noya3110 / aoss-verifier

This project forked from google/aoss-verifier

A standalone tool to enable easy verification of the authenticity and integrity of OSS packages generated by the Assured OSS service and also support the verification of build provenance.

License: Apache License 2.0

Go 100.00%

aoss-verifier

aoss-verifier provides a streamlined user experience for verifying the authenticity and integrity of packages generated by the Assured OSS service, abstracting away the complex technical details. It also supports verification of build provenance, enhancing trust and security in the software ecosystem.

Before you start

Before using this tool, make sure you have the following in place:

  • Go is installed on your system. If not, install it from the official Go website.
  • Cosign, a third-party tool required for verifying build provenance, is correctly installed.
  • A service account key has been generated and downloaded.

Installation

To install this tool, follow these steps:

  • Clone this repository and install the aoss-verifier tool:
$ git clone https://github.com/google/aoss-verifier.git
$ cd aoss-verifier
$ go mod download
$ go install aoss-verifier

This will compile the tool and install it to $(go env GOPATH)/bin.

  • Add $(go env GOPATH)/bin to your PATH environment variable so the tool can be run from anywhere:
$ export PATH="$(go env GOPATH)/bin:$PATH"

Usage

Once the tool is installed, you can use it by executing the aoss-verifier command followed by the desired command and options.

If you see a "Command aoss-verifier not found" error, make sure that the tool is correctly installed and that $(go env GOPATH)/bin is on your PATH.

To learn more about aoss-verifier usage, run aoss-verifier help.

Set configuration

$ aoss-verifier set-config KEY_FILE_PATH

where KEY_FILE_PATH is the path to the service account key JSON file.

This will create a hidden config file in the home directory which contains the path to the service account key file that will be used to authenticate to Google Cloud services.

Verify package

To verify a package, you’ll need to pass the language, package id, version and the path of the artifact you’re trying to verify via the --language, --package_id, --version and --artifact_path flags.

$ aoss-verifier verify-package --language LANGUAGE --package_id PACKAGE_ID --version VERSION --artifact_path ARTIFACT_PATH [flags]

where

LANGUAGE: programming language of the package; must be in lowercase

PACKAGE_ID:

  • for java: groupid:artifactid
  • for python: package_name

VERSION: version of the package

ARTIFACT_PATH: path to the downloaded package

  • the jar file for a java package
  • the wheel file for a python package

Example

$ aoss-verifier verify-package --language java --package_id commons-codec:commons-codec --version 1.15 --artifact_path target/dependency/commons-codec-1.15.jar
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_04_09:05:28/buildinfo.zip
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_04_09:05:28/package_signature.zip
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_04_09:05:28/package_signatures/ca.crt
Certificates verified successfully!
Signature Verified successfully!

Verify build provenance

To additionally verify build provenance, use the --verify_build_provenance flag.

$ aoss-verifier verify-package --language java --package_id commons-codec:commons-codec --version 1.15 --artifact_path target/dependency/commons-codec-1.15.jar --verify_build_provenance
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_04_09:08:08/buildinfo.zip
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_04_09:08:08/package_signature.zip
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_04_09:08:08/package_signatures/ca.crt
Cerficates verified successfully!
Signature Verified successfully!
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_04_09:08:08/package_signatures/public.pem
Build Provenance verified successfully!

Verify metadata

To verify metadata, you'll need to pass the metadata type, language, package id and version of the package whose metadata you want to verify via the --metadata_type, --language, --package_id and --version flags.

$ aoss-verifier verify-metadata --metadata_type TYPE --language LANGUAGE --package_id PACKAGE_ID --version VERSION [flags]

where

TYPE: one of buildinfo, vexinfo or healthinfo

LANGUAGE: programming language of the package; must be in lowercase

PACKAGE_ID:

  • for java: groupid:artifactid
  • for python: package_name

VERSION: version of the package

Example

$ aoss-verifier verify-metadata --metadata_type vexinfo --language java --package_id commons-codec:commons-codec --version 1.15
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_06_11:21:28/vexinfo.zip
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_06_11:21:28/ca.crt
Certificates verified successfully!
Metadata Signature Verified successfully!
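A CI gate around the verify-package and verify-metadata commands above, as an added example that is not part of aoss-verifier or its README: it rejects arguments the README rules out before anything is downloaded, runs the tool, and passes only when the tool exits 0 and prints the success lines shown in the sample output. AOSS_VERIFIER is an assumed environment override so the binary can be substituted in tests.

```shell
#!/bin/sh
# Added example, not part of aoss-verifier: a CI gate around the two commands
# documented above. AOSS_VERIFIER is an assumed override so the binary can be
# substituted in tests; everything else follows the README's conventions.
AOSS_VERIFIER="${AOSS_VERIFIER:-aoss-verifier}"

# Language must be lowercase; java ids are groupid:artifactid, python ids bare.
aoss_validate_id() {
  case "$1" in
    java)   case "$2" in *:*) ;; *) return 1 ;; esac ;;
    python) case "$2" in *:*) return 1 ;; esac ;;
    *)      return 1 ;;
  esac
}

# Artifact extension must match the language and the file must exist locally.
aoss_validate_artifact() {
  case "$1:$2" in java:*.jar|python:*.whl) [ -f "$2" ] ;; *) return 1 ;; esac
}

# Pass only if output $1 contains success line $2 (and, when $3 is 1, the
# provenance line). The certificate line is not matched because it is
# spelled two ways in the sample output above.
aoss_check_output() {
  printf '%s\n' "$1" | grep -q "$2" || return 1
  [ "$3" = 1 ] || return 0
  printf '%s\n' "$1" | grep -q 'Build Provenance verified successfully!'
}

# aoss_verify LANGUAGE PACKAGE_ID VERSION ARTIFACT_PATH [1 = also provenance]
# Fails on bad arguments, a non-zero exit from the tool, or missing lines.
aoss_verify() {
  prov=${5:-0}
  aoss_validate_id "$1" "$2" && aoss_validate_artifact "$1" "$4" || return 1
  set -- verify-package --language "$1" --package_id "$2" \
         --version "$3" --artifact_path "$4"
  [ "$prov" = 1 ] && set -- "$@" --verify_build_provenance
  out=$("$AOSS_VERIFIER" "$@" 2>&1) || return 1
  aoss_check_output "$out" 'Signature Verified successfully!' "$prov"
}

# aoss_verify_metadata TYPE LANGUAGE PACKAGE_ID VERSION
aoss_verify_metadata() {
  case "$1" in buildinfo|vexinfo|healthinfo) ;; *) return 1 ;; esac
  aoss_validate_id "$2" "$3" || return 1
  out=$("$AOSS_VERIFIER" verify-metadata --metadata_type "$1" --language "$2" \
        --package_id "$3" --version "$4" 2>&1) || return 1
  aoss_check_output "$out" 'Metadata Signature Verified successfully!' 0
}
```

In a pipeline, call aoss_verify once per downloaded dependency and fail the build on a non-zero return.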

Please refer to the help section of the tool (use the -h flag) for specific instructions on each command, including available options and their usage.

Contributors

bansalyashwini
