Instructions for Signature Verification of the Provenance File

In this example we verify the signature of the SLSA provenance file of a Ghaf Lenovo X1 Carbon package.

Step-by-Step Instructions:

Example run with output

    [ktu@x1-nixos:~]$ mkdir verify

    [ktu@x1-nixos:~]$ cd verify

    [ktu@x1-nixos:~/verify]$ wget https://ghafreleasesstorage.z16.web.core.windows.net/ghaf-24-09-1/files/packages.x86_64-linux.lenovo-x1-carbon-gen11-debug.tar
    --2024-10-15 16:28:04-- https://ghafreleasesstorage.z16.web.core.windows.net/ghaf-24-09-1/files/packages.x86_64-linux.lenovo-x1-carbon-gen11-debug.tar
    Resolving ghafreleasesstorage.z16.web.core.windows.net (ghafreleasesstorage.z16.web.core.windows.net)... 20.60.246.36
    Connecting to ghafreleasesstorage.z16.web.core.windows.net (ghafreleasesstorage.z16.web.core.windows.net)|20.60.246.36|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 4921190400 (4.66G) [application/x-tar]
    Saving to: ‘packages.x86_64-linux.lenovo-x1-carbon-gen11-debug.tar’

    packages.x86_64-linux.lenovo-x1-carbon-gen11-debug.tar    100%[====================================>]   4.586  12.8MB/s    in 6m 3s

    2024-10-15 16:34:20 (12.9 MB/s) - ‘packages.x86_64-linux.lenovo-x1-carbon-gen11-debug.tar’ saved [4921190400/4921190400]

    [ktu@x1-nixos:~/verify]$ tar -xf *.tar
    [ktu@x1-nixos:~/verify]$ cd packages.x86_64-linux.lenovo-x1-carbon-gen11-debug
    [ktu@x1-nixos:~/verify/packages.x86_64-linux.lenovo-x1-carbon-gen11-debug]$ cd scs
    [ktu@x1-nixos:~/verify/packages.x86_64-linux.lenovo-x1-carbon-gen11-debug/scs]$ ls
    index.html  provenance.json  provenance.json.sig  sbom.cdx.json  sbom.csv  sbom.spdx.json  vulns.txt

    [ktu@x1-nixos:~/verify/packages.x86_64-linux.lenovo-x1-carbon-gen11-debug/scs]$ nix run github:tiiuae/ci-yubi/bdb2dbf#verify -- --path provenance.json --sigfile provenance.json.sig
    Signature verification result: {'message': 'Signature Verification Result', 'is_valid': True}