
Attestation of 2 artifacts is considered valid even if only one is passed #174

Closed
mihaimaruseac opened this issue Jul 26, 2022 · 2 comments
Assignees
Labels
type:bug Something isn't working

Comments

@mihaimaruseac
Contributor

mihaimaruseac@ankh:/tmp$ ~/go/bin/slsa-verifier -provenance attestation.intoto.jsonl -source mihaimaruseac/slsa-lvl3-generic-provenance-with-bazel-example -artifact-path fib -artifact-path hello
Verified signature against tlog entry index 3026659 at URL: https://rekor.sigstore.dev/api/v1/log/entries/b7d5d52dfc795dddf1c03e901e96c3cb1803c9f1ecc250a13299131b2564c422
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.0 at commit e9b5431bcfb0df5d8b2ee622bde8ec4fad9d71d3
PASSED: Verified SLSA provenance

Getting the same result if passing only fib or hello arguments.

I could look into this.
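Added example, not slsa-verifier's own code, of the check this report is about: when several artifact paths are given, each one must be matched by digest against the provenance subjects, and any artifact without a matching subject (or an empty artifact list) must fail the run instead of passing. The Subject and Artifact types, the sample file contents and their digests are constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Subject is the part of an in-toto statement subject used here: name plus sha256 hex.
type Subject struct {
	Name   string
	SHA256 string
}

// Artifact is one -artifact-path argument plus the bytes read from that file.
type Artifact struct {
	Path    string
	Content []byte
}

// DigestOf returns the lowercase hex sha256 of b, the form used in subject digests.
func DigestOf(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// VerifyArtifacts passes only if every supplied artifact's digest is a subject; an empty list is rejected.
func VerifyArtifacts(subjects []Subject, artifacts []Artifact) error {
	if len(artifacts) == 0 {
		return fmt.Errorf("no artifact paths supplied")
	}
	known := make(map[string]bool, len(subjects))
	for _, s := range subjects {
		known[s.SHA256] = true
	}
	for _, a := range artifacts {
		if !known[DigestOf(a.Content)] {
			return fmt.Errorf("artifact %q is not a subject of the provenance", a.Path)
		}
	}
	return nil
}

func main() {
	// Constructed sample artifacts standing in for the fib and hello binaries.
	fib := Artifact{Path: "fib", Content: []byte("constructed fib binary")}
	hello := Artifact{Path: "hello", Content: []byte("constructed hello binary")}
	subjects := []Subject{{"fib", DigestOf(fib.Content)}, {"hello", DigestOf(hello.Content)}}
	fmt.Println(VerifyArtifacts(subjects, []Artifact{fib, hello})) // <nil>: both covered
	fmt.Println(VerifyArtifacts(subjects, []Artifact{fib, {Path: "hello", Content: []byte("tampered")}}))
}
```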

@laurentsimon
Contributor

> mihaimaruseac@ankh:/tmp$ ~/go/bin/slsa-verifier -provenance attestation.intoto.jsonl -source mihaimaruseac/slsa-lvl3-generic-provenance-with-bazel-example -artifact-path fib -artifact-path hello
> Verified signature against tlog entry index 3026659 at URL: https://rekor.sigstore.dev/api/v1/log/entries/b7d5d52dfc795dddf1c03e901e96c3cb1803c9f1ecc250a13299131b2564c422
> Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.0 at commit e9b5431bcfb0df5d8b2ee622bde8ec4fad9d71d3
> PASSED: Verified SLSA provenance
>
> Getting the same result if passing only fib or hello arguments.

we did not intend to support multiple -artifact-path, but it could be a new feature. #91 is related.

> I could look into this.

Awesome, assigned to you

@ianlewis ianlewis added the type:bug Something isn't working label Nov 25, 2022
mihaimaruseac added a commit to mihaimaruseac/slsa-verifier that referenced this issue Dec 28, 2022
One part that is missing in the output if the invocation is wrong is that
there is no indication that the user has to pass a path to a file
(artifact/image).

The remaining potential errors from slsa-framework#173 are handled via slsa-framework#231.

Found while looking at slsa-framework#174.

Signed-off-by: Mihai Maruseac <[email protected]>
@mihaimaruseac
Contributor Author

Moving this to #91 as it contains all possible scenarios and relevant discussion

asraa pushed a commit that referenced this issue Dec 28, 2022
ramonpetgrave64 pushed a commit to ramonpetgrave64/slsa-verifier that referenced this issue Apr 18, 2024
* Use base64 for subjects.

* Update docs

* Update tests for parseSubject

* Update docs for subjects input

* Change input to base64-subjects

* Add comment on sha256sum