330,7 @@ func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceO // Currently slsa-framework path is the only one supported for ExpectedBuilderPath. if builderOpts.ExpectedID == nil || *builderOpts.ExpectedID == "" { var trustedBuilderRepositoryPath = httpsGithubCom + trustedBuilderRepository + "/.github/workflows/" - if provenanceOpts.ExpectedBuilderID, err = verifyBuilderIDPath(prov, trustedBuilderRepositoryPath); err != nil { + if provenanceOpts.ExpectedBuilderID, err = verifyBuilderIDPathPrefix(prov, trustedBuilderRepositoryPath); err != nil { return err } } else { From 90aa32ae4b51762de23ccfdf150ed286b4218553 Mon Sep 17 00:00:00 2001 From: Noah Elzner <78953604+enteraga6@users.noreply.github.com> Date: Wed, 2 Aug 2023 10:50:12 -0700 Subject: [PATCH 16/38] nit: pass in only expectedID instead of entire builderOpts Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> --- verifiers/internal/gha/provenance.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index b961dbb93..36269e0f7 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go @@ -309,7 +309,7 @@ func isValidDelegatorBuilderID(prov iface.Provenance) error { // VerifyProvenance verifies the provenance for the given DSSE envelope. func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts, trustedBuilderID *utils.TrustedBuilderID, byob bool, - builderOpts *options.BuilderOpts) error { + expectedID *string) error { prov, err := slsaprovenance.ProvenanceFromEnvelope(trustedBuilderID.Name(), env) if err != nil { return err @@ -328,13 +328,13 @@ func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceO // Example: the expectedBuilderID will default to the delegator builder ID for BYOB. // This can verify actual BYOB builderIDPath against the trusted builderIDPath inputted, // Currently slsa-framework path is the only one supported for ExpectedBuilderPath. - if builderOpts.ExpectedID == nil || *builderOpts.ExpectedID == "" { + if expectedID == nil || *expectedID == "" { var trustedBuilderRepositoryPath = httpsGithubCom + trustedBuilderRepository + "/.github/workflows/" if provenanceOpts.ExpectedBuilderID, err = verifyBuilderIDPathPrefix(prov, trustedBuilderRepositoryPath); err != nil { return err } } else { - provenanceOpts.ExpectedBuilderID = *builderOpts.ExpectedID + provenanceOpts.ExpectedBuilderID = *expectedID } // Note: `provenanceOpts.ExpectedBuilderID` is provided by the user From 2301adeeab2536fa3c3ad3a17616856d6c0d161d Mon Sep 17 00:00:00 2001 From: Noah Elzner <78953604+enteraga6@users.noreply.github.com> Date: Wed, 2 Aug 2023 10:52:32 -0700 Subject: [PATCH 17/38] nit: only pass in builderOpts.ExpectedID Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> --- verifiers/internal/gha/verifier.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go index 85c131a4b..a303b18b1 100644 --- a/verifiers/internal/gha/verifier.go +++ b/verifiers/internal/gha/verifier.go @@ -72,7 +72,7 @@ func verifyEnvAndCert(env *dsse.Envelope, // is a delegator builder, the user MUST provide an expected builder ID // and we MUST match it against the content of the provenance. - if err := VerifyProvenance(env, provenanceOpts, verifiedBuilderID, byob, builderOpts); err != nil { + if err := VerifyProvenance(env, provenanceOpts, verifiedBuilderID, byob, builderOpts.ExpectedID); err != nil { return nil, nil, err } From 996892d77fe9d6fd0d2004f004c4a946b8810d83 Mon Sep 17 00:00:00 2001 From: Noah Elzner <78953604+enteraga6@users.noreply.github.com> Date: Wed, 2 Aug 2023 10:59:40 -0700 Subject: [PATCH 18/38] nit: fix off comment Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> --- verifiers/internal/gha/provenance.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index 36269e0f7..5468b8622 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go @@ -322,8 +322,8 @@ func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceO } // If ExpectedID is empty, check to see if it is a trusted builder. - // If empty and trusted builder, populate with path from provenance, - // otherwise, populate from user input. + // If empty, then a trusted builder is expected, to populate provenanceOpts.ExpectedBuilderID + // with that builder, otherwise, populate from user input. // // Example: the expectedBuilderID will default to the delegator builder ID for BYOB. // This can verify actual BYOB builderIDPath against the trusted builderIDPath inputted, From 217f027ba705025f52539273a47a93c33e1631f6 Mon Sep 17 00:00:00 2001 From: Noah Elzner <78953604+enteraga6@users.noreply.github.com> Date: Wed, 2 Aug 2023 11:03:35 -0700 Subject: [PATCH 19/38] nit: inputted Co-authored-by: Ian Lewis Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> --- verifiers/internal/gha/provenance.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index 5468b8622..12e572ab9 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go @@ -326,7 +326,7 @@ func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceO // with that builder, otherwise, populate from user input. // // Example: the expectedBuilderID will default to the delegator builder ID for BYOB. - // This can verify actual BYOB builderIDPath against the trusted builderIDPath inputted, + // This can verify the actual BYOB builderIDPath against the trusted builderIDPath provided. // Currently slsa-framework path is the only one supported for ExpectedBuilderPath. if expectedID == nil || *expectedID == "" { var trustedBuilderRepositoryPath = httpsGithubCom + trustedBuilderRepository + "/.github/workflows/" From 78e971e8496ff1ea16ad69b5a4b106847db04969 Mon Sep 17 00:00:00 2001 From: Noah Elzner <78953604+enteraga6@users.noreply.github.com> Date: Wed, 2 Aug 2023 11:05:07 -0700 Subject: [PATCH 20/38] nit: inputted Co-authored-by: Ian Lewis Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> --- options/options.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/options/options.go b/options/options.go index 5cb9ba9d9..c1c3946c2 100644 --- a/options/options.go +++ b/options/options.go @@ -32,7 +32,6 @@ type ProvenanceOpts struct { // BuildOpts are the options for checking the builder. type BuilderOpts struct { - // ExpectedID is the expected builder ID that is inputted - // at the command line by the user to be verified. + // ExpectedID is the expected builder ID that is provided by the user. ExpectedID *string } From c214062235786fd1c3671b802b1453f0e587257f Mon Sep 17 00:00:00 2001 From: Noah Elzner <78953604+enteraga6@users.noreply.github.com> Date: Wed, 2 Aug 2023 11:05:42 -0700 Subject: [PATCH 21/38] nit: note --> NOTE Co-authored-by: Ian Lewis Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> --- verifiers/internal/gha/provenance.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index 12e572ab9..46356994c 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go @@ -337,7 +337,7 @@ func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceO provenanceOpts.ExpectedBuilderID = *expectedID } - // Note: `provenanceOpts.ExpectedBuilderID` is provided by the user + // NOTE: `provenanceOpts.ExpectedBuilderID` is provided by the user // or from return of verifyBuilderIDPath. if err := verifyBuilderIDLooseMatch(prov, provenanceOpts.ExpectedBuilderID); err != nil { return err From dc80287fee2616d470da4530199debc9712ab152 Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Wed, 2 Aug 2023 18:14:56 +0000 Subject: [PATCH 22/38] style: remove else block Signed-off-by: Noah Elzner --- verifiers/internal/gha/builder.go | 46 +++++++++++++++---------------- 1 file changed, 22 insertions(+), 24 deletions(-) diff --git a/verifiers/internal/gha/builder.go b/verifiers/internal/gha/builder.go index 4a7284f56..8314f47ea 100644 --- a/verifiers/internal/gha/builder.go +++ b/verifiers/internal/gha/builder.go @@ -124,33 +124,31 @@ func verifyTrustedBuilderID(certBuilderID, certTag string, expectedBuilderID *st // // This return of the delegator builderID enables non-compulsory // builderID feature for BYOB builders by setting byob flag to true. - if isTrustedDelegatorBuilder(trustedBuilderID, defaultTrustedBuilders) { - return trustedBuilderID, true, nil - } + return trustedBuilderID, isTrustedDelegatorBuilder(trustedBuilderID, defaultTrustedBuilders), nil - } else { - // Verify the builderID. - // We only accept IDs on github.com. - trustedBuilderID, err = utils.TrustedBuilderIDNew(certBuilderID+"@"+certTag, true) - if err != nil { - return nil, false, err - } + } - // Check if: - // - the builder in the cert is a BYOB builder - // - the caller trusts the BYOB builder - // If both are true, we don't match the user-provided builder ID - // against the certificate. Instead that will be done by the caller. - if isTrustedDelegatorBuilder(trustedBuilderID, defaultTrustedBuilders) { - return trustedBuilderID, true, nil - } + // Verify the builderID. + // We only accept IDs on github.com. + trustedBuilderID, err = utils.TrustedBuilderIDNew(certBuilderID+"@"+certTag, true) + if err != nil { + return nil, false, err + } - // Not a BYOB builder. BuilderID provided by user should match the certificate. - // Note: the certificate builderID has the form `name@refs/tags/v1.2.3`, - // so we pass `allowRef = true`. - if err := trustedBuilderID.MatchesLoose(*expectedBuilderID, true); err != nil { - return nil, false, fmt.Errorf("%w: %v", serrors.ErrorUntrustedReusableWorkflow, err) - } + // Check if: + // - the builder in the cert is a BYOB builder + // - the caller trusts the BYOB builder + // If both are true, we don't match the user-provided builder ID + // against the certificate. Instead that will be done by the caller. + if isTrustedDelegatorBuilder(trustedBuilderID, defaultTrustedBuilders) { + return trustedBuilderID, true, nil + } + + // Not a BYOB builder. BuilderID provided by user should match the certificate. + // Note: the certificate builderID has the form `name@refs/tags/v1.2.3`, + // so we pass `allowRef = true`. + if err := trustedBuilderID.MatchesLoose(*expectedBuilderID, true); err != nil { + return nil, false, fmt.Errorf("%w: %v", serrors.ErrorUntrustedReusableWorkflow, err) } return trustedBuilderID, false, nil From 5245b53b00503f091d56b34fbcd260157fa0cb37 Mon Sep 17 00:00:00 2001 From: Noah Elzner <78953604+enteraga6@users.noreply.github.com> Date: Wed, 2 Aug 2023 11:24:42 -0700 Subject: [PATCH 23/38] nit: un-needed usage case for --builder-id Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> --- verifiers/internal/gha/provenance.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index 46356994c..f432e36cc 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go @@ -321,14 +321,14 @@ func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceO return err } - // If ExpectedID is empty, check to see if it is a trusted builder. - // If empty, then a trusted builder is expected, to populate provenanceOpts.ExpectedBuilderID + // If ExpectedID is not provided, check to see if it is a trusted builder. + // If not provided, then a trusted builder is expected, to populate provenanceOpts.ExpectedBuilderID // with that builder, otherwise, populate from user input. // // Example: the expectedBuilderID will default to the delegator builder ID for BYOB. // This can verify the actual BYOB builderIDPath against the trusted builderIDPath provided. // Currently slsa-framework path is the only one supported for ExpectedBuilderPath. - if expectedID == nil || *expectedID == "" { + if expectedID == nil { var trustedBuilderRepositoryPath = httpsGithubCom + trustedBuilderRepository + "/.github/workflows/" if provenanceOpts.ExpectedBuilderID, err = verifyBuilderIDPathPrefix(prov, trustedBuilderRepositoryPath); err != nil { return err From d03a11eef5f8f616197623c5ff6c7be1dc7c2bca Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Mon, 7 Aug 2023 19:05:50 +0000 Subject: [PATCH 24/38] trusted builder test case added Signed-off-by: Noah Elzner --- verifiers/internal/gha/provenance_test.go | 59 +++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/verifiers/internal/gha/provenance_test.go b/verifiers/internal/gha/provenance_test.go index bdbe2d395..8a30d643e 100644 --- a/verifiers/internal/gha/provenance_test.go +++ b/verifiers/internal/gha/provenance_test.go @@ -9,6 +9,9 @@ import ( slsacommon "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common" slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2" slsa1 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1" + dsselib "github.com/secure-systems-lab/go-securesystemslib/dsse" + "github.com/slsa-framework/slsa-verifier/v2/options" + "github.com/slsa-framework/slsa-verifier/v2/verifiers/utils" serrors "github.com/slsa-framework/slsa-verifier/v2/errors" "github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance/common" @@ -1182,3 +1185,59 @@ func Test_VerifyVersionedTag(t *testing.T) { }) } } + +func Test_VerifyProvenance(t *testing.T) { + t.Parallel() + tests := []struct { + name string + env *dsselib.Envelope + provenanceOpts *options.ProvenanceOpts + trustedBuilderIDName string + byob bool + expectedID *string + expected error + }{ + { + name: "Verify Trusted (slsa-github-generator) Bazel Builder (enteraga6 fork)", + env: &dsselib.Envelope{ + PayloadType: "application/vnd.in-toto+json", + Payload: "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJmaWIiLCJkaWdlc3QiOnsic2hhMjU2IjoiY2FhYWRiYTI4NDY5MDVhYzQ3N2M3NzdlOTZhNjM2ZTFjMmUwNjdmZGY2ZmVkOTBlYzllZWNhNGRmMThkNmVkOSJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjEiLCJwcmVkaWNhdGUiOnsiYnVpbGREZWZpbml0aW9uIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1ld29yay9zbHNhLWdpdGh1Yi1nZW5lcmF0b3IvZGVsZWdhdG9yLWdlbmVyaWNAdjAiLCJleHRlcm5hbFBhcmFtZXRlcnMiOnsiaW5wdXRzIjp7InJla29yLWxvZy1wdWJsaWMiOmZhbHNlLCJ0YXJnZXRzIjoiLy9zcmM6ZmliIiwiZmxhZ3MiOiIiLCJuZWVkcy1ydW5maWxlcyI6ZmFsc2UsImluY2x1ZGVzLWphdmEiOmZhbHNlLCJ1c2VyLWphdmEtZGlzdHJpYnV0aW9uIjoib3JhY2xlIiwidXNlci1qYXZhLXZlcnNpb24iOiIxNyJ9LCJ2YXJzIjp7fX0sImludGVybmFsUGFyYW1ldGVycyI6eyJHSVRIVUJfQUNUT1JfSUQiOiI3ODk1MzYwNCIsIkdJVEhVQl9FVkVOVF9OQU1FIjoid29ya2Zsb3dfZGlzcGF0Y2giLCJHSVRIVUJfQkFTRV9SRUYiOiIiLCJHSVRIVUJfUkVGIjoicmVmcy9oZWFkcy9tYWluIiwiR0lUSFVCX1JFRl9UWVBFIjoiYnJhbmNoIiwiR0lUSFVCX1JFUE9TSVRPUlkiOiJlbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUiLCJHSVRIVUJfUkVQT1NJVE9SWV9JRCI6IjY0MjU3OTUxMSIsIkdJVEhVQl9SRVBPU0lUT1JZX09XTkVSX0lEIjoiNzg5NTM2MDQiLCJHSVRIVUJfUlVOX0FUVEVNUFQiOiIxIiwiR0lUSFVCX1JVTl9JRCI6IjU3ODgzNDIzODEiLCJHSVRIVUJfUlVOX05VTUJFUiI6IjEiLCJHSVRIVUJfU0hBIjoiYWI5YTQ1OGY2NTk4MjYyNWRkODM4ODQ0MjNmYTQ1OWEyMjY0ZTQyOSIsIkdJVEhVQl9UUklHR0VSSU5HX0FDVE9SX0lEIjoiNzg5NTM2MDQiLCJHSVRIVUJfV09SS0ZMT1dfUkVGIjoiZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlLy5naXRodWIvd29ya2Zsb3dzL3Rlc3QtdmVyaWZpZXIueWFtbEByZWZzL2hlYWRzL21haW4iLCJHSVRIVUJfV09SS0ZMT1dfU0hBIjoiYWI5YTQ1OGY2NTk4MjYyNWRkODM4ODQ0MjNmYTQ1OWEyMjY0ZTQyOSIsIkdJVEhVQl9FVkVOVF9QQVlMT0FEIjp7ImlucHV0cyI6bnVsbCwicmVmIjoicmVmcy9oZWFkcy9tYWluIiwicmVwb3NpdG9yeSI6eyJhbGxvd19mb3JraW5nIjp0cnVlLCJhcmNoaXZlX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3thcmNoaXZlX2Zvcm1hdH17L3JlZn0iLCJhcmNoaXZlZCI6ZmFsc2UsImFzc2lnbmVlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9hc3NpZ25lZXN7L3VzZXJ9IiwiYmxvYnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvZ2l0L2Jsb2Jzey9zaGF9IiwiYnJhbmNoZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvYnJhbmNoZXN7L2JyYW5jaH0iLCJjbG9uZV91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlLmdpdCIsImNvbGxhYm9yYXRvcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvY29sbGFib3JhdG9yc3svY29sbGFib3JhdG9yfSIsImNvbW1lbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2NvbW1lbnRzey9udW1iZXJ9IiwiY29tbWl0c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9jb21taXRzey9zaGF9IiwiY29tcGFyZV91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9jb21wYXJlL3tiYXNlfS4uLntoZWFkfSIsImNvbnRlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2NvbnRlbnRzL3srcGF0aH0iLCJjb250cmlidXRvcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvY29udHJpYnV0b3JzIiwiY3JlYXRlZF9hdCI6IjIwMjMtMDUtMThUMjI6MzE6MTNaIiwiZGVmYXVsdF9icmFuY2giOiJtYWluIiwiZGVwbG95bWVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvZGVwbG95bWVudHMiLCJkZXNjcmlwdGlvbiI6IlRlc3RpbmcgZ2VuZXJpYyBwcm92ZW5hbmNlIHdpdGggQmF6ZWwgZm9yIFNMU0EgTGV2ZWwgMy4iLCJkaXNhYmxlZCI6ZmFsc2UsImRvd25sb2Fkc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9kb3dubG9hZHMiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvZXZlbnRzIiwiZm9yayI6dHJ1ZSwiZm9ya3MiOjAsImZvcmtzX2NvdW50IjowLCJmb3Jrc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9mb3JrcyIsImZ1bGxfbmFtZSI6ImVudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZSIsImdpdF9jb21taXRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2dpdC9jb21taXRzey9zaGF9IiwiZ2l0X3JlZnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvZ2l0L3JlZnN7L3NoYX0iLCJnaXRfdGFnc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9naXQvdGFnc3svc2hhfSIsImdpdF91cmwiOiJnaXQ6Ly9naXRodWIuY29tL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS5naXQiLCJoYXNfZGlzY3Vzc2lvbnMiOmZhbHNlLCJoYXNfZG93bmxvYWRzIjp0cnVlLCJoYXNfaXNzdWVzIjpmYWxzZSwiaGFzX3BhZ2VzIjpmYWxzZSwiaGFzX3Byb2plY3RzIjp0cnVlLCJoYXNfd2lraSI6dHJ1ZSwiaG9tZXBhZ2UiOiIiLCJob29rc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9ob29rcyIsImh0bWxfdXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZSIsImlkIjo2NDI1Nzk1MTEsImlzX3RlbXBsYXRlIjpmYWxzZSwiaXNzdWVfY29tbWVudF91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9pc3N1ZXMvY29tbWVudHN7L251bWJlcn0iLCJpc3N1ZV9ldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvaXNzdWVzL2V2ZW50c3svbnVtYmVyfSIsImlzc3Vlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9pc3N1ZXN7L251bWJlcn0iLCJrZXlzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2tleXN7L2tleV9pZH0iLCJsYWJlbHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvbGFiZWxzey9uYW1lfSIsImxhbmd1YWdlIjoiQysrIiwibGFuZ3VhZ2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2xhbmd1YWdlcyIsImxpY2Vuc2UiOnsia2V5IjoibWl0IiwibmFtZSI6Ik1JVCBMaWNlbnNlIiwibm9kZV9pZCI6Ik1EYzZUR2xqWlc1elpURXoiLCJzcGR4X2lkIjoiTUlUIiwidXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9saWNlbnNlcy9taXQifSwibWVyZ2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL21lcmdlcyIsIm1pbGVzdG9uZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvbWlsZXN0b25lc3svbnVtYmVyfSIsIm1pcnJvcl91cmwiOm51bGwsIm5hbWUiOiJzbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZSIsIm5vZGVfaWQiOiJSX2tnRE9Ka3o4TnciLCJub3RpZmljYXRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL25vdGlmaWNhdGlvbnN7P3NpbmNlLGFsbCxwYXJ0aWNpcGF0aW5nfSIsIm9wZW5faXNzdWVzIjowLCJvcGVuX2lzc3Vlc19jb3VudCI6MCwib3duZXIiOnsiYXZhdGFyX3VybCI6Imh0dHBzOi8vYXZhdGFycy5naXRodWJ1c2VyY29udGVudC5jb20vdS83ODk1MzYwND92PTQiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZXZlbnRzey9wcml2YWN5fSIsImZvbGxvd2Vyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9mb2xsb3dlcnMiLCJmb2xsb3dpbmdfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZm9sbG93aW5ney9vdGhlcl91c2VyfSIsImdpc3RzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L2dpc3Rzey9naXN0X2lkfSIsImdyYXZhdGFyX2lkIjoiIiwiaHRtbF91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2IiwiaWQiOjc4OTUzNjA0LCJsb2dpbiI6ImVudGVyYWdhNiIsIm5vZGVfaWQiOiJNRFE2VlhObGNqYzRPVFV6TmpBMCIsIm9yZ2FuaXphdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvb3JncyIsInJlY2VpdmVkX2V2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9yZWNlaXZlZF9ldmVudHMiLCJyZXBvc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9yZXBvcyIsInNpdGVfYWRtaW4iOmZhbHNlLCJzdGFycmVkX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3N0YXJyZWR7L293bmVyfXsvcmVwb30iLCJzdWJzY3JpcHRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3N1YnNjcmlwdGlvbnMiLCJ0eXBlIjoiVXNlciIsInVybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2In0sInByaXZhdGUiOmZhbHNlLCJwdWxsc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9wdWxsc3svbnVtYmVyfSIsInB1c2hlZF9hdCI6IjIwMjMtMDgtMDdUMTc6NTY6MjlaIiwicmVsZWFzZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvcmVsZWFzZXN7L2lkfSIsInNpemUiOjExMSwic3NoX3VybCI6ImdpdEBnaXRodWIuY29tOmVudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS5naXQiLCJzdGFyZ2F6ZXJzX2NvdW50IjowLCJzdGFyZ2F6ZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3N0YXJnYXplcnMiLCJzdGF0dXNlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9zdGF0dXNlcy97c2hhfSIsInN1YnNjcmliZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3N1YnNjcmliZXJzIiwic3Vic2NyaXB0aW9uX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3N1YnNjcmlwdGlvbiIsInN2bl91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlIiwidGFnc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS90YWdzIiwidGVhbXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvdGVhbXMiLCJ0b3BpY3MiOltdLCJ0cmVlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9naXQvdHJlZXN7L3NoYX0iLCJ1cGRhdGVkX2F0IjoiMjAyMy0wNS0xOVQwMToxOTozOVoiLCJ1cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZSIsInZpc2liaWxpdHkiOiJwdWJsaWMiLCJ3YXRjaGVycyI6MCwid2F0Y2hlcnNfY291bnQiOjAsIndlYl9jb21taXRfc2lnbm9mZl9yZXF1aXJlZCI6ZmFsc2V9LCJzZW5kZXIiOnsiYXZhdGFyX3VybCI6Imh0dHBzOi8vYXZhdGFycy5naXRodWJ1c2VyY29udGVudC5jb20vdS83ODk1MzYwND92PTQiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZXZlbnRzey9wcml2YWN5fSIsImZvbGxvd2Vyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9mb2xsb3dlcnMiLCJmb2xsb3dpbmdfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZm9sbG93aW5ney9vdGhlcl91c2VyfSIsImdpc3RzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L2dpc3Rzey9naXN0X2lkfSIsImdyYXZhdGFyX2lkIjoiIiwiaHRtbF91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2IiwiaWQiOjc4OTUzNjA0LCJsb2dpbiI6ImVudGVyYWdhNiIsIm5vZGVfaWQiOiJNRFE2VlhObGNqYzRPVFV6TmpBMCIsIm9yZ2FuaXphdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvb3JncyIsInJlY2VpdmVkX2V2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9yZWNlaXZlZF9ldmVudHMiLCJyZXBvc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9yZXBvcyIsInNpdGVfYWRtaW4iOmZhbHNlLCJzdGFycmVkX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3N0YXJyZWR7L293bmVyfXsvcmVwb30iLCJzdWJzY3JpcHRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3N1YnNjcmlwdGlvbnMiLCJ0eXBlIjoiVXNlciIsInVybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2In0sIndvcmtmbG93IjoiLmdpdGh1Yi93b3JrZmxvd3MvdGVzdC12ZXJpZmllci55YW1sIn19LCJyZXNvbHZlZERlcGVuZGVuY2llcyI6W3sidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGVAcmVmcy9oZWFkcy9tYWluIiwiZGlnZXN0Ijp7ImdpdENvbW1pdCI6ImFiOWE0NThmNjU5ODI2MjVkZDgzODg0NDIzZmE0NTlhMjI2NGU0MjkifX1dfSwicnVuRGV0YWlscyI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9naXRodWIuY29tL3Nsc2EtZnJhbWV3b3JrL3Nsc2EtZ2l0aHViLWdlbmVyYXRvci8uZ2l0aHViL3dvcmtmbG93cy9idWlsZGVyX2JhemVsX3Nsc2EzLnltbEByZWZzL3RhZ3MvdjEuOC4wIn0sIm1ldGFkYXRhIjp7Imludm9jYXRpb25JZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvYWN0aW9ucy9ydW5zLzU3ODgzNDIzODEvYXR0ZW1wdHMvMSJ9fX19", + Signatures: []dsselib.Signature{ + { + Sig: "MEYCIQCNUV+hEskMPRhBHiYl6F8r8Uvg6Vmyhd7p+yq3mlMujgIhAOYsaMjJqVXnslgvRNThMwpyN0QD6LOiqKjHcitj+NRU", + KeyID: "", + }, + }, + }, + provenanceOpts: &options.ProvenanceOpts{ + ExpectedBranch: nil, + ExpectedTag: nil, + ExpectedVersionedTag: nil, + ExpectedDigest: "caaadba2846905ac477c777e96a636e1c2e067fdf6fed90ec9eeca4df18d6ed9", + ExpectedSourceURI: "github.com/enteraga6/slsa-lvl3-generic-provenance-with-bazel-example", + ExpectedBuilderID: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@refs/tags/v1.8.0", + ExpectedWorkflowInputs: map[string]string{}, + }, + byob: true, + + trustedBuilderIDName: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@refs/tags/v1.8.0", + + expectedID: nil, + }, + } + for _, tt := range tests { + tt := tt // Re-initializing variable so it is not changed while executing the closure below + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + trustedBuilderID, tErr := utils.TrustedBuilderIDNew(tt.trustedBuilderIDName, true) + if tErr != nil { + t.Errorf("Provenance Verification FAILED. Error: %v", tErr) + } + + err := VerifyProvenance(tt.env, tt.provenanceOpts, trustedBuilderID, tt.byob, tt.expectedID) + if err != nil { + t.Errorf("Provenance Verification FAILED. Error: %v", err) + } + }) + } +} From 0118feabaafb5b4b8361954cf5fd8ea44ef64f9e Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Mon, 7 Aug 2023 19:37:17 +0000 Subject: [PATCH 25/38] Added test case for untrusted builder Signed-off-by: Noah Elzner --- options/options.go | 5 +- verifiers/internal/gha/provenance_test.go | 58 ++++++++++++++++++++++- 2 files changed, 59 insertions(+), 4 deletions(-) diff --git a/options/options.go b/options/options.go index c1c3946c2..11ef9fb4a 100644 --- a/options/options.go +++ b/options/options.go @@ -18,8 +18,7 @@ type ProvenanceOpts struct { // ExpectedSourceURI is the expected source URI in the provenance. ExpectedSourceURI string - // ExpectedBuilderID is the expected builder ID that is parsed from the envelope - // of the provenance. + // ExpectedBuilderID is the expected builder ID that is passed from user and verified ExpectedBuilderID string // ExpectedWorkflowInputs is a map of key=value inputs. @@ -32,6 +31,6 @@ type ProvenanceOpts struct { // BuildOpts are the options for checking the builder. type BuilderOpts struct { - // ExpectedID is the expected builder ID that is provided by the user. + // ExpectedBuilderID is the builderID passed in from the user to be verified ExpectedID *string } diff --git a/verifiers/internal/gha/provenance_test.go b/verifiers/internal/gha/provenance_test.go index 8a30d643e..51e038e53 100644 --- a/verifiers/internal/gha/provenance_test.go +++ b/verifiers/internal/gha/provenance_test.go @@ -1198,7 +1198,7 @@ func Test_VerifyProvenance(t *testing.T) { expected error }{ { - name: "Verify Trusted (slsa-github-generator) Bazel Builder (enteraga6 fork)", + name: "Verify Trusted (slsa-github-generator) Bazel Builder (v1.8.0", env: &dsselib.Envelope{ PayloadType: "application/vnd.in-toto+json", Payload: "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJmaWIiLCJkaWdlc3QiOnsic2hhMjU2IjoiY2FhYWRiYTI4NDY5MDVhYzQ3N2M3NzdlOTZhNjM2ZTFjMmUwNjdmZGY2ZmVkOTBlYzllZWNhNGRmMThkNmVkOSJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjEiLCJwcmVkaWNhdGUiOnsiYnVpbGREZWZpbml0aW9uIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1ld29yay9zbHNhLWdpdGh1Yi1nZW5lcmF0b3IvZGVsZWdhdG9yLWdlbmVyaWNAdjAiLCJleHRlcm5hbFBhcmFtZXRlcnMiOnsiaW5wdXRzIjp7InJla29yLWxvZy1wdWJsaWMiOmZhbHNlLCJ0YXJnZXRzIjoiLy9zcmM6ZmliIiwiZmxhZ3MiOiIiLCJuZWVkcy1ydW5maWxlcyI6ZmFsc2UsImluY2x1ZGVzLWphdmEiOmZhbHNlLCJ1c2VyLWphdmEtZGlzdHJpYnV0aW9uIjoib3JhY2xlIiwidXNlci1qYXZhLXZlcnNpb24iOiIxNyJ9LCJ2YXJzIjp7fX0sImludGVybmFsUGFyYW1ldGVycyI6eyJHSVRIVUJfQUNUT1JfSUQiOiI3ODk1MzYwNCIsIkdJVEhVQl9FVkVOVF9OQU1FIjoid29ya2Zsb3dfZGlzcGF0Y2giLCJHSVRIVUJfQkFTRV9SRUYiOiIiLCJHSVRIVUJfUkVGIjoicmVmcy9oZWFkcy9tYWluIiwiR0lUSFVCX1JFRl9UWVBFIjoiYnJhbmNoIiwiR0lUSFVCX1JFUE9TSVRPUlkiOiJlbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUiLCJHSVRIVUJfUkVQT1NJVE9SWV9JRCI6IjY0MjU3OTUxMSIsIkdJVEhVQl9SRVBPU0lUT1JZX09XTkVSX0lEIjoiNzg5NTM2MDQiLCJHSVRIVUJfUlVOX0FUVEVNUFQiOiIxIiwiR0lUSFVCX1JVTl9JRCI6IjU3ODgzNDIzODEiLCJHSVRIVUJfUlVOX05VTUJFUiI6IjEiLCJHSVRIVUJfU0hBIjoiYWI5YTQ1OGY2NTk4MjYyNWRkODM4ODQ0MjNmYTQ1OWEyMjY0ZTQyOSIsIkdJVEhVQl9UUklHR0VSSU5HX0FDVE9SX0lEIjoiNzg5NTM2MDQiLCJHSVRIVUJfV09SS0ZMT1dfUkVGIjoiZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlLy5naXRodWIvd29ya2Zsb3dzL3Rlc3QtdmVyaWZpZXIueWFtbEByZWZzL2hlYWRzL21haW4iLCJHSVRIVUJfV09SS0ZMT1dfU0hBIjoiYWI5YTQ1OGY2NTk4MjYyNWRkODM4ODQ0MjNmYTQ1OWEyMjY0ZTQyOSIsIkdJVEhVQl9FVkVOVF9QQVlMT0FEIjp7ImlucHV0cyI6bnVsbCwicmVmIjoicmVmcy9oZWFkcy9tYWluIiwicmVwb3NpdG9yeSI6eyJhbGxvd19mb3JraW5nIjp0cnVlLCJhcmNoaXZlX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3thcmNoaXZlX2Zvcm1hdH17L3JlZn0iLCJhcmNoaXZlZCI6ZmFsc2UsImFzc2lnbmVlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9hc3NpZ25lZXN7L3VzZXJ9IiwiYmxvYnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvZ2l0L2Jsb2Jzey9zaGF9IiwiYnJhbmNoZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvYnJhbmNoZXN7L2JyYW5jaH0iLCJjbG9uZV91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlLmdpdCIsImNvbGxhYm9yYXRvcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvY29sbGFib3JhdG9yc3svY29sbGFib3JhdG9yfSIsImNvbW1lbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2NvbW1lbnRzey9udW1iZXJ9IiwiY29tbWl0c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9jb21taXRzey9zaGF9IiwiY29tcGFyZV91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9jb21wYXJlL3tiYXNlfS4uLntoZWFkfSIsImNvbnRlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2NvbnRlbnRzL3srcGF0aH0iLCJjb250cmlidXRvcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvY29udHJpYnV0b3JzIiwiY3JlYXRlZF9hdCI6IjIwMjMtMDUtMThUMjI6MzE6MTNaIiwiZGVmYXVsdF9icmFuY2giOiJtYWluIiwiZGVwbG95bWVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvZGVwbG95bWVudHMiLCJkZXNjcmlwdGlvbiI6IlRlc3RpbmcgZ2VuZXJpYyBwcm92ZW5hbmNlIHdpdGggQmF6ZWwgZm9yIFNMU0EgTGV2ZWwgMy4iLCJkaXNhYmxlZCI6ZmFsc2UsImRvd25sb2Fkc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9kb3dubG9hZHMiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvZXZlbnRzIiwiZm9yayI6dHJ1ZSwiZm9ya3MiOjAsImZvcmtzX2NvdW50IjowLCJmb3Jrc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9mb3JrcyIsImZ1bGxfbmFtZSI6ImVudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZSIsImdpdF9jb21taXRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2dpdC9jb21taXRzey9zaGF9IiwiZ2l0X3JlZnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvZ2l0L3JlZnN7L3NoYX0iLCJnaXRfdGFnc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9naXQvdGFnc3svc2hhfSIsImdpdF91cmwiOiJnaXQ6Ly9naXRodWIuY29tL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS5naXQiLCJoYXNfZGlzY3Vzc2lvbnMiOmZhbHNlLCJoYXNfZG93bmxvYWRzIjp0cnVlLCJoYXNfaXNzdWVzIjpmYWxzZSwiaGFzX3BhZ2VzIjpmYWxzZSwiaGFzX3Byb2plY3RzIjp0cnVlLCJoYXNfd2lraSI6dHJ1ZSwiaG9tZXBhZ2UiOiIiLCJob29rc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9ob29rcyIsImh0bWxfdXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZSIsImlkIjo2NDI1Nzk1MTEsImlzX3RlbXBsYXRlIjpmYWxzZSwiaXNzdWVfY29tbWVudF91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9pc3N1ZXMvY29tbWVudHN7L251bWJlcn0iLCJpc3N1ZV9ldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvaXNzdWVzL2V2ZW50c3svbnVtYmVyfSIsImlzc3Vlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9pc3N1ZXN7L251bWJlcn0iLCJrZXlzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2tleXN7L2tleV9pZH0iLCJsYWJlbHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvbGFiZWxzey9uYW1lfSIsImxhbmd1YWdlIjoiQysrIiwibGFuZ3VhZ2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2xhbmd1YWdlcyIsImxpY2Vuc2UiOnsia2V5IjoibWl0IiwibmFtZSI6Ik1JVCBMaWNlbnNlIiwibm9kZV9pZCI6Ik1EYzZUR2xqWlc1elpURXoiLCJzcGR4X2lkIjoiTUlUIiwidXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9saWNlbnNlcy9taXQifSwibWVyZ2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL21lcmdlcyIsIm1pbGVzdG9uZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvbWlsZXN0b25lc3svbnVtYmVyfSIsIm1pcnJvcl91cmwiOm51bGwsIm5hbWUiOiJzbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZSIsIm5vZGVfaWQiOiJSX2tnRE9Ka3o4TnciLCJub3RpZmljYXRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL25vdGlmaWNhdGlvbnN7P3NpbmNlLGFsbCxwYXJ0aWNpcGF0aW5nfSIsIm9wZW5faXNzdWVzIjowLCJvcGVuX2lzc3Vlc19jb3VudCI6MCwib3duZXIiOnsiYXZhdGFyX3VybCI6Imh0dHBzOi8vYXZhdGFycy5naXRodWJ1c2VyY29udGVudC5jb20vdS83ODk1MzYwND92PTQiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZXZlbnRzey9wcml2YWN5fSIsImZvbGxvd2Vyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9mb2xsb3dlcnMiLCJmb2xsb3dpbmdfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZm9sbG93aW5ney9vdGhlcl91c2VyfSIsImdpc3RzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L2dpc3Rzey9naXN0X2lkfSIsImdyYXZhdGFyX2lkIjoiIiwiaHRtbF91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2IiwiaWQiOjc4OTUzNjA0LCJsb2dpbiI6ImVudGVyYWdhNiIsIm5vZGVfaWQiOiJNRFE2VlhObGNqYzRPVFV6TmpBMCIsIm9yZ2FuaXphdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvb3JncyIsInJlY2VpdmVkX2V2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9yZWNlaXZlZF9ldmVudHMiLCJyZXBvc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9yZXBvcyIsInNpdGVfYWRtaW4iOmZhbHNlLCJzdGFycmVkX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3N0YXJyZWR7L293bmVyfXsvcmVwb30iLCJzdWJzY3JpcHRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3N1YnNjcmlwdGlvbnMiLCJ0eXBlIjoiVXNlciIsInVybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2In0sInByaXZhdGUiOmZhbHNlLCJwdWxsc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9wdWxsc3svbnVtYmVyfSIsInB1c2hlZF9hdCI6IjIwMjMtMDgtMDdUMTc6NTY6MjlaIiwicmVsZWFzZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvcmVsZWFzZXN7L2lkfSIsInNpemUiOjExMSwic3NoX3VybCI6ImdpdEBnaXRodWIuY29tOmVudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS5naXQiLCJzdGFyZ2F6ZXJzX2NvdW50IjowLCJzdGFyZ2F6ZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3N0YXJnYXplcnMiLCJzdGF0dXNlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9zdGF0dXNlcy97c2hhfSIsInN1YnNjcmliZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3N1YnNjcmliZXJzIiwic3Vic2NyaXB0aW9uX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3N1YnNjcmlwdGlvbiIsInN2bl91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlIiwidGFnc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS90YWdzIiwidGVhbXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvdGVhbXMiLCJ0b3BpY3MiOltdLCJ0cmVlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9naXQvdHJlZXN7L3NoYX0iLCJ1cGRhdGVkX2F0IjoiMjAyMy0wNS0xOVQwMToxOTozOVoiLCJ1cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZSIsInZpc2liaWxpdHkiOiJwdWJsaWMiLCJ3YXRjaGVycyI6MCwid2F0Y2hlcnNfY291bnQiOjAsIndlYl9jb21taXRfc2lnbm9mZl9yZXF1aXJlZCI6ZmFsc2V9LCJzZW5kZXIiOnsiYXZhdGFyX3VybCI6Imh0dHBzOi8vYXZhdGFycy5naXRodWJ1c2VyY29udGVudC5jb20vdS83ODk1MzYwND92PTQiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZXZlbnRzey9wcml2YWN5fSIsImZvbGxvd2Vyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9mb2xsb3dlcnMiLCJmb2xsb3dpbmdfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZm9sbG93aW5ney9vdGhlcl91c2VyfSIsImdpc3RzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L2dpc3Rzey9naXN0X2lkfSIsImdyYXZhdGFyX2lkIjoiIiwiaHRtbF91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2IiwiaWQiOjc4OTUzNjA0LCJsb2dpbiI6ImVudGVyYWdhNiIsIm5vZGVfaWQiOiJNRFE2VlhObGNqYzRPVFV6TmpBMCIsIm9yZ2FuaXphdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvb3JncyIsInJlY2VpdmVkX2V2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9yZWNlaXZlZF9ldmVudHMiLCJyZXBvc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9yZXBvcyIsInNpdGVfYWRtaW4iOmZhbHNlLCJzdGFycmVkX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3N0YXJyZWR7L293bmVyfXsvcmVwb30iLCJzdWJzY3JpcHRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3N1YnNjcmlwdGlvbnMiLCJ0eXBlIjoiVXNlciIsInVybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2In0sIndvcmtmbG93IjoiLmdpdGh1Yi93b3JrZmxvd3MvdGVzdC12ZXJpZmllci55YW1sIn19LCJyZXNvbHZlZERlcGVuZGVuY2llcyI6W3sidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGVAcmVmcy9oZWFkcy9tYWluIiwiZGlnZXN0Ijp7ImdpdENvbW1pdCI6ImFiOWE0NThmNjU5ODI2MjVkZDgzODg0NDIzZmE0NTlhMjI2NGU0MjkifX1dfSwicnVuRGV0YWlscyI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9naXRodWIuY29tL3Nsc2EtZnJhbWV3b3JrL3Nsc2EtZ2l0aHViLWdlbmVyYXRvci8uZ2l0aHViL3dvcmtmbG93cy9idWlsZGVyX2JhemVsX3Nsc2EzLnltbEByZWZzL3RhZ3MvdjEuOC4wIn0sIm1ldGFkYXRhIjp7Imludm9jYXRpb25JZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvYWN0aW9ucy9ydW5zLzU3ODgzNDIzODEvYXR0ZW1wdHMvMSJ9fX19", @@ -1241,3 +1241,59 @@ func Test_VerifyProvenance(t *testing.T) { }) } } + +func Test_VerifyProvenance2(t *testing.T) { + t.Parallel() + tests := []struct { + name string + env *dsselib.Envelope + provenanceOpts *options.ProvenanceOpts + trustedBuilderIDName string + byob bool + expectedID *string + expected error + }{ + { + name: "Verify Un-Trusted (slsa-github-generator) Bazel Builder (from enteraga6/slsa-github-generator)", + env: &dsselib.Envelope{ + PayloadType: "application/vnd.in-toto+json", + Payload: "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJmaWIiLCJkaWdlc3QiOnsic2hhMjU2IjoiY2FhYWRiYTI4NDY5MDVhYzQ3N2M3NzdlOTZhNjM2ZTFjMmUwNjdmZGY2ZmVkOTBlYzllZWNhNGRmMThkNmVkOSJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjEiLCJwcmVkaWNhdGUiOnsiYnVpbGREZWZpbml0aW9uIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1ld29yay9zbHNhLWdpdGh1Yi1nZW5lcmF0b3IvZGVsZWdhdG9yLWdlbmVyaWNAdjAiLCJleHRlcm5hbFBhcmFtZXRlcnMiOnsiaW5wdXRzIjp7InJla29yLWxvZy1wdWJsaWMiOmZhbHNlLCJ0YXJnZXRzIjoiLy9zcmM6ZmliIiwiZmxhZ3MiOiIiLCJuZWVkcy1ydW5maWxlcyI6ZmFsc2UsImluY2x1ZGVzLWphdmEiOmZhbHNlLCJ1c2VyLWphdmEtZGlzdHJpYnV0aW9uIjoib3JhY2xlIiwidXNlci1qYXZhLXZlcnNpb24iOiIxNyJ9LCJ2YXJzIjp7fX0sImludGVybmFsUGFyYW1ldGVycyI6eyJHSVRIVUJfQUNUT1JfSUQiOiI3ODk1MzYwNCIsIkdJVEhVQl9FVkVOVF9OQU1FIjoid29ya2Zsb3dfZGlzcGF0Y2giLCJHSVRIVUJfUkVGIjoicmVmcy9oZWFkcy9tYWluIiwiR0lUSFVCX1JFRl9UWVBFIjoiYnJhbmNoIiwiR0lUSFVCX1JFUE9TSVRPUlkiOiJlbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUiLCJHSVRIVUJfUkVQT1NJVE9SWV9JRCI6IjY0MjU3OTUxMSIsIkdJVEhVQl9SRVBPU0lUT1JZX09XTkVSX0lEIjoiNzg5NTM2MDQiLCJHSVRIVUJfUlVOX0FUVEVNUFQiOiIxIiwiR0lUSFVCX1JVTl9JRCI6IjU3ODg5NjM1NDUiLCJHSVRIVUJfUlVOX05VTUJFUiI6IjEiLCJHSVRIVUJfU0hBIjoiZGE2NDA0MDJhMTlhYmZlZTBhMTdiMDg4NmQ0Yjk1NzE5NTVkOTdmYyIsIkdJVEhVQl9UUklHR0VSSU5HX0FDVE9SX0lEIjoiNzg5NTM2MDQiLCJHSVRIVUJfV09SS0ZMT1dfUkVGIjoiZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlLy5naXRodWIvd29ya2Zsb3dzL3Rlc3QtdmVyaWZpZXItMi55YW1sQHJlZnMvaGVhZHMvbWFpbiIsIkdJVEhVQl9XT1JLRkxPV19TSEEiOiJkYTY0MDQwMmExOWFiZmVlMGExN2IwODg2ZDRiOTU3MTk1NWQ5N2ZjIiwiR0lUSFVCX0VWRU5UX1BBWUxPQUQiOnsiaW5wdXRzIjpudWxsLCJyZWYiOiJyZWZzL2hlYWRzL21haW4iLCJyZXBvc2l0b3J5Ijp7ImFsbG93X2ZvcmtpbmciOnRydWUsImFyY2hpdmVfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUve2FyY2hpdmVfZm9ybWF0fXsvcmVmfSIsImFyY2hpdmVkIjpmYWxzZSwiYXNzaWduZWVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2Fzc2lnbmVlc3svdXNlcn0iLCJibG9ic191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9naXQvYmxvYnN7L3NoYX0iLCJicmFuY2hlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9icmFuY2hlc3svYnJhbmNofSIsImNsb25lX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUuZ2l0IiwiY29sbGFib3JhdG9yc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9jb2xsYWJvcmF0b3Jzey9jb2xsYWJvcmF0b3J9IiwiY29tbWVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvY29tbWVudHN7L251bWJlcn0iLCJjb21taXRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2NvbW1pdHN7L3NoYX0iLCJjb21wYXJlX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2NvbXBhcmUve2Jhc2V9Li4ue2hlYWR9IiwiY29udGVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvY29udGVudHMveytwYXRofSIsImNvbnRyaWJ1dG9yc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9jb250cmlidXRvcnMiLCJjcmVhdGVkX2F0IjoiMjAyMy0wNS0xOFQyMjozMToxM1oiLCJkZWZhdWx0X2JyYW5jaCI6Im1haW4iLCJkZXBsb3ltZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9kZXBsb3ltZW50cyIsImRlc2NyaXB0aW9uIjoiVGVzdGluZyBnZW5lcmljIHByb3ZlbmFuY2Ugd2l0aCBCYXplbCBmb3IgU0xTQSBMZXZlbCAzLiIsImRpc2FibGVkIjpmYWxzZSwiZG93bmxvYWRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2Rvd25sb2FkcyIsImV2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9ldmVudHMiLCJmb3JrIjp0cnVlLCJmb3JrcyI6MCwiZm9ya3NfY291bnQiOjAsImZvcmtzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2ZvcmtzIiwiZnVsbF9uYW1lIjoiZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlIiwiZ2l0X2NvbW1pdHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvZ2l0L2NvbW1pdHN7L3NoYX0iLCJnaXRfcmVmc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9naXQvcmVmc3svc2hhfSIsImdpdF90YWdzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2dpdC90YWdzey9zaGF9IiwiZ2l0X3VybCI6ImdpdDovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlLmdpdCIsImhhc19kaXNjdXNzaW9ucyI6ZmFsc2UsImhhc19kb3dubG9hZHMiOnRydWUsImhhc19pc3N1ZXMiOmZhbHNlLCJoYXNfcGFnZXMiOmZhbHNlLCJoYXNfcHJvamVjdHMiOnRydWUsImhhc193aWtpIjp0cnVlLCJob21lcGFnZSI6IiIsImhvb2tzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2hvb2tzIiwiaHRtbF91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlIiwiaWQiOjY0MjU3OTUxMSwiaXNfdGVtcGxhdGUiOmZhbHNlLCJpc3N1ZV9jb21tZW50X3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2lzc3Vlcy9jb21tZW50c3svbnVtYmVyfSIsImlzc3VlX2V2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9pc3N1ZXMvZXZlbnRzey9udW1iZXJ9IiwiaXNzdWVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2lzc3Vlc3svbnVtYmVyfSIsImtleXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUva2V5c3sva2V5X2lkfSIsImxhYmVsc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9sYWJlbHN7L25hbWV9IiwibGFuZ3VhZ2UiOiJDKysiLCJsYW5ndWFnZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvbGFuZ3VhZ2VzIiwibGljZW5zZSI6eyJrZXkiOiJtaXQiLCJuYW1lIjoiTUlUIExpY2Vuc2UiLCJub2RlX2lkIjoiTURjNlRHbGpaVzV6WlRFeiIsInNwZHhfaWQiOiJNSVQiLCJ1cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL2xpY2Vuc2VzL21pdCJ9LCJtZXJnZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvbWVyZ2VzIiwibWlsZXN0b25lc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9taWxlc3RvbmVzey9udW1iZXJ9IiwibWlycm9yX3VybCI6bnVsbCwibmFtZSI6InNsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlIiwibm9kZV9pZCI6IlJfa2dET0prejhOdyIsIm5vdGlmaWNhdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvbm90aWZpY2F0aW9uc3s/c2luY2UsYWxsLHBhcnRpY2lwYXRpbmd9Iiwib3Blbl9pc3N1ZXMiOjAsIm9wZW5faXNzdWVzX2NvdW50IjowLCJvd25lciI6eyJhdmF0YXJfdXJsIjoiaHR0cHM6Ly9hdmF0YXJzLmdpdGh1YnVzZXJjb250ZW50LmNvbS91Lzc4OTUzNjA0P3Y9NCIsImV2