in-toto/attestation-verifier

GitHub: in-toto/attestation-verifier

A prototype attestation verifier for the software supply chain, based on the ITE-10/ITE-11 specifications, used to verify the integrity and policy compliance of each step in a build pipeline.

Stars: 18 | Forks: 8

# in-toto/attestation-verifier [![gittuf verification](https://static.pigsec.cn/wp-content/uploads/repos/2026/03/4464ea2986025423.svg)](https://github.com/in-toto/attestation-verifier/actions/workflows/gittuf-verify.yml)

This is a **prototype** of the verification capabilities introduced in in-toto Enhancements [10](https://github.com/in-toto/ITE/blob/master/ITE/10/README.adoc) and [11](https://github.com/in-toto/ITE/pull/50). This verifier must not be used in production systems.

## Usage

Install it with `go install`. Assuming `$GOPATH/bin` is in your path, you should be able to invoke the verifier as `attestation-verifier`.

## Example

The example [layout](layout.yml) contains three steps: `clone`, `test` and `build`. The clone step is represented with the [in-toto link predicate](https://github.com/in-toto/attestation/blob/main/spec/predicates/link.md), the test step with the [in-toto test-result predicate](https://github.com/in-toto/attestation/blob/main/spec/predicates/test-result.md), and the build step with the [SLSA Provenance predicate](https://github.com/in-toto/attestation/blob/main/spec/predicates/provenance.md). The test and build steps match their materials against the products of the clone step. In addition, each step definition in the layout includes some extra attribute checks.

```
$ attestation-verifier -l layouts/layout.yml -a test-data
INFO[0000] Verifying layout expiry...
INFO[0000] Done.
INFO[0000] Fetching verifiers...
INFO[0000] Creating verifier for key fe1c6281c5ff13e35286cc67e5a1fb3e6575b840a6c39ca4267d3805eb17288a
INFO[0000] Done.
INFO[0000] Loading attestations as claims...
INFO[0000] Done.
INFO[0000] Verifying claim for step 'clone' of type 'https://in-toto.io/attestation/link/v0.3' by 'fe1c6281c5ff13e35286cc67e5a1fb3e6575b840a6c39ca4267d3805eb17288a'...
INFO[0000] Applying material rules...
INFO[0000] Evaluating rule `DISALLOW *`...
INFO[0000] Applying product rules...
INFO[0000] Evaluating rule `CREATE foo`...
INFO[0000] Evaluating rule `DISALLOW *`...
INFO[0000] Applying attribute rules...
INFO[0000] Evaluating rule `predicate.command == ['git', 'clone', 'https://example.com/foo.git']`...
INFO[0000] Done.
INFO[0000] Verifying claim for step 'test' of type 'https://in-toto.io/attestation/test-result/v0.1' by 'fe1c6281c5ff13e35286cc67e5a1fb3e6575b840a6c39ca4267d3805eb17288a'...
INFO[0000] Applying material rules...
INFO[0000] Evaluating rule `MATCH foo WITH products FROM clone`...
INFO[0000] Evaluating rule `DISALLOW *`...
INFO[0000] Applying product rules...
INFO[0000] Applying attribute rules...
INFO[0000] Evaluating rule `size(predicate.failedTests) == 0`...
INFO[0000] Evaluating rule `predicate.result == 'PASSED'`...
INFO[0000] Evaluating rule `size(subject) != 0`...
INFO[0000] Done.
INFO[0000] Verifying claim for step 'build' of type 'https://slsa.dev/provenance/v1' by 'fe1c6281c5ff13e35286cc67e5a1fb3e6575b840a6c39ca4267d3805eb17288a'...
INFO[0000] Applying material rules...
INFO[0000] Evaluating rule `MATCH foo WITH products FROM clone`...
INFO[0000] Evaluating rule `DISALLOW *`...
INFO[0000] Applying product rules...
INFO[0000] Evaluating rule `CREATE bin/foo`...
INFO[0000] Evaluating rule `DISALLOW *`...
INFO[0000] Applying attribute rules...
INFO[0000] Evaluating rule `predicate.buildDefinition.buildType == 'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1'`...
INFO[0000] Evaluating rule `predicate.runDetails.builder.id == 'https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.7.0'`...
INFO[0000] Done.
INFO[0000] Verification successful!
```
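As an added illustration that is not the project's own code, the following Go sketch evaluates artifact rules of the kind the log above shows (`MATCH foo WITH products FROM clone`, `CREATE bin/foo`, `DISALLOW *`) with the queue-consumption semantics of in-toto artifact rules: each rule consumes the artifacts it verifies, and `DISALLOW *` rejects whatever is left, which is how a material altered between the clone and test steps is caught. The digests, the `arity` table and the glob handling are constructed here; how attestation-verifier itself implements these rules is not shown on this page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type Artifacts map[string]string                    // artifact path -> digest (constructed sample values)
type Step struct{ Materials, Products Artifacts } // what one step consumed and produced

var arity = map[string]int{"MATCH": 6, "CREATE": 2, "DISALLOW": 2} // field count of each supported verb

// ApplyRules evaluates rules in order, in-toto style, consuming entries from queue (mutated):
// MATCH and CREATE consume what they verify; DISALLOW fails on a matching entry still queued.
func ApplyRules(rules []string, queue Artifacts, cur Step, steps map[string]Step) error {
	for _, rule := range rules {
		f := strings.Fields(rule)
		if len(f) == 0 || len(f) != arity[f[0]] {
			return fmt.Errorf("rule %q: malformed or unsupported", rule)
		}
		// fnmatch-like glob: '*' also spans '/', so "DISALLOW *" covers "bin/foo"
		glob := regexp.MustCompile("^" + strings.ReplaceAll(regexp.QuoteMeta(f[1]), `\*`, ".*") + "$")
		for name, digest := range queue {
			if !glob.MatchString(name) {
				continue
			}
			switch f[0] {
			case "MATCH": // MATCH <pattern> WITH <materials|products> FROM <step>
				src := steps[f[5]]
				other := map[string]Artifacts{"materials": src.Materials, "products": src.Products}[f[3]]
				if other[name] == digest { // identical digest recorded by the other step: consumed
					delete(queue, name)
				}
			case "CREATE": // a product that was not among this step's materials
				if _, existed := cur.Materials[name]; !existed {
					delete(queue, name)
				}
			case "DISALLOW": // still queued and matching: policy violation
				return fmt.Errorf("rule %q: unexpected artifact %s", rule, name)
			}
		}
	}
	return nil
}

func main() {
	steps := map[string]Step{"clone": {Products: Artifacts{"foo": "sha256:1111"}}}
	test := Step{Materials: Artifacts{"foo": "sha256:2222"}} // foo altered between clone and test
	fmt.Println(ApplyRules([]string{"MATCH foo WITH products FROM clone", "DISALLOW *"}, test.Materials, test, steps))
}
```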