in-toto-container

Programmatically running in-toto verifications in a container

Primary language: Go. License: MIT.

In-Toto verifications in a container

This is a project that enables running In-Toto verifications inside a Linux container.

This project assumes familiarity with the In-Toto Specification.

Verification is the process by which the data and metadata shipped with the final product are used to check its correctness. The client verifies the supply chain layout and the link metadata against each other, and then runs the inspection steps defined in the layout.

Why run verifications in a container?

The main reason for providing a containerized environment for In-Toto verifications is dependencies: at a minimum, running an In-Toto verification requires Python, OpenSSL, git, and pip. On top of this, individual layouts might require additional tools in order to execute their inspections (for example, the official demo needs to execute tar locally). Running in a container ensures that the desired dependencies, at known versions, are available to whoever runs the verification.

Additionally, using this method, verifications can be executed on any operating system that can run Linux containers. The container also keeps the inspection commands, which in-toto-verify executes as part of verification, away from the host file system; a layout still defines commands that will be run, so it must come from a source you trust and its signature must be checked against a key you trust.

Requirements

We introduce the concept of a verification image: a container image inside which verifications are performed. At a minimum, the image needs to satisfy the requirements for running the in-toto-verify binary and must contain a /in-toto directory at the root of the file system.

Such a container image can be built using the following Dockerfile:

# Pin a specific tag (and ideally a digest) instead of latest so the
# verification environment is reproducible.
FROM python:latest

# Directory into which the utility copies the layout, keys, links and targets.
RUN mkdir /in-toto

# Provides the in-toto-verify binary.
RUN pip install --no-cache-dir in-toto

How does this work?

The root layout, the layout key, the target files, and the links directory are passed as arguments to this utility. They are copied into the /in-toto directory of the verification image, and the in-toto-verify utility is then run in the container.

Note that the utility does not currently support passing all flags through to in-toto-verify, and only a single layout key can be passed.
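The staging described above, written out as an added Go example (this is illustrative code, not the utility's own implementation): it maps each host file to its destination under /in-toto, refuses inputs whose base names would collide inside the container, builds the in-toto-verify command line that runs in the container, and does a cheap pre-flight check of the layout envelope (type, presence of signatures, expiry) before a container is started. The constants, type and function names, the fixed container file names layout.template and key.pub, and the embedded layout JSON are assumptions made for the example; actual signature verification is left to in-toto-verify inside the container.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"time"
)

// ContainerRoot is the directory every verification image must provide.
const ContainerRoot = "/in-toto"

// VerifyInputs mirrors the flags of `itc verify` (host paths).
type VerifyInputs struct {
	Layout, LayoutKey string
	Links, Targets    []string
}

// CopyOp is one host -> container file copy.
type CopyOp struct{ Src, Dst string }

// PlanCopies maps every host path to its destination under /in-toto. Links and
// targets keep their base name; layout and key get fixed names (an assumption
// of this example). Two inputs landing on the same container path are
// rejected rather than silently overwriting each other.
func PlanCopies(in VerifyInputs) ([]CopyOp, error) {
	ops := []CopyOp{
		{in.Layout, path.Join(ContainerRoot, "layout.template")},
		{in.LayoutKey, path.Join(ContainerRoot, "key.pub")},
	}
	for _, p := range append(append([]string{}, in.Targets...), in.Links...) {
		ops = append(ops, CopyOp{p, path.Join(ContainerRoot, filepath.Base(p))})
	}
	seen := map[string]string{}
	for _, op := range ops {
		if prev, dup := seen[op.Dst]; dup {
			return nil, fmt.Errorf("%s and %s both map to %s", prev, op.Src, op.Dst)
		}
		seen[op.Dst] = op.Src
	}
	return ops, nil
}

// VerifyArgv is the in-toto-verify command to execute inside the container,
// with /in-toto as the working directory so inspections find the targets.
func VerifyArgv() []string {
	return []string{"in-toto-verify",
		"--layout", path.Join(ContainerRoot, "layout.template"),
		"--layout-keys", path.Join(ContainerRoot, "key.pub"),
		"--link-dir", ContainerRoot, "--verbose"}
}

// metablock is the subset of the in-toto envelope the pre-flight check needs.
type metablock struct {
	Signatures []struct {
		KeyID string `json:"keyid"`
		Sig   string `json:"sig"`
	} `json:"signatures"`
	Signed struct {
		Type    string `json:"_type"`
		Expires string `json:"expires"`
	} `json:"signed"`
}

// CheckLayout rejects obviously broken layouts before a container is started:
// not a layout, unsigned, or already expired at time now.
func CheckLayout(raw []byte, now time.Time) error {
	var mb metablock
	if err := json.Unmarshal(raw, &mb); err != nil {
		return fmt.Errorf("layout is not valid JSON: %w", err)
	}
	if mb.Signed.Type != "layout" {
		return fmt.Errorf("expected _type \"layout\", got %q", mb.Signed.Type)
	}
	if len(mb.Signatures) == 0 {
		return errors.New("layout carries no signatures")
	}
	exp, err := time.Parse(time.RFC3339, mb.Signed.Expires)
	if err != nil {
		return fmt.Errorf("bad expires %q: %w", mb.Signed.Expires, err)
	}
	if !exp.After(now) {
		return fmt.Errorf("layout expired at %s", exp.UTC().Format(time.RFC3339))
	}
	return nil
}

// demoLayout is a constructed minimal envelope, not the demo's real layout.
const demoLayout = `{"signatures":[{"keyid":"abc","sig":"00"}],` +
	`"signed":{"_type":"layout","expires":"2030-01-01T00:00:00Z","steps":[],"inspect":[]}}`

func main() {
	if err := CheckLayout([]byte(demoLayout), time.Now()); err != nil {
		fmt.Println("pre-flight failed:", err)
		return
	}
	ops, err := PlanCopies(VerifyInputs{
		Layout: "testdata/intoto/demo.layout.template", LayoutKey: "testdata/intoto/alice.pub",
		Links:   []string{"testdata/intoto/package.2f89b927.link"},
		Targets: []string{"testdata/intoto/foo.tar.gz"},
	})
	if err != nil {
		fmt.Println("plan failed:", err)
		return
	}
	fmt.Println(ops, VerifyArgv())
}
```

The duplicate-destination check matters because links and targets are flattened into one directory: two link files with the same base name from different host directories would otherwise overwrite each other inside the container, and in-toto-verify would then report a missing or mismatched link rather than the real cause.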

$ make e2e
$ itc verify --layout testdata/intoto/demo.layout.template --layout-key testdata/intoto/alice.pub --links testdata/intoto/ --target testdata/intoto/foo.tar.gz
validating layout structure and signatures...
INFO[0000] validating layout structure and signatures..
INFO[0000] running in-toto verifications in container based on image docker.pkg.github.com/engineerd/in-toto-container/verification:v1...
INFO[0000] Copying file in-toto/foo.tar.gz in container for verification..
INFO[0000] Copying file /in-toto/layout.template in container for verification..
INFO[0000] Copying file /in-toto/key.pub in container for verification..
INFO[0000] Copying file in-toto/package.2f89b927.link in container for verification..
INFO[0000] Copying file in-toto/write-code.776a00e2.link in container for verification..
INFO[0001] Loading layout...
INFO[0001] Loading layout key(s)...
INFO[0001] Verifying layout signatures...
INFO[0001] Verifying layout expiration...
INFO[0001] Reading link metadata files...
INFO[0001] Verifying link metadata signatures...
INFO[0001] Verifying sublayouts...
INFO[0001] Verifying alignment of reported commands...
INFO[0001] Verifying command alignment for 'write-code.776a00e2.link'...
INFO[0001] Verifying command alignment for 'package.2f89b927.link'...
INFO[0001] Verifying threshold constraints...
INFO[0001] Skipping threshold verification for step 'write-code' with threshold '1'...
INFO[0001] Skipping threshold verification for step 'package' with threshold '1'...
INFO[0001] Verifying Step rules...
INFO[0001] Verifying material rules for 'write-code'...
INFO[0001] Verifying product rules for 'write-code'...
INFO[0001] Verifying 'ALLOW foo.py'...
INFO[0001] Verifying material rules for 'package'...
INFO[0001] Verifying 'MATCH foo.py WITH PRODUCTS FROM write-code'...
INFO[0001] Verifying 'DISALLOW *'...
INFO[0001] Verifying product rules for 'package'...
INFO[0001] Verifying 'ALLOW foo.tar.gz'...
INFO[0001] Verifying 'ALLOW foo.py'...
INFO[0001] Executing Inspection commands...
INFO[0001] Executing command for inspection 'untar'...
INFO[0001] Running 'untar'...
INFO[0001] Recording materials '.'...
INFO[0001] Running command 'tar xfz foo.tar.gz'...
INFO[0001] Recording products '.'...
INFO[0001] Creating link metadata...
INFO[0001] Verifying Inspection rules...
INFO[0001] Verifying material rules for 'untar'...
INFO[0001] Verifying 'MATCH foo.tar.gz WITH PRODUCTS FROM package'...
INFO[0001] Verifying 'DISALLOW foo.tar.gz'...
INFO[0001] Verifying product rules for 'untar'...
INFO[0001] Verifying 'MATCH foo.py WITH PRODUCTS FROM write-code'...
INFO[0001] Verifying 'DISALLOW foo.py'...
INFO[0001] The software product passed all verification.