As a reminder, Acme is trying to produce a container image that contains three artifacts:
- The Squirrel package ‘foo’
- The Oppy package ‘baz’
- A custom executable, ‘bar’, written by Acme employees.
The process starts with the ‘foo’ package authors triggering a build using GitHub Actions. This results in a new version of ‘foo’ (an artifact with hash ‘abc’) being pushed to the Squirrel repo along with its SLSA provenance (signed under a short-lived certificate issued by Fulcio) and source attestation. When Squirrel receives this push request it verifies the artifact against the specific policy for ‘foo’, which checks that it was built by GitHub Actions from the expected source repository. Once the artifact passes the policy check a VSA is created, and the new package, its original SLSA provenance, and the VSA are made public in the Squirrel repo, available to all users of package ‘foo’.
Next the maintainers of the Oppy ‘baz’ package trigger a new build using the Oppy Autobuilder. This results in a new version of ‘baz’ (an artifact with hash ‘def’) being pushed to a public Oppy repo, with the SLSA provenance (signed by their org-specific keys) published to Rekor. When the repo receives the push request it makes the artifact available to the public. The repo does not perform any verification at this time, so the burden of verifying ‘baz’ falls on its consumers.
An Acme employee then makes a change to their Dockerfile and sends it for review by a co-worker, who approves the change and merges the PR. This causes the Acme builder to trigger a build. During this build:
- bar is compiled from source code stored in the same source repo as the Dockerfile.
- acorn install downloads ‘foo’ from the Squirrel repo, verifying the VSA, and records the use of acorn://foo@abc and its VSA in the build.
- acme_oppy_get install (a custom script written by Acme) downloads the latest version of the Oppy ‘baz’ package and queries its SLSA provenance and other attestations from Rekor. It then performs a full verification, checking that the package was built by ‘https://oppy.example/slsa/builder/v1’ and signed with that builder's published key. Once verification is complete it records the use of oppy://baz@def and the associated attestations in the build.
- The build process assembles the SLSA provenance for the container by:
  - Recording the Acme git repo that the bar source and Dockerfile came from in materials.
  - Copying the reported dependencies of acorn://foo@abc and oppy://baz@def into materials and adding their attestations to the output in-toto bundle.
  - Recording the CI/CD entrypoint as the invocation.
  - Creating a signed DSSE containing the SLSA provenance and adding it to the output in-toto bundle.
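The following is an added example (not code from the original post, nor from Acme or any of the projects it describes) of how a builder could carry out those four steps in Python: assemble the SLSA v0.2 provenance statement, compute the DSSE pre-authentication encoding, sign it, and emit the in-toto bundle. The builder id, source URI, entry point, image name and key are assumptions; HMAC-SHA256 stands in for the builder's asymmetric signature so the block runs with the standard library alone, and the page's ‘abc’ and ‘def’ are kept as shorthand digests.

```python
import base64
import hashlib
import hmac
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v0.2"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed stand-ins for what the Acme builder observed (not values from the page).
ACME_BUILDER_ID = "https://acme.example/slsa/builder/v1"             # assumption
ACME_SOURCE = "git+https://git.acme.example/acme/container"         # assumption
ACME_COMMIT = hashlib.sha1(b"constructed acme commit").hexdigest()  # constructed
ENTRY_POINT = "ci/build.yaml"                                       # assumption
# Dependencies as recorded by acorn install and acme_oppy_get install. The page's
# 'abc' and 'def' are shorthand for real digests and are kept as-is here.
RESOLVED_DEPENDENCIES = {
    "acorn://foo@abc": {"sha256": "abc"},
    "oppy://baz@def": {"sha256": "def"},
}


def build_provenance(image_digest: str) -> dict:
    """Assemble the in-toto Statement carrying SLSA v0.2 provenance for the image."""
    source_material = {"uri": ACME_SOURCE, "digest": {"sha1": ACME_COMMIT}}
    materials = [source_material]  # bar's source and the Dockerfile live in this repo
    for uri, digest in RESOLVED_DEPENDENCIES.items():
        materials.append({"uri": uri, "digest": digest})
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": "docker.io/acme/app", "digest": {"sha256": image_digest}}],
        "predicateType": PROVENANCE_TYPE,
        "predicate": {
            "builder": {"id": ACME_BUILDER_ID},
            "buildType": "https://acme.example/build/container/v1",  # assumption
            "invocation": {
                # The CI/CD entrypoint that ran, pinned to the reviewed commit.
                "configSource": {**source_material, "entryPoint": ENTRY_POINT},
            },
            "materials": materials,
        },
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the bytes that are actually signed.
    Binding the payload type stops a signature over one kind of document from
    being replayed as a signature over another."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def sign_envelope(statement: dict, keyid: str, key: bytes) -> dict:
    """Wrap a statement in a DSSE envelope. HMAC-SHA256 stands in for the builder's
    asymmetric signature so the example needs only the standard library."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(DSSE_PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": DSSE_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def open_envelope(envelope: dict, keyid: str, key: bytes) -> dict:
    """Verify the envelope and return the statement. The payload is parsed only
    after a signature by `keyid` checks out; an unverified payload is never trusted."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    for sig in envelope["signatures"]:
        if sig["keyid"] == keyid and hmac.compare_digest(base64.b64decode(sig["sig"]), expected):
            return json.loads(payload)
    raise ValueError("no valid signature by key %s" % keyid)


def assemble_bundle(*envelopes: dict) -> str:
    """An in-toto bundle is JSON Lines: one DSSE envelope per line, here the container's
    own provenance followed by the dependency attestations copied in during the build."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in envelopes) + "\n"


if __name__ == "__main__":
    key = b"constructed demo key"
    statement = build_provenance(hashlib.sha256(b"constructed image").hexdigest())
    envelope = sign_envelope(statement, "acme-builder-2022", key)
    print(assemble_bundle(envelope))
    print(open_envelope(envelope, "acme-builder-2022", key)["predicate"]["materials"])
```

Two details matter for a verifier consuming this bundle: the signature is computed over the PAE, not over the raw payload, and the payload is decoded and parsed only after a signature by the expected key has been checked.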
Once the container is ready for release the Acme verifier checks the SLSA provenance (and the other data in the in-toto bundle) using the policy from their own policy repo and issues a VSA. The VSA and all associated attestations are then published to an internal Rekor instance. Acme can then create an SBOM for the container using the build data stored in Rekor. Acme then publishes the container image, the VSA, and the SBOM on Dockerhub.
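The same policy check recurs three times in this story: Squirrel's check on ‘foo’ (expected builder GitHub Actions, expected source the foo repo), acme_oppy_get's check on ‘baz’ (expected builder ‘https://oppy.example/slsa/builder/v1’), and the Acme verifier's check on the container before it issues its VSA. The following added example (not code from the original post or from any of the projects it describes) shows the core of such a check over a decoded provenance statement and the VSA it produces; only the policy differs between the three cases. The policy layout, ids and URLs are assumptions, the provenance statement is constructed inline, and the VSA predicate uses the v0.1 draft field names, which may differ from the current spec.

```python
import datetime
import hashlib
import json

PROVENANCE_TYPE = "https://slsa.dev/provenance/v0.2"
VSA_TYPE = "https://slsa.dev/verification_summary/v0.1"
HEX = set("0123456789abcdef")

# Acme's policy for its own container (constructed). Swapping in the GitHub Actions
# builder id and the foo source repo gives Squirrel's check on 'foo'; swapping in the
# Oppy builder id gives the check acme_oppy_get runs on 'baz'.
ACME_POLICY = {
    "uri": "https://acme.example/policies/container",                  # assumption
    "allowed_builders": ["https://acme.example/slsa/builder/v1"],     # assumption
    "expected_source": "git+https://git.acme.example/acme/container",  # assumption
    "dependency_schemes": ["acorn", "oppy"],
    "slsa_level": "SLSA_LEVEL_3",
}

# Constructed provenance statement of the kind the Acme builder emits; 'abc' and
# 'def' are the page's shorthand digests.
ACME_PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "docker.io/acme/app",
                 "digest": {"sha256": hashlib.sha256(b"constructed image").hexdigest()}}],
    "predicateType": PROVENANCE_TYPE,
    "predicate": {
        "builder": {"id": "https://acme.example/slsa/builder/v1"},
        "invocation": {"configSource": {
            "uri": "git+https://git.acme.example/acme/container",
            "digest": {"sha1": "0" * 40}, "entryPoint": "ci/build.yaml"}},
        "materials": [
            {"uri": "git+https://git.acme.example/acme/container", "digest": {"sha1": "0" * 40}},
            {"uri": "acorn://foo@abc", "digest": {"sha256": "abc"}},
            {"uri": "oppy://baz@def", "digest": {"sha256": "def"}},
        ],
    },
}


def check_policy(statement: dict, policy: dict, attested_uris: set) -> list:
    """Return findings; an empty list means the provenance satisfies the policy.
    `attested_uris` are the dependency URIs whose own attestations are in the bundle."""
    if statement.get("predicateType") != PROVENANCE_TYPE:
        return ["unexpected predicateType %r" % statement.get("predicateType")]
    findings = []
    pred = statement.get("predicate", {})
    builder = pred.get("builder", {}).get("id")
    if builder not in policy["allowed_builders"]:
        findings.append("builder %r not in allowed builders" % builder)
    source = pred.get("invocation", {}).get("configSource", {}).get("uri", "")
    if not source.startswith(policy["expected_source"]):
        findings.append("source %r does not match expected %r" % (source, policy["expected_source"]))
    # Subjects must carry a full sha256 digest: it is what downstream users match the VSA on.
    for subj in statement.get("subject", []):
        digest = subj.get("digest", {}).get("sha256", "")
        if len(digest) != 64 or not set(digest) <= HEX:
            findings.append("subject %r lacks a sha256 digest" % subj.get("name"))
    # Every third-party dependency in materials needs its own attestation in the bundle,
    # otherwise the container's provenance silently rests on an unverified input.
    for material in pred.get("materials", []):
        uri = material.get("uri", "")
        if uri.split("://", 1)[0] in policy["dependency_schemes"] and uri not in attested_uris:
            findings.append("dependency %r has no attestation in bundle" % uri)
    return findings


def issue_vsa(statement, policy, attested_uris, verifier_id="https://acme.example/verifier"):
    """Evaluate the policy and emit a VSA (v0.1 draft field layout) plus the findings.
    A failed check still yields a VSA, marked FAILED, so the outcome is itself recorded."""
    findings = check_policy(statement, policy, attested_uris)
    policy_bytes = json.dumps(policy, sort_keys=True).encode()
    now = datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0).isoformat()
    predicate = {
        "verifier": {"id": verifier_id},
        "time_verified": now,
        "policy": {"uri": policy["uri"], "digest": {"sha256": hashlib.sha256(policy_bytes).hexdigest()}},
        "input_attestations": [{"uri": u} for u in sorted(attested_uris)],
        "verification_result": "PASSED" if not findings else "FAILED",
        # SLSA_LEVEL_0 on failure is this example's convention for "nothing asserted".
        "policy_level": policy["slsa_level"] if not findings else "SLSA_LEVEL_0",
    }
    vsa = {"_type": statement["_type"], "subject": statement["subject"],
           "predicateType": VSA_TYPE, "predicate": predicate}
    return vsa, findings


if __name__ == "__main__":
    vsa, findings = issue_vsa(ACME_PROVENANCE, ACME_POLICY, {"acorn://foo@abc", "oppy://baz@def"})
    print(json.dumps(vsa, indent=2), findings)
```

The VSA would then be wrapped in a signed DSSE envelope under the verifier's key, exactly as the provenance was, before being published alongside the attestations it summarises.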
Downstream users of this Acme container can then check the Acme-issued VSA, and if there are any problems Acme can consult their internal Rekor instance for more details on the build, allowing Acme to trace all of their dependencies back to source code and the systems used to create them.
With SLSA implemented in the ways described in this series, downstream users are protected from many of the threats affecting the software supply chain today. While users still need to trust certain parties, the number of systems requiring trust is much lower and users are in a much better position to investigate any issues that arise.
We'd love to see the ideas in this series implemented, refuted, or used as a foundation to build even stronger solutions. We'd also love to hear other ways of solving these problems. Show us how you like to SLSA.