Remote OpenClaw
Menu

Verifying Build Provenance With Slsa Sigstore

mukul975/Anthropic-Cybersecurity-Skills

Installation

openclaw install mukul975/verifying-build-provenance-with-slsa-sigstore

Summary

Build-provenance verification answers a question that defeats many supply-chain attacks: *was this artifact actually built from the source I think it was, by the builder I trust, without tampering?* Attackers who compromise a build system, swap a compiled release, or inject a malicious step (as in the SolarWinds and 3CX incidents) produce artifacts that look legitimate but lack verifiable provenance. SLSA (Supply-chain Levels for Software Artifacts, https://slsa.dev) defines Build levels (L1–L3) describing increasing provenance integrity, and Sigstore (https://www.sigstore.dev) provides the signing and transparency infrastructure: cosign for signing/verifying artifacts and attestations, Fulcio for short-lived keyless certificates bound to an OIDC identity, and Rekor as a tamper-evident transparency log.

SKILL.md

Verifying Build Provenance with SLSA and Sigstore

Overview

Build-provenance verification answers a question that defeats many supply-chain attacks: was this artifact actually built from the source I think it was, by the builder I trust, without tampering? Attackers who compromise a build system, swap a compiled release, or inject a malicious step (as in the SolarWinds and 3CX incidents) produce artifacts that look legitimate but lack verifiable provenance. SLSA (Supply-chain Levels for Software Artifacts, https://slsa.dev) defines Build levels (L1–L3) describing increasing provenance integrity, and Sigstore (https://www.sigstore.dev) provides the signing and transparency infrastructure: cosign for signing/verifying artifacts and attestations, Fulcio for short-lived keyless certificates bound to an OIDC identity, and Rekor as a tamper-evident transparency log.

This skill covers verifying signatures and SLSA provenance with cosign (cosign verify, cosign verify-attestation, cosign verify-blob-attestation) and slsa-verifier (slsa-verifier verify-artifact), enforcing the builder identity (the GitHub Actions workflow that produced the artifact) and the expected source repository. Keyless verification ties trust to an OIDC issuer (e.g., https://token.actions.githubusercontent.com) and a certificate identity rather than a long-lived private key.

This maps to MITRE ATT&CK T1195 — Supply Chain Compromise (provenance verification detects/blocks tampered artifacts) and NIST CSF PR.DS-06 (integrity-checking mechanisms are used to verify software, firmware, and information integrity).

When to Use

  • In CI/CD before deploying or promoting any container image or release binary.
  • When consuming third-party artifacts (base images, Go/npm releases) that publish attestations.
  • When establishing a SLSA Build L3 producer pipeline and enforcing it at the consumer side.
  • During incident response to confirm whether a deployed artifact's provenance is intact.
  • In admission control (e.g., Kubernetes via policy-controller / Kyverno) to admit only verified images.

Prerequisites

  • cosign (Sigstore CLI):
  go install github.com/sigstore/cosign/v2/cmd/cosign@latest
  # or download a release binary from https://github.com/sigstore/cosign/releases
  • slsa-verifier:
  go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@latest
  # or:
  curl -sSL https://github.com/slsa-framework/slsa-verifier/releases/latest/download/slsa-verifier-linux-amd64 \
    -o /usr/local/bin/slsa-verifier && chmod +x /usr/local/bin/slsa-verifier
  • Network access to Rekor (https://rekor.sigstore.dev) and Fulcio for transparency-log verification.
  • The artifact plus its provenance/attestation bundle (.sigstore, .intoto.jsonl, or attached OCI attestation).

Objectives

  • Verify a keyless cosign signature on a container image, pinning OIDC issuer and certificate identity.
  • Verify a SLSA provenance attestation on an image with cosign verify-attestation --type slsaprovenance.
  • Verify a release binary's provenance with slsa-verifier verify-artifact, pinning source repo and tag.
  • Verify GitHub artifact attestations / blob bundles with cosign verify-blob-attestation.
  • Gate CI and admission control on successful verification; understand SLSA Build L1–L3.

MITRE ATT&CK Mapping

| ID | Tactic | Technique Name | Relevance | |----|--------|----------------|-----------| | T1195 | Initial Access | Supply Chain Compromise | Verifying provenance and signatures detects artifacts that were tampered with or substituted in the build/distribution chain, preventing supply-chain compromise from reaching deployment. |

Workflow

Step 1: Verify a keyless cosign signature on an image

Pin both the OIDC issuer and the certificate identity (the exact workflow that signed). A bare cosign verify without identity pinning is meaningless — anyone can sign.

cosign verify \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github.com/myorg/myrepo/.github/workflows/.*@refs/tags/v.*" \
  ghcr.io/myorg/myrepo:v1.2.3

A non-zero exit or empty result means verification failed — do not deploy.

Step 2: Verify the SLSA provenance attestation on the image

The signature proves who signed; the provenance attestation proves how it was built. Verify the in-toto SLSA predicate type.

cosign verify-attestation \
  --type slsaprovenance \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity "https://github.com/myorg/myrepo/.github/workflows/build-sign.yml@refs/heads/main" \
  ghcr.io/myorg/myrepo:v1.2.3

Supported predicate types include slsaprovenance, slsaprovenance02, and slsaprovenance1.

Step 3: Inspect the provenance predicate

Decode the verified attestation to confirm the source repo, commit, and builder match expectations.

cosign verify-attestation --type slsaprovenance \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp '.*' \
  ghcr.io/myorg/myrepo:v1.2.3 \
  | jq -r '.payload' | base64 -d | jq '.predicate.buildDefinition.externalParameters, .predicate.runDetails.builder.id'

Step 4: Verify a release binary with slsa-verifier

For downloadable binaries (e.g., produced by slsa-github-generator), pin the source URI and the tag. slsa-verifier checks the cryptographic signature on the provenance and that the expected builder produced it.

slsa-verifier verify-artifact slsa-test-linux-amd64 \
  --provenance-path slsa-test-linux-amd64.intoto.jsonl \
  --source-uri github.com/myorg/myrepo \
  --source-tag v1.2.3

# Optionally pin the builder identity (SLSA L3)
slsa-verifier verify-artifact ./mybin \
  --provenance-path ./mybin.intoto.jsonl \
  --source-uri github.com/myorg/myrepo \
  --builder-id https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0

Step 5: Verify GitHub artifact attestations / blob bundles

For artifacts signed via actions/attest-build-provenance, the bundle uses the new Sigstore bundle format.

cosign verify-blob-attestation \
  --bundle ./myartifact.sigstore.json \
  --new-bundle-format \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp="^https://github.com/myorg/myrepo/" \
  ./myartifact

# Equivalent native GitHub CLI verification
gh attestation verify ./myartifact --repo myorg/myrepo

Step 6: Enforce verification as a gate

Wrap verification so the pipeline fails closed on any error.

#!/usr/bin/env bash
set -euo pipefail
IMG="ghcr.io/myorg/myrepo:v1.2.3"
cosign verify \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github.com/myorg/myrepo/" "$IMG" >/dev/null
cosign verify-attestation --type slsaprovenance \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp "^https://github.com/myorg/myrepo/" "$IMG" >/dev/null
echo "[+] $IMG verified: signature + SLSA provenance OK"

Step 7: Map findings to SLSA Build levels

Document the level each consumed artifact achieves:

  • Build L1 — provenance exists (the build process generates it), but it may be unsigned/forgeable.
  • Build L2 — provenance is signed by a hosted build service.
  • Build L3 — provenance is non-forgeable: generated on an isolated, hardened builder where secrets are unavailable to user-defined steps (e.g., slsa-github-generator reusable workflows). Require L3 for high-trust artifacts.

Tools and Resources

| Tool / Resource | Purpose | Link | |-----------------|---------|------| | cosign | Sign/verify artifacts and attestations (keyless) | https://github.com/sigstore/cosign | | slsa-verifier | Verify SLSA provenance from compliant builders | https://github.com/slsa-framework/slsa-verifier | | slsa-github-generator | Produce SLSA L3 provenance in GitHub Actions | https://github.com/slsa-framework/slsa-github-generator | | actions/attest-build-provenance | GitHub-native provenance attestation | https://github.com/actions/attest-build-provenance | | SLSA specification | Build levels and provenance schema | https://slsa.dev/spec/v1.0/ | | Sigstore docs | Fulcio, Rekor, cosign verification | https://docs.sigstore.dev/cosign/verifying/verify/ |

Verification Identity Reference

| Field | Where it comes from | Why it matters | |-------|--------------------|----------------| | --certificate-oidc-issuer | The OIDC issuer (e.g., GitHub Actions) | Restricts who could have requested the signing cert | | --certificate-identity[-regexp] | The exact/patterned workflow identity (SAN) | Restricts which workflow signed; prevents impersonation | | --source-uri (slsa-verifier) | Expected source repo | Confirms the artifact came from your repo | | --source-tag / --source-versioned-tag | Expected git tag | Prevents rollback/substitution | | --builder-id | Trusted builder workflow ref | Enforces SLSA L3 non-forgeable builder |

Validation Criteria

  • [ ] cosign and slsa-verifier installed and report versions
  • [ ] Image signature verified with pinned OIDC issuer AND certificate identity
  • [ ] SLSA provenance attestation verified (--type slsaprovenance)
  • [ ] Provenance predicate inspected; source repo/commit/builder match
  • [ ] Release binary verified with slsa-verifier (source-uri + tag pinned)
  • [ ] GitHub blob/bundle attestation verified
  • [ ] Verification wired as a fail-closed CI/admission gate
  • [ ] Each consumed artifact assigned a SLSA Build level

Recommended skills

Browse all →

A C2 Redirector

mukul975

0 installsInstall

AADInternals

mukul975

0 installsInstall

Abusing Dpapi For Credential Access

mukul975

0 installsInstall

Abusing Shadow Credentials For Privesc

mukul975

0 installsInstall

Achieving Cmmc Level 2 Compliance

mukul975

0 installsInstall

Acquiring Disk Image With Dd And Dcfldd

mukul975

0 installsInstall

Browse

Skills by category

Frontend250Git198Data154Testing120Design105Docs103Security96Automation87Backend76Devops37Productivity29Mcp23