aoss-verifier provides a streamlined user experience for verifying the authenticity and integrity of packages generated by the Assured OSS service, abstracting away the underlying technical details (certificate chain, signature and metadata checks). It also supports verification of build provenance, enhancing trust and security in the software ecosystem.
Before using this tool, make sure you have the following in place:
- Go is installed on your system. If not, install it from the official Go website
- Cosign, a third-party tool required for verifying build provenance, is correctly installed
- A service account key (JSON) for the service account that will authenticate to Google Cloud has been generated and downloaded
To install this tool, follow these steps:
- Clone this repository and install the aoss-verifier tool
$ git clone https://github.com/google/aoss-verifier.git
$ cd aoss-verifier
$ go mod download
$ go install aoss-verifier
This will compile the tool and install it to $(go env GOPATH)/bin.
- Add $(go env GOPATH)/bin to your PATH variable for seamless usage
$ export PATH="$(go env GOPATH)/bin:$PATH"
Once the tool is installed, you can use it by executing the aoss-verifier command followed by the desired subcommand and options. If you see a "Command aoss-verifier not found" error, make sure that the tool is correctly installed and that $(go env GOPATH)/bin is on your PATH. To learn more about aoss-verifier usage, run aoss-verifier help.
$ aoss-verifier set-config KEY_FILE_PATH
where KEY_FILE_PATH is the path to the service account key JSON file.
This will create a hidden config file in the home directory containing the path to the service account key file, which will be used to authenticate to Google Cloud services. The key file is a long-lived credential: restrict its file permissions to your user and keep it out of version control.
To verify a package, pass the language, package id, version and the path of the artifact you are trying to verify via the --language, --package_id, --version and --artifact_path flags.
$ aoss-verifier verify-package --language LANGUAGE --package_id PACKAGE_ID --version VERSION --artifact_path ARTIFACT_PATH [flags]
where
LANGUAGE: programming language of the package; must be in lowercase
PACKAGE_ID:
- for java groupid:artifactid
- for python package_name
VERSION: version of the package
ARTIFACT_PATH: path to the downloaded package
- jar file for java package
- wheel file for python package
$ aoss-verifier verify-package --language java --package_id commons-codec:commons-codec --version 1.15 --artifact_path target/dependency/commons-codec-1.15.jar
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_04_09:05:28/buildinfo.zip
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_04_09:05:28/package_signature.zip
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_04_09:05:28/package_signatures/ca.crt
Certificates verified successfully!
Signature Verified successfully!
To additionally verify build provenance, use the --verify_build_provenance flag (this is the step that requires Cosign).
$ aoss-verifier verify-package --language java --package_id commons-codec:commons-codec --version 1.15 --artifact_path target/dependency/commons-codec-1.15.jar --verify_build_provenance
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_04_09:08:08/buildinfo.zip
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_04_09:08:08/package_signature.zip
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_04_09:08:08/package_signatures/ca.crt
Certificates verified successfully!
Signature Verified successfully!
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_04_09:08:08/package_signatures/public.pem
Build Provenance verified successfully!
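In a build pipeline you usually want to verify every dependency, not one package by hand. The following POSIX shell script is an added example and not part of the aoss-verifier project: it parses the output of `mvn dependency:list`, locates each jar copied by `mvn dependency:copy-dependencies`, runs `aoss-verifier verify-package --verify_build_provenance` on it with the flags documented above, and fails the build if any dependency is missing or does not verify. It assumes that set-config has already been run, that jars in DEP_DIR are named artifactId-version.jar (Maven's default), and that the tool exits non-zero and omits the "Build Provenance verified successfully!" line when verification fails; the AOSS_VERIFIER variable is an assumption of this script (it lets you point at a different binary), not a flag of the tool.

```shell
#!/bin/sh
# verify-deps.sh: verify all Maven dependencies of a project with aoss-verifier.
# Added example, not part of the aoss-verifier project.
# Assumptions: aoss-verifier is on PATH and configured (set-config); jars were
# copied with `mvn dependency:copy-dependencies` into DEP_DIR; on failure the
# tool exits non-zero and/or does not print the provenance confirmation line.
set -u

AOSS_VERIFIER="${AOSS_VERIFIER:-aoss-verifier}"   # command to run (assumed override hook)
DEP_DIR="${DEP_DIR:-target/dependency}"           # where copy-dependencies put the jars

# Turn one `mvn dependency:list` line such as
#   "   commons-codec:commons-codec:jar:1.15:compile"
# into "PACKAGE_ID VERSION JAR_NAME"; return 1 for anything that is not a plain
# jar coordinate (header lines, poms, coordinates with a classifier).
parse_dep_line() {
  _line=$(printf '%s' "$1" | sed 's/^[[:space:]]*//')
  _old_ifs=$IFS; IFS=:; set -- $_line; IFS=$_old_ifs
  [ "$#" -eq 5 ] && [ "$3" = "jar" ] || return 1
  printf '%s %s %s-%s.jar\n' "$1:$2" "$4" "$2" "$4"
}

# Verify one dependency: package_id version jar_path.
# Succeeds only if the tool exits 0 AND prints the provenance confirmation
# line shown in the README, so a silently skipped check still counts as failure.
verify_one() {
  _out=$("$AOSS_VERIFIER" verify-package --language java \
           --package_id "$1" --version "$2" --artifact_path "$3" \
           --verify_build_provenance 2>&1) || return 1
  printf '%s\n' "$_out" | grep -q 'Build Provenance verified successfully!'
}

# Read dependency:list output on stdin, verify every jar, print one status line
# per dependency plus a summary, and return non-zero if anything failed.
verify_all() {
  _failed=0; _checked=0
  while IFS= read -r _l; do
    _fields=$(parse_dep_line "$_l") || continue
    set -- $_fields
    _jar="$DEP_DIR/$3"
    if [ ! -f "$_jar" ]; then
      echo "MISSING   $1 $2 ($_jar)"; _failed=$((_failed + 1)); continue
    fi
    if verify_one "$1" "$2" "$_jar"; then
      echo "VERIFIED  $1 $2"
    else
      echo "FAILED    $1 $2"; _failed=$((_failed + 1))
    fi
    _checked=$((_checked + 1))
  done
  echo "checked=$_checked failed=$_failed"
  [ "$_failed" -eq 0 ]
}

# Stand-alone usage:
#   mvn -q dependency:copy-dependencies dependency:list -DoutputFile=deps.txt
#   sh verify-deps.sh deps.txt    # exit status 0 only if every jar verified
if [ "$#" -gt 0 ]; then
  verify_all < "$1"
fi
```

The script deliberately treats a missing jar as a failure rather than skipping it: a dependency that was resolved by Maven but is not on disk under the expected name is exactly the kind of gap an attacker-controlled substitute would hide in. Coordinates with a classifier (six fields) are skipped by parse_dep_line, so extend it if your build uses them.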
To verify metadata, pass the metadata type, language, package id and version of the package via the --metadata_type, --language, --package_id and --version flags. For premium metadata, additionally pass the path of the downloaded metadata file via the --artifact_path flag.
$ aoss-verifier verify-metadata --metadata_type TYPE --language LANGUAGE --package_id PACKAGE_ID --version VERSION [flags]
where
TYPE: one of buildinfo, vexinfo, healthinfo or premiuminfo
LANGUAGE: programming language of the package; must be in lowercase
PACKAGE_ID:
- for java groupid:artifactid
- for python package_name
VERSION: version of the package
ARTIFACT_PATH: path to the downloaded metadata file; required only for premiuminfo
$ aoss-verifier verify-metadata --metadata_type vexinfo --language java --package_id commons-codec:commons-codec --version 1.15
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_06_11:21:28/vexinfo.zip
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_06_11:21:28/ca.crt
Certificates verified successfully!
Metadata Signature Verified successfully!
$ aoss-verifier verify-metadata --metadata_type premiuminfo --language java --package_id cglib:cglib --version 3.3.0 --artifact_path target/dependency/metadata.json
File downloaded at tmp_downloads/cglib:cglib-3.3.0-2024_02_05_11:17:58/ca.crt
BuildInfo Certificates Verified successfully!
BuildInfo Metadata Signature Verified successfully!
File downloaded at tmp_downloads/cglib:cglib-3.3.0-2024_02_05_11:17:58/ca.crt
HealthInfo Certificates Verified successfully!
HealthInfo Metadata Signature Verified successfully!
File downloaded at tmp_downloads/cglib:cglib-3.3.0-2024_02_05_11:17:58/ca.crt
VexInfo Certificates Verified successfully!
VexInfo Metadata Signature Verified successfully!
Please refer to the help section of the tool (use the -h flag) for specific instructions on each command, including available options and their usage.