In this example we verify the signature of the SLSA provenance file of a Ghaf Lenovo X1 Carbon package.
mkdir verify cd verify wget https://ghafreleasesstorage.z16.web.core.windows.net/ghaf-24-09-1/files/packages.x86_64-linux.lenovo-x1-carbon-gen11-debug.tar tar -xf *.tar cd packages.x86_64-linux.lenovo-x1-carbon-gen11-debug cd scs ls
nix run github:tiiuae/ci-yubi/bdb2dbf#verify -- --path provenance.json --sigfile provenance.json.sig
[ktu@x1-nixos:~]$ mkdir verify [ktu@x1-nixos:~]$ cd verify [ktu@x1-nixos:~/verify]$ wget https://ghafreleasesstorage.z16.web.core.windows.net/ghaf-24-09-1/files/packages.x86_64-linux.lenovo-x1-carbon-gen11-debug.tar --2024-10-15 16:28:04-- https://ghafreleasesstorage.z16.web.core.windows.net/ghaf-24-09-1/files/packages.x86_64-linux.lenovo-x1-carbon-gen11-debug.tar Resolving ghafreleasesstorage.z16.web.core.windows.net (ghafreleasesstorage.z16.web.core.windows.net)... 20.60.246.36 Connecting to ghafreleasesstorage.z16.web.core.windows.net (ghafreleasesstorage.z16.web.core.windows.net)|20.60.246.36|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 4921190400 (4.66G) [application/x-tar] Saving to: ‘packages.x86_64-linux.lenovo-x1-carbon-gen11-debug.tar’ packages.x86_64-linux.lenovo-x1-carbon-gen11-debug.tar 100%[====================================>] 4.586 12.8MB/s in 6m 3s 2024-10-15 16:34:20 (12.9 MB/s) - ‘packages.x86_64-linux.lenovo-x1-carbon-gen11-debug.tar’ saved [4921190400/4921190400] [ktu@x1-nixos:~/verify]$ tar -xf *.tar [ktu@x1-nixos:~/verify]$ cd packages.x86_64-linux.lenovo-x1-carbon-gen11-debug [ktu@x1-nixos:~/verify/packages.x86_64-linux.lenovo-x1-carbon-gen11-debug]$ cd scs [ktu@x1-nixos:~/verify/packages.x86_64-linux.lenovo-x1-carbon-gen11-debug/scs]$ ls index.html provenance.json provenance.json.sig sbom.cdx.json sbom.csv sbom.spdx.json vulns.txt [ktu@x1-nixos:~/verify/packages.x86_64-linux.lenovo-x1-carbon-gen11-debug/scs]$ nix run github:tiiuae/ci-yubi/bdb2dbf#verify -- --path provenance.json --sigfile provenance.json.sig Signature verification result: {'message': 'Signature Verification Result', 'is_valid': True}