查看构建来源

本页面说明了如何查看和审核 Cloud Build 生成的构建出处元数据。

构建来源是关于 Cloud Build 运行的构建作业的可验证数据集合。来源元数据包括已构建映像的摘要、输入源位置、构建参数和构建时长等详细信息。

Cloud Build 支持根据 SLSA 版本 0.1 规范生成满足软件工件供应链级别 (SLSA) 第 3 级保证要求的构建出处,并且对 SLSA 1.0 版本的支持目前处于预览版阶段。

为了支持 SLSA v1.0 规范,Cloud Build 提供了 buildType 详细信息。您可以使用 buildType 架构来了解用于构建流程的参数化模板。如需了解详情,请参阅 Cloud Build buildType v1

准备工作

  1. Enable the Cloud Build, Artifact Analysis, and Artifact Registry APIs.

    Enable the APIs

  2. 如需使用本指南中的命令行示例,请安装并配置 Google Cloud SDK

此功能仅适用于存储在 Artifact Registry 中的容器映像。

查看构建来源

本部分介绍如何查看 Cloud Build 创建的构建来源元数据。

使用 Cloud Build 构建映像时,系统会自动记录映像的构建来源。您可以稍后提取此信息用于审核。

在 Google Cloud 控制台中查看出处

您可以在 Google Cloud 控制台的安全性数据分析侧边栏中查看构建来源。

安全性数据分析侧边栏简要介绍了 Artifact Registry 中存储的工件的安全信息。如需详细了解侧边栏以及如何使用 Cloud Build 帮助保护软件供应链,请参阅查看构建安全性数据分析

使用 Google Cloud CLI 查看出处

  1. 要生成来源元数据,请使用 Cloud Build 运行构建

    使用 images 字段而不是 docker push 构建步骤推送构建的映像。Cloud Build 仅为通过 images 字段推送的映像生成attestations

  2. 如需查看生成的出处元数据,请运行以下命令:

    gcloud artifacts docker images describe \
    LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE@sha256:HASH \
    --show-provenance
    

    将命令中的占位值替换为以下内容:

    • LOCATION:单区域或多区域位置
    • PROJECT_ID:Google Cloud 项目 ID。
    • REPOSITORY:代码库名称。
    • IMAGE:映像的名称。
    • HASH:映像的 sha256 哈希值。您可以在构建的输出中找到上述代码。

    输出是容器来源,如 SLSA 来源规范中所述。例如:

      image_summary:
      digest: sha256:7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3
      fully_qualified_digest: us-central1-docker.pkg.dev/my-project/my-repo/my-image@sha256:7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3
      registry: us-central1-docker.pkg.dev
      repository: my-repo
      slsa_build_level: 0
    provenance_summary:
      provenance:
      - build:
          inTotoSlsaProvenanceV1:
            _type: https://in-toto.io/Statement/v1
            predicate:
              buildDefinition:
                buildType: https://cloud.google.com/build/gcb-buildtypes/google-worker/v1
                externalParameters:
                  buildConfigSource:
                    path: cloudbuild.yaml
                    ref: refs/heads/main
                    repository: git+https://github.com/my-username/my-git-repo
                  substitutions: {}
                internalParameters:
                  systemSubstitutions:
                    BRANCH_NAME: main
                    BUILD_ID: e73ca1d4-ec4a-4ea6-acdd-ac8bb16dcc79
                    COMMIT_SHA: 525c52c501739e6df0609ed1f944c1bfd83224e7
                    LOCATION: us-west1
                    PROJECT_NUMBER: '265426041527'
                    REF_NAME: main
                    REPO_FULL_NAME: my-username/my-git-repo
                    REPO_NAME: my-git-repo
                    REVISION_ID: 525c52c501739e6df0609ed1f944c1bfd83224e7
                    SHORT_SHA: 525c52c
                    TRIGGER_BUILD_CONFIG_PATH: cloudbuild.yaml
                    TRIGGER_NAME: github-trigger-staging
                  triggerUri: projects/265426041527/locations/us-west1/triggers/a0d239a4-635e-4bd3-982b-d8b72d0b4bab
                resolvedDependencies:
                - digest:
                    gitCommit: 525c52c501739e6df0609ed1f944c1bfd83224e7
                  uri: git+https://github.com/my-username/my-git-repo@refs/heads/main
                - digest:
                    sha256: 154fcd4d2d65c6a35b06b98053a0829c581e223d530be5719326f5d85d680e8d
                  uri: gcr.io/cloud-builders/docker@sha256:154fcd4d2d65c6a35b06b98053a0829c581e223d530be5719326f5d85d680e8d
              runDetails:
                builder:
                  id: https://cloudbuild.googleapis.com/GoogleHostedWorker
                byproducts:
                - {}
                metadata:
                  finishedOn: '2023-08-01T19:57:10.734471Z'
                  invocationId: https://cloudbuild.googleapis.com/v1/projects/my-project/locations/us-west1/builds/e73ca1d4-ec4a-4ea6-acdd-ac8bb16dcc79
                  startedOn: '2023-08-01T19:56:57.451553160Z'
            predicateType: https://slsa.dev/provenance/v1
            subject:
            - digest:
                sha256: 7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3
              name: https://us-central1-docker.pkg.dev/my-project/my-repo/my-image
            - digest:
                sha256: 7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3
              name: https://us-central1-docker.pkg.dev/my-project/my-repo/my-image:latest
