
Xygeni Attestation Verifier

Xygeni Security

Verifies software attestations such as SLSA Provenance.

Azure Pipelines Task for Verifying Software Attestations

Overview

The Xygeni Attestation Verifier task can be used to verify software attestations, such as SLSA Provenance, using Xygeni SALT (Software Attestations Layer for Trust), the component for generating, registering and verifying software attestations.

The task takes either the signed attestation file or the ID of the attestation entry in the Attestation Registry, plus the public key or certificate that corresponds to the private key that signed the attestation.

The subject (typically the final build product) can be specified for verification. A subject can be a file or a directory, a container image, the hex-encoded digest (such as the SHA-256 hash of the content) of a resource, or a raw string value.

Multiple subjects can be specified with a specification of the form

[ 
    {name: 'sources',   file:   '$(Build.SourcesDirectory)'}, 
    {name: 'my_image',  image:  'docker.io/my_org/my_image:latest'},
    {name: 'my_digest', digest: 'sha256:d82938...8e62'},
    {name: 'my_text',   value:  'some text'}
]

The task verifies the signature of the attestation with the supplied key or certificate, and then checks that the subjects passed as arguments match the subjects recorded in the attestation. The task fails if the verification process terminates with an error, if the attestation is found neither as a local file nor in the Attestation Registry, or if the attestation does not verify.

When verification succeeds, the task succeeds. When verification fails, the task terminates with issues.

Need help understanding software attestations? Visit Build Security Concepts, where Software Attestations and SLSA Provenance are described.

For more information on Xygeni Build Attestation (SALT), visit https://docs.xygeni.io/xygeni-products/build-security.

Installing the task

Go to the Visual Studio Marketplace, search for Xygeni Attestation Verifier and install it, or go directly to the extension page at Xygeni Build Attestation.

Using the task

  1. Add the task to your pipeline: in the task search box, look for Xygeni Attestation Verifier.

  2. Edit the task inputs in the right-hand panel, or directly in the pipeline YAML editor.

Task properties

  • id: The ID of the attestation entry in the Attestation Registry. Use either id or attestation.
  • attestation: The path to the signed attestation file. Use either attestation or id.
  • multipleSubjects: If true, the task verifies the subjects listed in multiSubjectSpec instead of the single subject given by subjectName, subjectType and subjectValue. Default: false.
  • subjectName: The name of the single subject to verify.
  • subjectType: The type of the single subject to verify, one of file, image, digest or value. Default: file.
  • subjectValue: The value of the single subject to verify (path, image reference, hex digest or raw string, according to subjectType).
  • multiSubjectSpec: The specification of multiple subjects to verify (see the format above).
  • key: The public key or certificate corresponding to the key that signed the attestation. Use env:VARNAME to read it from an environment variable or file:PATH to read it from a local file.
  • certChain: The optional certificate chain for the signing certificate. Use env:VARNAME or file:PATH as for key.
  • output: File for the verification result. Default: $(Build.ArtifactStagingDirectory)/attestation.

To verify a single subject (e.g. the final build product), use the subjectName, subjectType and subjectValue inputs. To verify multiple subjects, set multipleSubjects = true and give the specification in the multiSubjectSpec input.

An example of such a specification for two subjects, an executable file and a container image pinned by digest:

[ 
  {name: 'executable', file: '$(Build.BinariesDirectory)/my_tool.exe'}, 
  {name: 'image', image: 'docker.io/my_org/my_image@sha256:d82938...8e62'} 
]
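The following pipeline fragment puts these inputs together in two steps, one per verification mode. It is an added example, not code from the Marketplace page or from Xygeni; the task identifier XygeniAttestationVerifier@1, the secret variable attestationPublicKey, the pipeline variables ATTESTATION_ID and IMAGE_DIGEST, and all file paths are assumptions. Copy the real task name from the YAML editor after adding the task.

```yaml
# Added example (not the page's or Xygeni's own code). The task identifier,
# variable names and paths below are assumptions; take the real task name
# from the pipeline YAML editor once the task is installed.
steps:
  # 1. Single subject: verify the built executable against a signed
  #    attestation file produced earlier in the same pipeline.
  - task: XygeniAttestationVerifier@1
    displayName: Verify provenance of my_tool.exe
    inputs:
      attestation: $(Build.ArtifactStagingDirectory)/provenance.json
      subjectName: executable
      subjectType: file
      subjectValue: $(Build.BinariesDirectory)/my_tool.exe
      # env:VARNAME reads the verification key from an environment variable.
      key: env:ATTESTATION_PUBKEY
      output: $(Build.ArtifactStagingDirectory)/attestation
    env:
      # Secret pipeline variables are not exposed as environment variables
      # automatically; map the secret explicitly for this step only.
      ATTESTATION_PUBKEY: $(attestationPublicKey)

  # 2. Multiple subjects: look the attestation up in the Attestation Registry
  #    by ID and check both the source tree and the pushed container image.
  - task: XygeniAttestationVerifier@1
    displayName: Verify sources and image against registry entry
    inputs:
      id: $(ATTESTATION_ID)
      multipleSubjects: true
      multiSubjectSpec: |
        [
          {name: 'sources', file:  '$(Build.SourcesDirectory)'},
          {name: 'image',   image: 'docker.io/my_org/my_image@sha256:$(IMAGE_DIGEST)'}
        ]
      # file:PATH reads the certificate and its chain from checked-in or
      # downloaded files; the chain is only needed when key is a certificate.
      key: file:$(Pipeline.Workspace)/keys/attestation-signer.pem
      certChain: file:$(Pipeline.Workspace)/keys/chain.pem
```

Two points worth keeping in mind when adapting this: reference images by digest (image@sha256:...) rather than by a mutable tag such as :latest, so that the subject the task checks is exactly the image that will be deployed; and keep the verification key or certificate out of the build's own artifact directory, since an attestation that is verified with a key fetched from the same untrusted output it vouches for proves nothing.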

License

The task is released under the Apache 2.0 License.