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9ldmVudHN7L3ByaXZhY3l9IiwiZm9sbG93ZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L2ZvbGxvd2VycyIsImZvbGxvd2luZ191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9mb2xsb3dpbmd7L290aGVyX3VzZXJ9IiwiZ2lzdHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZ2lzdHN7L2dpc3RfaWR9IiwiZ3JhdmF0YXJfaWQiOiIiLCJodG1sX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9lbnRlcmFnYTYiLCJpZCI6Nzg5NTM2MDQsImxvZ2luIjoiZW50ZXJhZ2E2Iiwibm9kZV9pZCI6Ik1EUTZWWE5sY2pjNE9UVXpOakEwIiwib3JnYW5pemF0aW9uc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9vcmdzIiwicmVjZWl2ZWRfZXZlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3JlY2VpdmVkX2V2ZW50cyIsInJlcG9zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3JlcG9zIiwic2l0ZV9hZG1pbiI6ZmFsc2UsInN0YXJyZWRfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvc3RhcnJlZHsvb3duZXJ9ey9yZXBvfSIsInN1YnNjcmlwdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvc3Vic2NyaXB0aW9ucyIsInR5cGUiOiJVc2VyIiwidXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYifSwicHJpdmF0ZSI6ZmFsc2UsInB1bGxzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3B1bGxzey9udW1iZXJ9IiwicHVzaGVkX2F0IjoiMjAyMy0wOC0wN1QxOTowODo1MVoiLCJyZWxlYXNlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9yZWxlYXNlc3svaWR9Iiwic2l6ZSI6MTEzLCJzc2hfdXJsIjoiZ2l0QGdpdGh1Yi5jb206ZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlLmdpdCIsInN0YXJnYXplcnNfY291bnQiOjAsInN0YXJnYXplcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvc3RhcmdhemVycyIsInN0YXR1c2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3N0YXR1c2VzL3tzaGF9Iiwic3Vic2NyaWJlcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvc3Vic2NyaWJlcnMiLCJzdWJzY3JpcHRpb25fdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvc3Vic2NyaXB0aW9uIiwic3ZuX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUiLCJ0YWdzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3RhZ3MiLCJ0ZWFtc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS90ZWFtcyIsInRvcGljcyI6W10sInRyZWVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2dpdC90cmVlc3svc2hhfSIsInVwZGF0ZWRfYXQiOiIyMDIzLTA1LTE5VDAxOjE5OjM5WiIsInVybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlIiwidmlzaWJpbGl0eSI6InB1YmxpYyIsIndhdGNoZXJzIjowLCJ3YXRjaGVyc19jb3VudCI6MCwid2ViX2NvbW1pdF9zaWdub2ZmX3JlcXVpcmVkIjpmYWxzZX0sInNlbmRlciI6eyJhdmF0YXJfdXJsIjoiaHR0cHM6Ly9hdmF0YXJzLmdpdGh1YnVzZXJjb250ZW50LmNvbS91Lzc4OTUzNjA0P3Y9NCIsImV2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9ldmVudHN7L3ByaXZhY3l9IiwiZm9sbG93ZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L2ZvbGxvd2VycyIsImZvbGxvd2luZ191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9mb2xsb3dpbmd7L290aGVyX3VzZXJ9IiwiZ2lzdHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZ2lzdHN7L2dpc3RfaWR9IiwiZ3JhdmF0YXJfaWQiOiIiLCJodG1sX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9lbnRlcmFnYTYiLCJpZCI6Nzg5NTM2MDQsImxvZ2luIjoiZW50ZXJhZ2E2Iiwibm9kZV9pZCI6Ik1EUTZWWE5sY2pjNE9UVXpOakEwIiwib3JnYW5pemF0aW9uc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9vcmdzIiwicmVjZWl2ZWRfZXZlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3JlY2VpdmVkX2V2ZW50cyIsInJlcG9zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3JlcG9zIiwic2l0ZV9hZG1pbiI6ZmFsc2UsInN0YXJyZWRfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvc3RhcnJlZHsvb3duZXJ9ey9yZXBvfSIsInN1YnNjcmlwdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvc3Vic2NyaXB0aW9ucyIsInR5cGUiOiJVc2VyIiwidXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYifSwid29ya2Zsb3ciOiIuZ2l0aHViL3dvcmtmbG93cy90ZXN0LXZlcmlmaWVyLTIueWFtbCJ9fSwicmVzb2x2ZWREZXBlbmRlbmNpZXMiOlt7InVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlQHJlZnMvaGVhZHMvbWFpbiIsImRpZ2VzdCI6eyJnaXRDb21taXQiOiJkYTY0MDQwMmExOWFiZmVlMGExN2IwODg2ZDRiOTU3MTk1NWQ5N2ZjIn19XX0sInJ1bkRldGFpbHMiOnsiYnVpbGRlciI6eyJpZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9lbnRlcmFnYTYvc2xzYS1naXRodWItZ2VuZXJhdG9yLy5naXRodWIvd29ya2Zsb3dzL2J1aWxkZXJfYmF6ZWxfc2xzYTMueW1sQHJlZnMvdGFncy92MS4wLjEifSwibWV0YWRhdGEiOnsiaW52b2NhdGlvbklkIjoiaHR0cHM6Ly9naXRodWIuY29tL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9hY3Rpb25zL3J1bnMvNTc4ODk2MzU0NS9hdHRlbXB0cy8xIn19fX0=", + Signatures: []dsselib.Signature{ + { + Sig: "MEUCIQCLO33ZR7g+FaUKCXR3tncSjGv/mfDiGjPuk7NmHVryPQIgHhratRQrI/Kn4fgO9zK5vglyfrGwbhSJkuvnfUcD5UM=", + KeyID: "", + }, + }, + }, + provenanceOpts: &options.ProvenanceOpts{ + ExpectedBranch: nil, + ExpectedTag: nil, + ExpectedVersionedTag: nil, + ExpectedDigest: "caaadba2846905ac477c777e96a636e1c2e067fdf6fed90ec9eeca4df18d6ed9", + ExpectedSourceURI: "github.com/enteraga6/slsa-lvl3-generic-provenance-with-bazel-example", + ExpectedBuilderID: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@refs/tags/v1.7.0", + ExpectedWorkflowInputs: map[string]string{}, + }, + byob: true, + + trustedBuilderIDName: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@refs/tags/v1.7.0", + + expectedID: nil, + }, + } + for _, tt := range tests { + tt := tt // Re-initializing variable so it is not changed while executing the closure below + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + trustedBuilderID, tErr := utils.TrustedBuilderIDNew(tt.trustedBuilderIDName, true) + if tErr != nil { + t.Errorf("Provenance Verification FAILED. Error: %v", tErr) + } + + err := VerifyProvenance(tt.env, tt.provenanceOpts, trustedBuilderID, tt.byob, tt.expectedID) + if err == nil { + t.Errorf("Provenance Verification should have failed but DID NOT. Error: untrusted builder is trusted") + } + }) + } +} From 4209ffe01f31f0de6ae5ecbc1f5f305ee435a0d0 Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Mon, 7 Aug 2023 23:36:58 +0000 Subject: [PATCH 26/38] lint Signed-off-by: Noah Elzner --- verifiers/internal/gha/builder.go | 1 - 1 file changed, 1 deletion(-) diff --git a/verifiers/internal/gha/builder.go b/verifiers/internal/gha/builder.go index 8314f47ea..5d82bf0fb 100644 --- a/verifiers/internal/gha/builder.go +++ b/verifiers/internal/gha/builder.go @@ -125,7 +125,6 @@ func verifyTrustedBuilderID(certBuilderID, certTag string, expectedBuilderID *st // This return of the delegator builderID enables non-compulsory // builderID feature for BYOB builders by setting byob flag to true. return trustedBuilderID, isTrustedDelegatorBuilder(trustedBuilderID, defaultTrustedBuilders), nil - } // Verify the builderID. From 6cd1257bad8b5db9b9f13792730b84cf6efe5d2d Mon Sep 17 00:00:00 2001 From: Noah Elzner <78953604+enteraga6@users.noreply.github.com> Date: Mon, 7 Aug 2023 16:38:47 -0700 Subject: [PATCH 27/38] explicity set id to nil Co-authored-by: Ian Lewis Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> --- verifiers/internal/gha/builder_test.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/verifiers/internal/gha/builder_test.go b/verifiers/internal/gha/builder_test.go index 46953ead5..b0c4dd390 100644 --- a/verifiers/internal/gha/builder_test.go +++ b/verifiers/internal/gha/builder_test.go @@ -482,6 +482,8 @@ func Test_verifyTrustedBuilderID(t *testing.T) { // feature of slsa-verifier and expects byob to be true name: "generic delegator workflow no id", path: trustedBuilderRepository + "/.github/workflows/delegator_generic_slsa3.yml", + // NOTE: id is nil. + id: nil, tag: "refs/tags/v1.2.3", defaults: defaultBYOBReusableWorkflows, byob: true, From 4fcc8b12f36256e035e68deec54282f37d59c5a8 Mon Sep 17 00:00:00 2001 From: Noah Elzner <78953604+enteraga6@users.noreply.github.com> Date: Mon, 7 Aug 2023 16:39:10 -0700 Subject: [PATCH 28/38] set id to nil explicitly Co-authored-by: Ian Lewis Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> --- verifiers/internal/gha/builder_test.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/verifiers/internal/gha/builder_test.go b/verifiers/internal/gha/builder_test.go index b0c4dd390..7185f944c 100644 --- a/verifiers/internal/gha/builder_test.go +++ b/verifiers/internal/gha/builder_test.go @@ -501,6 +501,8 @@ func Test_verifyTrustedBuilderID(t *testing.T) { // feature of slsa-verifier and expects byob to be true name: "low perms delegator workflow no ID provided", path: trustedBuilderRepository + "/.github/workflows/delegator_lowperms-generic_slsa3.yml", + // NOTE: id is nil. + id: nil, tag: "v1.2.3", defaults: defaultBYOBReusableWorkflows, byob: true, From 1a17e0c8917ad685d8468ca114e581a8e43f516c Mon Sep 17 00:00:00 2001 From: Noah Elzner <78953604+enteraga6@users.noreply.github.com> Date: Mon, 7 Aug 2023 16:39:43 -0700 Subject: [PATCH 29/38] nit: capitalization Co-authored-by: Ian Lewis Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> --- verifiers/internal/gha/provenance.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index 29aceded9..80ae2a270 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go @@ -339,7 +339,7 @@ func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceO return err } - // If ExpectedID is not provided, check to see if it is a trusted builder. + // If expectedID is not provided, check to see if it is a trusted builder. // If not provided, then a trusted builder is expected, to populate provenanceOpts.ExpectedBuilderID // with that builder, otherwise, populate from user input. // From c98f6508407bdacbc40068fb1fe54c21c1d01c34 Mon Sep 17 00:00:00 2001 From: Noah Elzner <78953604+enteraga6@users.noreply.github.com> Date: Mon, 7 Aug 2023 16:43:57 -0700 Subject: [PATCH 30/38] nit: remove empty lines Co-authored-by: Ian Lewis Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> --- verifiers/internal/gha/provenance_test.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/verifiers/internal/gha/provenance_test.go b/verifiers/internal/gha/provenance_test.go index 51e038e53..81507cba7 100644 --- a/verifiers/internal/gha/provenance_test.go +++ b/verifiers/internal/gha/provenance_test.go @@ -1219,9 +1219,7 @@ func Test_VerifyProvenance(t *testing.T) { ExpectedWorkflowInputs: map[string]string{}, }, byob: true, - trustedBuilderIDName: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@refs/tags/v1.8.0", - expectedID: nil, }, } From ca9e7ae36babda575a6e0d65c5476613acc346ed Mon Sep 17 00:00:00 2001 From: Noah Elzner <78953604+enteraga6@users.noreply.github.com> Date: Mon, 7 Aug 2023 16:44:16 -0700 Subject: [PATCH 31/38] nit: remove empty lines Co-authored-by: Ian Lewis Signed-off-by: Noah Elzner <78953604+enteraga6@users.noreply.github.com> --- verifiers/internal/gha/provenance_test.go | 1 - 1 file changed, 1 deletion(-) diff --git a/verifiers/internal/gha/provenance_test.go b/verifiers/internal/gha/provenance_test.go index 81507cba7..7674cf6cf 100644 --- a/verifiers/internal/gha/provenance_test.go +++ b/verifiers/internal/gha/provenance_test.go @@ -1273,7 +1273,6 @@ func Test_VerifyProvenance2(t *testing.T) { ExpectedWorkflowInputs: map[string]string{}, }, byob: true, - trustedBuilderIDName: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@refs/tags/v1.7.0", expectedID: nil, From 032b098ebaae537901d4d5426277cce0fb332b6e Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Mon, 7 Aug 2023 23:45:09 +0000 Subject: [PATCH 32/38] remove confusing comment Signed-off-by: Noah Elzner --- verifiers/internal/gha/provenance.go | 1 - 1 file changed, 1 deletion(-) diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index 29aceded9..7c3e86017 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go @@ -343,7 +343,6 @@ func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceO // If not provided, then a trusted builder is expected, to populate provenanceOpts.ExpectedBuilderID // with that builder, otherwise, populate from user input. // - // Example: the expectedBuilderID will default to the delegator builder ID for BYOB. // This can verify the actual BYOB builderIDPath against the trusted builderIDPath provided. // Currently slsa-framework path is the only one supported for ExpectedBuilderPath. if expectedID == nil { From 1ff4e9b2243110f9bfe9469b79d00c9223b39e5b Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Mon, 7 Aug 2023 23:50:29 +0000 Subject: [PATCH 33/38] nit: remove empty space Signed-off-by: Noah Elzner --- verifiers/internal/gha/provenance_test.go | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/verifiers/internal/gha/provenance_test.go b/verifiers/internal/gha/provenance_test.go index 7674cf6cf..a65aaf860 100644 --- a/verifiers/internal/gha/provenance_test.go +++ b/verifiers/internal/gha/provenance_test.go @@ -1218,9 +1218,9 @@ func Test_VerifyProvenance(t *testing.T) { ExpectedBuilderID: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@refs/tags/v1.8.0", ExpectedWorkflowInputs: map[string]string{}, }, - byob: true, + byob: true, trustedBuilderIDName: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@refs/tags/v1.8.0", - expectedID: nil, + expectedID: nil, }, } for _, tt := range tests { @@ -1272,10 +1272,9 @@ func Test_VerifyProvenance2(t *testing.T) { ExpectedBuilderID: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@refs/tags/v1.7.0", ExpectedWorkflowInputs: map[string]string{}, }, - byob: true, + byob: true, trustedBuilderIDName: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@refs/tags/v1.7.0", - - expectedID: nil, + expectedID: nil, }, } for _, tt := range tests { From e6d22d45a184d9b54ae075987a1f7fd415ee6d0d Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Fri, 11 Aug 2023 00:51:11 +0000 Subject: [PATCH 34/38] Restructure Tests Signed-off-by: Noah Elzner --- verifiers/internal/gha/provenance_test.go | 69 ++++++++++--------- .../gha/testdata/bazel-trusted-att.build.slsa | 3 + .../gha/testdata/bazel-untrusted-att.sigstore | 3 + 3 files changed, 43 insertions(+), 32 deletions(-) create mode 100644 verifiers/internal/gha/testdata/bazel-trusted-att.build.slsa create mode 100644 verifiers/internal/gha/testdata/bazel-untrusted-att.sigstore