        createTime: '2023-08-01T19:57:14.810489Z'
        envelope:
          payload: eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCAic3ViamVjdCI6W3sibmFtZSI6Imh0dHBzOi8vdXMtY2VudHJhbDEtZG9ja2VyLnBrZy5kZXYvYXJnby1sb2NhbC1raGFsay9raGFsay1kb2NrZXItYXIvdGFnZ2VkLXdvcmxkLWdlbi10d28iLCAiZGlnZXN0Ijp7InNoYTI1NiI6IjdlOWI2ZTdiYTI4NDJjOTFjZjQ5ZjNlMjE0ZDA0YTdhNDk2ZjgyMTQzNTZmNDFkODFhNmU2ZGNhZDExZjExZTMifX0sIHsibmFtZSI6Imh0dHBzOi8vdXMtY2VudHJhbDEtZG9ja2VyLnBrZy5kZXYvYXJnby1sb2NhbC1raGFsay9raGFsay1kb2NrZXItYXIvdGFnZ2VkLXdvcmxkLWdlbi10d286bGF0ZXN0IiwgImRpZ2VzdCI6eyJzaGEyNTYiOiI3ZTliNmU3YmEyODQyYzkxY2Y0OWYzZTIxNGQwNGE3YTQ5NmY4MjE0MzU2ZjQxZDgxYTZlNmRjYWQxMWYxMWUzIn19XSwgInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjEiLCAicHJlZGljYXRlIjp7ImJ1aWxkRGVmaW5pdGlvbiI6eyJidWlsZFR5cGUiOiJodHRwczovL2Nsb3VkLmdvb2dsZS5jb20vYnVpbGQvZ2NiLWJ1aWxkdHlwZXMvZ29vZ2xlLXdvcmtlci92MSIsICJleHRlcm5hbFBhcmFtZXRlcnMiOnsiYnVpbGRDb25maWdTb3VyY2UiOnsicGF0aCI6ImNsb3VkYnVpbGQueWFtbCIsICJyZWYiOiJyZWZzL2hlYWRzL21haW4iLCAicmVwb3NpdG9yeSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20va2hhbGtpZS9nY2ItcmVwby1zdGFnaW5nIn0sICJzdWJzdGl0dXRpb25zIjp7fX0sICJpbnRlcm5hbFBhcmFtZXRlcnMiOnsic3lzdGVtU3Vic3RpdHV0aW9ucyI6eyJCUkFOQ0hfTkFNRSI6Im1haW4iLCAiQlVJTERfSUQiOiJlNzNjYTFkNC1lYzRhLTRlYTYtYWNkZC1hYzhiYjE2ZGNjNzkiLCAiQ09NTUlUX1NIQSI6IjUyNWM1MmM1MDE3MzllNmRmMDYwOWVkMWY5NDRjMWJmZDgzMjI0ZTciLCAiTE9DQVRJT04iOiJ1cy13ZXN0MSIsICJQUk9KRUNUX05VTUJFUiI6IjI2NTQyNjA0MTUyNyIsICJSRUZfTkFNRSI6Im1haW4iLCAiUkVQT19GVUxMX05BTUUiOiJraGFsa2llL2djYi1yZXBvLXN0YWdpbmciLCAiUkVQT19OQU1FIjoiZ2NiLXJlcG8tc3RhZ2luZyIsICJSRVZJU0lPTl9JRCI6IjUyNWM1MmM1MDE3MzllNmRmMDYwOWVkMWY5NDRjMWJmZDgzMjI0ZTciLCAiU0hPUlRfU0hBIjoiNTI1YzUyYyIsICJUUklHR0VSX0JVSUxEX0NPTkZJR19QQVRIIjoiY2xvdWRidWlsZC55YW1sIiwgIlRSSUdHRVJfTkFNRSI6ImdpdGh1Yi10cmlnZ2VyLXN0YWdpbmcifSwgInRyaWdnZXJVcmkiOiJwcm9qZWN0cy8yNjU0MjYwNDE1MjcvbG9jYXRpb25zL3VzLXdlc3QxL3RyaWdnZXJzL2EwZDIzOWE0LTYzNWUtNGJkMy05ODJiLWQ4YjcyZDBiNGJhYiJ9LCAicmVzb2x2ZWREZXBlbmRlbmNpZXMiOlt7InVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20va2hhbGtpZS9nY2ItcmVwby1zdGFnaW5nQHJlZnMvaGVhZHMvbWFpbiIsICJkaWdlc3QiOnsiZ2l0Q29tbWl0IjoiNTI1YzUyYzUwMTczOWU2ZGYwNjA5ZWQxZjk0NGMxYmZkODMyMjRlNyJ9fSwgeyJ1cmkiOiJnY3IuaW8vY2xvdWQtYnVpbGRlcnMvZG9ja2VyQHNoYTI1NjoxNTRmY2Q0ZDJkNjVjNmEzNWIwNmI5ODA1M2EwODI5YzU4MWUyMjNkNTMwYmU1NzE5MzI2ZjVkODVkNjgwZThkIiwgImRpZ2VzdCI6eyJzaGEyNTYiOiIxNTRmY2Q0ZDJkNjVjNmEzNWIwNmI5ODA1M2EwODI5YzU4MWUyMjNkNTMwYmU1NzE5MzI2ZjVkODVkNjgwZThkIn19XX0sICJydW5EZXRhaWxzIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2Nsb3VkYnVpbGQuZ29vZ2xlYXBpcy5jb20vR29vZ2xlSG9zdGVkV29ya2VyIn0sICJtZXRhZGF0YSI6eyJpbnZvY2F0aW9uSWQiOiJodHRwczovL2Nsb3VkYnVpbGQuZ29vZ2xlYXBpcy5jb20vdjEvcHJvamVjdHMvYXJnby1sb2NhbC1raGFsay9sb2NhdGlvbnMvdXMtd2VzdDEvYnVpbGRzL2U3M2NhMWQ0LWVjNGEtNGVhNi1hY2RkLWFjOGJiMTZkY2M3OSIsICJzdGFydGVkT24iOiIyMDIzLTA4LTAxVDE5OjU2OjU3LjQ1MTU1MzE2MFoiLCAiZmluaXNoZWRPbiI6IjIwMjMtMDgtMDFUMTk6NTc6MTAuNzM0NDcxWiJ9LCAiYnlwcm9kdWN0cyI6W3t9XX19fQ==
          payloadType: application/vnd.in-toto+json
          signatures:
          - keyid: projects/verified-builder/locations/global/keyRings/attestor/cryptoKeys/google-hosted-worker/cryptoKeyVersions/1
