This page explains how to verify the signature on the Assured OSS artifacts.
This page applies to the free tier only. For the premium tier, see Access security metadata and verify packages.
Package verification
Package signatures are stored separately from the package in a Cloud Storage
bucket in a zip format.
You can verify signatures using the
Assured OSS verifier tool (aoss-verifier) or using a verification script.
Using the aoss-verifier tool
Before using this tool, make sure Go is installed on your system. If Go is not installed, install Go from the Go website.
To verify the authenticity and integrity of open source software packages, install the aoss-verifier tool.
Export
$(go env GOPATH)/bin, and run theaoss-verifier verify-packagecommand.aoss-verifier verify-package \ --language LANGUAGE \ --package_id PACKAGE_ID \ --version VERSION \ --artifact_path ARTIFACT_PATH \ [--disable_certificate_verification] \ [--temp_downloads_path TEMP_DOWNLOADS_DIR_PATH] \ [--disable_deletes]Replace the following:
- LANGUAGE: The package language. The value must be in lowercase.
- PACKAGE_ID: for Java, it's groupId:artifactId and for Python it's packageName. The value must be in lower case.
- VERSION: The version of the package.
- ARTIFACT_PATH: The path to the data file in your
local directory that you want to verify. Use the following filename
extensions:
jarfile extension for a Java packagewhlfile extension for a Python package
--disable_certificate_verificationis an optional flag which skips matching leaf certificate to the root certificate through the certificate chain, if used.--temp_downloads_pathis an optional flag to set the path where you want to download the files. (replace TEMP_DOWNLOADS_DIR_PATH). If this flag isn't set, the files are downloaded to thetmp_downloadsfolder in the current directory.--disable_deletesis an optional flag which keeps the downloaded files. By default, the tool cleans all the downloaded files.
Refer the README for further information.
Using verification script
This section describes how to use a verification script to verify the signatures of downloaded packages.
Step 1: Get the signature URL
The URL of the zip file is available in the security metadata of each package. The following example is a sample from Container Analysis metadata.
As shown in the following example, you can find the signature zip URL in the
description: digestUrl field.
package {
distribution {
cpe_uri: "cpe:2.3:a:JAVA::com.fasterxml.jackson.core:jackson-databind:2.13.3:*:*:*:*:*:*:*"
maintainer: "<nil>"
url: "https://us-maven.pkg.dev/cloud-aoss/cloud-aoss-java/com/fasterxml/jackson/core/jackson-databind/2.13.3/jackson-databind-2.13.3.jar"
description: "{\n \"artifactMetadataList\": [\n {\n \"digestUrl\": \"gs://cloud-aoss/java/com.fasterxml.jackson.core:jackson-databind/2.13.3/jackson-databind-2.13.3_binary_2022-10-12T06:54:05Z.zip\"\n }\n ]\n}"
}
distribution {
cpe_uri: "cpe:2.3:a:JAVA::com.fasterxml.jackson.core:jackson-databind:2.13.3:*:*:*:*:*:*:*"
url: "https://us-maven.pkg.dev/cloud-aoss/cloud-aoss-java/com/fasterxml/jackson/core/jackson-databind/2.13.3/jackson-databind-2.13.3-sources.jar"
description: "{\n \"digestUrl\": \"gs://cloud-aoss/java/com.fasterxml.jackson.core:jackson-databind/2.13.3/jackson-databind-2.13.3-sources_source_2022-10-12T06:54:05Z.zip\"\n}"
}
}
Sample example from Cloud Storage metadata (buildInfo.json file). As shown
in the following example, you can get the signature zip URL from the
externalRefs : referenceLocator field.
