Verify and validate via cosign and slsa-verifier
Prerequisites
Step 1: Verify GUAC image via Cosign
-
Based on the latest GUAC release, validate that the GUAC image is signed and verifiable via cosign by running the following command:
LATEST_VERSION=$(curl https://api.github.com/repos/guacsec/guac/releases/latest | grep tag_name | cut -d : -f2 | tr -d "v\", ") GUAC_DIGEST=$(crane digest ghcr.io/guacsec/guac:v$LATEST_VERSION) cosign verify ghcr.io/guacsec/guac@$GUAC_DIGEST \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ --certificate-identity https://github.com/guacsec/guac/.github/workflows/release.yaml@refs/tags/v$LATEST_VERSION
You should see an output similar to this:
Verification for ghcr.io/guacsec/guac@sha256:de50517b5a527f031395ba11de5576462bc4db6fa0eef5073f82fab052c2b07e -- The following checks were performed on each of these signatures: - The cosign claims were validated - Existence of the claims in the transparency log was verified offline - The code-signing certificate was verified using trusted certificate authority certificates [{"critical":{"identity":{"docker-reference":"ghcr.io/guacsec/guac"},"image":{"docker-manifest-digest":"sha256:de50517b5a527f031395ba11de5576462bc4db6fa0eef5073f82fab052c2b07e"},"type":"cosign container image signature"},"optional":{"1.3.6.1.4.1.57264.1.1":"https://token.actions.githubusercontent.com","1.3.6.1.4.1.57264.1.2":"push","1.3.6.1.4.1.57264.1.3":"463b8004beebbd413ecf556e4fc5a1bf986534ab","1.3.6.1.4.1.57264.1.4":"release","1.3.6.1.4.1.57264.1.5":"guacsec/guac","1.3.6.1.4.1.57264.1.6":"refs/tags/v0.1.2","Bundle":{"SignedEntryTimestamp":"MEUCIBuRzf/8IPBSjPINRC1XvzmSUhX83wGj+tX+g/7FektaAiEAq84FtWJAj+39qf8AB9ZJvbLOUUGCPdM9SsC1mDyZW24=","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIzMzBhYjVjNDcwZGU5ZGZlOTJkOGVkMzVjZTJmNDQ0OWMzY2EwMTI0ZWFmOTlkZmExZjE0ZTk2NjE2YWQ1MzJkIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FWUNJUUQzangyVlV2WiszZndpM1VubWlmS1BEckNMOWVuQlJWR0tTNzQrU1YzVWl3SWhBTnpaRkRYL3V4TWtJUjA0TnU1clJyVkYvejFHSUt3dU50UngyUitTWGZkcSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVZHBla05EUW1oTFowRjNTVUpCWjBsVlpGb3dkMWhVVlROcFVEaFVXRmw1VUZBM05IaFVNVVZGZGtaQmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcE5kMDlFUlRKTlZHZDZUbXBCTTFkb1kwNU5hazEzVDBSRk1rMVVaekJPYWtFelYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZXZVM5dGRXTlRPRGwxYzBVeWJtczNla1I0UkdVdlJGcGxTR3ROT0RSalNGVXZUeklLVmxaeGVIUlFUakEwVERGYWRrVldkV1ZITkcxUGVUVlpNUzlWUVZOdVpUaGxSMXBZTlZaUWVHOHlaVlpSTkU5dVQyRlBRMEpVUlhkbloxVjBUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZCYmpoaUNuRk5lVFZuVkdwU055dGhSbXhSUkVaRmVGUXpka280ZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDFoUldVUldVakJTUVZGSUwwSkdUWGRWV1ZwUVlVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVERKa01WbFhUbnBhVjAxMldqTldhQXBaZVRoMVdqSnNNR0ZJVm1sTU0yUjJZMjEwYldKSE9UTmplVGw1V2xkNGJGbFlUbXhNYm14b1lsZDRRV050Vm0xamVUa3dXVmRrZWt3eldYZE1ha1YxQ2sxcVFUVkNaMjl5UW1kRlJVRlpUeTlOUVVWQ1FrTjBiMlJJVW5kamVtOTJURE5TZG1FeVZuVk1iVVpxWkVkc2RtSnVUWFZhTW13d1lVaFdhV1JZVG13S1kyMU9kbUp1VW14aWJsRjFXVEk1ZEUxQ1NVZERhWE5IUVZGUlFtYzNPSGRCVVVsRlFraENNV015WjNkT1oxbExTM2RaUWtKQlIwUjJla0ZDUVhkUmJ3cE9SRmw2V1dwbmQwMUVVbWxhVjFacFdXMVJNRTFVVG14Wk1sa3hUbFJhYkU1SFdtcE9WMFY0V1cxWk5VOUVXVEZOZWxKb1dXcEJWa0puYjNKQ1owVkZDa0ZaVHk5TlFVVkZRa0ZrZVZwWGVHeFpXRTVzVFVKdlIwTnBjMGRCVVZGQ1p6YzRkMEZSVlVWRVIyUXhXVmRPZWxwWFRYWmFNMVpvV1hwQlpVSm5iM0lLUW1kRlJVRlpUeTlOUVVWSFFrSkNlVnBYV25wTU0xSm9Xak5OZG1ScVFYVk5VelI1VFVSelIwTnBjMGRCVVZGQ1p6YzRkMEZSWjBWTVVYZHlZVWhTTUFwalNFMDJUSGs1TUdJeWRHeGlhVFZvV1ROU2NHSXlOWHBNYldSd1pFZG9NVmx1Vm5wYVdFcHFZakkxTUZwWE5UQk1iVTUyWWxSQ1prSm5iM0pDWjBWRkNrRlpUeTlOUVVWS1FrWkZUVlF5YURCa1NFSjZUMms0ZGxveWJEQmhTRlpwVEcxT2RtSlRPVzVrVjBacVl6Sldha3d5WkRGWlYwMTJURzFrY0dSSGFERUtXV2s1TTJJelNuSmFiWGgyWkROTmRtTnRWbk5hVjBaNldsTTFOVmxYTVhOUlNFcHNXbTVOZG1SSFJtNWplVGt5VFVNMGVFeHFTWGRQUVZsTFMzZFpRZ3BDUVVkRWRucEJRa05uVVhGRVEyY3dUbXBPYVU5RVFYZE9SMHBzV2xkS2FWcEVVWGhOTWxacVdtcFZNVTV0VlRCYWJVMHhXVlJHYVZwcWF6Uk9hbFY2Q2s1SFJtbE5RakJIUTJselIwRlJVVUpuTnpoM1FWRnpSVVIzZDA1YU1td3dZVWhXYVV4WGFIWmpNMUpzV2tSQmRrSm5iM0pDWjBWRlFWbFBMMDFCUlUwS1FrTkZUVWd5YURCa1NFSjZUMms0ZGxveWJEQmhTRlpwVEcxT2RtSlRPVzVrVjBacVl6Sldha3d5WkRGWlYwMTNUMEZaUzB0M1dVSkNRVWRFZG5wQlFncEVVVkZ4UkVObk1FNXFUbWxQUkVGM1RrZEtiRnBYU21sYVJGRjRUVEpXYWxwcVZURk9iVlV3V20xTk1WbFVSbWxhYW1zMFRtcFZlazVIUm1sTlEwRkhDa05wYzBkQlVWRkNaemM0ZDBGUk5FVkZaM2RSWTIxV2JXTjVPVEJaVjJSNlRETlpkMHhxUlhWTmFrRmFRbWR2Y2tKblJVVkJXVTh2VFVGRlVFSkJjMDBLUTFSVmQwMXFSWGxPZWtVeVRtcEJjVUpuYjNKQ1owVkZRVmxQTDAxQlJWRkNRbmROUjIxb01HUklRbnBQYVRoMldqSnNNR0ZJVm1sTWJVNTJZbE01Ymdwa1YwWnFZekpXYWsxQ2EwZERhWE5IUVZGUlFtYzNPSGRCVWtWRlEzZDNTazFVUlhoTmVtdDZUMFJyZUUxR09FZERhWE5IUVZGUlFtYzNPSGRCVWtsRkNsVlJlRkJoU0ZJd1kwaE5Oa3g1T1c1aFdGSnZaRmRKZFZreU9YUk1NbVF4V1ZkT2VscFhUWFphTTFab1dYazRkVm95YkRCaFNGWnBURE5rZG1OdGRHMEtZa2M1TTJONU9YbGFWM2hzV1ZoT2JFeHViR2hpVjNoQlkyMVdiV041T1RCWlYyUjZURE5aZDB4cVJYVk5ha0UwUW1kdmNrSm5SVVZCV1U4dlRVRkZWQXBDUTI5TlMwUlJNazB5U1RSTlJFRXdXVzFXYkZsdFNtdE9SRVY2V2xkT2JVNVVWVEphVkZKdFdYcFdhRTFYU20xUFZHY3lUbFJOTUZsWFNYZEdRVmxMQ2t0M1dVSkNRVWRFZG5wQlFrWkJVVWRFUVZKM1pGaE9iMDFHU1VkRGFYTkhRVkZSUW1jM09IZEJVbFZGVWtGNFEyRklVakJqU0UwMlRIazVibUZZVW04S1pGZEpkVmt5T1hSTU1tUXhXVmRPZWxwWFRYWmFNMVpvV1hrNWFGa3pVbkJpTWpWNlRETktNV0p1VFhaT1ZHYzBUV3BWTUU5RVNUQk5RemxvWkVoU2JBcGlXRUl3WTNrNGVFMUNXVWREYVhOSFFWRlJRbWMzT0hkQlVsbEZRMEYzUjJOSVZtbGlSMnhxVFVsSFNrSm5iM0pDWjBWRlFXUmFOVUZuVVVOQ1NITkZDbVZSUWpOQlNGVkJNMVF3ZDJGellraEZWRXBxUjFJMFkyMVhZek5CY1VwTFdISnFaVkJMTXk5b05IQjVaME00Y0Rkdk5FRkJRVWRLTHpaSmVXWm5RVUVLUWtGTlFWSnFRa1ZCYVVJNVFVZHJUMFJwZG1Nd2RFNUZNV2xwYVdGNE9XMUhVMjlHZUZocmEzaEtialJZYjBWVVkwTTNUVTlSU1dkUmJGaFZPR1p6YWdwclZYTXJSMU1yTmt0WlkxQllhRmQ2V0RCdVpIaE1SVkZFV0RGdlpUbHRNMmRXUlhkRFoxbEpTMjlhU1hwcU1FVkJkMDFFV25kQmQxcEJTWGRYZVZodUNuazJZM1UyTm00M05sRnFOVGxqZUdaSmNVRlBlV1ZsV0cxR1NrdG9iMlZKZEdaTFUzWTFaRTVHTjA4elNFUnFkR3M1T0V0aE15dHdVV2xoZWtGcVFVd0tlRnBRZFVwRldIZEZTSEZTY0RRMWJrSkpVelpDUkRkMVdFTkZaV2xhTVV4dE0xbEhhelJwYTNWakwzVjVkVGxLYW5kRlozTmxTR2h4UmtkSVZXdzRQUW90TFMwdExVVk9SQ0JEUlZKVVNVWkpRMEZVUlMwdExTMHRDZz09In19fX0=","integratedTime":1692210967,"logIndex":31541333,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"Issuer":"https://token.actions.githubusercontent.com","Subject":"https://github.com/guacsec/guac/.github/workflows/release.yaml@refs/tags/v0.1.2","git_sha":"463b8004beebbd413ecf556e4fc5a1bf986534ab","githubWorkflowName":"release","githubWorkflowRef":"refs/tags/v0.1.2","githubWorkflowRepository":"guacsec/guac","githubWorkflowSha":"463b8004beebbd413ecf556e4fc5a1bf986534ab","githubWorkflowTrigger":"push"}}]
-
We can also verify the SLSA attestation on the image via:
cosign verify-attestation ghcr.io/guacsec/guac@$GUAC_DIGEST \ --certificate-identity https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v1.8.0 \ --certificate-oidc-issuer https://token.actions.githubusercontent.com --type 'https://slsa.dev/provenance/v0.2'
you should see an output similar to this:
Verification for ghcr.io/guacsec/guac@sha256:de50517b5a527f031395ba11de5576462bc4db6fa0eef5073f82fab052c2b07e -- The following checks were performed on each of these signatures: - The cosign claims were validated - Existence of the claims in the transparency log was verified offline - The code-signing certificate was verified using trusted certificate authority certificates Certificate subject: https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v1.8.0 Certificate issuer URL: https://token.actions.githubusercontent.com GitHub Workflow Trigger: push GitHub Workflow SHA: 463b8004beebbd413ecf556e4fc5a1bf986534ab GitHub Workflow Name: release GitHub Workflow Repository: guacsec/guac GitHub Workflow Ref: refs/tags/v0.1.2 {"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJnaGNyLmlvL2d1YWNzZWMvZ3VhYyIsImRpZ2VzdCI6eyJzaGEyNTYiOiJkZTUwNTE3YjVhNTI3ZjAzMTM5NWJhMTFkZTU1NzY0NjJiYzRkYjZmYTBlZWY1MDczZjgyZmFiMDUyYzJiMDdlIn19XSwicHJlZGljYXRlIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vc2xzYS1mcmFtZXdvcmsvc2xzYS1naXRodWItZ2VuZXJhdG9yLy5naXRodWIvd29ya2Zsb3dzL2dlbmVyYXRvcl9jb250YWluZXJfc2xzYTMueW1sQHJlZnMvdGFncy92MS44LjAifSwiYnVpbGRUeXBlIjoiaHR0cHM6Ly9naXRodWIuY29tL3Nsc2EtZnJhbWV3b3JrL3Nsc2EtZ2l0aHViLWdlbmVyYXRvci9jb250YWluZXJAdjEiLCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6eyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL2d1YWNzZWMvZ3VhY0ByZWZzL3RhZ3MvdjAuMS4yIiwiZGlnZXN0Ijp7InNoYTEiOiI0NjNiODAwNGJlZWJiZDQxM2VjZjU1NmU0ZmM1YTFiZjk4NjUzNGFiIn0sImVudHJ5UG9pbnQiOiIuZ2l0aHViL3dvcmtmbG93cy9yZWxlYXNlLnlhbWwifSwicGFyYW1ldGVycyI6e30sImVudmlyb25tZW50Ijp7ImdpdGh1Yl9hY3RvciI6InB4cDkyOCIsImdpdGh1Yl9hY3Rvcl9pZCI6Ijg4MDQ1MjE3IiwiZ2l0aHViX2Jhc2VfcmVmIjoiIiwiZ2l0aHViX2V2ZW50X25hbWUiOiJwdXNoIiwiZ2l0aHViX2V2ZW50X3BheWxvYWQiOnsiYWZ0ZXIiOiI0NjNiODAwNGJlZWJiZDQxM2VjZjU1NmU0ZmM1YTFiZjk4NjUzNGFiIiwiYmFzZV9yZWYiOiJyZWZzL2hlYWRzL21haW4iLCJiZWZvcmUiOiIwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwIiwiY29tbWl0cyI6W10sImNvbXBhcmUiOiJodHRwczovL2dpdGh1Yi5jb20vZ3VhY3NlYy9ndWFjL2NvbXBhcmUvdjAuMS4yIiwiY3JlYXRlZCI6dHJ1ZSwiZGVsZXRlZCI6ZmFsc2UsImZvcmNlZCI6ZmFsc2UsImhlYWRfY29tbWl0Ijp7ImF1dGhvciI6eyJlbWFpbCI6IjQyMzE5OTQ4K25hdGhhbm5hdmVlbkB1c2Vycy5ub3JlcGx5LmdpdGh1Yi5jb20iLCJuYW1lIjoiTmF0aGFuIE5hdmVlbiIsInVzZXJuYW1lIjoibmF0aGFubmF2ZWVuIn0sImNvbW1pdHRlciI6eyJlbWFpbCI6Im5vcmVwbHlAZ2l0aHViLmNvbSIsIm5hbWUiOiJHaXRIdWIiLCJ1c2VybmFtZSI6IndlYi1mbG93In0sImRpc3RpbmN0Ijp0cnVlLCJpZCI6IjQ2M2I4MDA0YmVlYmJkNDEzZWNmNTU2ZTRmYzVhMWJmOTg2NTM0YWIiLCJtZXNzYWdlIjoiOmJvb2s6IEluY2x1ZGVkIGNvbW1lbnRzIGZvciB0aGUgYmZzIG9uIHBhdGNoUGxhbm5pbmcgKCMxMTMwKVxuXG4qIFtkb2NzXSBJbmNsdWRlZCBjb21tZW50cyBmb3IgdGhlIGJmcyBvbiBwYXRjaFBsYW5uaW5nXG5cbiogSW5jbHVkZWQgY29tbWVudHMgb24gU2VhcmNoRGVwZW5kZW5jaWVzRnJvbVN0YXJ0Tm9kZVxuXG5TaWduZWQtb2ZmLWJ5OiBuYXRoYW5uYXZlZW4gXHUwMDNjNDIzMTk5NDgrbmF0aGFubmF2ZWVuQHVzZXJzLm5vcmVwbHkuZ2l0aHViLmNvbVx1MDAzZVxuXG4qIFVwZGF0ZWQgQmFzZWQgb24gQ29kZSBSZXZpZXdcblxuU2lnbmVkLW9mZi1ieTogbmF0aGFubmF2ZWVuIFx1MDAzYzQyMzE5OTQ4K25hdGhhbm5hdmVlbkB1c2Vycy5ub3JlcGx5LmdpdGh1Yi5jb21cdTAwM2VcblxuKiBSZW1vdmVkIGV4dHJhIHJldHVybiB2YWx1ZVxuXG5TaWduZWQtb2ZmLWJ5OiBuYXRoYW5uYXZlZW4gXHUwMDNjNDIzMTk5NDgrbmF0aGFubmF2ZWVuQHVzZXJzLm5vcmVwbHkuZ2l0aHViLmNvbVx1MDAzZVxuXG4qIFVwZGF0ZWQgYmFzZWQgb24gY29kZSByZXZpZXdcblxuU2lnbmVkLW9mZi1ieTogbmF0aGFubmF2ZWVuIFx1MDAzYzQyMzE5OTQ4K25hdGhhbm5hdmVlbkB1c2Vycy5ub3JlcGx5LmdpdGh1Yi5jb21cdTAwM2VcblxuLS0tLS0tLS0tXG5cblNpZ25lZC1vZmYtYnk6IG5hdGhhbm5hdmVlbiBcdTAwM2M0MjMxOTk0OCtuYXRoYW5uYXZlZW5AdXNlcnMubm9yZXBseS5naXRodWIuY29tXHUwMDNlIiwidGltZXN0YW1wIjoiMjAyMy0wOC0xNVQyMToxMToyN1oiLCJ0cmVlX2lkIjoiZmQwNjUzY2EwM2MzYzVhNTViMTAxYjA3MzU4ODQ4NGFmOGZmYzM1ZSIsInVybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ndWFjc2VjL2d1YWMvY29tbWl0LzQ2M2I4MDA0YmVlYmJkNDEzZWNmNTU2ZTRmYzVhMWJmOTg2NTM0YWIifSwib3JnYW5pemF0aW9uIjp7ImF2YXRhcl91cmwiOiJodHRwczovL2F2YXRhcnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3UvMTExMzkzODkxP3Y9NCIsImRlc2NyaXB0aW9uIjpudWxsLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9vcmdzL2d1YWNzZWMvZXZlbnRzIiwiaG9va3NfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9vcmdzL2d1YWNzZWMvaG9va3MiLCJpZCI6MTExMzkzODkxLCJpc3N1ZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9vcmdzL2d1YWNzZWMvaXNzdWVzIiwibG9naW4iOiJndWFjc2VjIiwibWVtYmVyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL29yZ3MvZ3VhY3NlYy9tZW1iZXJzey9tZW1iZXJ9Iiwibm9kZV9pZCI6Ik9fa2dET0JxTzhZdyIsInB1YmxpY19tZW1iZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vb3Jncy9ndWFjc2VjL3B1YmxpY19tZW1iZXJzey9tZW1iZXJ9IiwicmVwb3NfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9vcmdzL2d1YWNzZWMvcmVwb3MiLCJ1cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL29yZ3MvZ3VhY3NlYyJ9LCJwdXNoZXIiOnsiZW1haWwiOiI4ODA0NTIxNytweHA5MjhAdXNlcnMubm9yZXBseS5naXRodWIuY29tIiwibmFtZSI6InB4cDkyOCJ9LCJyZWYiOiJyZWZzL3RhZ3MvdjAuMS4yIiwicmVwb3NpdG9yeSI6eyJhbGxvd19mb3JraW5nIjp0cnVlLCJhcmNoaXZlX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZ3VhY3NlYy9ndWFjL3thcmNoaXZlX2Zvcm1hdH17L3JlZn0iLCJhcmNoaXZlZCI6ZmFsc2UsImFzc2lnbmVlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2d1YWNzZWMvZ3VhYy9hc3NpZ25lZXN7L3VzZXJ9IiwiYmxvYnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvZ2l0L2Jsb2Jzey9zaGF9IiwiYnJhbmNoZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvYnJhbmNoZXN7L2JyYW5jaH0iLCJjbG9uZV91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZ3VhY3NlYy9ndWFjLmdpdCIsImNvbGxhYm9yYXRvcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvY29sbGFib3JhdG9yc3svY29sbGFib3JhdG9yfSIsImNvbW1lbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZ3VhY3NlYy9ndWFjL2NvbW1lbnRzey9udW1iZXJ9IiwiY29tbWl0c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2d1YWNzZWMvZ3VhYy9jb21taXRzey9zaGF9IiwiY29tcGFyZV91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2d1YWNzZWMvZ3VhYy9jb21wYXJlL3tiYXNlfS4uLntoZWFkfSIsImNvbnRlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZ3VhY3NlYy9ndWFjL2NvbnRlbnRzL3srcGF0aH0iLCJjb250cmlidXRvcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvY29udHJpYnV0b3JzIiwiY3JlYXRlZF9hdCI6MTY1NDg4MjA4NywiZGVmYXVsdF9icmFuY2giOiJtYWluIiwiZGVwbG95bWVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvZGVwbG95bWVudHMiLCJkZXNjcmlwdGlvbiI6IkdVQUMgYWdncmVnYXRlcyBzb2Z0d2FyZSBzZWN1cml0eSBtZXRhZGF0YSBpbnRvIGEgaGlnaCBmaWRlbGl0eSBncmFwaCBkYXRhYmFzZS4iLCJkaXNhYmxlZCI6ZmFsc2UsImRvd25sb2Fkc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2d1YWNzZWMvZ3VhYy9kb3dubG9hZHMiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvZXZlbnRzIiwiZm9yayI6ZmFsc2UsImZvcmtzIjoxMTYsImZvcmtzX2NvdW50IjoxMTYsImZvcmtzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZ3VhY3NlYy9ndWFjL2ZvcmtzIiwiZnVsbF9uYW1lIjoiZ3VhY3NlYy9ndWFjIiwiZ2l0X2NvbW1pdHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvZ2l0L2NvbW1pdHN7L3NoYX0iLCJnaXRfcmVmc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2d1YWNzZWMvZ3VhYy9naXQvcmVmc3svc2hhfSIsImdpdF90YWdzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZ3VhY3NlYy9ndWFjL2dpdC90YWdzey9zaGF9IiwiZ2l0X3VybCI6ImdpdDovL2dpdGh1Yi5jb20vZ3VhY3NlYy9ndWFjLmdpdCIsImhhc19kaXNjdXNzaW9ucyI6ZmFsc2UsImhhc19kb3dubG9hZHMiOnRydWUsImhhc19pc3N1ZXMiOnRydWUsImhhc19wYWdlcyI6ZmFsc2UsImhhc19wcm9qZWN0cyI6dHJ1ZSwiaGFzX3dpa2kiOnRydWUsImhvbWVwYWdlIjoiaHR0cHM6Ly9ndWFjLnNoIiwiaG9va3NfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvaG9va3MiLCJodG1sX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ndWFjc2VjL2d1YWMiLCJpZCI6NTAyMTI3MTY2LCJpc190ZW1wbGF0ZSI6ZmFsc2UsImlzc3VlX2NvbW1lbnRfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvaXNzdWVzL2NvbW1lbnRzey9udW1iZXJ9IiwiaXNzdWVfZXZlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZ3VhY3NlYy9ndWFjL2lzc3Vlcy9ldmVudHN7L251bWJlcn0iLCJpc3N1ZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvaXNzdWVzey9udW1iZXJ9Iiwia2V5c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2d1YWNzZWMvZ3VhYy9rZXlzey9rZXlfaWR9IiwibGFiZWxzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZ3VhY3NlYy9ndWFjL2xhYmVsc3svbmFtZX0iLCJsYW5ndWFnZSI6IkdvIiwibGFuZ3VhZ2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZ3VhY3NlYy9ndWFjL2xhbmd1YWdlcyIsImxpY2Vuc2UiOnsia2V5IjoiYXBhY2hlLTIuMCIsIm5hbWUiOiJBcGFjaGUgTGljZW5zZSAyLjAiLCJub2RlX2lkIjoiTURjNlRHbGpaVzV6WlRJPSIsInNwZHhfaWQiOiJBcGFjaGUtMi4wIiwidXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9saWNlbnNlcy9hcGFjaGUtMi4wIn0sIm1hc3Rlcl9icmFuY2giOiJtYWluIiwibWVyZ2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZ3VhY3NlYy9ndWFjL21lcmdlcyIsIm1pbGVzdG9uZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvbWlsZXN0b25lc3svbnVtYmVyfSIsIm1pcnJvcl91cmwiOm51bGwsIm5hbWUiOiJndWFjIiwibm9kZV9pZCI6IlJfa2dET0hlM2FQZyIsIm5vdGlmaWNhdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvbm90aWZpY2F0aW9uc3s/c2luY2UsYWxsLHBhcnRpY2lwYXRpbmd9Iiwib3Blbl9pc3N1ZXMiOjEwMCwib3Blbl9pc3N1ZXNfY291bnQiOjEwMCwib3JnYW5pemF0aW9uIjoiZ3VhY3NlYyIsIm93bmVyIjp7ImF2YXRhcl91cmwiOiJodHRwczovL2F2YXRhcnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3UvMTExMzkzODkxP3Y9NCIsImVtYWlsIjpudWxsLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9ndWFjc2VjL2V2ZW50c3svcHJpdmFjeX0iLCJmb2xsb3dlcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9ndWFjc2VjL2ZvbGxvd2VycyIsImZvbGxvd2luZ191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2d1YWNzZWMvZm9sbG93aW5ney9vdGhlcl91c2VyfSIsImdpc3RzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZ3VhY3NlYy9naXN0c3svZ2lzdF9pZH0iLCJncmF2YXRhcl9pZCI6IiIsImh0bWxfdXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL2d1YWNzZWMiLCJpZCI6MTExMzkzODkxLCJsb2dpbiI6Imd1YWNzZWMiLCJuYW1lIjoiZ3VhY3NlYyIsIm5vZGVfaWQiOiJPX2tnRE9CcU84WXciLCJvcmdhbml6YXRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZ3VhY3NlYy9vcmdzIiwicmVjZWl2ZWRfZXZlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZ3VhY3NlYy9yZWNlaXZlZF9ldmVudHMiLCJyZXBvc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2d1YWNzZWMvcmVwb3MiLCJzaXRlX2FkbWluIjpmYWxzZSwic3RhcnJlZF91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2d1YWNzZWMvc3RhcnJlZHsvb3duZXJ9ey9yZXBvfSIsInN1YnNjcmlwdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9ndWFjc2VjL3N1YnNjcmlwdGlvbnMiLCJ0eXBlIjoiT3JnYW5pemF0aW9uIiwidXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9ndWFjc2VjIn0sInByaXZhdGUiOmZhbHNlLCJwdWxsc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2d1YWNzZWMvZ3VhYy9wdWxsc3svbnVtYmVyfSIsInB1c2hlZF9hdCI6MTY5MjIxMDc4NCwicmVsZWFzZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvcmVsZWFzZXN7L2lkfSIsInNpemUiOjYyOTAsInNzaF91cmwiOiJnaXRAZ2l0aHViLmNvbTpndWFjc2VjL2d1YWMuZ2l0Iiwic3RhcmdhemVycyI6MTAwNCwic3RhcmdhemVyc19jb3VudCI6MTAwNCwic3RhcmdhemVyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2d1YWNzZWMvZ3VhYy9zdGFyZ2F6ZXJzIiwic3RhdHVzZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvc3RhdHVzZXMve3NoYX0iLCJzdWJzY3JpYmVyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2d1YWNzZWMvZ3VhYy9zdWJzY3JpYmVycyIsInN1YnNjcmlwdGlvbl91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2d1YWNzZWMvZ3VhYy9zdWJzY3JpcHRpb24iLCJzdm5fdXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL2d1YWNzZWMvZ3VhYyIsInRhZ3NfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvdGFncyIsInRlYW1zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZ3VhY3NlYy9ndWFjL3RlYW1zIiwidG9waWNzIjpbXSwidHJlZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvZ2l0L3RyZWVzey9zaGF9IiwidXBkYXRlZF9hdCI6IjIwMjMtMDgtMTVUMTU6Mzk6NTlaIiwidXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL2d1YWNzZWMvZ3VhYyIsInZpc2liaWxpdHkiOiJwdWJsaWMiLCJ3YXRjaGVycyI6MTAwNCwid2F0Y2hlcnNfY291bnQiOjEwMDQsIndlYl9jb21taXRfc2lnbm9mZl9yZXF1aXJlZCI6ZmFsc2V9LCJzZW5kZXIiOnsiYXZhdGFyX3VybCI6Imh0dHBzOi8vYXZhdGFycy5naXRodWJ1c2VyY29udGVudC5jb20vdS84ODA0NTIxNz92PTQiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9weHA5MjgvZXZlbnRzey9wcml2YWN5fSIsImZvbGxvd2Vyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL3B4cDkyOC9mb2xsb3dlcnMiLCJmb2xsb3dpbmdfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9weHA5MjgvZm9sbG93aW5ney9vdGhlcl91c2VyfSIsImdpc3RzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvcHhwOTI4L2dpc3Rzey9naXN0X2lkfSIsImdyYXZhdGFyX2lkIjoiIiwiaHRtbF91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vcHhwOTI4IiwiaWQiOjg4MDQ1MjE3LCJsb2dpbiI6InB4cDkyOCIsIm5vZGVfaWQiOiJNRFE2VlhObGNqZzRNRFExTWpFMyIsIm9yZ2FuaXphdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9weHA5Mjgvb3JncyIsInJlY2VpdmVkX2V2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL3B4cDkyOC9yZWNlaXZlZF9ldmVudHMiLCJyZXBvc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL3B4cDkyOC9yZXBvcyIsInNpdGVfYWRtaW4iOmZhbHNlLCJzdGFycmVkX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvcHhwOTI4L3N0YXJyZWR7L293bmVyfXsvcmVwb30iLCJzdWJzY3JpcHRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvcHhwOTI4L3N1YnNjcmlwdGlvbnMiLCJ0eXBlIjoiVXNlciIsInVybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvcHhwOTI4In19LCJnaXRodWJfaGVhZF9yZWYiOiIiLCJnaXRodWJfcmVmIjoicmVmcy90YWdzL3YwLjEuMiIsImdpdGh1Yl9yZWZfdHlwZSI6InRhZyIsImdpdGh1Yl9yZXBvc2l0b3J5X2lkIjoiNTAyMTI3MTY2IiwiZ2l0aHViX3JlcG9zaXRvcnlfb3duZXIiOiJndWFjc2VjIiwiZ2l0aHViX3JlcG9zaXRvcnlfb3duZXJfaWQiOiIxMTEzOTM4OTEiLCJnaXRodWJfcnVuX2F0dGVtcHQiOiIxIiwiZ2l0aHViX3J1bl9pZCI6IjU4ODI1NDgyNDAiLCJnaXRodWJfcnVuX251bWJlciI6IjIyNCIsImdpdGh1Yl9zaGExIjoiNDYzYjgwMDRiZWViYmQ0MTNlY2Y1NTZlNGZjNWExYmY5ODY1MzRhYiJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSUQiOiI1ODgyNTQ4MjQwLTEiLCJjb21wbGV0ZW5lc3MiOnsicGFyYW1ldGVycyI6dHJ1ZSwiZW52aXJvbm1lbnQiOmZhbHNlLCJtYXRlcmlhbHMiOmZhbHNlfSwicmVwcm9kdWNpYmxlIjpmYWxzZX0sIm1hdGVyaWFscyI6W3sidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9ndWFjc2VjL2d1YWNAcmVmcy90YWdzL3YwLjEuMiIsImRpZ2VzdCI6eyJzaGExIjoiNDYzYjgwMDRiZWViYmQ0MTNlY2Y1NTZlNGZjNWExYmY5ODY1MzRhYiJ9fV19fQ==","signatures":[{"keyid":"","sig":"MEQCIGod4j6gQywneGxoMj1WaICGb5T6+mmF3a8G3YfTS1oMAiBuiEup7lmOgLpGQKwWIiXQE+keBWYZSmuLgXTKnLh47g=="}]}
Step 2: Download GUAC binary and verify
-
We can also verify the binaries via the checksums associated with each. Download the latest GUAC release guac_checksums.txt file. This contains all the checksums for all artifacts included in the release:
curl -O -L "https://github.com/guacsec/guac/releases/latest/download/guac_checksums.txt"
First we will verify signature of this file via:
LATEST_VERSION=$(curl https://api.github.com/repos/guacsec/guac/releases/latest | grep tag_name | cut -d : -f2 | tr -d "v\", ") cosign verify-blob --cert https://github.com/guacsec/guac/releases/download/v$LATEST_VERSION/guac_checksums.txt-keyless.pem \ --signature https://github.com/guacsec/guac/releases/download/v$LATEST_VERSION/guac_checksums.txt-keyless.sig \ ./guac_checksums.txt \ --certificate-identity https://github.com/guacsec/guac/.github/workflows/release.yaml@refs/tags/v$LATEST_VERSION \ --certificate-oidc-issuer https://token.actions.githubusercontent.com
The output should be:
Verified OK
-
Download the GUAC CLI
guacone
binary for your machine’s OS and architecture from the latest GUAC release. For example Linux x86_64 is `guacone-linux-amd64’. -
Calculate the checksum of the binary. For example:
shasum -a 256 guacone-linux-amd64
which will output:
769040ce66e97a6398e2e697107fbdb02daa2fdeb97784ac70dc38b794c8b02b guacone-linux-amd64
compare this against the guac_checksums.txt downloaded above and you should see that they match.