            sig: MEUCIQCss8UlQL2feFePRJuKTE8VA73f85iqj4OJ9SvVPqTNwAIgYyuyuIrl1PxQC5B109thO24Y6NA4bTa0PJY34EHRSVE=
        kind: BUILD
        name: projects/my-project/occurrences/71787589-c6a6-4d6a-a030-9fd041e40468
        noteName: projects/argo-qa/notes/intoto_slsa_v1_e73ca1d4-ec4a-4ea6-acdd-ac8bb16dcc79
        resourceUri: https://us-central1-docker.pkg.dev/my-project/my-repo/my-image@sha256:7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3
        updateTime: '2023-08-01T19:57:14.810489Z'
      - build:
          intotoStatement:
            _type: https://in-toto.io/Statement/v0.1
            predicateType: https://slsa.dev/provenance/v0.1
            slsaProvenance:
              builder:
                id: https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3
              materials:
              - digest:
                  sha1: 525c52c501739e6df0609ed1f944c1bfd83224e7
                uri: git+https://github.com/my-username/my-git-repo
              metadata:
                buildFinishedOn: '2023-08-01T19:57:10.734471Z'
                buildInvocationId: e73ca1d4-ec4a-4ea6-acdd-ac8bb16dcc79
                buildStartedOn: '2023-08-01T19:56:57.451553160Z'
              recipe:
                arguments:
                  '@type': type.googleapis.com/google.devtools.cloudbuild.v1.Build
                  id: e73ca1d4-ec4a-4ea6-acdd-ac8bb16dcc79
                  name: projects/265426041527/locations/us-west1/builds/e73ca1d4-ec4a-4ea6-acdd-ac8bb16dcc79
                  options:
                    dynamicSubstitutions: true
                    logging: LEGACY
                    pool: {}
                    requestedVerifyOption: VERIFIED
                    substitutionOption: ALLOW_LOOSE
                  sourceProvenance: {}
                  steps:
                  - args:
                    - tag
                    - hello-world
                    - us-central1-docker.pkg.dev/my-project/my-repo/my-image
                    name: gcr.io/cloud-builders/docker
                    pullTiming:
                      endTime: '2023-08-01T19:57:07.231646287Z'
                      startTime: '2023-08-01T19:57:07.225609188Z'
                    status: SUCCESS
                    timing:
                      endTime: '2023-08-01T19:57:08.343864907Z'
                      startTime: '2023-08-01T19:57:07.225609188Z'
                  substitutions:
                    BRANCH_NAME: main
                    COMMIT_SHA: 525c52c501739e6df0609ed1f944c1bfd83224e7
                    REF_NAME: main
                    REPO_FULL_NAME: my-username/my-git-repo
                    REPO_NAME: my-git-repo
                    REVISION_ID: 525c52c501739e6df0609ed1f944c1bfd83224e7
                    SHORT_SHA: 525c52c
                    TRIGGER_BUILD_CONFIG_PATH: cloudbuild.yaml
                    TRIGGER_NAME: github-trigger-staging
                entryPoint: cloudbuild.yaml
                type: https://cloudbuild.googleapis.com/CloudBuildYaml@v0.1
            subject:
            - digest:
                sha256: 7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3
