package installpackage
import (
"context"
"fmt"
"github.com/aquaproj/aqua/v2/pkg/download"
"github.com/aquaproj/aqua/v2/pkg/slsa"
"github.com/sirupsen/logrus"
)
// verifyWithSLSA checks the downloaded artifact against the package's SLSA
// provenance using slsa-verifier.
//
// Verification is skipped (returning nil) in two cases: when the installer
// was configured with slsaDisabled, and when the package's SLSAProvenance is
// not enabled. The slsaDisabled case is only logged at Debug level, so the
// skip is visible only when debug logging is turned on.
//
// Otherwise it installs slsa-verifier at slsa.Version, resolves the path of
// the downloaded body file, and runs the verifier with the package's SLSA
// source URI, the package version as the source tag, and the artifact path.
// Any failure is wrapped with the step that failed and returned.
func (is *Installer) verifyWithSLSA(ctx context.Context, logE *logrus.Entry, bodyFile *download.DownloadedFile, param *DownloadParam) error {
	if is.slsaDisabled {
		logE.Debug("slsa verification is disabled")
		return nil
	}

	pkg := param.Package
	pkgInfo := pkg.PackageInfo
	provenance := pkgInfo.SLSAProvenance
	if !provenance.GetEnabled() {
		// The package does not declare SLSA provenance; nothing to verify.
		return nil
	}

	artifact := pkg.TemplateArtifact(is.runtime, param.Asset)
	logE.Info("verify a package with slsa-verifier")

	// slsa-verifier itself must be present before the artifact can be checked.
	if err := is.slsaVerifierInstaller.installSLSAVerifier(ctx, logE, slsa.Version); err != nil {
		return fmt.Errorf("install slsa-verifier: %w", err)
	}

	artifactPath, err := bodyFile.Path()
	if err != nil {
		return fmt.Errorf("get a temporal file path: %w", err)
	}

	// The release the provenance is expected to describe.
	release := &download.File{
		RepoOwner: pkgInfo.RepoOwner,
		RepoName:  pkgInfo.RepoName,
		Version:   pkg.Package.Version,
	}
	verifyParam := &slsa.ParamVerify{
		SourceURI:    pkgInfo.SLSASourceURI(),
		SourceTag:    pkg.Package.Version,
		ArtifactPath: artifactPath,
	}
	if err := is.slsaVerifier.Verify(ctx, logE, is.runtime, provenance, artifact, release, verifyParam); err != nil {
		return fmt.Errorf("verify a package with slsa-verifier: %w", err)
	}
	return nil
}