-
Verify the signature. We generate SLSA 3 provenance using the OpenSSF’s slsa-framework/slsa-github-generator. To verify our release, install the verification tool from slsa-framework/slsa-verifier#installation and verify as follows:
For example if using `guacone-linux-amd64’ the command would would be as follows:
LATEST_VERSION=$(curl https://api.github.com/repos/guacsec/guac/releases/latest | grep tag_name | cut -d : -f2 | tr -d "v\", ") curl -sL https://github.com/guacsec/guac/releases/download/v$LATEST_VERSION/multiple.intoto.jsonl > multiple.intoto.jsonl slsa-verifier verify-artifact ./guacone-linux-amd64 --provenance-path ./multiple.intoto.jsonl --source-uri github.com/guacsec/guac
You should see an output similar to this:
Verified signature against tlog entry index 31541425 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a020e9997ab4ec1312d9f95e211b528e9a8751f775d78c5542a365cd2bfb82871 Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.8.0" at commit 463b8004beebbd413ecf556e4fc5a1bf986534ab Verifying artifact ./guacone-linux-amd64: PASSED PASSED: Verified SLSA provenance
Step 3: Verify guac-visualizer image via Cosign
-
Similar to the above, we can verify the latest guac-visualizer release, by running the following command. As the current guac-visualizer is in pre-release, we cannot fetch the latest version. Replace the
LATEST_VERSION
with the latest verion for the guac-visualizer:LATEST_VERSION=0.1.1 GUAC_DIGEST=$(crane digest ghcr.io/guacsec/guac-visualizer:v$LATEST_VERSION) cosign verify ghcr.io/guacsec/guac-visualizer@$GUAC_DIGEST \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ --certificate-identity https://github.com/guacsec/guac-visualizer/.github/workflows/release.yaml@refs/tags/v$LATEST_VERSION
You should see an output similar to this:
Verification for ghcr.io/guacsec/guac-visualizer@sha256:d75c71a4ad5cec96d1a453d7aea7e6ae5886af178a6380dececf695fcc7f3ad1 -- The following checks were performed on each of these signatures: - The cosign claims were validated - Existence of the claims in the transparency log was verified offline - The code-signing certificate was verified using trusted certificate authority certificates [{"critical":{"identity":{"docker-reference":"ghcr.io/guacsec/guac-visualizer"},"image":{"docker-manifest-digest":"sha256:d75c71a4ad5cec96d1a453d7aea7e6ae5886af178a6380dececf695fcc7f3ad1"},"type":"cosign container image signature"},"optional":{"1.3.6.1.4.1.57264.1.1":"https://token.actions.githubusercontent.com","1.3.6.1.4.1.57264.1.2":"push","1.3.6.1.4.1.57264.1.3":"59751aae96e5290cf2cab9f721a63050bf5db42e","1.3.6.1.4.1.57264.1.4":"release-guac-visualizer-image","1.3.6.1.4.1.57264.1.5":"guacsec/guac-visualizer","1.3.6.1.4.1.57264.1.6":"refs/tags/v0.1.1","Bundle":{"SignedEntryTimestamp":"MEUCIHfbwjJNVK4TPGqjf6Duw9enBO4mPANckvN2PJp2jDtjAiEAkEIpM0I34T3yW6q6SaAsAT+ZDyLc5SOdKjH5USCZZqs=","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJmMzcwMTBlN2NhOWI1YjdiNTY3MDA2OGRmN2M3NmViNTNiMzM4ZjU1NGQ1NjRjNzZhODE2Y2Q0MDNiYTQ1ZGY2In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUN5UGZ4S05TaWMycSt6K3U1SEYyQS91WVFBV0pYeUZFeGZpcGd3NW5TNmRnSWdIbStYRUZxUnV3WDF3dEg0TXNpRXVWeEdueWJENTdaVkh5ZUk0SEZuZHQ4PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVYzFha05EUW0xNVowRjNTVUpCWjBsVllVZFJOelpKZVdOQ2IyWjRiWGRyU1hKQ1IxQmpaREZ1WjA5UmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcE5kMDlFUlROTlZHdDRUbFJCZDFkb1kwNU5hazEzVDBSRk0wMVVhM2xPVkVGM1YycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVV2UlVkWU5XdHlZbVJhWW1aU1JVZHFkMDVwYzNkWWJXaHhUR0Y0WTFWVmVuRjNkMjBLTVdKUlpURk9VMlJZUm1Kb1JrdFFjMk5uYjFaVVRqRXlXVTVQVkVGRmVGRXJUbmM0TUU5a01HUnNNM3BKYURKaEwwdFBRMEpaYzNkbloxZElUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZFV0ZONUNuTmlRMGRCYms1NWNURk1TV2x1T0c1RmIyc3JjbkZuZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDJGQldVUldVakJTUVZGSUwwSkdOSGRZU1ZwaFlVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVERKa01WbFhUbnBhVjAxMldqTldhQXBaZVRFeVlWaE9NVmxYZUhCbGJWWjVUSGsxYm1GWVVtOWtWMGwyWkRJNWVXRXlXbk5pTTJSNlRETktiR0pIVm1oak1sVjFaVmRHZEdKRlFubGFWMXA2Q2t3elVtaGFNMDEyWkdwQmRVMVROSGhOUkd0SFEybHpSMEZSVVVKbk56aDNRVkZGUlVzeWFEQmtTRUo2VDJrNGRtUkhPWEphVnpSMVdWZE9NR0ZYT1hVS1kzazFibUZZVW05a1Ywb3hZekpXZVZreU9YVmtSMVoxWkVNMWFtSXlNSGRGWjFsTFMzZFpRa0pCUjBSMmVrRkNRV2RSUldOSVZucGhSRUV5UW1kdmNncENaMFZGUVZsUEwwMUJSVVJDUTJjeFQxUmpNVTFYUm1oYVZHc3lXbFJWZVU5VVFtcGFha3BxV1ZkSk5WcHFZM2xOVjBVeVRYcEJNVTFIU20xT1YxSnBDazVFU214TlEzTkhRMmx6UjBGUlVVSm5OemgzUVZGUlJVaFlTbXhpUjFab1l6SlZkRm96Vm1oWmVURXlZVmhPTVZsWGVIQmxiVlo1VEZkc2RGbFhaR3dLVFVOVlIwTnBjMGRCVVZGQ1p6YzRkMEZSVlVWR01tUXhXVmRPZWxwWFRYWmFNMVpvV1hreE1tRllUakZaVjNod1pXMVdlVTFDTkVkRGFYTkhRVkZSUWdwbk56aDNRVkZaUlVWSVNteGFiazEyWkVkR2JtTjVPVEpOUXpSNFRHcEZkMDkzV1V0TGQxbENRa0ZIUkhaNlFVSkRRVkYwUkVOMGIyUklVbmRqZW05MkNrd3pVblpoTWxaMVRHMUdhbVJIYkhaaWJrMTFXakpzTUdGSVZtbGtXRTVzWTIxT2RtSnVVbXhpYmxGMVdUSTVkRTFIYjBkRGFYTkhRVkZSUW1jM09IY0tRVkZyUlZoQmVHRmhTRkl3WTBoTk5reDVPVzVoV0ZKdlpGZEpkVmt5T1hSTU1tUXhXVmRPZWxwWFRYWmFNMVpvV1hreE1tRllUakZaVjNod1pXMVdlUXBNZVRWdVlWaFNiMlJYU1haa01qbDVZVEphYzJJelpIcE1NMHBzWWtkV2FHTXlWWFZsVjBaMFlrVkNlVnBYV25wTU0xSm9Xak5OZG1ScVFYVk5VelI0Q2sxRVowZERhWE5IUVZGUlFtYzNPSGRCVVc5RlMyZDNiMDVVYXpOT1ZFWm9XVmRWTlU1dFZURk5hbXQzV1RKWmVWa3lSbWxQVjFrelRXcEdhRTVxVFhjS1RsUkNhVnBxVm10WmFsRjVXbFJCWkVKbmIzSkNaMFZGUVZsUEwwMUJSVXhDUVRoTlJGZGtjR1JIYURGWmFURnZZak5PTUZwWFVYZFBaMWxMUzNkWlFncENRVWRFZG5wQlFrUkJVWE5FUTNCdlpFaFNkMk42YjNaTU1tUndaRWRvTVZscE5XcGlNakIyV2pOV2FGa3pUbXhaZVRsdVpGZEdha3hZV25Cak0xWm9DbUpIYkRaYVdFbDNUMEZaUzB0M1dVSkNRVWRFZG5wQlFrUlJVWEZFUTJjeFQxUmpNVTFYUm1oYVZHc3lXbFJWZVU5VVFtcGFha3BxV1ZkSk5WcHFZM2tLVFZkRk1rMTZRVEZOUjBwdFRsZFNhVTVFU214TlEwRkhRMmx6UjBGUlVVSm5OemgzUVZFMFJVVm5kMUZqYlZadFkzazVNRmxYWkhwTU0xbDNUR3BGZFFwTlZFRmFRbWR2Y2tKblJVVkJXVTh2VFVGRlVFSkJjMDFEVkZsM1RXcGpkMDVFVVhkT1JFRnhRbWR2Y2tKblJVVkJXVTh2VFVGRlVVSkNkMDFIYldnd0NtUklRbnBQYVRoMldqSnNNR0ZJVm1sTWJVNTJZbE01Ym1SWFJtcGpNbFpxVFVKclIwTnBjMGRCVVZGQ1p6YzRkMEZTUlVWRGQzZEtUVlJGZUUxNmEzb0tUMFJyZUUxSGIwZERhWE5IUVZGUlFtYzNPSGRCVWtsRldFRjRZV0ZJVWpCalNFMDJUSGs1Ym1GWVVtOWtWMGwxV1RJNWRFd3laREZaVjA1NldsZE5kZ3BhTTFab1dYa3hNbUZZVGpGWlYzaHdaVzFXZVV4NU5XNWhXRkp2WkZkSmRtUXlPWGxoTWxwellqTmtla3d6U214aVIxWm9ZekpWZFdWWFJuUmlSVUo1Q2xwWFducE1NMUpvV2pOTmRtUnFRWFZOVXpSNFRVUm5SME5wYzBkQlVWRkNaemM0ZDBGU1RVVkxaM2R2VGxSck0wNVVSbWhaVjFVMVRtMVZNVTFxYTNjS1dUSlplVmt5Um1sUFYxa3pUV3BHYUU1cVRYZE9WRUpwV21wV2ExbHFVWGxhVkVGVlFtZHZja0puUlVWQldVOHZUVUZGVlVKQldVMUNTRUl4WXpKbmR3cFlVVmxMUzNkWlFrSkJSMFIyZWtGQ1JsRlNVRVJGTVc5a1NGSjNZM3B2ZGt3eVpIQmtSMmd4V1drMWFtSXlNSFphTTFab1dUTk9iRmw1T1c1a1YwWnFDa3hZV25Cak0xWm9Za2RzTmxwWVNYWlpWMDR3WVZjNWRXTjVPWGxrVnpWNlRIcFZORTlVVVRWUFJFVXpUV3BKZGxsWVVqQmFWekYzWkVoTmRrMVVRVmNLUW1kdmNrSm5SVVZCV1U4dlRVRkZWMEpCWjAxQ2JrSXhXVzE0Y0ZsNlEwSnBkMWxMUzNkWlFrSkJTRmRsVVVsRlFXZFNPVUpJYzBGbFVVSXpRVTR3T1FwTlIzSkhlSGhGZVZsNGEyVklTbXh1VG5kTGFWTnNOalF6YW5sMEx6UmxTMk52UVhaTFpUWlBRVUZCUW1sblZITktOVlZCUVVGUlJFRkZaM2RTWjBsb0NrRk1TMngwYW5vd2VGUjBUVkJwY0RBdmNXOWtkM0ZWWlc0M1NHaHdMekZVZDJ4NVJrNWFSM28zWVZNMFFXbEZRWFZYT0RsTmIyZE5VbEpaUVdSUFJWY0tSMW92VVZoMlEycE5jMWRQUVRoU1FVRnBRazV5V2psMk5HcHJkME5uV1VsTGIxcEplbW93UlVGM1RVUmhRVUYzV2xGSmVFRk9hWFpZTWxGR1NrRnFhUW8xUlV4Tk5WRkRlbkJ0ZDBoVVlWTnhhVmxwTTAxelpXMVFaMnM1VVRKdmRsVXpSMEpFYzBGUFlteG5lazE1T0doaWVrcDZlRkZKZDB0TUwzaG9RVWx6Q2tOVlJIVkNVa2xuVjBKT2VVUmpWazUzY3l0VWR5dFFXVEpZWTAxWVIxbGxTREYxUTBjek4zUXJabFpOY0hRNGJVVlNaRU5qZVUxaENpMHRMUzB0UlU1RUlFTkZVbFJKUmtsRFFWUkZMUzB0TFMwSyJ9fX19","integratedTime":1692299701,"logIndex":31716148,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"Issuer":"https://token.actions.githubusercontent.com","Subject":"https://github.com/guacsec/guac-visualizer/.github/workflows/release.yaml@refs/tags/v0.1.1","git_sha":"59751aae96e5290cf2cab9f721a63050bf5db42e","githubWorkflowName":"release-guac-visualizer-image","githubWorkflowRef":"refs/tags/v0.1.1","githubWorkflowRepository":"guacsec/guac-visualizer","githubWorkflowSha":"59751aae96e5290cf2cab9f721a63050bf5db42e","githubWorkflowTrigger":"push"}}]
-
SLSA attestation for the guac-visualizer are currently not generated for v0.1.1 as it is pre-release but will be for all following releases. Verification can be done the following command:
cosign verify-attestation ghcr.io/guacsec/guac-visualizer@$GUAC_DIGEST \ --certificate-identity https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v1.9.0 \ --certificate-oidc-issuer https://token.actions.githubusercontent.com --type 'https://slsa.dev/provenance/v0.2'
you should see an output similar to this:
Verification for ghcr.io/guacsec/guac-visualizer@visualizer:d75c71a4ad5cec96d1a453d7aea7e6ae5886af178a6380dececf695fcc7f3ad1 -- The following checks were performed on each of these signatures: - The cosign claims were validated - Existence of the claims in the transparency log was verified offline - The code-signing certificate was verified using trusted certificate authority certificates Certificate subject: https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v1.9.0 Certificate issuer URL: https://token.actions.githubusercontent.com GitHub Workflow Trigger: push GitHub Workflow SHA: 463b8004beebbd413ecf556e4fc5a1bf986534ab GitHub Workflow Name: release GitHub Workflow Repository: guacsec/guac GitHub Workflow Ref: refs/tags/v0.1.2 {"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJnaGNyLmlvL2d1YWNzZWMvZ3VhYyIsImRpZ2VzdCI6eyJzaGEyNTYiOiJkZTUwNTE3YjVhNTI3ZjAzMTM5NWJhMTFkZTU1NzY0NjJiYzRkYjZmYTBlZWY1MDczZjgyZmFiMDUyYzJiMDdlIn19XSwicHJlZGljYXRlIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vc2xzYS1mcmFtZXdvcmsvc2xzYS1naXRodWItZ2VuZXJhdG9yLy5naXRodWIvd29ya2Zsb3dzL2dlbmVyYXRvcl9jb250YWluZXJfc2xzYTMueW1sQHJlZnMvdGFncy92MS44LjAifSwiYnVpbGRUeXBlIjoiaHR0cHM6Ly9naXRodWIuY29tL3Nsc2EtZnJhbWV3b3JrL3Nsc2EtZ2l0aHViLWdlbmVyYXRvci9jb250YWluZXJAdjEiLCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6eyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL2d1YWNzZWMvZ3VhY0ByZWZzL3RhZ3MvdjAuMS4yIiwiZGlnZXN0Ijp7InNoYTEiOiI0NjNiODAwNGJlZWJiZDQxM2VjZjU1NmU0ZmM1YTFiZjk4NjUzNGFiIn0sImVudHJ5UG9pbnQiOiIuZ2l0aHViL3dvcmtmbG93cy9yZWxlYXNlLnlhbWwifSwicGFyYW1ldGVycyI6e30sImVudmlyb25tZW50Ijp7ImdpdGh1Yl9hY3RvciI6InB4cDkyOCIsImdpdGh1Yl9hY3Rvcl9pZCI6Ijg4MDQ1MjE3IiwiZ2l0aHViX2Jhc2VfcmVmIjoiIiwiZ2l0aHViX2V2ZW50X25hbWUiOiJwdXNoIiwiZ2l0aHViX2V2ZW50X3BheWxvYWQiOnsiYWZ0ZXIiOiI0NjNiODAwNGJlZWJiZDQxM2VjZjU1NmU0ZmM1YTFiZjk4NjUzNGFiIiwiYmFzZV9yZWYiOiJyZWZzL2hlYWRzL21haW4iLCJiZWZvcmUiOiIwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwIiwiY29tbWl0cyI6W10sImNvbXBhcmUiOiJodHRwczovL2dpdGh1Yi5jb20vZ3VhY3NlYy9ndWFjL2NvbXBhcmUvdjAuMS4yIiwiY3JlYXRlZCI6dHJ1ZSwiZGVsZXRlZCI6ZmFsc2UsImZvcmNlZCI6ZmFsc2UsImhlYWRfY29tbWl0Ijp7ImF1dGhvciI6eyJlbWFpbCI6IjQyMzE5OTQ4K25hdGhhbm5hdmVlbkB1c2Vycy5ub3JlcGx5LmdpdGh1Yi5jb20iLCJuYW1lIjoiTmF0aGFuIE5hdmVlbiIsInVzZXJuYW1lIjoibmF0aGFubmF2ZWVuIn0sImNvbW1pdHRlciI6eyJlbWFpbCI6Im5vcmVwbHlAZ2l0aHViLmNvbSIsIm5hbWUiOiJHaXRIdWIiLCJ1c2VybmFtZSI6IndlYi1mbG93In0sImRpc3RpbmN0Ijp0cnVlLCJpZCI6IjQ2M2I4MDA0YmVlYmJkNDEzZWNmNTU2ZTRmYzVhMWJmOTg2NTM0YWIiLCJtZXNzYWdlIjoiOmJvb2s6IEluY2x1ZGVkIGNvbW1lbnRzIGZvciB0aGUgYmZzIG9uIHBhdGNoUGxhbm5pbmcgKCMxMTMwKVxuXG4qIFtkb2NzXSBJbmNsdWRlZCBjb21tZW50cyBmb3IgdGhlIGJmcyBvbiBwYXRjaFBsYW5uaW5nXG5cbiogSW5jbHVkZWQgY29tbWVudHMgb24gU2VhcmNoRGVwZW5kZW5jaWVzRnJvbVN0YXJ0Tm9kZVxuXG5TaWduZWQtb2ZmLWJ5OiBuYXRoYW5uYXZlZW4gXHUwMDNjNDIzMTk5NDgrbmF0aGFubmF2ZWVuQHVzZXJzLm5vcmVwbHkuZ2l0aHViLmNvbVx1MDAzZVxuXG4qIFVwZGF0ZWQgQmFzZWQgb24gQ29kZSBSZXZpZXdcblxuU2lnbmVkLW9mZi1ieTogbmF0aGFubmF2ZWVuIFx1MDAzYzQyMzE5OTQ4K25hdGhhbm5hdmVlbkB1c2Vycy5ub3JlcGx5LmdpdGh1Yi5jb21cdTAwM2VcblxuKiBSZW1vdmVkIGV4dHJhIHJldHVybiB2YWx1ZVxuXG5TaWduZWQtb2ZmLWJ5OiBuYXRoYW5uYXZlZW4gXHUwMDNjNDIzMTk5NDgrbmF0aGFubmF2ZWVuQHVzZXJzLm5vcmVwbHkuZ2l0aHViLmNvbVx1MDAzZVxuXG4qIFVwZGF0ZWQgYmFzZWQgb24gY29kZSByZXZpZXdcblxuU2lnbmVkLW9mZi1ieTogbmF0aGFubmF2ZWVuIFx1MDAzYzQyMzE5OTQ4K25hdGhhbm5hdmVlbkB1c2Vycy5ub3JlcGx5LmdpdGh1Yi5jb21cdTAwM2VcblxuLS0tLS0tLS0tXG5cblNpZ25lZC1vZmYtYnk6IG5hdGhhbm5hdmVlbiBcdTAwM2M0MjMxOTk0OCtuYXRoYW5uYXZlZW5AdXNlcnMubm9yZXBseS5naXRodWIuY29tXHUwMDNlIiwidGltZXN0YW1wIjoiMjAyMy0wOC0xNVQyMToxMToyN1oiLCJ0cmVlX2lkIjoiZmQwNjUzY2EwM2MzYzVhNTViMTAxYjA3MzU4ODQ4NGFmOGZmYzM1ZSIsInVybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ndWFjc2VjL2d1YWMvY29tbWl0LzQ2M2I4MDA0YmVlYmJkNDEzZWNmNTU2ZTRmYzVhMWJmOTg2NTM0YWIifSwib3JnYW5pemF0aW9uIjp7ImF2YXRhcl91cmwiOiJodHRwczovL2F2YXRhcnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3UvMTExMzkzODkxP3Y9NCIsImRlc2NyaXB0aW9uIjpudWxsLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9vcmdzL2d1YWNzZWMvZXZlbnRzIiwiaG9va3NfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9vcmdzL2d1YWNzZWMvaG9va3MiLCJpZCI6MTExMzkzODkxLCJpc3N1ZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9vcmdzL2d1YWNzZWMvaXNzdWVzIiwibG9naW4iOiJndWFjc2VjIiwibWVtYmVyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL29yZ3MvZ3VhY3NlYy9tZW1iZXJzey9tZW1iZXJ9Iiwibm9kZV9pZCI6Ik9fa2dET0JxTzhZdyIsInB1YmxpY19tZW1iZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vb3Jncy9ndWFjc2VjL3B1YmxpY19tZW1iZXJzey9tZW1iZXJ9IiwicmVwb3NfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9vcmdzL2d1YWNzZWMvcmVwb3MiLCJ1cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL29yZ3MvZ3VhY3NlYyJ9LCJwdXNoZXIiOnsiZW1haWwiOiI4ODA0NTIxNytweHA5MjhAdXNlcnMubm9yZXBseS5naXRodWIuY29tIiwibmFtZSI6InB4cDkyOCJ9LCJyZWYiOiJyZWZzL3RhZ3MvdjAuMS4yIiwicmVwb3NpdG9yeSI6eyJhbGxvd19mb3JraW5nIjp0cnVlLCJhcmNoaXZlX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZ3VhY3NlYy9ndWFjL3thcmNoaXZlX2Zvcm1hdH17L3JlZn0iLCJhcmNoaXZlZCI6ZmFsc2UsImFzc2lnbmVlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2d1YWNzZWMvZ3VhYy9hc3NpZ25lZXN7L3VzZXJ9IiwiYmxvYnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvZ2l0L2Jsb2Jzey9zaGF9IiwiYnJhbmNoZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvYnJhbmNoZXN7L2JyYW5jaH0iLCJjbG9uZV91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vZ3VhY3NlYy9ndWFjLmdpdCIsImNvbGxhYm9yYXRvcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvY29sbGFib3JhdG9yc3svY29sbGFib3JhdG9yfSIsImNvbW1lbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZ3VhY3NlYy9ndWFjL2NvbW1lbnRzey9udW1iZXJ9IiwiY29tbWl0c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2d1YWNzZWMvZ3VhYy9jb21taXRzey9zaGF9IiwiY29tcGFyZV91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2d1YWNzZWMvZ3VhYy9jb21wYXJlL3tiYXNlfS4uLntoZWFkfSIsImNvbnRlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZ3VhY3NlYy9ndWFjL2NvbnRlbnRzL3srcGF0aH0iLCJjb250cmlidXRvcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvY29udHJpYnV0b3JzIiwiY3JlYXRlZF9hdCI6MTY1NDg4MjA4NywiZGVmYXVsdF9icmFuY2giOiJtYWluIiwiZGVwbG95bWVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvZGVwbG95bWVudHMiLCJkZXNjcmlwdGlvbiI6IkdVQUMgYWdncmVnYXRlcyBzb2Z0d2FyZSBzZWN1cml0eSBtZXRhZGF0YSBpbnRvIGEgaGlnaCBmaWRlbGl0eSBncmFwaCBkYXRhYmFzZS4iLCJkaXNhYmxlZCI6ZmFsc2UsImRvd25sb2Fkc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2d1YWNzZWMvZ3VhYy9kb3dubG9hZHMiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvZXZlbnRzIiwiZm9yayI6ZmFsc2UsImZvcmtzIjoxMTYsImZvcmtzX2NvdW50IjoxMTYsImZvcmtzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZ3VhY3NlYy9ndWFjL2ZvcmtzIiwiZnVsbF9uYW1lIjoiZ3VhY3NlYy9ndWFjIiwiZ2l0X2NvbW1pdHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvZ2l0L