              name: https://us-central1-docker.pkg.dev/my-project/my-repo/my-image
            - digest:
                sha256: 7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3
              name: https://us-central1-docker.pkg.dev/my-project/my-repo/my-image:latest
        createTime: '2023-08-01T19:57:13.168653Z'
        envelope:
          payload: eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZSI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9jbG91ZGJ1aWxkLmdvb2dsZWFwaXMuY29tL0dvb2dsZUhvc3RlZFdvcmtlckB2MC4zIn0sIm1hdGVyaWFscyI6W3siZGlnZXN0Ijp7InNoYTEiOiI1MjVjNTJjNTAxNzM5ZTZkZjA2MDllZDFmOTQ0YzFiZmQ4MzIyNGU3In0sInVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20va2hhbGtpZS9nY2ItcmVwby1zdGFnaW5nIn1dLCJtZXRhZGF0YSI6eyJidWlsZEZpbmlzaGVkT24iOiIyMDIzLTA4LTAxVDE5OjU3OjEwLjczNDQ3MVoiLCJidWlsZEludm9jYXRpb25JZCI6ImU3M2NhMWQ0LWVjNGEtNGVhNi1hY2RkLWFjOGJiMTZkY2M3OSIsImJ1aWxkU3RhcnRlZE9uIjoiMjAyMy0wOC0wMVQxOTo1Njo1Ny40NTE1NTMxNjBaIn0sInJlY2lwZSI6eyJhcmd1bWVudHMiOnsiQHR5cGUiOiJ0eXBlLmdvb2dsZWFwaXMuY29tL2dvb2dsZS5kZXZ0b29scy5jbG91ZGJ1aWxkLnYxLkJ1aWxkIiwiaWQiOiJlNzNjYTFkNC1lYzRhLTRlYTYtYWNkZC1hYzhiYjE2ZGNjNzkiLCJuYW1lIjoicHJvamVjdHMvMjY1NDI2MDQxNTI3L2xvY2F0aW9ucy91cy13ZXN0MS9idWlsZHMvZTczY2ExZDQtZWM0YS00ZWE2LWFjZGQtYWM4YmIxNmRjYzc5Iiwib3B0aW9ucyI6eyJkeW5hbWljU3Vic3RpdHV0aW9ucyI6dHJ1ZSwibG9nZ2luZyI6IkxFR0FDWSIsInBvb2wiOnt9LCJyZXF1ZXN0ZWRWZXJpZnlPcHRpb24iOiJWRVJJRklFRCIsInN1YnN0aXR1dGlvbk9wdGlvbiI6IkFMTE9XX0xPT1NFIn0sInNvdXJjZVByb3ZlbmFuY2UiOnt9LCJzdGVwcyI6W3siYXJncyI6WyJ0YWciLCJoZWxsby13b3JsZCIsInVzLWNlbnRyYWwxLWRvY2tlci5wa2cuZGV2L2FyZ28tbG9jYWwta2hhbGsva2hhbGstZG9ja2VyLWFyL3RhZ2dlZC13b3JsZC1nZW4tdHdvIl0sIm5hbWUiOiJnY3IuaW8vY2xvdWQtYnVpbGRlcnMvZG9ja2VyIiwicHVsbFRpbWluZyI6eyJlbmRUaW1lIjoiMjAyMy0wOC0wMVQxOTo1NzowNy4yMzE2NDYyODdaIiwic3RhcnRUaW1lIjoiMjAyMy0wOC0wMVQxOTo1NzowNy4yMjU2MDkxODhaIn0sInN0YXR1cyI6IlNVQ0NFU1MiLCJ0aW1pbmciOnsiZW5kVGltZSI6IjIwMjMtMDgtMDFUMTk6NTc6MDguMzQzODY0OTA3WiIsInN0YXJ0VGltZSI6IjIwMjMtMDgtMDFUMTk6NTc6MDcuMjI1NjA5MTg4WiJ9fV0sInN1YnN0aXR1dGlvbnMiOnsiQlJBTkNIX05BTUUiOiJtYWluIiwiQ09NTUlUX1NIQSI6IjUyNWM1MmM1MDE3MzllNmRmMDYwOWVkMWY5NDRjMWJmZDgzMjI0ZTciLCJSRUZfTkFNRSI6Im1haW4iLCJSRVBPX0ZVTExfTkFNRSI6ImtoYWxraWUvZ2NiLXJlcG8tc3RhZ2luZyIsIlJFUE9fTkFNRSI6ImdjYi1yZXBvLXN0YWdpbmciLCJSRVZJU0lPTl9JRCI6IjUyNWM1MmM1MDE3MzllNmRmMDYwOWVkMWY5NDRjMWJmZDgzMjI0ZTciLCJTSE9SVF9TSEEiOiI1MjVjNTJjIiwiVFJJR0dFUl9CVUlMRF9DT05GSUdfUEFUSCI6ImNsb3VkYnVpbGQueWFtbCIsIlRSSUdHRVJfTkFNRSI6ImdpdGh1Yi10cmlnZ2VyLXN0YWdpbmcifX0sImVudHJ5UG9pbnQiOiJjbG91ZGJ1aWxkLnlhbWwiLCJ0eXBlIjoiaHR0cHM6Ly9jbG91ZGJ1aWxkLmdvb2dsZWFwaXMuY29tL0Nsb3VkQnVpbGRZYW1sQHYwLjEifX0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMSIsInNsc2FQcm92ZW5hbmNlIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2Nsb3VkYnVpbGQuZ29vZ2xlYXBpcy5jb20vR29vZ2xlSG9zdGVkV29ya2VyQHYwLjMifSwibWF0ZXJpYWxzIjpbeyJkaWdlc3QiOnsic2hhMSI6IjUyNWM1MmM1MDE3MzllNmRmMDYwOWVkMWY5NDRjMWJmZDgzMjI0ZTcifSwidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9raGFsa2llL2djYi1yZXBvLXN0YWdpbmcifV0sIm1ldGFkYXRhIjp7ImJ1aWxkRmluaXNoZWRPbiI6IjIwMjMtMDgtMDFUMTk6NTc6MTAuNzM0NDcxWiIsImJ1aWxkSW52b2NhdGlvbklkIjoiZTczY2ExZDQtZWM0YS00ZWE2LWFjZGQtYWM4YmIxNmRjYzc5IiwiYnVpbGRTdGFydGVkT24iOiIyMDIzLTA4LTAxVDE5OjU2OjU3LjQ1MTU1MzE2MFoifSwicmVjaXBlIjp7ImFyZ3VtZW50cyI6eyJAdHlwZSI6InR5cGUuZ29vZ2xlYXBpcy5jb20vZ29vZ2xlLmRldnRvb2xzLmNsb3VkYnVpbGQudjEuQnVpbGQiLCJpZCI6ImU3M2NhMWQ0LWVjNGEtNGVhNi1hY2RkLWFjOGJiMTZkY2M3OSIsIm5hbWUiOiJwcm9qZWN0cy8yNjU0MjYwNDE1MjcvbG9jYXRpb25zL3VzLXdlc3QxL2J1aWxkcy9lNzNjYTFkNC1lYzRhLTRlYTYtYWNkZC1hYzhiYjE2ZGNjNzkiLCJvcHRpb25zIjp7ImR5bmFtaWNTdWJzdGl0dXRpb25zIjp0cnVlLCJsb2dnaW5nIjoiTEVHQUNZIiwicG9vbCI6e30sInJlcXVlc3RlZFZlcmlmeU9wdGlvbiI6IlZFUklGSUVEIiwic3Vic3RpdHV0aW9uT3B0aW9uIjoiQUxMT1dfTE9PU0UifSwic291cmNlUHJvdmVuYW5jZSI6e30sInN0ZXBzIjpbeyJhcmdzIjpbInRhZyIsImhlbGxvLXdvcmxkIiwidXMtY2VudHJhbDEtZG9ja2VyLnBrZy5kZXYvYXJnby1sb2NhbC1raGFsay9raGFsay1kb2NrZXItYXIvdGFnZ2VkLXdvcmxkLWdlbi10d28iXSwibmFtZSI6Imdjci5pby9jbG91ZC1idWlsZGVycy9kb2NrZXIiLCJwdWxsVGltaW5nIjp7ImVuZFRpbWUiOiIyMDIzLTA4LTAxVDE5OjU3OjA3LjIzMTY0NjI4N1oiLCJzdGFydFRpbWUiOiIyMDIzLTA4LTAxVDE5OjU3OjA3LjIyNTYwOTE4OFoifSwic3RhdHVzIjoiU1VDQ0VTUyIsInRpbWluZyI6eyJlbmRUaW1lIjoiMjAyMy0wOC0wMVQxOTo1NzowOC4zNDM4NjQ5MDdaIiwic3RhcnRUaW1lIjoiMjAyMy0wOC0wMVQxOTo1NzowNy4yMjU2MDkxODhaIn19XSwic3Vic3RpdHV0aW9ucyI6eyJCUkFOQ0hfTkFNRSI6Im1haW4iLCJDT01NSVRfU0hBIjoiNTI1YzUyYzUwMTczOWU2ZGYwNjA5ZWQxZjk0NGMxYmZkODMyMjRlNyIsIlJFRl9OQU1FIjoibWFpbiIsIlJFUE9fRlVMTF9OQU1FIjoia2hhbGtpZS9nY2ItcmVwby1zdGFnaW5nIiwiUkVQT19OQU1FIjoiZ2NiLXJlcG8tc3RhZ2luZyIsIlJFVklTSU9OX0lEIjoiNTI1YzUyYzUwMTczOWU2ZGYwNjA5ZWQxZjk0NGMxYmZkODMyMjRlNyIsIlNIT1JUX1NIQSI6IjUyNWM1MmMiLCJUUklHR0VSX0JVSUxEX0NPTkZJR19QQVRIIjoiY2xvdWRidWlsZC55YW1sIiwiVFJJR0dFUl9OQU1FIjoiZ2l0aHViLXRyaWdnZXItc3RhZ2luZyJ9fSwiZW50cnlQb2ludCI6ImNsb3VkYnVpbGQueWFtbCIsInR5cGUiOiJodHRwczovL2Nsb3VkYnVpbGQuZ29vZ2xlYXBpcy5jb20vQ2xvdWRCdWlsZFlhbWxAdjAuMSJ9fSwic3ViamVjdCI6W3siZGlnZXN0Ijp7InNoYTI1NiI6IjdlOWI2ZTdiYTI4NDJjOTFjZjQ5ZjNlMjE0ZDA0YTdhNDk2ZjgyMTQzNTZmNDFkODFhNmU2ZGNhZDExZjExZTMifSwibmFtZSI6Imh0dHBzOi8vdXMtY2VudHJhbDEtZG9ja2VyLnBrZy5kZXYvYXJnby1sb2NhbC1raGFsay9raGFsay1kb2NrZXItYXIvdGFnZ2VkLXdvcmxkLWdlbi10d28ifSx7ImRpZ2VzdCI6eyJzaGEyNTYiOiI3ZTliNmU3YmEyODQyYzkxY2Y0OWYzZTIxNGQwNGE3YTQ5NmY4MjE0MzU2ZjQxZDgxYTZlNmRjYWQxMWYxMWUzIn0sIm5hbWUiOiJodHRwczovL3VzLWNlbnRyYWwxLWRvY2tlci5wa2cuZGV2L2FyZ28tbG9jYWwta2hhbGsva2hhbGstZG9ja2VyLWFyL3RhZ2dlZC13b3JsZC1nZW4tdHdvOmxhdGVzdCJ9XX0=
          payloadType: application/vnd.in-toto+json
          signatures:
          - keyid: projects/verified-builder/locations/global/keyRings/attestor/cryptoKeys/provenanceSigner/cryptoKeyVersions/1
            sig: MEUCIQDsD7nX7YgnKrhgiNZXWuvSf_1AG8DgGDUAlZnjT_SB1AIgTBHZPCjTTPk3lQPAccL6WNg457QHufk9T9YB1FW5xbQ=
          - keyid: projects/argo-qa/locations/us-west1/keyRings/attestor/cryptoKeys/builtByGCB/cryptoKeyVersions/1
            sig: MEUCIQDnQmgbIcCkbDZy91HicY-IkcuV5bV_Zo0D1Y_rmsAMyQIga17tv0c_KAW3Uhv8mM2SZwY8D3YuP6TUy7QXDs2cmpA=
        kind: BUILD
        name: projects/my-project/occurrences/8b5dcf9d-4076-4b85-a934-adfb91042088
        noteName: projects/argo-qa/notes/intoto_e73ca1d4-ec4a-4ea6-acdd-ac8bb16dcc79
        resourceUri: https://us-central1-docker.pkg.dev/my-project/my-repo/my-image@sha256:7e9b6e7ba2842c91cf49f3e214d04a7a496f8214356f41d81a6e6dcad11f11e3
        updateTime: '2023-08-01T19:57:13.168653Z'
    

