slsa-framework / slsa-verifier

Verify provenance from SLSA compliant builders
Apache License 2.0

feat: fixes #724: add input for --provenance-repository while image verification #736

Closed saisatishkarra closed 5 months ago

saisatishkarra commented 5 months ago

@laurentsimon Added a new image verification command input, `--provenance-repository`. This replicates the feature of the COSIGN_REPOSITORY environment variable for the case where provenance is stored in a different repository/registry.

Order of precedence:

README edit : https://github.com/slsa-framework/slsa-verifier/pull/736/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R280

saisatishkarra commented 5 months ago

Refer to the comment and description before merging for the UX.

saisatishkarra commented 5 months ago

@ianlewis / @laurentsimon added a VerifyImageProvenanceRepo function to the verifier interface. The GHA implementation of the new function overrides the cosign opts with the provided input and is backwards compatible with verifyImage().

The GCB implementation of the new function VerifyImageProvenanceRepo calls verifyImage() internally and ignores the passed provenanceRepository argument.

LMK what you folks think!!
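The two comments above describe a flag that chooses where provenance is fetched from and a verifier interface where one implementation honours that choice and another ignores it. The following is an added example, not code from slsa-verifier or this PR: a self-contained Go sketch of that pattern. The names `ResolveProvenanceRepository`, `ImageVerifier`, `ghaVerifier`, `gcbVerifier` and the in-memory `registry` are assumptions made for the example, and the precedence it applies (flag, then `COSIGN_REPOSITORY`, then the image's own repository) is an assumption as well, not the order the PR documents.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNoProvenance is returned when the resolved repository holds no provenance for the digest.
var ErrNoProvenance = errors.New("no provenance found for image digest")

// imageRepository strips the tag or digest from an image reference:
// "ghcr.io/org/app:v1" and "ghcr.io/org/app@sha256:..." both yield "ghcr.io/org/app".
// A registry port ("localhost:5000/app:v1") is kept because the tag colon follows the last slash.
func imageRepository(image string) string {
	ref := image
	if i := strings.Index(ref, "@"); i >= 0 {
		ref = ref[:i]
	}
	slash := strings.LastIndex(ref, "/")
	if colon := strings.LastIndex(ref, ":"); colon > slash {
		ref = ref[:colon]
	}
	return ref
}

// imageDigest returns the "sha256:..." part of a digest-pinned reference, or "" for a tag reference.
func imageDigest(image string) string {
	if i := strings.Index(image, "@"); i >= 0 {
		return image[i+1:]
	}
	return ""
}

// ResolveProvenanceRepository decides where provenance is looked up for image.
// Precedence assumed for this example: --provenance-repository flag, then the
// COSIGN_REPOSITORY environment variable, then the image's own repository.
func ResolveProvenanceRepository(flag, cosignRepositoryEnv, image string) string {
	if flag != "" {
		return flag
	}
	if cosignRepositoryEnv != "" {
		return cosignRepositoryEnv
	}
	return imageRepository(image)
}

// registry is a constructed in-memory stand-in for OCI registries:
// repository -> image digest -> subject digest recorded in the stored provenance.
type registry map[string]map[string]string

// ImageVerifier is a hypothetical shape of the interface discussed in the PR.
type ImageVerifier interface {
	VerifyImage(image string) error
	VerifyImageProvenanceRepo(image, provenanceRepository string) error
}

// ghaVerifier honours the provenance repository it is given.
type ghaVerifier struct{ reg registry }

func (v ghaVerifier) VerifyImage(image string) error {
	return v.VerifyImageProvenanceRepo(image, imageRepository(image))
}

func (v ghaVerifier) VerifyImageProvenanceRepo(image, provenanceRepository string) error {
	digest := imageDigest(image)
	if digest == "" {
		return errors.New("image must be pinned by digest")
	}
	subject, ok := v.reg[provenanceRepository][digest]
	if !ok {
		return fmt.Errorf("%w: %s in %s", ErrNoProvenance, digest, provenanceRepository)
	}
	// Whichever repository served the provenance, its subject must be the image under verification.
	if subject != digest {
		return fmt.Errorf("provenance subject %s does not match image digest %s", subject, digest)
	}
	return nil
}

// gcbVerifier ignores the provenance repository argument, as the PR describes for GCB.
type gcbVerifier struct{ reg registry }

func (v gcbVerifier) VerifyImage(image string) error {
	digest := imageDigest(image)
	if _, ok := v.reg[imageRepository(image)][digest]; !ok {
		return fmt.Errorf("%w: %s", ErrNoProvenance, digest)
	}
	return nil
}

func (v gcbVerifier) VerifyImageProvenanceRepo(image, _ string) error {
	return v.VerifyImage(image)
}

var _ ImageVerifier = ghaVerifier{}
var _ ImageVerifier = gcbVerifier{}

func main() {
	// Constructed data: provenance for the image lives in a separate attestation repository.
	reg := registry{"ghcr.io/org/attest": {"sha256:aaaa": "sha256:aaaa"}}
	img := "ghcr.io/org/app@sha256:aaaa"
	repo := ResolveProvenanceRepository("ghcr.io/org/attest", "", img)
	fmt.Println("GHA:", ghaVerifier{reg}.VerifyImageProvenanceRepo(img, repo))
	fmt.Println("GCB:", gcbVerifier{reg}.VerifyImageProvenanceRepo(img, repo))
}
```

The point worth keeping in mind when reading the PR: the flag only changes where the attestation is fetched from. What binds the provenance to the image is the signature verification and the subject digest check, which must happen regardless of the repository, and an image referenced by tag rather than digest gives the verifier nothing to bind to.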

saisatishkarra commented 5 months ago

@laurentsimon can you review these changes again pls?

laurentsimon commented 5 months ago

Let's update the example-package workflow next?

I also created https://github.com/slsa-framework/slsa-github-generator/issues/3095 which should be a simple change

Thanks again for the hard work.