aoss-verifier provides a streamlined user experience for verifying the authenticity and integrity of packages generated by the Assured OSS service, abstracting away the complex technical details. It also supports verification of build provenance, enhancing trust and security in the software ecosystem.
Before using this tool, make sure you have the following in place:
- Go is installed on your system. If not, please install it from the official Go website.
- Cosign, a third-party tool required for verifying the build provenance, is correctly installed.
- Authenticate to Google Cloud by setting up Application Default Credentials (ADC). You can do this in one of two ways:
  - Set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable to the path of a service account key file.
  - Run `gcloud auth application-default login`.
Follow these steps to install the tool.
First, clone this repository and install the aoss-verifier tool:

```shell
$ git clone https://github.com/google/aoss-verifier.git
$ cd aoss-verifier
$ go mod download
$ go install aoss-verifier
```

This will compile the tool and install it to `$(go env GOPATH)/bin`.
If not done already, add GOPATH to the environment PATH variable:

```shell
$ export PATH="$(go env GOPATH)/bin:$PATH"
```

Once installed, you can use it by executing the `aoss-verifier` command followed by the desired command and options.
If you see a `Command aoss-verifier not found` error, make sure that the tool is correctly installed and that `$(go env GOPATH)/bin` is on your PATH.
To learn more about usages, run aoss-verifier help.
Pass the language, package id, version, and the path of the artifact you are trying to verify using the `--language`, `--package_id`, `--version` and `--artifact_path` flags.

```shell
$ aoss-verifier verify-package \
    --language LANGUAGE \
    --package_id PACKAGE_ID \
    --version VERSION \
    --artifact_path ARTIFACT_PATH [flags]
```

where

- LANGUAGE: programming language of the package; must be in lowercase
- PACKAGE_ID:
  - for java: groupid:artifactid
  - for python: package_name
- VERSION: version of the package
- ARTIFACT_PATH: path to the downloaded package
  - jar file for a java package
  - wheel file for a python package
```shell
$ aoss-verifier verify-package \
    --language java \
    --package_id commons-codec:commons-codec \
    --version 1.15 \
    --artifact_path target/dependency/commons-codec-1.15.jar
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_04_09:05:28/buildinfo.zip
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_04_09:05:28/package_signature.zip
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_04_09:05:28/package_signatures/ca.crt
Certificates verified successfully!
Signature Verified successfully!
```
To verify build provenance, use the --verify_build_provenance flag.
```shell
$ aoss-verifier verify-package \
    --language java \
    --package_id commons-codec:commons-codec \
    --version 1.15 \
    --artifact_path target/dependency/commons-codec-1.15.jar \
    --verify_build_provenance
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_04_09:08:08/buildinfo.zip
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_04_09:08:08/package_signature.zip
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_04_09:08:08/package_signatures/ca.crt
Cerficates verified successfully!
Signature Verified successfully!
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_04_09:08:08/package_signatures/public.pem
Build Provenance verified successfully!
```
Pass the metadata type, language, package id, and version of the package whose metadata you want to verify using the `--metadata_type`, `--language`, `--package_id` and `--version` flags; for premium metadata, also pass the downloaded metadata file with `--artifact_path`.

```shell
$ aoss-verifier verify-metadata \
    --metadata_type TYPE \
    --language LANGUAGE \
    --package_id PACKAGE_ID \
    --version VERSION [flags]
```

where

- TYPE: buildinfo/vexinfo/healthinfo/premiuminfo
- LANGUAGE: programming language of the package; must be in lowercase
- PACKAGE_ID:
  - for java: groupid:artifactid
  - for python: package_name
- VERSION: version of the package
- ARTIFACT_PATH: path to the downloaded metadata file; required only to verify premium metadata
```shell
$ aoss-verifier verify-metadata \
    --metadata_type vexinfo \
    --language java \
    --package_id commons-codec:commons-codec \
    --version 1.15
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_06_11:21:28/vexinfo.zip
File downloaded at tmp_downloads/commons-codec:commons-codec-1.15-2023_07_06_11:21:28/ca.crt
Certificates verified successfully!
Metadata Signature Verified successfully!
```

```shell
$ aoss-verifier verify-metadata \
    --metadata_type premiuminfo \
    --language java \
    --package_id cglib:cglib \
    --version 3.3.0 \
    --artifact_path target/dependency/metadata.json
File downloaded at tmp_downloads/cglib:cglib-3.3.0-2024_02_05_11:17:58/ca.crt
BuildInfo Certificates Verified successfully!
BuildInfo Metadata Signature Verified successfully!
File downloaded at tmp_downloads/cglib:cglib-3.3.0-2024_02_05_11:17:58/ca.crt
HealthInfo Certificates Verified successfully!
HealthInfo Metadata Signature Verified successfully!
File downloaded at tmp_downloads/cglib:cglib-3.3.0-2024_02_05_11:17:58/ca.crt
VexInfo Certificates Verified successfully!
VexInfo Metadata Signature Verified successfully!
```
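In practice the `verify-package` and `verify-metadata` commands above are run over a whole dependency list in CI rather than one package at a time. The wrapper below is an added example and not code from the aoss-verifier project: it invokes the two commands with exactly the flags documented above and treats an entry as verified only when the tool exits 0 and its output contains the final "Signature Verified successfully!", "Build Provenance verified successfully!" or "Metadata Signature Verified successfully!" line. The non-zero-exit-on-failure behaviour and the `AOSS_VERIFIER_BIN` override are assumptions, and the manifest format is constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the aoss-verifier project: a CI wrapper around
# the verify-package and verify-metadata commands documented in this README.
# Assumptions not stated in the README: the tool exits non-zero when a check
# fails, and the success lines shown above are printed only when the check
# passes. AOSS_VERIFIER_BIN is an assumed override so the wrapper can be
# exercised offline against a stand-in command.

AOSS_VERIFIER_BIN="${AOSS_VERIFIER_BIN:-aoss-verifier}"

# Return 0 only if every expected line appears in the captured output.
contains_all() {
  haystack="$1"; shift
  for line in "$@"; do
    case "$haystack" in
      *"$line"*) ;;
      *) printf 'FAIL: expected line not found: %s\n' "$line"; return 1 ;;
    esac
  done
}

# verify_package LANGUAGE PACKAGE_ID VERSION ARTIFACT_PATH [provenance]
# Mirrors "aoss-verifier verify-package ..." and adds --verify_build_provenance
# when a fifth argument is given. Only the final signature and provenance
# lines are matched, as those are the checks the tool reports last.
verify_package() {
  lang="$1"; pkg="$2"; ver="$3"; path="$4"; prov="${5:-}"
  set -- verify-package --language "$lang" --package_id "$pkg" \
         --version "$ver" --artifact_path "$path"
  if [ -n "$prov" ]; then set -- "$@" --verify_build_provenance; fi
  out=$("$AOSS_VERIFIER_BIN" "$@" 2>&1 </dev/null) ||
    { printf 'FAIL %s@%s (non-zero exit):\n%s\n' "$pkg" "$ver" "$out"; return 1; }
  contains_all "$out" "Signature Verified successfully!" || return 1
  if [ -n "$prov" ]; then
    contains_all "$out" "Build Provenance verified successfully!" || return 1
  fi
  printf 'OK   package  %s@%s\n' "$pkg" "$ver"
}

# verify_metadata TYPE LANGUAGE PACKAGE_ID VERSION [ARTIFACT_PATH]
# TYPE is buildinfo, vexinfo, healthinfo or premiuminfo; premiuminfo needs the
# downloaded metadata file as ARTIFACT_PATH, exactly as in the README example.
verify_metadata() {
  mtype="$1"; lang="$2"; pkg="$3"; ver="$4"; path="${5:-}"
  set -- verify-metadata --metadata_type "$mtype" --language "$lang" \
         --package_id "$pkg" --version "$ver"
  if [ -n "$path" ]; then set -- "$@" --artifact_path "$path"; fi
  out=$("$AOSS_VERIFIER_BIN" "$@" 2>&1 </dev/null) ||
    { printf 'FAIL %s %s@%s (non-zero exit):\n%s\n' "$mtype" "$pkg" "$ver" "$out"; return 1; }
  # premiuminfo prints one "<Type> Metadata Signature Verified successfully!"
  # line per bundled type; the substring below matches each variant.
  contains_all "$out" "Metadata Signature Verified successfully!" || return 1
  printf 'OK   metadata %s %s@%s\n' "$mtype" "$pkg" "$ver"
}

# verify_manifest MANIFEST [provenance]
# Manifest format (constructed for this example); '#' lines are comments:
#   package  LANGUAGE PACKAGE_ID VERSION ARTIFACT_PATH
#   metadata TYPE LANGUAGE PACKAGE_ID VERSION [ARTIFACT_PATH]
# Every entry is checked (a CI log should list all failures, not just the
# first); the return value is the number of entries that did not verify.
verify_manifest() {
  manifest="$1"; prov="${2:-}"; failures=0
  while read -r kind a b c d e; do
    case "$kind" in
      ''|'#'*) ;;
      package)  verify_package "$a" "$b" "$c" "$d" "$prov" || failures=$((failures + 1)) ;;
      metadata) verify_metadata "$a" "$b" "$c" "$d" "$e" || failures=$((failures + 1)) ;;
      *) printf 'FAIL: unknown manifest entry: %s\n' "$kind"; failures=$((failures + 1)) ;;
    esac
  done < "$manifest"
  return "$failures"
}

# Usage: sh verify-deps.sh deps.txt [provenance]
if [ $# -gt 0 ]; then
  verify_manifest "$1" "${2:-}"
fi
```

Requiring both a zero exit status and the success line is deliberate: if a future version of the tool changes its output, the wrapper fails closed and the job stops rather than silently accepting an unverified artifact.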
Please refer to the help section (use -h flag) of the tool for specific instructions on each command, including available options and their usage.