A simple demo that shows some of the capabilities that ITE-4 enables.
After cloning this test repo, run the setup_demo.sh
script to setup for the
demo. Make sure to set the environment variable TESTREPO
to a fork of
in-toto/ite-4-demo-test-repo
in order to create and merge PR's, or a repo
with files of the same name.
The script will clone test projects into the home directories of the "players" involved, Alice and Bob. In the real world, it is more likely that both already have the project installed locally.
For this demo, make sure you have the github cli tool installed.
NOTE: Some commands below are making calls to the test repo, make sure to
change any references to in-toto/ite-4-demo-test-repo
to the repo you are using.
cd owner_alice
python create_layout.py
Before Bob makes any changes, he will first create a feature
branch that will
contain his changes.
cd ../functionary_bob/project
git checkout -b feature
Bob uses in-toot-record
command to record the change in the commit hash. The
material will be the latest commit on HEAD.
in-toto-record start --step-name commit-changes --key ../bob -m git:commit
Then, Bob uses an editor of his choice to update the version number in foo.py
and commits the changes to the branch.
# Change version number from v0 to v1
sed -i.bak 's/v0/v1/' foo.py && rm foo.py.bak
git add foo.py && git commit -m "update version"
Finally, Bob records the state of the files after the modification and produces
a link metadata file called update-version.[Bob's keyid].link
.
in-toto-record stop --step-name commit-changes --key ../bob -p git:commit
Now that Bob has commited his changes to his local repo, he will push the changes to the remote repo.
git push --set-upstream origin feature
Then, Bob will submit a pull request using gh
and use in-toto-run
to
record the state of the files to create a link. The output of the gh
command
should give you the pull request number, replace the placeholders in the
following commands with it.
in-toto-record start -n create-pr -m git:commit --key ../bob
gh pr create --title "update version" --body "update version number"
in-toto-record stop -n create-pr -p github:in-toto/ite-4-demo-test-repo:pr:{pr number} --key ../bob
Alice will now review Bob's PR, approve it, and merge it. In order to record the merging, Alice will need to pull the new merge commit and record it.
cd ../../owner_alice/project
in-toto-record start -n merge-pr -m github:in-toto/ite-4-demo-test-repo:pr:{pr number} git:commit --key ../alice
gh pr merge {pr number}
git pull
in-toto-record stop -n merge-pr -p git:commit --key ../alice
Then, Alice will tag the new merge commit and record the action.
in-toto-run -n tag -m git:commit -p git:tag:release --key ../alice -- git tag release
Alice can now build the container image.
in-toto-record start -n build-image -k ../alice -m git:commit git:tag:release
docker build . -f Containerfile --tag ite-4-demo
in-toto-record stop -n build-image -k ../alice -p docker://ite-4-demo
Copy the layout and the links to a new directory to verify the integrity of the workflow.
cd ../..
# Set up the final product
mkdir final_product
cp functionary_bob/project/*.link final_product
cp owner_alice/project/*.link final_product
cp owner_alice/root.layout final_product
cd final_product
# Verify the product
in-toto-verify --layout root.layout --layout-key ../owner_alice/alice.pub
Now, let’s try to tamper with the software supply chain. Suppose someone added a new commit to Alice's source code before she could tag the project and build the container.
cd ../owner_alice/project
echo 'something evil' >> foo.py
git add foo.py && git commit --amend --no-edit
With the changes now in the project, without Alice's knowledge, it will be present in the container.
# Tag the changed commit
in-toto-run -n tag -m git:commit -p git:tag:release --key ../alice -- git tag release
# Build the container
in-toto-record start -n build-image -k ../alice -m git:commit git:tag:release
docker build . -f Containerfile --tag ite-4-demo
in-toto-record stop -n build-image -k ../alice -p docker://ite-4-demo
# Set up the tampered product
cp functionary_bob/project/*.link final_product
cp owner_alice/project/*.link final_product
cp owner_alice/root.layout final_product
cd final_product
in-toto-verify --verbose --layout root.layout --layout-key ../owner_alice/alice.pub
This time, in-toto-verify
will detect that the resulting commit from the step
merge-pr
was not used to tag the project nor build the container image and
will therefore fail verification and return with a non-zero value. Running it
in verbose mode will show this in detail.
echo $?
# should print 1
If you want to run the demo again, remove all the files and reset all of the repos by running the following script.
python3 run_demo.py --clean
Use the same script to have an automated run through of the demo. If you are
running the demo using a repo other than in-toto/ite-4-demo-test-repo
, make
sure you have the environment variable TESTREPO
set to the corresponding repo.
It should be able to handle repos setup with either HTTPS and SSH.
python3 run_demo.py