"packages": [
{
"SPDXID": "SPDXRef-Package-logback-core-1.2.11.jar",
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "c847e0e310acda8bc1347c9d9cc051e91210b9f943e131fceb5034c2f0c9a5d8"
}
],
"downloadLocation": "https://us-maven.pkg.dev/cloud-aoss/cloud-aoss-java/ch/qos/logback/logback-core/1.2.11/logback-core-1.2.11.jar",
"externalRefs": [
{
"referenceCategory": "SECURITY",
"referenceLocator": "cpe:2.3:a:*:JAVA\\:\\:ch\\.qos\\.logback\\:logback\\-core:1\\.2\\.11:*:*:*:*:*:*:*",
"referenceType": "cpe23Type"
},
{
"referenceCategory": "OTHER",
"referenceLocator": "gs://cloud-aoss/java/ch.qos.logback:logback-core/1.2.11/logback-core-1.2.11_binary_2022-10-12T14:19:11Z.zip",
"referenceType": "digestURL"
}
],
You can use the local signature zip for manual verification or
the Cloud Storage URL directly for using the verification script. You can download
the signature.zip file using the following steps:
Set up authentication using Application Default Credentials (ADC).
Download the
signature.zipusing the following command:gcloud storage cp SIGNATURE_ZIP_URL PATH_TO_LOCAL_STORE --recursiveReplace the following:
- SIGNATURE_ZIP_URL: the signature zip URL.
- PATH_TO_LOCAL_STORE: the local path where you want to download the file.
Step 2: Get the root certificate
To access the root certificate, use the following URL:
https://privateca-content-6333d504-0000-2df7-afd6-30fd38154590.storage.googleapis.com/a2c725a592f1d586f1f8/ca.crt
You can download the certificate locally or use the certificate link directly. To download the certificate, run the following command:
curl -o PATH_TO_LOCAL_STORE/ca.crt https://privateca-content-6333d504-0000-2df7-afd6-30fd38154590.storage.googleapis.com/a2c725a592f1d586f1f8/ca.crt
Replace PATH_TO_LOCAL_STORE with the local path where you want to download the certificate.
Step 3: Get the package file location
The file we would be verifying is the jar for Java packages and wheel file for Python packages. That file would be the PATH_TO_DATA_FILE for verification.
Step 4: Verification
You can manually verify the signature zip using the steps at manual signature verification or can use the verification script.
To verify using verification script, run the following commands:
Download the verification script and give permissions.
gcloud storage cp "gs://cloud-aoss/utils/signature-verification/v1.0/signatureverification.sh" . --recursive chmod +x signatureverification.shRun the verification script and verify. You can use the remote URLs or local paths for signature zip and root certificate.
./signatureverification.sh --data_file_path PATH_TO_DATA_FILE --signature_url SIGNATURE_ZIP_URL --root_cert_url ROOT_CERT_URLReplace the following:
- PATH_TO_DATA_FILE with the path to the package file identified in step 3
- SIGNATURE_ZIP_URL with the signature zip URL obtained in step 1.
- ROOT_CERT_URL with the root certificate URL obtained in step 2.
Metadata verification
This section explains how you can verify the signature on the Assured OSS metadata accessed using Cloud Storage.
Use the aoss-verifier tool
Use the aoss-verifier tool to verify metadata.
Before using this tool, install Go.
Install the aoss-verifier tool.
Export
$(go env GOPATH)/bin, and run theaoss-verifier verify-metadatacommand.aoss-verifier verify-metadata \ --metadata_type TYPE \ --language LANGUAGE \ --package_id PACKAGE_ID \ --version VERSION \ [--disable_certificate_verification] \ [--temp_downloads_path TEMP_DOWNLOADS_DIR_PATH] \ [--disable_deletes]Replace the following:
- TYPE: The possible values are
buildinfo,vexinfo, andhealthinfo. - LANGUAGE: The package language. The value must be in lowercase.
- PACKAGE_ID: For Java, the format is groupId:artifactId. For Python, the format is packageName. The value must be in lower case.
- VERSION: The version of the package.