diff --git a/verifiers/internal/gha/provenance_test.go b/verifiers/internal/gha/provenance_test.go index a65aaf860..745ac8b59 100644 --- a/verifiers/internal/gha/provenance_test.go +++ b/verifiers/internal/gha/provenance_test.go @@ -1,6 +1,9 @@ package gha import ( + "fmt" + "os" + "path/filepath" "testing" "time" @@ -9,7 +12,6 @@ import ( slsacommon "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common" slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2" slsa1 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1" - dsselib "github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/slsa-framework/slsa-verifier/v2/options" "github.com/slsa-framework/slsa-verifier/v2/verifiers/utils" @@ -1186,11 +1188,11 @@ func Test_VerifyVersionedTag(t *testing.T) { } } -func Test_VerifyProvenance(t *testing.T) { +func Test_VerifyTrustedProvenance(t *testing.T) { t.Parallel() tests := []struct { name string - env *dsselib.Envelope + provenancePath string provenanceOpts *options.ProvenanceOpts trustedBuilderIDName string byob bool @@ -1198,17 +1200,8 @@ func Test_VerifyProvenance(t *testing.T) { expected error }{ { - name: "Verify Trusted (slsa-github-generator) Bazel Builder (v1.8.0", - env: &dsselib.Envelope{ - PayloadType: "application/vnd.in-toto+json", - Payload: "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJmaWIiLCJkaWdlc3QiOnsic2hhMjU2IjoiY2FhYWRiYTI4NDY5MDVhYzQ3N2M3NzdlOTZhNjM2ZTFjMmUwNjdmZGY2ZmVkOTBlYzllZWNhNGRmMThkNmVkOSJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjEiLCJwcmVkaWNhdGUiOnsiYnVpbGREZWZpbml0aW9uIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1ld29yay9zbHNhLWdpdGh1Yi1nZW5lcmF0b3IvZGVsZWdhdG9yLWdlbmVyaWNAdjAiLCJleHRlcm5hbFBhcmFtZXRlcnMiOnsiaW5wdXRzIjp7InJla29yLWxvZy1wdWJsaWMiOmZhbHNlLCJ0YXJnZXRzIjoiLy9zcmM6ZmliIiwiZmxhZ3MiOiIiLCJuZWVkcy1ydW5maWxlcyI6ZmFsc2UsImluY2x1ZGVzLWphdmEiOmZhbHNlLCJ1c2VyLWphdmEtZGlzdHJpYnV0aW9uIjoib3JhY2xlIiwidXNlci1qYXZhLXZlcnNpb24iOiIxNyJ9LCJ2YXJzIjp7fX0sImludGVybmFsUGFyYW1ldGVycyI6eyJHSVRIVUJfQUNUT1JfSUQiOiI3ODk1MzYwNCIsIkdJVEhVQl9FVkVOVF9OQU1FIjoid29ya2Zsb3dfZGlzcGF0Y2giLCJHSVRIVUJfQkFTRV9SRUYiOiIiLCJHSVRIVUJfUkVGIjoicmVmcy9oZWFkcy9tYWluIiwiR0lUSFVCX1JFRl9UWVBFIjoiYnJhbmNoIiwiR0lUSFVCX1JFUE9TSVRPUlkiOiJlbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUiLCJHSVRIVUJfUkVQT1NJVE9SWV9JRCI6IjY0MjU3OTUxMSIsIkdJVEhVQl9SRVBPU0lUT1JZX09XTkVSX0lEIjoiNzg5NTM2MDQiLCJHSVRIVUJfUlVOX0FUVEVNUFQiOiIxIiwiR0lUSFVCX1JVTl9JRCI6IjU3ODgzNDIzODEiLCJHSVRIVUJfUlVOX05VTUJFUiI6IjEiLCJHSVRIVUJfU0hBIjoiYWI5YTQ1OGY2NTk4MjYyNWRkODM4ODQ0MjNmYTQ1OWEyMjY0ZTQyOSIsIkdJVEhVQl9UUklHR0VSSU5HX0FDVE9SX0lEIjoiNzg5NTM2MDQiLCJHSVRIVUJfV09SS0ZMT1dfUkVGIjoiZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlLy5naXRodWIvd29ya2Zsb3dzL3Rlc3QtdmVyaWZpZXIueWFtbEByZWZzL2hlYWRzL21haW4iLCJHSVRIVUJfV09SS0ZMT1dfU0hBIjoiYWI5YTQ1OGY2NTk4MjYyNWRkODM4ODQ0MjNmYTQ1OWEyMjY0ZTQyOSIsIkdJVEhVQl9FVkVOVF9QQVlMT0FEIjp7ImlucHV0cyI6bnVsbCwicmVmIjoicmVmcy9oZWFkcy9tYWluIiwicmVwb3NpdG9yeSI6eyJhbGxvd19mb3JraW5nIjp0cnVlLCJhcmNoaXZlX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3thcmNoaXZlX2Zvcm1hdH17L3JlZn0iLCJhcmNoaXZlZCI6ZmFsc2UsImFzc2lnbmVlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9hc3NpZ25lZXN7L3VzZXJ9IiwiYmxvYnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvZ2l0L2Jsb2Jzey9zaGF9IiwiYnJhbmNoZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvYnJhbmNoZXN7L2JyYW5jaH0iLCJjbG9uZV91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlLmdpdCIsImNvbGxhYm9yYXRvcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvY29sbGFib3JhdG9yc3svY29sbGFib3JhdG9yfSIsImNvbW1lbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2NvbW1lbnRzey9udW1iZXJ9IiwiY29tbWl0c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9jb21taXRzey9zaGF9IiwiY29tcGFyZV91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9jb21wYXJlL3tiYXNlfS4uLntoZWFkfSIsImNvbnRlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2NvbnRlbnRzL3srcGF0aH0iLCJjb250cmlidXRvcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvY29udHJpYnV0b3JzIiwiY3JlYXRlZF9hdCI6IjIwMjMtMDUtMThUMjI6MzE6MTNaIiwiZGVmYXVsdF9icmFuY2giOiJtYWluIiwiZGVwbG95bWVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvZGVwbG95bWVudHMiLCJkZXNjcmlwdGlvbiI6IlRlc3RpbmcgZ2VuZXJpYyBwcm92ZW5hbmNlIHdpdGggQmF6ZWwgZm9yIFNMU0EgTGV2ZWwgMy4iLCJkaXNhYmxlZCI6ZmFsc2UsImRvd25sb2Fkc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9kb3dubG9hZHMiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvZXZlbnRzIiwiZm9yayI6dHJ1ZSwiZm9ya3MiOjAsImZvcmtzX2NvdW50IjowLCJmb3Jrc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9mb3JrcyIsImZ1bGxfbmFtZSI6ImVudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZSIsImdpdF9jb21taXRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2dpdC9jb21taXRzey9zaGF9IiwiZ2l0X3JlZnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvZ2l0L3JlZnN7L3NoYX0iLCJnaXRfdGFnc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9naXQvdGFnc3svc2hhfSIsImdpdF91cmwiOiJnaXQ6Ly9naXRodWIuY29tL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS5naXQiLCJoYXNfZGlzY3Vzc2lvbnMiOmZhbHNlLCJoYXNfZG93bmxvYWRzIjp0cnVlLCJoYXNfaXNzdWVzIjpmYWxzZSwiaGFzX3BhZ2VzIjpmYWxzZSwiaGFzX3Byb2plY3RzIjp0cnVlLCJoYXNfd2lraSI6dHJ1ZSwiaG9tZXBhZ2UiOiIiLCJob29rc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9ob29rcyIsImh0bWxfdXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZSIsImlkIjo2NDI1Nzk1MTEsImlzX3RlbXBsYXRlIjpmYWxzZSwiaXNzdWVfY29tbWVudF91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9pc3N1ZXMvY29tbWVudHN7L251bWJlcn0iLCJpc3N1ZV9ldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvaXNzdWVzL2V2ZW50c3svbnVtYmVyfSIsImlzc3Vlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9pc3N1ZXN7L251bWJlcn0iLCJrZXlzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2tleXN7L2tleV9pZH0iLCJsYWJlbHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvbGFiZWxzey9uYW1lfSIsImxhbmd1YWdlIjoiQysrIiwibGFuZ3VhZ2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2xhbmd1YWdlcyIsImxpY2Vuc2UiOnsia2V5IjoibWl0IiwibmFtZSI6Ik1JVCBMaWNlbnNlIiwibm9kZV9pZCI6Ik1EYzZUR2xqWlc1elpURXoiLCJzcGR4X2lkIjoiTUlUIiwidXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9saWNlbnNlcy9taXQifSwibWVyZ2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL21lcmdlcyIsIm1pbGVzdG9uZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvbWlsZXN0b25lc3svbnVtYmVyfSIsIm1pcnJvcl91cmwiOm51bGwsIm5hbWUiOiJzbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZSIsIm5vZGVfaWQiOiJSX2tnRE9Ka3o4TnciLCJub3RpZmljYXRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL25vdGlmaWNhdGlvbnN7P3NpbmNlLGFsbCxwYXJ0aWNpcGF0aW5nfSIsIm9wZW5faXNzdWVzIjowLCJvcGVuX2lzc3Vlc19jb3VudCI6MCwib3duZXIiOnsiYXZhdGFyX3VybCI6Imh0dHBzOi8vYXZhdGFycy5naXRodWJ1c2VyY29udGVudC5jb20vdS83ODk1MzYwND92PTQiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZXZlbnRzey9wcml2YWN5fSIsImZvbGxvd2Vyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9mb2xsb3dlcnMiLCJmb2xsb3dpbmdfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZm9sbG93aW5ney9vdGhlcl91c2VyfSIsImdpc3RzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L2dpc3Rzey9naXN0X2lkfSIsImdyYXZhdGFyX2lkIjoiIiwiaHRtbF91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2IiwiaWQiOjc4OTUzNjA0LCJsb2dpbiI6ImVudGVyYWdhNiIsIm5vZGVfaWQiOiJNRFE2VlhObGNqYzRPVFV6TmpBMCIsIm9yZ2FuaXphdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvb3JncyIsInJlY2VpdmVkX2V2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9yZWNlaXZlZF9ldmVudHMiLCJyZXBvc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9yZXBvcyIsInNpdGVfYWRtaW4iOmZhbHNlLCJzdGFycmVkX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3N0YXJyZWR7L293bmVyfXsvcmVwb30iLCJzdWJzY3JpcHRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3N1YnNjcmlwdGlvbnMiLCJ0eXBlIjoiVXNlciIsInVybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2In0sInByaXZhdGUiOmZhbHNlLCJwdWxsc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9wdWxsc3svbnVtYmVyfSIsInB1c2hlZF9hdCI6IjIwMjMtMDgtMDdUMTc6NTY6MjlaIiwicmVsZWFzZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvcmVsZWFzZXN7L2lkfSIsInNpemUiOjExMSwic3NoX3VybCI6ImdpdEBnaXRodWIuY29tOmVudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS5naXQiLCJzdGFyZ2F6ZXJzX2NvdW50IjowLCJzdGFyZ2F6ZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3N0YXJnYXplcnMiLCJzdGF0dXNlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9zdGF0dXNlcy97c2hhfSIsInN1YnNjcmliZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3N1YnNjcmliZXJzIiwic3Vic2NyaXB0aW9uX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3N1YnNjcmlwdGlvbiIsInN2bl91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlIiwidGFnc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS90YWdzIiwidGVhbXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvdGVhbXMiLCJ0b3BpY3MiOltdLCJ0cmVlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9naXQvdHJlZXN7L3NoYX0iLCJ1cGRhdGVkX2F0IjoiMjAyMy0wNS0xOVQwMToxOTozOVoiLCJ1cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZSIsInZpc2liaWxpdHkiOiJwdWJsaWMiLCJ3YXRjaGVycyI6MCwid2F0Y2hlcnNfY291bnQiOjAsIndlYl9jb21taXRfc2lnbm9mZl9yZXF1aXJlZCI6ZmFsc2V9LCJzZW5kZXIiOnsiYXZhdGFyX3VybCI6Imh0dHBzOi8vYXZhdGFycy5naXRodWJ1c2VyY29udGVudC5jb20vdS83ODk1MzYwND92PTQiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZXZlbnRzey9wcml2YWN5fSIsImZvbGxvd2Vyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9mb2xsb3dlcnMiLCJmb2xsb3dpbmdfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZm9sbG93aW5ney9vdGhlcl91c2VyfSIsImdpc3RzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L2dpc3Rzey9naXN0X2lkfSIsImdyYXZhdGFyX2lkIjoiIiwiaHRtbF91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2IiwiaWQiOjc4OTUzNjA0LCJsb2dpbiI6ImVudGVyYWdhNiIsIm5vZGVfaWQiOiJNRFE2VlhObGNqYzRPVFV6TmpBMCIsIm9yZ2FuaXphdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvb3JncyIsInJlY2VpdmVkX2V2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9yZWNlaXZlZF9ldmVudHMiLCJyZXBvc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9yZXBvcyIsInNpdGVfYWRtaW4iOmZhbHNlLCJzdGFycmVkX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3N0YXJyZWR7L293bmVyfXsvcmVwb30iLCJzdWJzY3JpcHRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3N1YnNjcmlwdGlvbnMiLCJ0eXBlIjoiVXNlciIsInVybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2In0sIndvcmtmbG93IjoiLmdpdGh1Yi93b3JrZmxvd3MvdGVzdC12ZXJpZmllci55YW1sIn19LCJyZXNvbHZlZERlcGVuZGVuY2llcyI6W3sidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGVAcmVmcy9oZWFkcy9tYWluIiwiZGlnZXN0Ijp7ImdpdENvbW1pdCI6ImFiOWE0NThmNjU5ODI2MjVkZDgzODg0NDIzZmE0NTlhMjI2NGU0MjkifX1dfSwicnVuRGV0YWlscyI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9naXRodWIuY29tL3Nsc2EtZnJhbWV3b3JrL3Nsc2EtZ2l0aHViLWdlbmVyYXRvci8uZ2l0aHViL3dvcmtmbG93cy9idWlsZGVyX2JhemVsX3Nsc2EzLnltbEByZWZzL3RhZ3MvdjEuOC4wIn0sIm1ldGFkYXRhIjp7Imludm9jYXRpb25JZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvYWN0aW9ucy9ydW5zLzU3ODgzNDIzODEvYXR0ZW1wdHMvMSJ9fX19", - Signatures: []dsselib.Signature{ - { - Sig: "MEYCIQCNUV+hEskMPRhBHiYl6F8r8Uvg6Vmyhd7p+yq3mlMujgIhAOYsaMjJqVXnslgvRNThMwpyN0QD6LOiqKjHcitj+NRU", - KeyID: "", - }, - }, - }, + name: "Verify Trusted (slsa-github-generator) Bazel Builder (v1.8.0", + provenancePath: "bazel-trusted-att.build.slsa", provenanceOpts: &options.ProvenanceOpts{ ExpectedBranch: nil, ExpectedTag: nil, @@ -1232,19 +1225,30 @@ func Test_VerifyProvenance(t *testing.T) { t.Errorf("Provenance Verification FAILED. Error: %v", tErr) } - err := VerifyProvenance(tt.env, tt.provenanceOpts, trustedBuilderID, tt.byob, tt.expectedID) + provenanceBytes, err := os.ReadFile(filepath.Join("testdata", tt.provenancePath)) + if err != nil { + panic(fmt.Errorf("os.ReadFile: %w", err)) + } + + env, err := EnvelopeFromBytes(provenanceBytes) if err != nil { - t.Errorf("Provenance Verification FAILED. Error: %v", err) + panic(fmt.Errorf("unexpected error parsing envelope %s", err)) + } + println(env) + vErr := VerifyProvenance(env, tt.provenanceOpts, trustedBuilderID, tt.byob, tt.expectedID) + if vErr != nil { + t.Errorf("Provenance Verification FAILED. Error: %v", vErr) } }) } } -func Test_VerifyProvenance2(t *testing.T) { +func Test_VerifyUntrustedProvenance(t *testing.T) { t.Parallel() tests := []struct { - name string - env *dsselib.Envelope + name string + // env *dsselib.Envelope + provenancePath string provenanceOpts *options.ProvenanceOpts trustedBuilderIDName string byob bool @@ -1252,17 +1256,8 @@ func Test_VerifyProvenance2(t *testing.T) { expected error }{ { - name: "Verify Un-Trusted (slsa-github-generator) Bazel Builder (from enteraga6/slsa-github-generator)", - env: &dsselib.Envelope{ - PayloadType: "application/vnd.in-toto+json", - Payload: "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJmaWIiLCJkaWdlc3QiOnsic2hhMjU2IjoiY2FhYWRiYTI4NDY5MDVhYzQ3N2M3NzdlOTZhNjM2ZTFjMmUwNjdmZGY2ZmVkOTBlYzllZWNhNGRmMThkNmVkOSJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjEiLCJwcmVkaWNhdGUiOnsiYnVpbGREZWZpbml0aW9uIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1ld29yay9zbHNhLWdpdGh1Yi1nZW5lcmF0b3IvZGVsZWdhdG9yLWdlbmVyaWNAdjAiLCJleHRlcm5hbFBhcmFtZXRlcnMiOnsiaW5wdXRzIjp7InJla29yLWxvZy1wdWJsaWMiOmZhbHNlLCJ0YXJnZXRzIjoiLy9zcmM6ZmliIiwiZmxhZ3MiOiIiLCJuZWVkcy1ydW5maWxlcyI6ZmFsc2UsImluY2x1ZGVzLWphdmEiOmZhbHNlLCJ1c2VyLWphdmEtZGlzdHJpYnV0aW9uIjoib3JhY2xlIiwidXNlci1qYXZhLXZlcnNpb24iOiIxNyJ9LCJ2YXJzIjp7fX0sImludGVybmFsUGFyYW1ldGVycyI6eyJHSVRIVUJfQUNUT1JfSUQiOiI3ODk1MzYwNCIsIkdJVEhVQl9FVkVOVF9OQU1FIjoid29ya2Zsb3dfZGlzcGF0Y2giLCJHSVRIVUJfUkVGIjoicmVmcy9oZWFkcy9tYWluIiwiR0lUSFVCX1JFRl9UWVBFIjoiYnJhbmNoIiwiR0lUSFVCX1JFUE9TSVRPUlkiOiJlbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUiLCJHSVRIVUJfUkVQT1NJVE9SWV9JRCI6IjY0MjU3OTUxMSIsIkdJVEhVQl9SRVBPU0lUT1JZX09XTkVSX0lEIjoiNzg5NTM2MDQiLCJHSVRIVUJfUlVOX0FUVEVNUFQiOiIxIiwiR0lUSFVCX1JVTl9JRCI6IjU3ODg5NjM1NDUiLCJHSVRIVUJfUlVOX05VTUJFUiI6IjEiLCJHSVRIVUJfU0hBIjoiZGE2NDA0MDJhMTlhYmZlZTBhMTdiMDg4NmQ0Yjk1NzE5NTVkOTdmYyIsIkdJVEhVQl9UUklHR0VSSU5HX0FDVE9SX0lEIjoiNzg5NTM2MDQiLCJHSVRIVUJfV09SS0ZMT1dfUkVGIjoiZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlLy5naXRodWIvd29ya2Zsb3dzL3Rlc3QtdmVyaWZpZXItMi55YW1sQHJlZnMvaGVhZHMvbWFpbiIsIkdJVEhVQl9XT1JLRkxPV19TSEEiOiJkYTY0MDQwMmExOWFiZmVlMGExN2IwODg2ZDRiOTU3MTk1NWQ5N2ZjIiwiR0lUSFVCX0VWRU5UX1BBWUxPQUQiOnsiaW5wdXRzIjpudWxsLCJyZWYiOiJyZWZzL2hlYWRzL21haW4iLCJyZXBvc2l0b3J5Ijp7ImFsbG93X2ZvcmtpbmciOnRydWUsImFyY2hpdmVfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUve2FyY2hpdmVfZm9ybWF0fXsvcmVmfSIsImFyY2hpdmVkIjpmYWxzZSwiYXNzaWduZWVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2Fzc2lnbmVlc3svdXNlcn0iLCJibG9ic191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9naXQvYmxvYnN7L3NoYX0iLCJicmFuY2hlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9icmFuY2hlc3svYnJhbmNofSIsImNsb25lX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUuZ2l0IiwiY29sbGFib3JhdG9yc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9jb2xsYWJvcmF0b3Jzey9jb2xsYWJvcmF0b3J9IiwiY29tbWVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvY29tbWVudHN7L251bWJlcn0iLCJjb21taXRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2NvbW1pdHN7L3NoYX0iLCJjb21wYXJlX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2NvbXBhcmUve2Jhc2V9Li4ue2hlYWR9IiwiY29udGVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvY29udGVudHMveytwYXRofSIsImNvbnRyaWJ1dG9yc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9jb250cmlidXRvcnMiLCJjcmVhdGVkX2F0IjoiMjAyMy0wNS0xOFQyMjozMToxM1oiLCJkZWZhdWx0X2JyYW5jaCI6Im1haW4iLCJkZXBsb3ltZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9kZXBsb3ltZW50cyIsImRlc2NyaXB0aW9uIjoiVGVzdGluZyBnZW5lcmljIHByb3ZlbmFuY2Ugd2l0aCBCYXplbCBmb3IgU0xTQSBMZXZlbCAzLiIsImRpc2FibGVkIjpmYWxzZSwiZG93bmxvYWRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2Rvd25sb2FkcyIsImV2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9ldmVudHMiLCJmb3JrIjp0cnVlLCJmb3JrcyI6MCwiZm9ya3NfY291bnQiOjAsImZvcmtzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2ZvcmtzIiwiZnVsbF9uYW1lIjoiZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlIiwiZ2l0X2NvbW1pdHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvZ2l0L2NvbW1pdHN7L3NoYX0iLCJnaXRfcmVmc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9naXQvcmVmc3svc2hhfSIsImdpdF90YWdzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2dpdC90YWdzey9zaGF9IiwiZ2l0X3VybCI6ImdpdDovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlLmdpdCIsImhhc19kaXNjdXNzaW9ucyI6ZmFsc2UsImhhc19kb3dubG9hZHMiOnRydWUsImhhc19pc3N1ZXMiOmZhbHNlLCJoYXNfcGFnZXMiOmZhbHNlLCJoYXNfcHJvamVjdHMiOnRydWUsImhhc193aWtpIjp0cnVlLCJob21lcGFnZSI6IiIsImhvb2tzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2hvb2tzIiwiaHRtbF91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlIiwiaWQiOjY0MjU3OTUxMSwiaXNfdGVtcGxhdGUiOmZhbHNlLCJpc3N1ZV9jb21tZW50X3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2lzc3Vlcy9jb21tZW50c3svbnVtYmVyfSIsImlzc3VlX2V2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9pc3N1ZXMvZXZlbnRzey9udW1iZXJ9IiwiaXNzdWVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2lzc3Vlc3svbnVtYmVyfSIsImtleXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUva2V5c3sva2V5X2lkfSIsImxhYmVsc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9sYWJlbHN7L25hbWV9IiwibGFuZ3VhZ2UiOiJDKysiLCJsYW5ndWFnZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvbGFuZ3VhZ2VzIiwibGljZW5zZSI6eyJrZXkiOiJtaXQiLCJuYW1lIjoiTUlUIExpY2Vuc2UiLCJub2RlX2lkIjoiTURjNlRHbGpaVzV6WlRFeiIsInNwZHhfaWQiOiJNSVQiLCJ1cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL2xpY2Vuc2VzL21pdCJ9LCJtZXJnZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvbWVyZ2VzIiwibWlsZXN0b25lc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9taWxlc3RvbmVzey9udW1iZXJ9IiwibWlycm9yX3VybCI6bnVsbCwibmFtZSI6InNsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlIiwibm9kZV9pZCI6IlJfa2dET0prejhOdyIsIm5vdGlmaWNhdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvbm90aWZpY2F0aW9uc3s/c2luY2UsYWxsLHBhcnRpY2lwYXRpbmd9Iiwib3Blbl9pc3N1ZXMiOjAsIm9wZW5faXNzdWVzX2NvdW50IjowLCJvd25lciI6eyJhdmF0YXJfdXJsIjoiaHR0cHM6Ly9hdmF0YXJzLmdpdGh1YnVzZXJjb250ZW50LmNvbS91Lzc4OTUzNjA0P3Y9NCIsImV2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9ldmVudHN7L3ByaXZhY3l9IiwiZm9sbG93ZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L2ZvbGxvd2VycyIsImZvbGxvd2luZ191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9mb2xsb3dpbmd7L290aGVyX3VzZXJ9IiwiZ2lzdHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZ2lzdHN7L2dpc3RfaWR9IiwiZ3JhdmF0YXJfaWQiOiIiLCJodG1sX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9lbnRlcmFnYTYiLCJpZCI6Nzg5NTM2MDQsImxvZ2luIjoiZW50ZXJhZ2E2Iiwibm9kZV9pZCI6Ik1EUTZWWE5sY2pjNE9UVXpOakEwIiwib3JnYW5pemF0aW9uc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9vcmdzIiwicmVjZWl2ZWRfZXZlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3JlY2VpdmVkX2V2ZW50cyIsInJlcG9zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3JlcG9zIiwic2l0ZV9hZG1pbiI6ZmFsc2UsInN0YXJyZWRfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvc3RhcnJlZHsvb3duZXJ9ey9yZXBvfSIsInN1YnNjcmlwdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvc3Vic2NyaXB0aW9ucyIsInR5cGUiOiJVc2VyIiwidXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYifSwicHJpdmF0ZSI6ZmFsc2UsInB1bGxzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3B1bGxzey9udW1iZXJ9IiwicHVzaGVkX2F0IjoiMjAyMy0wOC0wN1QxOTowODo1MVoiLCJyZWxlYXNlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9yZWxlYXNlc3svaWR9Iiwic2l6ZSI6MTEzLCJzc2hfdXJsIjoiZ2l0QGdpdGh1Yi5jb206ZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlLmdpdCIsInN0YXJnYXplcnNfY291bnQiOjAsInN0YXJnYXplcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvc3RhcmdhemVycyIsInN0YXR1c2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3N0YXR1c2VzL3tzaGF9Iiwic3Vic2NyaWJlcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvc3Vic2NyaWJlcnMiLCJzdWJzY3JpcHRpb25fdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvc3Vic2NyaXB0aW9uIiwic3ZuX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUiLCJ0YWdzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3RhZ3MiLCJ0ZWFtc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS90ZWFtcyIsInRvcGljcyI6W10sInRyZWVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2dpdC90cmVlc3svc2hhfSIsInVwZGF0ZWRfYXQiOiIyMDIzLTA1LTE5VDAxOjE5OjM5WiIsInVybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlIiwidmlzaWJpbGl0eSI6InB1YmxpYyIsIndhdGNoZXJzIjowLCJ3YXRjaGVyc19jb3VudCI6MCwid2ViX2NvbW1pdF9zaWdub2ZmX3JlcXVpcmVkIjpmYWxzZX0sInNlbmRlciI6eyJhdmF0YXJfdXJsIjoiaHR0cHM6Ly9hdmF0YXJzLmdpdGh1YnVzZXJjb250ZW50LmNvbS91Lzc4OTUzNjA0P3Y9NCIsImV2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9ldmVudHN7L3ByaXZhY3l9IiwiZm9sbG93ZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L2ZvbGxvd2VycyIsImZvbGxvd2luZ191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9mb2xsb3dpbmd7L290aGVyX3VzZXJ9IiwiZ2lzdHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZ2lzdHN7L2dpc3RfaWR9IiwiZ3JhdmF0YXJfaWQiOiIiLCJodG1sX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9lbnRlcmFnYTYiLCJpZCI6Nzg5NTM2MDQsImxvZ2luIjoiZW50ZXJhZ2E2Iiwibm9kZV9pZCI6Ik1EUTZWWE5sY2pjNE9UVXpOakEwIiwib3JnYW5pemF0aW9uc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9vcmdzIiwicmVjZWl2ZWRfZXZlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3JlY2VpdmVkX2V2ZW50cyIsInJlcG9zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3JlcG9zIiwic2l0ZV9hZG1pbiI6ZmFsc2UsInN0YXJyZWRfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvc3RhcnJlZHsvb3duZXJ9ey9yZXBvfSIsInN1YnNjcmlwdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvc3Vic2NyaXB0aW9ucyIsInR5cGUiOiJVc2VyIiwidXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYifSwid29ya2Zsb3ciOiIuZ2l0aHViL3dvcmtmbG93cy90ZXN0LXZlcmlmaWVyLTIueWFtbCJ9fSwicmVzb2x2ZWREZXBlbmRlbmNpZXMiOlt7InVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlQHJlZnMvaGVhZHMvbWFpbiIsImRpZ2VzdCI6eyJnaXRDb21taXQiOiJkYTY0MDQwMmExOWFiZmVlMGExN2IwODg2ZDRiOTU3MTk1NWQ5N2ZjIn19XX0sInJ1bkRldGFpbHMiOnsiYnVpbGRlciI6eyJpZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9lbnRlcmFnYTYvc2xzYS1naXRodWItZ2VuZXJhdG9yLy5naXRodWIvd29ya2Zsb3dzL2J1aWxkZXJfYmF6ZWxfc2xzYTMueW1sQHJlZnMvdGFncy92MS4wLjEifSwibWV0YWRhdGEiOnsiaW52b2NhdGlvbklkIjoiaHR0cHM6Ly9naXRodWIuY29tL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9hY3Rpb25zL3J1bnMvNTc4ODk2MzU0NS9hdHRlbXB0cy8xIn19fX0=", - Signatures: []dsselib.Signature{ - { - Sig: "MEUCIQCLO33ZR7g+FaUKCXR3tncSjGv/mfDiGjPuk7NmHVryPQIgHhratRQrI/Kn4fgO9zK5vglyfrGwbhSJkuvnfUcD5UM=", - KeyID: "", - }, - }, - }, + name: "Verify Un-Trusted (slsa-github-generator) Bazel Builder (from enteraga6/slsa-github-generator)", + provenancePath: "bazel-untrusted-att.sigstore", provenanceOpts: &options.ProvenanceOpts{ ExpectedBranch: nil, ExpectedTag: nil, @@ -1286,8 +1281,18 @@ func Test_VerifyProvenance2(t *testing.T) { t.Errorf("Provenance Verification FAILED. Error: %v", tErr) } - err := VerifyProvenance(tt.env, tt.provenanceOpts, trustedBuilderID, tt.byob, tt.expectedID) - if err == nil { + provenanceBytes, err := os.ReadFile(filepath.Join("testdata", tt.provenancePath)) + if err != nil { + panic(fmt.Errorf("os.ReadFile: %w", err)) + } + + env, err := EnvelopeFromBytes(provenanceBytes) + if err != nil { + panic(fmt.Errorf("unexpected error parsing envelope %s", err)) + } + + vErr := VerifyProvenance(env, tt.provenanceOpts, trustedBuilderID, tt.byob, tt.expectedID) + if vErr == nil { t.Errorf("Provenance Verification should have failed but DID NOT. Error: untrusted builder is trusted") } }) diff --git a/verifiers/internal/gha/testdata/bazel-trusted-att.build.slsa b/verifiers/internal/gha/testdata/bazel-trusted-att.build.slsa new file mode 100644 index 000000000..19202c08b --- /dev/null +++ b/verifiers/internal/gha/testdata/bazel-trusted-att.build.slsa @@ -0,0 +1,3 @@ +{ + "payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJmaWIiLCJkaWdlc3QiOnsic2hhMjU2IjoiY2FhYWRiYTI4NDY5MDVhYzQ3N2M3NzdlOTZhNjM2ZTFjMmUwNjdmZGY2ZmVkOTBlYzllZWNhNGRmMThkNmVkOSJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjEiLCJwcmVkaWNhdGUiOnsiYnVpbGREZWZpbml0aW9uIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1ld29yay9zbHNhLWdpdGh1Yi1nZW5lcmF0b3IvZGVsZWdhdG9yLWdlbmVyaWNAdjAiLCJleHRlcm5hbFBhcmFtZXRlcnMiOnsiaW5wdXRzIjp7InJla29yLWxvZy1wdWJsaWMiOmZhbHNlLCJ0YXJnZXRzIjoiLy9zcmMvLi4uIC8vc3JjL2ludGVybmFsOmFsbCIsImZsYWdzIjoiIiwibmVlZHMtcnVuZmlsZXMiOmZhbHNlLCJpbmNsdWRlcy1qYXZhIjpmYWxzZSwidXNlci1qYXZhLWRpc3RyaWJ1dGlvbiI6Im9yYWNsZSIsInVzZXItamF2YS12ZXJzaW9uIjoiMTcifSwidmFycyI6e319LCJpbnRlcm5hbFBhcmFtZXRlcnMiOnsiR0lUSFVCX0FDVE9SX0lEIjoiNzg5NTM2MDQiLCJHSVRIVUJfRVZFTlRfTkFNRSI6IndvcmtmbG93X2Rpc3BhdGNoIiwiR0lUSFVCX0JBU0VfUkVGIjoiIiwiR0lUSFVCX1JFRiI6InJlZnMvaGVhZHMvbWFpbiIsIkdJVEhVQl9SRUZfVFlQRSI6ImJyYW5jaCIsIkdJVEhVQl9SRVBPU0lUT1JZIjoiZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlIiwiR0lUSFVCX1JFUE9TSVRPUllfSUQiOiI2NDI1Nzk1MTEiLCJHSVRIVUJfUkVQT1NJVE9SWV9PV05FUl9JRCI6Ijc4OTUzNjA0IiwiR0lUSFVCX1JVTl9BVFRFTVBUIjoiMSIsIkdJVEhVQl9SVU5fSUQiOiI1NzkyMTA4NzQ4IiwiR0lUSFVCX1JVTl9OVU1CRVIiOiIxIiwiR0lUSFVCX1NIQSI6IjdmMjNhYzQ3ODNjYjcwMmE2OGM1NWY3OTU1Y2MyOTZmZGQ0MjVkYmIiLCJHSVRIVUJfVFJJR0dFUklOR19BQ1RPUl9JRCI6Ijc4OTUzNjA0IiwiR0lUSFVCX1dPUktGTE9XX1JFRiI6ImVudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS8uZ2l0aHViL3dvcmtmbG93cy90ZXN0LXZlcmlmaWVyLWdsb2IueWFtbEByZWZzL2hlYWRzL21haW4iLCJHSVRIVUJfV09SS0ZMT1dfU0hBIjoiN2YyM2FjNDc4M2NiNzAyYTY4YzU1Zjc5NTVjYzI5NmZkZDQyNWRiYiIsIkdJVEhVQl9FVkVOVF9QQVlMT0FEIjp7ImlucHV0cyI6bnVsbCwicmVmIjoicmVmcy9oZWFkcy9tYWluIiwicmVwb3NpdG9yeSI6eyJhbGxvd19mb3JraW5nIjp0cnVlLCJhcmNoaXZlX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3thcmNoaXZlX2Zvcm1hdH17L3JlZn0iLCJhcmNoaXZlZCI6ZmFsc2UsImFzc2lnbmVlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9hc3NpZ25lZXN7L3VzZXJ9IiwiYmxvYnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvZ2l0L2Jsb2Jzey9zaGF9IiwiYnJhbmNoZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvYnJhbmNoZXN7L2JyYW5jaH0iLCJjbG9uZV91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlLmdpdCIsImNvbGxhYm9yYXRvcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvY29sbGFib3JhdG9yc3svY29sbGFib3JhdG9yfSIsImNvbW1lbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2NvbW1lbnRzey9udW1iZXJ9IiwiY29tbWl0c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9jb21taXRzey9zaGF9IiwiY29tcGFyZV91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9jb21wYXJlL3tiYXNlfS4uLntoZWFkfSIsImNvbnRlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2NvbnRlbnRzL3srcGF0aH0iLCJjb250cmlidXRvcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvY29udHJpYnV0b3JzIiwiY3JlYXRlZF9hdCI6IjIwMjMtMDUtMThUMjI6MzE6MTNaIiwiZGVmYXVsdF9icmFuY2giOiJtYWluIiwiZGVwbG95bWVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvZGVwbG95bWVudHMiLCJkZXNjcmlwdGlvbiI6IlRlc3RpbmcgZ2VuZXJpYyBwcm92ZW5hbmNlIHdpdGggQmF6ZWwgZm9yIFNMU0EgTGV2ZWwgMy4iLCJkaXNhYmxlZCI6ZmFsc2UsImRvd25sb2Fkc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9kb3dubG9hZHMiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvZXZlbnRzIiwiZm9yayI6dHJ1ZSwiZm9ya3MiOjAsImZvcmtzX2NvdW50IjowLCJmb3Jrc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9mb3JrcyIsImZ1bGxfbmFtZSI6ImVudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZSIsImdpdF9jb21taXRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2dpdC9jb21taXRzey9zaGF9IiwiZ2l0X3JlZnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvZ2l0L3JlZnN7L3NoYX0iLCJnaXRfdGFnc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9naXQvdGFnc3svc2hhfSIsImdpdF91cmwiOiJnaXQ6Ly9naXRodWIuY29tL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS5naXQiLCJoYXNfZGlzY3Vzc2lvbnMiOmZhbHNlLCJoYXNfZG93bmxvYWRzIjp0cnVlLCJoYXNfaXNzdWVzIjpmYWxzZSwiaGFzX3BhZ2VzIjpmYWxzZSwiaGFzX3Byb2plY3RzIjp0cnVlLCJoYXNfd2lraSI6dHJ1ZSwiaG9tZXBhZ2UiOiIiLCJob29rc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9ob29rcyIsImh0bWxfdXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZSIsImlkIjo2NDI1Nzk1MTEsImlzX3RlbXBsYXRlIjpmYWxzZSwiaXNzdWVfY29tbWVudF91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9pc3N1ZXMvY29tbWVudHN7L251bWJlcn0iLCJpc3N1ZV9ldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvaXNzdWVzL2V2ZW50c3svbnVtYmVyfSIsImlzc3Vlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9pc3N1ZXN7L251bWJlcn0iLCJrZXlzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2tleXN7L2tleV9pZH0iLCJsYWJlbHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvbGFiZWxzey9uYW1lfSIsImxhbmd1YWdlIjoiQysrIiwibGFuZ3VhZ2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2xhbmd1YWdlcyIsImxpY2Vuc2UiOnsia2V5IjoibWl0IiwibmFtZSI6Ik1JVCBMaWNlbnNlIiwibm9kZV9pZCI6Ik1EYzZUR2xqWlc1elpURXoiLCJzcGR4X2lkIjoiTUlUIiwidXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9saWNlbnNlcy9taXQifSwibWVyZ2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL21lcmdlcyIsIm1pbGVzdG9uZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvbWlsZXN0b25lc3svbnVtYmVyfSIsIm1pcnJvcl91cmwiOm51bGwsIm5hbWUiOiJzbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZSIsIm5vZGVfaWQiOiJSX2tnRE9Ka3o4TnciLCJub3RpZmljYXRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL25vdGlmaWNhdGlvbnN7P3NpbmNlLGFsbCxwYXJ0aWNpcGF0aW5nfSIsIm9wZW5faXNzdWVzIjowLCJvcGVuX2lzc3Vlc19jb3VudCI6MCwib3duZXIiOnsiYXZhdGFyX3VybCI6Imh0dHBzOi8vYXZhdGFycy5naXRodWJ1c2VyY29udGVudC5jb20vdS83ODk1MzYwND92PTQiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZXZlbnRzey9wcml2YWN5fSIsImZvbGxvd2Vyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9mb2xsb3dlcnMiLCJmb2xsb3dpbmdfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZm9sbG93aW5ney9vdGhlcl91c2VyfSIsImdpc3RzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L2dpc3Rzey9naXN0X2lkfSIsImdyYXZhdGFyX2lkIjoiIiwiaHRtbF91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2IiwiaWQiOjc4OTUzNjA0LCJsb2dpbiI6ImVudGVyYWdhNiIsIm5vZGVfaWQiOiJNRFE2VlhObGNqYzRPVFV6TmpBMCIsIm9yZ2FuaXphdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvb3JncyIsInJlY2VpdmVkX2V2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9yZWNlaXZlZF9ldmVudHMiLCJyZXBvc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9yZXBvcyIsInNpdGVfYWRtaW4iOmZhbHNlLCJzdGFycmVkX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3N0YXJyZWR7L293bmVyfXsvcmVwb30iLCJzdWJzY3JpcHRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3N1YnNjcmlwdGlvbnMiLCJ0eXBlIjoiVXNlciIsInVybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2In0sInByaXZhdGUiOmZhbHNlLCJwdWxsc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9wdWxsc3svbnVtYmVyfSIsInB1c2hlZF9hdCI6IjIwMjMtMDgtMDhUMDI6MzQ6MjVaIiwicmVsZWFzZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvcmVsZWFzZXN7L2lkfSIsInNpemUiOjExNSwic3NoX3VybCI6ImdpdEBnaXRodWIuY29tOmVudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS5naXQiLCJzdGFyZ2F6ZXJzX2NvdW50IjowLCJzdGFyZ2F6ZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3N0YXJnYXplcnMiLCJzdGF0dXNlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9zdGF0dXNlcy97c2hhfSIsInN1YnNjcmliZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3N1YnNjcmliZXJzIiwic3Vic2NyaXB0aW9uX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3N1YnNjcmlwdGlvbiIsInN2bl91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlIiwidGFnc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS90YWdzIiwidGVhbXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvdGVhbXMiLCJ0b3BpY3MiOltdLCJ0cmVlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9naXQvdHJlZXN7L3NoYX0iLCJ1cGRhdGVkX2F0IjoiMjAyMy0wNS0xOVQwMToxOTozOVoiLCJ1cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZSIsInZpc2liaWxpdHkiOiJwdWJsaWMiLCJ3YXRjaGVycyI6MCwid2F0Y2hlcnNfY291bnQiOjAsIndlYl9jb21taXRfc2lnbm9mZl9yZXF1aXJlZCI6ZmFsc2V9LCJzZW5kZXIiOnsiYXZhdGFyX3VybCI6Imh0dHBzOi8vYXZhdGFycy5naXRodWJ1c2VyY29udGVudC5jb20vdS83ODk1MzYwND92PTQiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZXZlbnRzey9wcml2YWN5fSIsImZvbGxvd2Vyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9mb2xsb3dlcnMiLCJmb2xsb3dpbmdfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZm9sbG93aW5ney9vdGhlcl91c2VyfSIsImdpc3RzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L2dpc3Rzey9naXN0X2lkfSIsImdyYXZhdGFyX2lkIjoiIiwiaHRtbF91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2IiwiaWQiOjc4OTUzNjA0LCJsb2dpbiI6ImVudGVyYWdhNiIsIm5vZGVfaWQiOiJNRFE2VlhObGNqYzRPVFV6TmpBMCIsIm9yZ2FuaXphdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvb3JncyIsInJlY2VpdmVkX2V2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9yZWNlaXZlZF9ldmVudHMiLCJyZXBvc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9yZXBvcyIsInNpdGVfYWRtaW4iOmZhbHNlLCJzdGFycmVkX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3N0YXJyZWR7L293bmVyfXsvcmVwb30iLCJzdWJzY3JpcHRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3N1YnNjcmlwdGlvbnMiLCJ0eXBlIjoiVXNlciIsInVybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2In0sIndvcmtmbG93IjoiLmdpdGh1Yi93b3JrZmxvd3MvdGVzdC12ZXJpZmllci1nbG9iLnlhbWwifX0sInJlc29sdmVkRGVwZW5kZW5jaWVzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZUByZWZzL2hlYWRzL21haW4iLCJkaWdlc3QiOnsiZ2l0Q29tbWl0IjoiN2YyM2FjNDc4M2NiNzAyYTY4YzU1Zjc5NTVjYzI5NmZkZDQyNWRiYiJ9fV19LCJydW5EZXRhaWxzIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vc2xzYS1mcmFtZXdvcmsvc2xzYS1naXRodWItZ2VuZXJhdG9yLy5naXRodWIvd29ya2Zsb3dzL2J1aWxkZXJfYmF6ZWxfc2xzYTMueW1sQHJlZnMvdGFncy92MS44LjAifSwibWV0YWRhdGEiOnsiaW52b2NhdGlvbklkIjoiaHR0cHM6Ly9naXRodWIuY29tL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9hY3Rpb25zL3J1bnMvNTc5MjEwODc0OC9hdHRlbXB0cy8xIn19fX0=","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEYCIQC5KILL/ouIQVHa10bCUW2VukAff5Towcn7t9wP48Qx2AIhAJBiNPxVT2ug4dKNzV73VR+7Qj6wNW7F+vtJ0ngsyIM4","keyid":""}] +} \ No newline at end of file diff --git a/verifiers/internal/gha/testdata/bazel-untrusted-att.sigstore b/verifiers/internal/gha/testdata/bazel-untrusted-att.sigstore new file mode 100644 index 000000000..35c29dc54 --- /dev/null +++ b/verifiers/internal/gha/testdata/bazel-untrusted-att.sigstore @@ -0,0 +1,3 @@ +{ + "payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInN1YmplY3QiOlt7Im5hbWUiOiJmaWIiLCJkaWdlc3QiOnsic2hhMjU2IjoiY2FhYWRiYTI4NDY5MDVhYzQ3N2M3NzdlOTZhNjM2ZTFjMmUwNjdmZGY2ZmVkOTBlYzllZWNhNGRmMThkNmVkOSJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjEiLCJwcmVkaWNhdGUiOnsiYnVpbGREZWZpbml0aW9uIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1ld29yay9zbHNhLWdpdGh1Yi1nZW5lcmF0b3IvZGVsZWdhdG9yLWdlbmVyaWNAdjAiLCJleHRlcm5hbFBhcmFtZXRlcnMiOnsiaW5wdXRzIjp7InJla29yLWxvZy1wdWJsaWMiOmZhbHNlLCJ0YXJnZXRzIjoiLy9zcmM6ZmliIiwiZmxhZ3MiOiIiLCJuZWVkcy1ydW5maWxlcyI6ZmFsc2UsImluY2x1ZGVzLWphdmEiOmZhbHNlLCJ1c2VyLWphdmEtZGlzdHJpYnV0aW9uIjoib3JhY2xlIiwidXNlci1qYXZhLXZlcnNpb24iOiIxNyJ9LCJ2YXJzIjp7fX0sImludGVybmFsUGFyYW1ldGVycyI6eyJHSVRIVUJfQUNUT1JfSUQiOiI3ODk1MzYwNCIsIkdJVEhVQl9FVkVOVF9OQU1FIjoid29ya2Zsb3dfZGlzcGF0Y2giLCJHSVRIVUJfUkVGIjoicmVmcy9oZWFkcy9tYWluIiwiR0lUSFVCX1JFRl9UWVBFIjoiYnJhbmNoIiwiR0lUSFVCX1JFUE9TSVRPUlkiOiJlbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUiLCJHSVRIVUJfUkVQT1NJVE9SWV9JRCI6IjY0MjU3OTUxMSIsIkdJVEhVQl9SRVBPU0lUT1JZX09XTkVSX0lEIjoiNzg5NTM2MDQiLCJHSVRIVUJfUlVOX0FUVEVNUFQiOiIxIiwiR0lUSFVCX1JVTl9JRCI6IjU3OTIyMTgxNjMiLCJHSVRIVUJfUlVOX05VTUJFUiI6IjIiLCJHSVRIVUJfU0hBIjoiN2YyM2FjNDc4M2NiNzAyYTY4YzU1Zjc5NTVjYzI5NmZkZDQyNWRiYiIsIkdJVEhVQl9UUklHR0VSSU5HX0FDVE9SX0lEIjoiNzg5NTM2MDQiLCJHSVRIVUJfV09SS0ZMT1dfUkVGIjoiZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlLy5naXRodWIvd29ya2Zsb3dzL3Rlc3QtdmVyaWZpZXItMi55YW1sQHJlZnMvaGVhZHMvbWFpbiIsIkdJVEhVQl9XT1JLRkxPV19TSEEiOiI3ZjIzYWM0NzgzY2I3MDJhNjhjNTVmNzk1NWNjMjk2ZmRkNDI1ZGJiIiwiR0lUSFVCX0VWRU5UX1BBWUxPQUQiOnsiaW5wdXRzIjpudWxsLCJyZWYiOiJyZWZzL2hlYWRzL21haW4iLCJyZXBvc2l0b3J5Ijp7ImFsbG93X2ZvcmtpbmciOnRydWUsImFyY2hpdmVfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUve2FyY2hpdmVfZm9ybWF0fXsvcmVmfSIsImFyY2hpdmVkIjpmYWxzZSwiYXNzaWduZWVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2Fzc2lnbmVlc3svdXNlcn0iLCJibG9ic191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9naXQvYmxvYnN7L3NoYX0iLCJicmFuY2hlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9icmFuY2hlc3svYnJhbmNofSIsImNsb25lX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUuZ2l0IiwiY29sbGFib3JhdG9yc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9jb2xsYWJvcmF0b3Jzey9jb2xsYWJvcmF0b3J9IiwiY29tbWVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvY29tbWVudHN7L251bWJlcn0iLCJjb21taXRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2NvbW1pdHN7L3NoYX0iLCJjb21wYXJlX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2NvbXBhcmUve2Jhc2V9Li4ue2hlYWR9IiwiY29udGVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvY29udGVudHMveytwYXRofSIsImNvbnRyaWJ1dG9yc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9jb250cmlidXRvcnMiLCJjcmVhdGVkX2F0IjoiMjAyMy0wNS0xOFQyMjozMToxM1oiLCJkZWZhdWx0X2JyYW5jaCI6Im1haW4iLCJkZXBsb3ltZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9kZXBsb3ltZW50cyIsImRlc2NyaXB0aW9uIjoiVGVzdGluZyBnZW5lcmljIHByb3ZlbmFuY2Ugd2l0aCBCYXplbCBmb3IgU0xTQSBMZXZlbCAzLiIsImRpc2FibGVkIjpmYWxzZSwiZG93bmxvYWRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2Rvd25sb2FkcyIsImV2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9ldmVudHMiLCJmb3JrIjp0cnVlLCJmb3JrcyI6MCwiZm9ya3NfY291bnQiOjAsImZvcmtzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2ZvcmtzIiwiZnVsbF9uYW1lIjoiZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlIiwiZ2l0X2NvbW1pdHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvZ2l0L2NvbW1pdHN7L3NoYX0iLCJnaXRfcmVmc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9naXQvcmVmc3svc2hhfSIsImdpdF90YWdzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2dpdC90YWdzey9zaGF9IiwiZ2l0X3VybCI6ImdpdDovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlLmdpdCIsImhhc19kaXNjdXNzaW9ucyI6ZmFsc2UsImhhc19kb3dubG9hZHMiOnRydWUsImhhc19pc3N1ZXMiOmZhbHNlLCJoYXNfcGFnZXMiOmZhbHNlLCJoYXNfcHJvamVjdHMiOnRydWUsImhhc193aWtpIjp0cnVlLCJob21lcGFnZSI6IiIsImhvb2tzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2hvb2tzIiwiaHRtbF91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlIiwiaWQiOjY0MjU3OTUxMSwiaXNfdGVtcGxhdGUiOmZhbHNlLCJpc3N1ZV9jb21tZW50X3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2lzc3Vlcy9jb21tZW50c3svbnVtYmVyfSIsImlzc3VlX2V2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9pc3N1ZXMvZXZlbnRzey9udW1iZXJ9IiwiaXNzdWVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2lzc3Vlc3svbnVtYmVyfSIsImtleXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUva2V5c3sva2V5X2lkfSIsImxhYmVsc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9sYWJlbHN7L25hbWV9IiwibGFuZ3VhZ2UiOiJDKysiLCJsYW5ndWFnZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvbGFuZ3VhZ2VzIiwibGljZW5zZSI6eyJrZXkiOiJtaXQiLCJuYW1lIjoiTUlUIExpY2Vuc2UiLCJub2RlX2lkIjoiTURjNlRHbGpaVzV6WlRFeiIsInNwZHhfaWQiOiJNSVQiLCJ1cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL2xpY2Vuc2VzL21pdCJ9LCJtZXJnZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvbWVyZ2VzIiwibWlsZXN0b25lc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9taWxlc3RvbmVzey9udW1iZXJ9IiwibWlycm9yX3VybCI6bnVsbCwibmFtZSI6InNsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlIiwibm9kZV9pZCI6IlJfa2dET0prejhOdyIsIm5vdGlmaWNhdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvbm90aWZpY2F0aW9uc3s/c2luY2UsYWxsLHBhcnRpY2lwYXRpbmd9Iiwib3Blbl9pc3N1ZXMiOjAsIm9wZW5faXNzdWVzX2NvdW50IjowLCJvd25lciI6eyJhdmF0YXJfdXJsIjoiaHR0cHM6Ly9hdmF0YXJzLmdpdGh1YnVzZXJjb250ZW50LmNvbS91Lzc4OTUzNjA0P3Y9NCIsImV2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9ldmVudHN7L3ByaXZhY3l9IiwiZm9sbG93ZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L2ZvbGxvd2VycyIsImZvbGxvd2luZ191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9mb2xsb3dpbmd7L290aGVyX3VzZXJ9IiwiZ2lzdHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZ2lzdHN7L2dpc3RfaWR9IiwiZ3JhdmF0YXJfaWQiOiIiLCJodG1sX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9lbnRlcmFnYTYiLCJpZCI6Nzg5NTM2MDQsImxvZ2luIjoiZW50ZXJhZ2E2Iiwibm9kZV9pZCI6Ik1EUTZWWE5sY2pjNE9UVXpOakEwIiwib3JnYW5pemF0aW9uc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9vcmdzIiwicmVjZWl2ZWRfZXZlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3JlY2VpdmVkX2V2ZW50cyIsInJlcG9zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3JlcG9zIiwic2l0ZV9hZG1pbiI6ZmFsc2UsInN0YXJyZWRfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvc3RhcnJlZHsvb3duZXJ9ey9yZXBvfSIsInN1YnNjcmlwdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvc3Vic2NyaXB0aW9ucyIsInR5cGUiOiJVc2VyIiwidXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYifSwicHJpdmF0ZSI6ZmFsc2UsInB1bGxzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3B1bGxzey9udW1iZXJ9IiwicHVzaGVkX2F0IjoiMjAyMy0wOC0wOFQwMjozNDoyNVoiLCJyZWxlYXNlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9yZWxlYXNlc3svaWR9Iiwic2l6ZSI6MTE1LCJzc2hfdXJsIjoiZ2l0QGdpdGh1Yi5jb206ZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlLmdpdCIsInN0YXJnYXplcnNfY291bnQiOjAsInN0YXJnYXplcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvc3RhcmdhemVycyIsInN0YXR1c2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3N0YXR1c2VzL3tzaGF9Iiwic3Vic2NyaWJlcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvc3Vic2NyaWJlcnMiLCJzdWJzY3JpcHRpb25fdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUvc3Vic2NyaXB0aW9uIiwic3ZuX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9lbnRlcmFnYTYvc2xzYS1sdmwzLWdlbmVyaWMtcHJvdmVuYW5jZS13aXRoLWJhemVsLWV4YW1wbGUiLCJ0YWdzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL3RhZ3MiLCJ0ZWFtc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS90ZWFtcyIsInRvcGljcyI6W10sInRyZWVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlL2dpdC90cmVlc3svc2hhfSIsInVwZGF0ZWRfYXQiOiIyMDIzLTA1LTE5VDAxOjE5OjM5WiIsInVybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlIiwidmlzaWJpbGl0eSI6InB1YmxpYyIsIndhdGNoZXJzIjowLCJ3YXRjaGVyc19jb3VudCI6MCwid2ViX2NvbW1pdF9zaWdub2ZmX3JlcXVpcmVkIjpmYWxzZX0sInNlbmRlciI6eyJhdmF0YXJfdXJsIjoiaHR0cHM6Ly9hdmF0YXJzLmdpdGh1YnVzZXJjb250ZW50LmNvbS91Lzc4OTUzNjA0P3Y9NCIsImV2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9ldmVudHN7L3ByaXZhY3l9IiwiZm9sbG93ZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L2ZvbGxvd2VycyIsImZvbGxvd2luZ191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9mb2xsb3dpbmd7L290aGVyX3VzZXJ9IiwiZ2lzdHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvZ2lzdHN7L2dpc3RfaWR9IiwiZ3JhdmF0YXJfaWQiOiIiLCJodG1sX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9lbnRlcmFnYTYiLCJpZCI6Nzg5NTM2MDQsImxvZ2luIjoiZW50ZXJhZ2E2Iiwibm9kZV9pZCI6Ik1EUTZWWE5sY2pjNE9UVXpOakEwIiwib3JnYW5pemF0aW9uc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2VudGVyYWdhNi9vcmdzIiwicmVjZWl2ZWRfZXZlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3JlY2VpdmVkX2V2ZW50cyIsInJlcG9zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZW50ZXJhZ2E2L3JlcG9zIiwic2l0ZV9hZG1pbiI6ZmFsc2UsInN0YXJyZWRfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvc3RhcnJlZHsvb3duZXJ9ey9yZXBvfSIsInN1YnNjcmlwdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYvc3Vic2NyaXB0aW9ucyIsInR5cGUiOiJVc2VyIiwidXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9lbnRlcmFnYTYifSwid29ya2Zsb3ciOiIuZ2l0aHViL3dvcmtmbG93cy90ZXN0LXZlcmlmaWVyLTIueWFtbCJ9fSwicmVzb2x2ZWREZXBlbmRlbmNpZXMiOlt7InVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vZW50ZXJhZ2E2L3Nsc2EtbHZsMy1nZW5lcmljLXByb3ZlbmFuY2Utd2l0aC1iYXplbC1leGFtcGxlQHJlZnMvaGVhZHMvbWFpbiIsImRpZ2VzdCI6eyJnaXRDb21taXQiOiI3ZjIzYWM0NzgzY2I3MDJhNjhjNTVmNzk1NWNjMjk2ZmRkNDI1ZGJiIn19XX0sInJ1bkRldGFpbHMiOnsiYnVpbGRlciI6eyJpZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9lbnRlcmFnYTYvc2xzYS1naXRodWItZ2VuZXJhdG9yLy5naXRodWIvd29ya2Zsb3dzL2J1aWxkZXJfYmF6ZWxfc2xzYTMueW1sQHJlZnMvdGFncy92MS4wLjEifSwibWV0YWRhdGEiOnsiaW52b2NhdGlvbklkIjoiaHR0cHM6Ly9naXRodWIuY29tL2VudGVyYWdhNi9zbHNhLWx2bDMtZ2VuZXJpYy1wcm92ZW5hbmNlLXdpdGgtYmF6ZWwtZXhhbXBsZS9hY3Rpb25zL3J1bnMvNTc5MjIxODE2My9hdHRlbXB0cy8xIn19fX0=","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIBI2U1FXszYZ2BU1hrtiCgfDsvLBpftB5gvGv0UrobTrAiEAnBPjQHPQHXgGRGokorag5kq9BSDNIGs90v/hHUNY77s=","keyid":""}] +} \ No newline at end of file From b6e36b738bd767b79f25ab98c48c78fc69d8e20b Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Fri, 11 Aug 2023 00:58:45 +0000 Subject: [PATCH 35/38] rename for clarity Signed-off-by: Noah Elzner --- verifiers/internal/gha/provenance_test.go | 25 +++++++++---------- ... => bazel-trusted-dsseEnvelope.build.slsa} | 0 ... => bazel-untrusted-dsseEnvelope.sigstore} | 0 3 files changed, 12 insertions(+), 13 deletions(-) rename verifiers/internal/gha/testdata/{bazel-trusted-att.build.slsa => bazel-trusted-dsseEnvelope.build.slsa} (100%) rename verifiers/internal/gha/testdata/{bazel-untrusted-att.sigstore => bazel-untrusted-dsseEnvelope.sigstore} (100%) diff --git a/verifiers/internal/gha/provenance_test.go b/verifiers/internal/gha/provenance_test.go index 745ac8b59..b99b7c737 100644 --- a/verifiers/internal/gha/provenance_test.go +++ b/verifiers/internal/gha/provenance_test.go @@ -1192,7 +1192,7 @@ func Test_VerifyTrustedProvenance(t *testing.T) { t.Parallel() tests := []struct { name string - provenancePath string + envelopePath string provenanceOpts *options.ProvenanceOpts trustedBuilderIDName string byob bool @@ -1200,8 +1200,8 @@ func Test_VerifyTrustedProvenance(t *testing.T) { expected error }{ { - name: "Verify Trusted (slsa-github-generator) Bazel Builder (v1.8.0", - provenancePath: "bazel-trusted-att.build.slsa", + name: "Verify Trusted (slsa-github-generator) Bazel Builder (v1.8.0", + envelopePath: "bazel-trusted-dsseEnvelope.build.slsa", provenanceOpts: &options.ProvenanceOpts{ ExpectedBranch: nil, ExpectedTag: nil, @@ -1225,16 +1225,16 @@ func Test_VerifyTrustedProvenance(t *testing.T) { t.Errorf("Provenance Verification FAILED. Error: %v", tErr) } - provenanceBytes, err := os.ReadFile(filepath.Join("testdata", tt.provenancePath)) + envelopeBytes, err := os.ReadFile(filepath.Join("testdata", tt.envelopePath)) if err != nil { panic(fmt.Errorf("os.ReadFile: %w", err)) } - env, err := EnvelopeFromBytes(provenanceBytes) + env, err := EnvelopeFromBytes(envelopeBytes) if err != nil { panic(fmt.Errorf("unexpected error parsing envelope %s", err)) } - println(env) + vErr := VerifyProvenance(env, tt.provenanceOpts, trustedBuilderID, tt.byob, tt.expectedID) if vErr != nil { t.Errorf("Provenance Verification FAILED. Error: %v", vErr) @@ -1246,9 +1246,8 @@ func Test_VerifyTrustedProvenance(t *testing.T) { func Test_VerifyUntrustedProvenance(t *testing.T) { t.Parallel() tests := []struct { - name string - // env *dsselib.Envelope - provenancePath string + name string + envelopePath string provenanceOpts *options.ProvenanceOpts trustedBuilderIDName string byob bool @@ -1256,8 +1255,8 @@ func Test_VerifyUntrustedProvenance(t *testing.T) { expected error }{ { - name: "Verify Un-Trusted (slsa-github-generator) Bazel Builder (from enteraga6/slsa-github-generator)", - provenancePath: "bazel-untrusted-att.sigstore", + name: "Verify Un-Trusted (slsa-github-generator) Bazel Builder (from enteraga6/slsa-github-generator)", + envelopePath: "bazel-untrusted-dsseEnvelope.sigstore", provenanceOpts: &options.ProvenanceOpts{ ExpectedBranch: nil, ExpectedTag: nil, @@ -1281,12 +1280,12 @@ func Test_VerifyUntrustedProvenance(t *testing.T) { t.Errorf("Provenance Verification FAILED. Error: %v", tErr) } - provenanceBytes, err := os.ReadFile(filepath.Join("testdata", tt.provenancePath)) + envelopeBytes, err := os.ReadFile(filepath.Join("testdata", tt.envelopePath)) if err != nil { panic(fmt.Errorf("os.ReadFile: %w", err)) } - env, err := EnvelopeFromBytes(provenanceBytes) + env, err := EnvelopeFromBytes(envelopeBytes) if err != nil { panic(fmt.Errorf("unexpected error parsing envelope %s", err)) } diff --git a/verifiers/internal/gha/testdata/bazel-trusted-att.build.slsa b/verifiers/internal/gha/testdata/bazel-trusted-dsseEnvelope.build.slsa similarity index 100% rename from verifiers/internal/gha/testdata/bazel-trusted-att.build.slsa rename to verifiers/internal/gha/testdata/bazel-trusted-dsseEnvelope.build.slsa diff --git a/verifiers/internal/gha/testdata/bazel-untrusted-att.sigstore b/verifiers/internal/gha/testdata/bazel-untrusted-dsseEnvelope.sigstore similarity index 100% rename from verifiers/internal/gha/testdata/bazel-untrusted-att.sigstore rename to verifiers/internal/gha/testdata/bazel-untrusted-dsseEnvelope.sigstore From 3ba89d9ff38a23e62380adf4818f34fc02bae16f Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Fri, 11 Aug 2023 01:52:31 +0000 Subject: [PATCH 36/38] use t.Errorf Signed-off-by: Noah Elzner --- verifiers/internal/gha/provenance_test.go | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/verifiers/internal/gha/provenance_test.go b/verifiers/internal/gha/provenance_test.go index b99b7c737..64417d58c 100644 --- a/verifiers/internal/gha/provenance_test.go +++ b/verifiers/internal/gha/provenance_test.go @@ -1,7 +1,6 @@ package gha import ( - "fmt" "os" "path/filepath" "testing" @@ -1227,12 +1226,12 @@ func Test_VerifyTrustedProvenance(t *testing.T) { envelopeBytes, err := os.ReadFile(filepath.Join("testdata", tt.envelopePath)) if err != nil { - panic(fmt.Errorf("os.ReadFile: %w", err)) + t.Errorf("os.ReadFile: %v", err) } env, err := EnvelopeFromBytes(envelopeBytes) if err != nil { - panic(fmt.Errorf("unexpected error parsing envelope %s", err)) + t.Errorf("unexpected error parsing envelope %v", err) } vErr := VerifyProvenance(env, tt.provenanceOpts, trustedBuilderID, tt.byob, tt.expectedID) @@ -1282,12 +1281,12 @@ func Test_VerifyUntrustedProvenance(t *testing.T) { envelopeBytes, err := os.ReadFile(filepath.Join("testdata", tt.envelopePath)) if err != nil { - panic(fmt.Errorf("os.ReadFile: %w", err)) + t.Errorf("os.ReadFile: %v", err) } env, err := EnvelopeFromBytes(envelopeBytes) if err != nil { - panic(fmt.Errorf("unexpected error parsing envelope %s", err)) + t.Errorf("unexpected error parsing envelope %v", err) } vErr := VerifyProvenance(env, tt.provenanceOpts, trustedBuilderID, tt.byob, tt.expectedID) From 7ada2adf9b70cc37ceb99c379011fb1587ef2212 Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Fri, 11 Aug 2023 02:00:07 +0000 Subject: [PATCH 37/38] Go Lint Signed-off-by: Noah Elzner --- verifiers/internal/gha/builder_test.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/verifiers/internal/gha/builder_test.go b/verifiers/internal/gha/builder_test.go index 7185f944c..8475fc599 100644 --- a/verifiers/internal/gha/builder_test.go +++ b/verifiers/internal/gha/builder_test.go @@ -480,8 +480,8 @@ func Test_verifyTrustedBuilderID(t *testing.T) { { // This is a BYOB workflow without an id that tests non-compulsory builder-id // feature of slsa-verifier and expects byob to be true - name: "generic delegator workflow no id", - path: trustedBuilderRepository + "/.github/workflows/delegator_generic_slsa3.yml", + name: "generic delegator workflow no id", + path: trustedBuilderRepository + "/.github/workflows/delegator_generic_slsa3.yml", // NOTE: id is nil. id: nil, tag: "refs/tags/v1.2.3", @@ -499,8 +499,8 @@ func Test_verifyTrustedBuilderID(t *testing.T) { { // This is a BYOB workflow without an id that tests non-compulsory builder-id // feature of slsa-verifier and expects byob to be true - name: "low perms delegator workflow no ID provided", - path: trustedBuilderRepository + "/.github/workflows/delegator_lowperms-generic_slsa3.yml", + name: "low perms delegator workflow no ID provided", + path: trustedBuilderRepository + "/.github/workflows/delegator_lowperms-generic_slsa3.yml", // NOTE: id is nil. id: nil, tag: "v1.2.3", From 82d0676c0bee54801e3604a31e8ff7e2d99e07ec Mon Sep 17 00:00:00 2001 From: Noah Elzner Date: Fri, 11 Aug 2023 05:00:54 +0000 Subject: [PATCH 38/38] Merged tests and added more Signed-off-by: Noah Elzner --- verifiers/internal/gha/provenance_test.go | 47 +++++++++++++++++++---- 1 file changed, 39 insertions(+), 8 deletions(-) diff --git a/verifiers/internal/gha/provenance_test.go b/verifiers/internal/gha/provenance_test.go index 64417d58c..7fbb31a18 100644 --- a/verifiers/internal/gha/provenance_test.go +++ b/verifiers/internal/gha/provenance_test.go @@ -1187,7 +1187,7 @@ func Test_VerifyVersionedTag(t *testing.T) { } } -func Test_VerifyTrustedProvenance(t *testing.T) { +func Test_VerifyProvenance(t *testing.T) { t.Parallel() tests := []struct { name string @@ -1199,7 +1199,7 @@ func Test_VerifyTrustedProvenance(t *testing.T) { expected error }{ { - name: "Verify Trusted (slsa-github-generator) Bazel Builder (v1.8.0", + name: "Verify Trusted (slsa-github-generator) Bazel Builder (v1.8.0)", envelopePath: "bazel-trusted-dsseEnvelope.build.slsa", provenanceOpts: &options.ProvenanceOpts{ ExpectedBranch: nil, @@ -1214,6 +1214,39 @@ func Test_VerifyTrustedProvenance(t *testing.T) { trustedBuilderIDName: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@refs/tags/v1.8.0", expectedID: nil, }, + { + name: "Verify Un-Trusted (slsa-github-generator) Bazel Builder (from enteraga6/slsa-github-generator)", + envelopePath: "bazel-untrusted-dsseEnvelope.sigstore", + provenanceOpts: &options.ProvenanceOpts{ + ExpectedBranch: nil, + ExpectedTag: nil, + ExpectedVersionedTag: nil, + ExpectedDigest: "caaadba2846905ac477c777e96a636e1c2e067fdf6fed90ec9eeca4df18d6ed9", + ExpectedSourceURI: "github.com/enteraga6/slsa-lvl3-generic-provenance-with-bazel-example", + ExpectedBuilderID: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@refs/tags/v1.7.0", + ExpectedWorkflowInputs: map[string]string{}, + }, + byob: true, + trustedBuilderIDName: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@refs/tags/v1.7.0", + expectedID: nil, + expected: serrors.ErrorInvalidBuilderID, + }, + { + name: "Verify Trusted - Empty ExpectedBuilderID", + envelopePath: "bazel-trusted-dsseEnvelope.build.slsa", + provenanceOpts: &options.ProvenanceOpts{ + ExpectedBranch: nil, + ExpectedTag: nil, + ExpectedVersionedTag: nil, + ExpectedDigest: "caaadba2846905ac477c777e96a636e1c2e067fdf6fed90ec9eeca4df18d6ed9", + ExpectedSourceURI: "github.com/enteraga6/slsa-lvl3-generic-provenance-with-bazel-example", + ExpectedBuilderID: "", + ExpectedWorkflowInputs: map[string]string{}, + }, + byob: true, + trustedBuilderIDName: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@refs/tags/v1.8.0", + expectedID: nil, + }, } for _, tt := range tests { tt := tt // Re-initializing variable so it is not changed while executing the closure below @@ -1234,9 +1267,8 @@ func Test_VerifyTrustedProvenance(t *testing.T) { t.Errorf("unexpected error parsing envelope %v", err) } - vErr := VerifyProvenance(env, tt.provenanceOpts, trustedBuilderID, tt.byob, tt.expectedID) - if vErr != nil { - t.Errorf("Provenance Verification FAILED. Error: %v", vErr) + if err := VerifyProvenance(env, tt.provenanceOpts, trustedBuilderID, tt.byob, tt.expectedID); !errCmp(err, tt.expected) { + t.Errorf(cmp.Diff(err, tt.expected)) } }) } @@ -1289,9 +1321,8 @@ func Test_VerifyUntrustedProvenance(t *testing.T) { t.Errorf("unexpected error parsing envelope %v", err) } - vErr := VerifyProvenance(env, tt.provenanceOpts, trustedBuilderID, tt.byob, tt.expectedID) - if vErr == nil { - t.Errorf("Provenance Verification should have failed but DID NOT. Error: untrusted builder is trusted") + if err := VerifyProvenance(env, tt.provenanceOpts, trustedBuilderID, tt.byob, tt.expectedID); errCmp(err, tt.expected) { + t.Errorf(cmp.Diff(err, tt.expected)) } }) }