verify_build

command

v0.0.0-...-237abf9 Latest Latest Go to latest Published: May 10, 2024 License: Apache-2.0 Imports: 4 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/transparency-dev/armored-witness

Links

Open Source Insights

README ¶

Reproducible Build Verifier

This continuously monitors the log to look for claims about builds being published. The log properties are checked to ensure the log is consistent with any previous view, and that all claims are verifiably committed to by the log.

For each manifest claim that it hasn't seen before, the following steps are taken:

The source repository is cloned at the git commit hash
The git revision at the tag is checked against the manifest
The ELF file is compiled from source
The hash for the ELF in the manifest is compared against the locally built version

Running in Continuous Mode

In order to control the environment in which the code will be built, a Dockerfile is supplied which will create a compatible environment.

This image can be built and executed using the following commands from the root of the repository:

docker build . -t armored-witness-build-verifier -f ./cmd/verify_build/Dockerfile
docker run armored-witness-build-verifier

The output with the default verbosity provides information on what is happening with information to debug any failed builds:

I0219 12:23:00.470332       1 verify.go:162] Leaf index 125: ✅ reproduced build BOOTLOADER@0.0.1707929407-incompatible (373ce9ef15cc7937e1dc024a7288e4d4b1c33eab) => 7ac229b8c166d26c93006586ffb4e46a0f13c31d881fda85b09816f88c1ebc31
E0219 12:23:01.898909       1 verify.go:158] Leaf index 126: ❌ failed to reproduce build RECOVERY@0.0.0 (74060722c9aa92bbdcf3725ed0d0be4ebe8f8687) => (got b7e32298bb284c92f1cdceaffa39fa8840d21b19e4b08167023985a4a60206b2, wanted d59b4eaf94b1a895264b2a11eaee60c2a5a89c4a5b115fe29d78171187fb4df1)
I0219 12:23:01.898934       1 verify.go:94] 🔎 Evidence of failed build: /tmp/armored-witness-build-verify2690175259 (126: RECOVERY@74060722c9aa92bbdcf3725ed0d0be4ebe8f8687)
I0219 12:23:02.815427       1 verify.go:162] Leaf index 127: ✅ reproduced build RECOVERY@0.0.0 (850baf54809bd29548d6f817933240043400a4e1) => b7e32298bb284c92f1cdceaffa39fa8840d21b19e4b08167023985a4a60206b2
I0219 12:23:03.857585       1 verify.go:162] Leaf index 128: ✅ reproduced build BOOTLOADER@0.0.1707998563-incompatible (6062287365c4d7bab79532940d70d1bab846ef78) => 70d2fc2cc57de625f9a04e8923e2e0a99060c7694c3df758def16ca0f030aa4c

Note that in the above, the entire directory from the failed build can be obtained by:

Finding the container of the verifier using docker container ls -a (refer to this as DOCKER_CONTAINER)
Finding the directory name from the 🔎 Evidence of failed build entry (refer to this as EVIDENCE_DIR)
Copying the directory to somewhere it can be easily inspected using docker cp $DOCKER_CONTAINER:$EVIDENCE_DIR /tmp/evidence

To find more information about failed builds (e.g. full commandline, env variables), the verbosity can be increased by passing --v=2 to the docker run command.

Verifying a Single Manifest

To verify a single manifest, the same Dockerfile as above can be used, but we need to override the entrypoint command. The single command takes a signed manifest note via stdin.

The example below obtains a leaf entry from the log via curl and pipes this directly to the verifier in single mode, running inside docker.

docker build . -t armored-witness-build-verifier -f ./cmd/verify_build/Dockerfile
curl https://api.transparency.dev/armored-witness-firmware/ci/log/1/seq/00/00/00/00/78 | docker run -i --entrypoint "/bin/verifier" armored-witness-build-verifier single

It is possible to run this without using Docker if you are sure you have the correct tooling installed on your machine. Example command:

curl https://api.transparency.dev/armored-witness-firmware/ci/log/1/seq/00/00/00/00/78 | go run ./cmd/verify_build single --tamago_dir=$HOME/tamago/

Documentation ¶

Overview ¶

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

The manifest tool formats input data into the Statement of the Armored Witness firmware transparency log.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
cmd Package cmd contains commands for the verify_build tool.	Package cmd contains commands for the verify_build tool.
internal/build Package build contains the internal components used to implement the verifier.	Package build contains the internal components used to implement the verifier.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL