Monday, May 30, 2022

Google Online Security Blog: SLSA Part 3


As a reminder, Acme is trying to produce a container image that contains three artifacts:

  1. The Squirrel package ‘foo’
  2. The Oppy package ‘baz’
  3. A custom executable, ‘bar’, written by Acme employees.

The process starts with the ‘foo’ package authors triggering a build using GitHub Actions. This results in a new version of ‘foo’ (an artifact with hash ‘abc’) being pushed to the Squirrel repo along with its SLSA provenance (signed by Fulcio) and source attestation. When Squirrel gets this push request it verifies the artifact against the specific policy for ‘foo’, which checks that it was built by GitHub Actions from the expected source repository. After the artifact passes the policy check a VSA is created, and the new package, its original SLSA provenance, and the VSA are made public in the Squirrel repo, available to all users of package ‘foo’.

Next the maintainers of the Oppy ‘baz’ package trigger a new build using the Oppy Autobuilder. This results in a new version of ‘baz’ (an artifact with hash ‘def’) being pushed to a public Oppy repo, with the SLSA provenance (signed by their org-specific keys) published to Rekor. When the repo gets the push request it makes the artifact available to the public. The repo does not perform any verification at this time.

An Acme employee then makes a change to their Dockerfile, sending it for review by their co-worker, who approves the change and merges the PR. This then causes the Acme builder to trigger a build. During this build:

  • bar is compiled from source code stored in the same source repo as the Dockerfile.
  • acorn install downloads ‘foo’ from the Squirrel repo, verifying the VSA, and recording the use of acorn://foo@abc and its VSA in the build.
  • acme_oppy_get install (a custom script made by Acme) downloads the latest version of the Oppy ‘baz’ package and queries its SLSA provenance and other attestations from Rekor. It then performs a full verification, checking that it was built by ‘https://oppy.example/slsa/builder/v1’ and signed with the publicized key. Once verification is complete it records the use of oppy://baz@def and the associated attestations in the build.
  • The build process assembles the SLSA provenance for the container by:
    • Recording the Acme git repo the bar source and Dockerfile came from, into materials.
    • Copying the reported dependencies of acorn://foo@abc and oppy://baz@def into materials and adding their attestations to the output in-toto bundle.
    • Recording the CI/CD entrypoint as the invocation.
    • Creating a signed DSSE with the SLSA provenance and adding it to the output in-toto bundle.

Once the container is ready for release the Acme verifier checks the SLSA provenance (and other data in the in-toto bundle) using the policy from their own policy repo and issues a VSA. The VSA and all associated attestations are then published to an internal Rekor instance. Acme can then create an SBOM for the container leveraging data about the build as stored in Rekor. Acme then publishes the container image, the VSA, and the SBOM on Dockerhub.
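
Both halves of that flow in one place, the builder assembling and signing the provenance (the list above) and the Acme verifier checking it against policy before a VSA would be issued, as an added Go example. It is not code from the original post or from the SLSA, in-toto or sigstore projects. It keeps only a subset of the SLSA v0.2 provenance fields, generates an ECDSA P-256 key in-process in place of Fulcio-issued or org-specific keys, and the builder id, repo URL, entrypoint, key id and digests are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strconv"
)

// Subset of an in-toto Statement (SLSA provenance v0.2 predicate) and its DSSE envelope.
type (
	Ref struct { // a subject (name) or a material (uri) with its digest
		Name   string            `json:"name,omitempty"`
		URI    string            `json:"uri,omitempty"`
		Digest map[string]string `json:"digest"`
	}
	Predicate struct {
		Builder    struct{ ID string `json:"id"` }                               `json:"builder"`
		Invocation struct{ ConfigSource map[string]string `json:"configSource"` } `json:"invocation"`
		Materials  []Ref                                                          `json:"materials"`
	}
	Statement struct {
		Type          string    `json:"_type"`
		PredicateType string    `json:"predicateType"`
		Subject       []Ref     `json:"subject"`
		Predicate     Predicate `json:"predicate"`
	}
	Signature struct { KeyID string `json:"keyid"`; Sig string `json:"sig"` }
	Envelope  struct {
		PayloadType string      `json:"payloadType"`
		Payload     string      `json:"payload"` // base64 of the Statement JSON
		Signatures  []Signature `json:"signatures"`
	}
)

const payloadType = "application/vnd.in-toto+json"

// PAE is DSSE's pre-authentication encoding: type and lengths are signed with the body, so a signature cannot be replayed under another type.
func PAE(ptype string, payload []byte) []byte {
	return []byte("DSSEv1 " + strconv.Itoa(len(ptype)) + " " + ptype + " " + strconv.Itoa(len(payload)) + " " + string(payload))
}

// BuildProvenance is the builder side: the container as subject, the git repo plus the two already-verified
// dependencies as materials, the CI/CD entrypoint as invocation. Builder id, repo URL, entrypoint and git digest are constructed.
func BuildProvenance(containerDigest string) Statement {
	var p Predicate
	p.Builder.ID = "https://acme.example/slsa/builder/v1"
	p.Invocation.ConfigSource = map[string]string{"uri": "git+https://acme.example/src/bar", "entryPoint": ".ci/release.yml"}
	p.Materials = []Ref{
		{URI: "git+https://acme.example/src/bar", Digest: map[string]string{"sha1": "0123abcd"}},
		{URI: "acorn://foo", Digest: map[string]string{"sha256": "abc"}},
		{URI: "oppy://baz", Digest: map[string]string{"sha256": "def"}},
	}
	return Statement{Type: "https://in-toto.io/Statement/v0.1", PredicateType: "https://slsa.dev/provenance/v0.2",
		Subject: []Ref{{Name: "acme/app", Digest: map[string]string{"sha256": containerDigest}}}, Predicate: p}
}

// Sign wraps the statement in a DSSE envelope signed with an ECDSA P-256 key (stand-in for Fulcio or org keys).
func Sign(key *ecdsa.PrivateKey, keyID string, st Statement) (Envelope, error) {
	body, err := json.Marshal(st)
	if err != nil { return Envelope{}, err }
	h := sha256.Sum256(PAE(payloadType, body))
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil { return Envelope{}, err }
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// Verify is the verifier side (policy: expected builder id and source repo, trusted keys by keyid). Order matters: a trusted
// signature over the PAE is checked before the payload is parsed; the statement must then name the artifact actually in hand; only then policy.
func Verify(env Envelope, artifactDigest, builderID, sourceRepo string, keys map[string]*ecdsa.PublicKey) (st Statement, err error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || env.PayloadType != payloadType { return st, fmt.Errorf("malformed envelope or payloadType %q", env.PayloadType) }
	h, trusted := sha256.Sum256(PAE(env.PayloadType, body)), false
	for _, s := range env.Signatures {
		raw, derr := base64.StdEncoding.DecodeString(s.Sig)
		trusted = trusted || (keys[s.KeyID] != nil && derr == nil && ecdsa.VerifyASN1(keys[s.KeyID], h[:], raw))
	}
	if !trusted { return st, fmt.Errorf("no valid signature from a trusted key") }
	if err = json.Unmarshal(body, &st); err != nil { return st, err }
	subjectOK, sourceOK := false, false
	for _, s := range st.Subject { subjectOK = subjectOK || s.Digest["sha256"] == artifactDigest }
	for _, m := range st.Predicate.Materials { sourceOK = sourceOK || m.URI == sourceRepo }
	if !subjectOK { return st, fmt.Errorf("provenance does not cover artifact %s", artifactDigest) }
	if st.Predicate.Builder.ID != builderID { return st, fmt.Errorf("untrusted builder %q", st.Predicate.Builder.ID) }
	if !sourceOK { return st, fmt.Errorf("not built from expected source %s", sourceRepo) }
	return st, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	env, _ := Sign(key, "acme-builder-2022", BuildProvenance("1a2b3c"))
	keys := map[string]*ecdsa.PublicKey{"acme-builder-2022": &key.PublicKey}
	_, err := Verify(env, "1a2b3c", "https://acme.example/slsa/builder/v1", "git+https://acme.example/src/bar", keys)
	fmt.Println("container accepted:", err == nil)
}
```

Run it with `go run`. The point worth keeping from Verify is the ordering: parsing untrusted JSON only after the signature holds, and refusing an otherwise valid envelope whose subject is not the digest of the artifact you are about to ship, since a good attestation for some other artifact proves nothing about this one. A real verifier would resolve key ids through Fulcio or a trust root and consult Rekor for the transparency-log inclusion proof, both of which this example leaves out.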

Downstream users of this Acme container can then check the Acme-issued VSA, and if there are any problems Acme can consult their internal Rekor instance to get more details on the build, allowing Acme to trace all of their dependencies back to source code and the systems used to create them.
Conclusion

With SLSA implemented in the ways described in this series, downstream users are protected from many of the threats affecting the software supply chain today. While users still need to trust certain parties, the number of systems requiring trust is much lower, and users are in a much better position to investigate any issues that arise.

We'd love to see the ideas in this series implemented, refuted, or used as a foundation to build even stronger solutions. We'd also love to hear other methods of solving these issues. Show us how you would like to SLSA.