--disable_certificate_verificationis an optional flag which skips matching the leaf certificate to the root certificate through the certificate chain, if used.--temp_downloads_pathis an optional flag to set the path where you want to download the files (replace TEMP_DOWNLOADS_DIR_PATH). If this flag isn't set, the files are downloaded to thetmp_downloadsfolder in the current directory.--disable_deletesis an optional flag which keeps the downloaded files. By default, the tool cleans all the downloaded files.- TYPE: The possible values are
For more information, see the README.
Using verification script
This section describes how to use a verification script to verify the security metadata file.
Step 1: Get the signature zip and metadata file
We can access the metadata as in Access Metadata. The metadata file would be present with the signature.zip file.
Example - contents of buildInfo.zip
buildInfo.json
signature.zip
The buildInfo.json is the metadata file required to be verified and the
signature.zip is the signature zip.
Step 2: Get the root certificate
Use the following URL link to get the root certificate:
https://privateca-content-6333d504-0000-2df7-afd6-30fd38154590.storage.googleapis.com/a2c725a592f1d586f1f8/ca.crt
You can download the certificate locally or use the certificate link directly. To download the certificate, run the following command:
curl -o PATH_TO_LOCAL_STORE/ca.crt https://privateca-content-6333d504-0000-2df7-afd6-30fd38154590.storage.googleapis.com/a2c725a592f1d586f1f8/ca.crt
Replace PATH_TO_LOCAL_STORE with the local path where you want to download the certificate.
Step 3: Verification
You can verify the signature.zip using manual verification or by
using the verification script.
To verify using verification script, run the following commands:
Download the verification script and give permissions.
gcloud storage cp "gs://cloud-aoss/utils/signature-verification/v1.0/signatureverification.sh" . --recursive chmod +x signatureverification.shRun the verification script and verify. You should use the local path for the signature zip. For the root certificate, you can use either the URL or local path. The data file would be the metadata file we are verifying -
buildInfo.json,vexInfo.jsonorhealthInfo.json../signatureverification.sh --data_file_path PATH_TO_DATA_FILE --signature_local_path SIGNATURE_LOCAL_PATH --root_cert_url ROOT_CERT_URLReplace the following:
PATH_TO_DATA_FILE with the metadata file we are verifying as obtained in Step 1.
SIGNATURE_LOCAL_PATH with the signature zip URL obtained in step 1.
ROOT_CERT_URL with the root certificate URL obtained in step 2.
In case you want to use a local certificate already downloaded, use this option instead:
--root_cert_local ROOT_CERT_LOCALReplace ROOT_CERT_LOCAL with the local certificate path.
Utility script verification
Assured OSS provides three utility scripts. This section describes how to verify the signature on these scripts.
Python Requirements.txt generator
Access the signature for this file at
gs://cloud-aoss/utils/python-requirements-txt/v1.0/generator-sig.zip. You can verify the
signature.zip either using manual verification or
using the verification script.
To quick verify the signature using the verification script, follow these steps:
If you have not already downloaded the
requirements.txtgenerator script file, download the file.gcloud storage cp "gs://cloud-aoss/utils/python-requirements-txt/v1.0/generator.sh" . --recursiveFetch the root certificate. The URL link is
https://privateca-content-6333d504-0000-2df7-afd6-30fd38154590.storage.googleapis.com/a2c725a592f1d586f1f8/ca.crtYou can download the certificate locally or use the certificate link directly. To download the certificate, run the following command:curl -o PATH_TO_LOCAL_STORE/ca.crt "https://privateca-content-6333d504-0000-2df7-afd6-30fd38154590.storage.googleapis.com/a2c725a592f1d586f1f8/ca.crt"Replace PATH_TO_LOCAL_STORE with the local path where you want to download the certificate
Download the verification script if you have not already done so.
gcloud storage cp "gs://cloud-aoss/utils/signature-verification/v1.0/signatureverification.sh" . --recursive chmod +x signatureverification.shRun the verification script and verify.
./signatureverification.sh --data_file_path PATH_TO_DATA_FILE --signature_url "gs://cloud-aoss/utils/python-requirements-txt/v1.0/generator-sig.zip" --root_cert_url ROOT_CERT_URLReplace the following:
- PATH_TO_DATA_FILE with the local path of the
generator.shscript we want to verify as obtained in Step 2. - ROOT_CERT_URL with the root certificate URL. In case you want to use a local certificate already downloaded, run the following command:
–root_cert_local ROOT_CERT_LOCALReplace ROOT_CERT_LOCAL with the local path of the root certificate.
- PATH_TO_DATA_FILE with the local path of the
Signature verification script
Access the signature for this file at gs://cloud-aoss/utils/signature-verification/v1.0/signatureverification-sig.zip. You can verify the
signature.zip either using manual verification or
using the verification script.
To quick verify the signature using the verification script, follow these steps:
If you have not already downloaded the signature verification script file, download the file.
gcloud storage cp "gs://cloud-aoss/utils/signature-verification/v1.0/signatureverification.sh" . --recursive chmod +x signatureverification.shFetch the root certificate. The URL link is
https://privateca-content-6333d504-0000-2df7-afd6-30fd38154590.storage.googleapis.com/a2c725a592f1d586f1f8/ca.crtYou can download the certificate locally or use the certificate link directly. Command to download the certificate:curl -o PATH_TO_LOCAL_STORE/ca.crt https://privateca-content-6333d504-0000-2df7-afd6-30fd38154590.storage.googleapis.com/a2c725a592f1d586f1f8/ca.crtReplace PATH_TO_LOCAL_STORE with the local path where you want to download the certificate
Run the verification script and verify.
./signatureverification.sh --data_file_path PATH_TO_DATA_FILE --signature_url "gs://cloud-aoss/utils/signature-verification/v1.0/signatureverification-sig.zip" --root_cert_url ROOT_CERT_URLReplace the following:
PATH_TO_DATA_FILE with the local path of the verification script we want to verify as obtained in Step 2. ROOT_CERT_URL with the root certificate URL. In case you want to use a local certificate already downloaded, use this option instead:
–root_cert_local ROOT_CERT_LOCALReplace ROOT_CERT_LOCAL with the local path of the root certificate.
Download metadata script
Access the signature for this file at gs://cloud-aoss/utils/python-download-metadata/v1.1/download_metadata-sig.zip. You can verify the
signature.zip either using manual verification or
using the verification script.
To quick verify the signature using the verification script, follow these steps:
If you have not already downloaded the
download_metadata.pyscript file, download the file.gcloud storage cp "gs://cloud-aoss/utils/python-download-metadata/v1.1/download_metadata.py" . --recursiveFetch the root certificate. The URL link is
https://privateca-content-6333d504-0000-2df7-afd6-30fd38154590.storage.googleapis.com/a2c725a592f1d586f1f8/ca.crtYou can download the certificate locally or use the certificate link directly.To download the certificate, run the following command:
curl -o PATH_TO_LOCAL_STORE/ca.crt https://privateca-content-6333d504-0000-2df7-afd6-30fd38154590.storage.googleapis.com/a2c725a592f1d586f1f8/ca.crtReplace PATH_TO_LOCAL_STORE with the local path where you want to download the certificate
Download the verification script.
gcloud storage cp "gs://cloud-aoss/utils/signature-verification/v1.0/signatureverification.sh" . --recursive chmod +x signatureverification.shRun the verification script and verify.
./signatureverification.sh --data_file_path PATH_TO_DATA_FILE --signature_url gs://cloud-aoss/utils/python-download-metadata/v1.1/download_metadata-sig.zip --root_cert_url ROOT_CERT_URLReplace the following:
- PATH_TO_DATA_FILE with the local path of the
download_metadata.pyscript we want to verify as obtained in Step 2. - ROOT_CERT_URL with the root certificate URL. In case you want to use a local certificate already downloaded, run the following command:
–root_cert_local ROOT_CERT_LOCALReplace ROOT_CERT_LOCAL with the local path of the root certificate.
- PATH_TO_DATA_FILE with the local path of the