This repository contains the implementation for verifying SLSA provenance. It currently supports verifying provenance generated by the SLSA generator for Go projects. We are working on support for verifying provenance for other ecosystems.
You have two options to install the verifier.
$ go install github.com/slsa-framework/[email protected]
$ slsa-verifier <options>
$ git clone [email protected]:slsa-framework/slsa-verifier.git
$ cd slsa-verifier && git checkout v1.2.0
$ go run . <options>
Download the binary from the latest release at https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.2.0
Download the SHA256SUM.md.
Verify the checksum:
$ sha256sum -c --strict SHA256SUM.md
slsa-verifier-linux-amd64: OK
Below is a list of options currently supported. Note that signature verification is handled seamlessly without the need for developers to manipulate public keys.
$ git clone [email protected]:slsa-framework/slsa-verifier.git
$ go run . --help
Usage of ./slsa-verifier:
-artifact-path string
path to an artifact to verify
-branch string
expected branch the binary was compiled from (default "main")
-print-provenance
output the verified provenance
-provenance string
path to a provenance file
-source string
expected source repository that should have produced the binary, e.g. github.com/some/repo
-tag string
[optional] expected tag the binary was compiled from
-versioned-tag string
[optional] expected version the binary was compiled from. Uses semantic version to match the tag$ go run . -artifact-path ~/Downloads/slsa-verifier-linux-amd64 -provenance ~/Downloads/slsa-verifier-linux-amd64.intoto.jsonl -source github.com/slsa-framework/slsa-verifier -tag v1.2.0
Verified signature against tlog entry index 3027785 at URL: https://rekor.sigstore.dev/api/v1/log/entries/0cdff5b6a013379f9c1c5c6c598ad73c60de5acd969ba70ea2e874098b6e789f
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.1.1 at commit fb9aeaf6384fd588e56ad90978fe025b3fd44849
PASSED: Verified SLSA provenanceThe verified in-toto statement may be written to stdout with the --print-provenance flag to pipe into policy engines.
Find our blog post series here.
For a more in-depth technical dive, read the SPECIFICATIONS.md.