
Instructions for Signature Verification of the Provenance File

In this example we verify the signature of the SLSA provenance file of a Ghaf Lenovo X1 Carbon package that was built and signed by the themisto server.

Step-by-Step Instructions:

  • Download and extract the package in an empty directory

    mkdir verify
    cd verify
    wget https://ghafreleasesstorage.z16.web.core.windows.net/ghaf-24-06/files/ghaf-24.06_Lenovo_X1_Carbon_Gen11.tar.xz
    tar -xf *.tar.xz
    cd ghaf-24.06_Lenovo_X1_Carbon_Gen11
    cd Build_Report
    cd Provenance_File
    ls

  • Download the sha256tree.py script (required for calculating hashes of directory trees)

    wget https://raw.githubusercontent.com/tiiuae/ci-public/main/sha256tree/sha256tree.py

  • Compute the hash of the provenance file and convert it to binary format

    python3 sha256tree.py --plain dkpv6xdyyhdl337kxr0n89m88bzq87b6-themisto-323-provenance.json > digest.hex
    xxd -r -p digest.hex digest.bin

  • Decode the signature to binary format

    openssl enc -base64 -d -in w536jabsakwjn98j1v1n58s9y335zy0j-dkpv6xdyyhdl337kxr0n89m88bzq87b6-themisto-323-provenance.json-themisto.signature -out signature.bin

  • Download the themisto public key

    wget https://ghafreleasesstorage.z16.web.core.windows.net/keys/themisto.pub

  • Verify the signature

    openssl dgst -sha256 -verify themisto.pub -signature signature.bin digest.bin

Example run with output:

[karim@nixos::~]$ mkdir verify

[karim@nixos::~]$ cd verify

[karim@nixos::~/verify]$ wget https://ghafreleasesstorage.z16.web.core.windows.net/ghaf-24-06/files/ghaf-24.06_Lenovo_X1_Carbon_Gen11.tar.xz
--2024-09-25 23:23:29--  https://ghafreleasesstorage.z16.web.core.windows.net/ghaf-24-06/files/ghaf-24.06_Lenovo_X1_Carbon_Gen11.tar.xz
Resolving ghafreleasesstorage.z16.web.core.windows.net (ghafreleasesstorage.z16.web.core.windows.net)... 20.60.246.36
Connecting to ghafreleasesstorage.z16.web.core.windows.net (ghafreleasesstorage.z16.web.core.windows.net)|20.60.246.36|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3707191756 (3,5G) [application/x-xz]
Saving to: ‘ghaf-24.06_Lenovo_X1_Carbon_Gen11.tar.xz.1’

ghaf-24.06_Lenovo_X1_Car 100%[==================================>]   3,45G  11,2MB/s    in 5m 57s  

2024-09-25 23:29:27 (9,89 MB/s) - ‘ghaf-24.06_Lenovo_X1_Carbon_Gen11.tar.xz.1’ saved [3707191756/3707191756]


[karim@nixos:~/verify]$ tar -xf *.tar.xz

[karim@nixos:~/verify]$ cd ghaf-24.06_Lenovo_X1_Carbon_Gen11

[karim@nixos:~/verify/ghaf-24.06_Lenovo_X1_Carbon_Gen11]$ cd Build_Report

[karim@nixos:~/verify/ghaf-24.06_Lenovo_X1_Carbon_Gen11/Build_Report]$ cd Provenance_File

[karim@nixos:~/verify/ghaf-24.06_Lenovo_X1_Carbon_Gen11/Build_Report/Provenance_File]$ ls
dkpv6xdyyhdl337kxr0n89m88bzq87b6-themisto-323-provenance.json
w536jabsakwjn98j1v1n58s9y335zy0j-dkpv6xdyyhdl337kxr0n89m88bzq87b6-themisto-323-provenance.json-themisto.signature

[karim@nixos:~/verify/ghaf-24.06_Lenovo_X1_Carbon_Gen11/Build_Report/Provenance_File]$ wget https://raw.githubusercontent.com/tiiuae/ci-public/main/sha256tree/sha256tree.py
--2024-03-27 09:58:18--  https://raw.githubusercontent.com/tiiuae/ci-public/main/sha256tree/sha256tree.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4479 (4,4K) [text/plain]
Saving to: ‘sha256tree.py’

sha256tree.py             100%[===================================>]   4,37K  --.-KB/s    in 0s      

2024-03-27 09:58:23 (27,0 MB/s) - ‘sha256tree.py’ saved [4479/4479]


[karim@nixos:~/verify/ghaf-24.06_Lenovo_X1_Carbon_Gen11/Build_Report/Provenance_File]$ python3 sha256tree.py --plain dkpv6xdyyhdl337kxr0n89m88bzq87b6-themisto-323-provenance.json > digest.hex

[karim@nixos:~/verify/ghaf-24.06_Lenovo_X1_Carbon_Gen11/Build_Report/Provenance_File]$ xxd -r -p digest.hex digest.bin

[karim@nixos:~/verify/ghaf-24.06_Lenovo_X1_Carbon_Gen11/Build_Report/Provenance_File]$ openssl enc -base64 -d -in w536jabsakwjn98j1v1n58s9y335zy0j-dkpv6xdyyhdl337kxr0n89m88bzq87b6-themisto-323-provenance.json-themisto.signature -out signature.bin
[karim@nixos:~/verify/ghaf-24.06_Lenovo_X1_Carbon_Gen11/Build_Report/Provenance_File]$  wget https://ghafreleasesstorage.z16.web.core.windows.net/keys/themisto.pub
--2024-03-27 09:36:02--  https://ghafreleasesstorage.z16.web.core.windows.net/keys/themisto.pub
Resolving ghafreleasesstorage.z16.web.core.windows.net (ghafreleasesstorage.z16.web.core.windows.net)... 20.60.246.36
Connecting to ghafreleasesstorage.z16.web.core.windows.net (ghafreleasesstorage.z16.web.core.windows.net)|20.60.246.36|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 178 [application/octet-stream]
Saving to: ‘themisto.pub’

themisto.pub              100%[===================================>]     178  --.-KB/s    in 0s      

2024-03-27 09:36:02 (103 MB/s) - ‘themisto.pub’ saved [178/178]

[karim@nixos:~/verify/ghaf-24.06_Lenovo_X1_Carbon_Gen11/Build_Report/Provenance_File]$ openssl dgst -sha256 -verify themisto.pub -signature signature.bin digest.bin
Verified OK