    此示例中有几点需要注意:

    • 构建是从 GitHub 代码库触发的。您可以在 materials 字段中查看相应的提交。

    • digestfileHash 字段引用了同一对象。digest 字段采用 base 16 编码(十六进制编码),fileHash 字段采用 base 64 编码。

    • envelope 字段中有两个签名。密钥名称为 provenanceSigner 的第一个签名使用 DSSE 符合签名(采用预身份验证编码 (PAE) 格式),该签名可在 Binary Authorization 政策中进行验证。我们建议您在此来源的新用法中使用此签名。密钥名称为 builtByGCB 的第二个签名是为旧版用途提供的。

    • Cloud Build 出处中自动包含的签名可帮助您验证执行构建的构建服务。您还可以配置 Cloud Build,以记录用于启动构建的服务帐号的可验证元数据。如需了解详情,请参阅使用 Cosign 对容器映像进行签名

查看区域级池的构建来源

无论您是使用专用池,还是使用已分配区域的默认池,Cloud Build 都不会为区域级池中的构建生成出处元数据。您可以向 build 文件添加选项,为区域 build 启用出处元数据。如需详细了解区域,请参阅 Cloud Build 位置

查看非容器工件的出处

在您将构建工件上传到 Artifact Registry 时,Cloud Build 会为独立 Java (Maven)、Python 和 Node.js (npm) 应用生成软件工件的供应链级别 (SLSA) 元数据。

  1. 如需为工件生成出处元数据,请使用 Cloud Build 运行构建:

    构建完成后,请注意 BuildID

  2. 在终端中运行以下 API 调用,其中 PROJECT_ID 是与您的 Google Cloud 项目关联的 ID:

    alias gcurl='curl -H"Authorization: Bearer $(gcloud auth print-access-token)"'
        gcurl 'https://containeranalysis.googleapis.com/v1/projects/PROJECT_ID/occurrences'
    

    在项目的发生实例中,按 BuildID 搜索,以查找与每个构建工件关联的出处信息。

验证出处

本部分介绍如何验证 build 出处。

验证构建出处有助于您:

  • 确认 build 工件是否从可信的源代码和构建器生成
  • 确保描述构建流程的出处元数据完整且真实

如需了解详情,请参阅保护 build

使用 SLSA 验证程序验证出处

SLSA 验证程序是一种开源 CLI 工具,用于根据 SLSA 规范验证 build 完整性。

如果验证程序发现问题,它会返回详细的错误消息,以帮助您更新构建流程并降低风险。

如需使用 SLSA 验证程序,请执行以下操作:

  1. slsa-verifier 代码库安装 2.1 版或更高版本:

    go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@VERSION
    
  2. 在 CLI 中,设置映像标识符的变量:

    export IMAGE=LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE@sha256:HASH
    

    将命令中的占位值替换为以下内容:

    • LOCATION:单区域或多区域位置
    • PROJECT_ID:Google Cloud 项目 ID。
    • REPOSITORY:代码库名称。
    • IMAGE:映像名称。
    • HASH:映像的 sha256 哈希值。您可以在构建的输出中找到上述代码。
  3. 向 gcloud CLI 授权,以便 SLSA 验证程序可以访问您的出处数据:

    gcloud auth configure-docker LOCATION-docker.pkg.dev
    
  4. 检索映像的出处,并将其存储为 JSON

    gcloud artifacts docker images describe $IMAGE --format json --show-provenance > provenance.json
    
  5. 验证出处:

    slsa-verifier verify-image "$IMAGE" \
    --provenance-path provenance.json \
    --source-uri SOURCE \
    --builder-id=BUILDER_ID
    

    其中:

    • SOURCE 是映像的源代码库 URI,例如 github.com/username/my-application

      如果您要验证的 build 不是由 Git 触发器生成的,则来源看起来会有所不同。例如,当您在本地处理源代码时,gcloud builds submit 会将您的源代码上传到 Cloud Storage。那么您的 Cloud Storage 来源信息类似于 gs://myrepo/source/1665165300.279777-955d1904741e4bbeb3461080299e929a.tgz#1665165361152799

    • BUILDER_ID:构建器的唯一 ID,例如 https://cloudbuild.googleapis.com/GoogleHostedWorker

    如果要输出经过验证的出处以在政策引擎中使用,请使用带有 --print-provenance 标志的上一个命令。

    输出类似于 PASSED: Verified SLSA provenanceFAILED: SLSA verification failed: <error details>

如需详细了解可选标志,请参阅选项

使用 gcloud CLI 验证出处元数据

如果您要验证 build 出处元数据是否未被篡改,则可以通过执行以下步骤来验证出处:

  1. 创建一个新目录,并转到该目录。

    mkdir provenance && cd provenance
    
  2. 使用 keyid 字段中的信息获取公钥。

    gcloud kms keys versions get-public-key 1 --location global --keyring attestor \
    --key builtByGCB --project verified-builder --output-file my-key.pub
    
  3. payload 包含来源的 JSON 表示法,采用 base64url 编码。解码该数据并将其存储在一个文件中。

    gcloud artifacts docker images describe \
    LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE@sha256:HASH --show-provenance \
    --format=json | jq -r '.provenance_summary.provenance[] | select(.build.intotoStatement.predicateType == "https://slsa.dev/provenance/v0.1") | .envelope.payload' | tr '\-_' '+/' | base64 -d > provenance.json
    

    SLSA 0.1 版和 1.0 版本的出处类型在可用时都会存储。如果您要针对版本 1.0 进行过滤,请将 predicateType 更改为使用 https://slsa.dev/provenance/v1。例如:

    gcloud artifacts docker images describe \
    LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE@sha256:HASH --show-provenance \
    --format=json | jq -r '.provenance_summary.provenance[] | select(.build.intotoStatement.predicateType == "https://slsa.dev/provenance/v1") | .envelope.payload' | tr '\-_' '+/' | base64 -d > provenance.json
    
  4. 信包还包含来源的签名。解码该数据并将其存储在一个文件中。

    gcloud artifacts docker images describe LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE@sha256:HASH --show-provenance \
    --format=json | '.provenance_summary.provenance[] | select(.build.intotoStatement.predicateType == "https://slsa.dev/provenance/v0.1") | .envelope.signatures[0].sig' | tr '\-_' '+/' | base64 -d > signature.bin
    

    如果您要针对版本 1.0 进行过滤,请将 predicateType 更改为使用 https://slsa.dev/provenance/v1。例如:

    gcloud artifacts docker images describe LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE@sha256:HASH --show-provenance \
    --format=json | jq -r '.provenance_summary.provenance[] | select(.build.intotoStatement.predicateType == "https://slsa.dev/provenance/v1") | .envelope.signatures[0].sig' | tr '\-_' '+/' | base64 -d > signature.bin
    
  5. 上述命令引用了由 provenanceSigner 密钥签名的第一个出处签名 (.provenance_summary.provenance[0].envelope.signatures[0])。载荷通过 PAE 格式的信封进行签名。为进行验证,请运行此命令,将来源转换为预期的 PAE 格式 "DSSEv1" + SP + LEN(type) + SP + type + SP + LEN(body) + SP + body

    echo -n "DSSEv1 28 application/vnd.in-toto+json $(cat provenance.json | wc -c) $(cat provenance.json)" > provenance.json
    
  6. 验证签名。

    openssl dgst -sha256 -verify my-key.pub -signature signature.bin provenance.json
    

    验证成功后,输出为 Verified OK

要求您的映像具有关联的出处元数据

默认情况下,如果 Cloud Build 未生成出处元数据,构建仍会成功完成。如需在 Cloud Build 没有为您的映像生成出处元数据时覆盖此行为并使构建失败,请将 requestedVerifyOption: VERIFIED 选项添加到您的构建配置文件

steps:
- name: 'gcr.io/cloud-builders/docker'
  args: [ 'build', '-t', 'us-central1-docker.pkg.dev/$PROJECT_ID/quickstart-docker-repo/quickstart-image:tag1', '.' ]
images:
- 'us-central1-docker.pkg.dev/$PROJECT_ID/quickstart-docker-repo/quickstart-image:tag1'
options:
  requestedVerifyOption: VERIFIED

添加 requestedVerifyOption 后,只有在 Cloud Build 可以生成相应的来源元数据时,Cloud Build 才会将构建标记为成功。这还会影响在区域级池中构建的映像,从而为这些映像启用来源元数据和证明生成。

后续步骤