2NvbW1pdHN7L3NoYX0iLCJnaXRfcmVmc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2d1YWNzZWMvZ3VhYy9naXQvcmVmc3svc2hhfSIsImdpdF90YWdzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZ3VhY3NlYy9ndWFjL2dpdC90YWdzey9zaGF9IiwiZ2l0X3VybCI6ImdpdDovL2dpdGh1Yi5jb20vZ3VhY3NlYy9ndWFjLmdpdCIsImhhc19kaXNjdXNzaW9ucyI6ZmFsc2UsImhhc19kb3dubG9hZHMiOnRydWUsImhhc19pc3N1ZXMiOnRydWUsImhhc19wYWdlcyI6ZmFsc2UsImhhc19wcm9qZWN0cyI6dHJ1ZSwiaGFzX3dpa2kiOnRydWUsImhvbWVwYWdlIjoiaHR0cHM6Ly9ndWFjLnNoIiwiaG9va3NfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvaG9va3MiLCJodG1sX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9ndWFjc2VjL2d1YWMiLCJpZCI6NTAyMTI3MTY2LCJpc190ZW1wbGF0ZSI6ZmFsc2UsImlzc3VlX2NvbW1lbnRfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvaXNzdWVzL2NvbW1lbnRzey9udW1iZXJ9IiwiaXNzdWVfZXZlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZ3VhY3NlYy9ndWFjL2lzc3Vlcy9ldmVudHN7L251bWJlcn0iLCJpc3N1ZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvaXNzdWVzey9udW1iZXJ9Iiwia2V5c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2d1YWNzZWMvZ3VhYy9rZXlzey9rZXlfaWR9IiwibGFiZWxzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZ3VhY3NlYy9ndWFjL2xhYmVsc3svbmFtZX0iLCJsYW5ndWFnZSI6IkdvIiwibGFuZ3VhZ2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZ3VhY3NlYy9ndWFjL2xhbmd1YWdlcyIsImxpY2Vuc2UiOnsia2V5IjoiYXBhY2hlLTIuMCIsIm5hbWUiOiJBcGFjaGUgTGljZW5zZSAyLjAiLCJub2RlX2lkIjoiTURjNlRHbGpaVzV6WlRJPSIsInNwZHhfaWQiOiJBcGFjaGUtMi4wIiwidXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9saWNlbnNlcy9hcGFjaGUtMi4wIn0sIm1hc3Rlcl9icmFuY2giOiJtYWluIiwibWVyZ2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZ3VhY3NlYy9ndWFjL21lcmdlcyIsIm1pbGVzdG9uZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvbWlsZXN0b25lc3svbnVtYmVyfSIsIm1pcnJvcl91cmwiOm51bGwsIm5hbWUiOiJndWFjIiwibm9kZV9pZCI6IlJfa2dET0hlM2FQZyIsIm5vdGlmaWNhdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvbm90aWZpY2F0aW9uc3s/c2luY2UsYWxsLHBhcnRpY2lwYXRpbmd9Iiwib3Blbl9pc3N1ZXMiOjEwMCwib3Blbl9pc3N1ZXNfY291bnQiOjEwMCwib3JnYW5pemF0aW9uIjoiZ3VhY3NlYyIsIm93bmVyIjp7ImF2YXRhcl91cmwiOiJodHRwczovL2F2YXRhcnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3UvMTExMzkzODkxP3Y9NCIsImVtYWlsIjpudWxsLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9ndWFjc2VjL2V2ZW50c3svcHJpdmFjeX0iLCJmb2xsb3dlcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9ndWFjc2VjL2ZvbGxvd2VycyIsImZvbGxvd2luZ191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2d1YWNzZWMvZm9sbG93aW5ney9vdGhlcl91c2VyfSIsImdpc3RzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZ3VhY3NlYy9naXN0c3svZ2lzdF9pZH0iLCJncmF2YXRhcl9pZCI6IiIsImh0bWxfdXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL2d1YWNzZWMiLCJpZCI6MTExMzkzODkxLCJsb2dpbiI6Imd1YWNzZWMiLCJuYW1lIjoiZ3VhY3NlYyIsIm5vZGVfaWQiOiJPX2tnRE9CcU84WXciLCJvcmdhbml6YXRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZ3VhY3NlYy9vcmdzIiwicmVjZWl2ZWRfZXZlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvZ3VhY3NlYy9yZWNlaXZlZF9ldmVudHMiLCJyZXBvc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2d1YWNzZWMvcmVwb3MiLCJzaXRlX2FkbWluIjpmYWxzZSwic3RhcnJlZF91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2d1YWNzZWMvc3RhcnJlZHsvb3duZXJ9ey9yZXBvfSIsInN1YnNjcmlwdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9ndWFjc2VjL3N1YnNjcmlwdGlvbnMiLCJ0eXBlIjoiT3JnYW5pemF0aW9uIiwidXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9ndWFjc2VjIn0sInByaXZhdGUiOmZhbHNlLCJwdWxsc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2d1YWNzZWMvZ3VhYy9wdWxsc3svbnVtYmVyfSIsInB1c2hlZF9hdCI6MTY5MjIxMDc4NCwicmVsZWFzZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvcmVsZWFzZXN7L2lkfSIsInNpemUiOjYyOTAsInNzaF91cmwiOiJnaXRAZ2l0aHViLmNvbTpndWFjc2VjL2d1YWMuZ2l0Iiwic3RhcmdhemVycyI6MTAwNCwic3RhcmdhemVyc19jb3VudCI6MTAwNCwic3RhcmdhemVyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2d1YWNzZWMvZ3VhYy9zdGFyZ2F6ZXJzIiwic3RhdHVzZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvc3RhdHVzZXMve3NoYX0iLCJzdWJzY3JpYmVyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2d1YWNzZWMvZ3VhYy9zdWJzY3JpYmVycyIsInN1YnNjcmlwdGlvbl91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2d1YWNzZWMvZ3VhYy9zdWJzY3JpcHRpb24iLCJzdm5fdXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL2d1YWNzZWMvZ3VhYyIsInRhZ3NfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvdGFncyIsInRlYW1zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvZ3VhY3NlYy9ndWFjL3RlYW1zIiwidG9waWNzIjpbXSwidHJlZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9ndWFjc2VjL2d1YWMvZ2l0L3RyZWVzey9zaGF9IiwidXBkYXRlZF9hdCI6IjIwMjMtMDgtMTVUMTU6Mzk6NTlaIiwidXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL2d1YWNzZWMvZ3VhYyIsInZpc2liaWxpdHkiOiJwdWJsaWMiLCJ3YXRjaGVycyI6MTAwNCwid2F0Y2hlcnNfY291bnQiOjEwMDQsIndlYl9jb21taXRfc2lnbm9mZl9yZXF1aXJlZCI6ZmFsc2V9LCJzZW5kZXIiOnsiYXZhdGFyX3VybCI6Imh0dHBzOi8vYXZhdGFycy5naXRodWJ1c2VyY29udGVudC5jb20vdS84ODA0NTIxNz92PTQiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9weHA5MjgvZXZlbnRzey9wcml2YWN5fSIsImZvbGxvd2Vyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL3B4cDkyOC9mb2xsb3dlcnMiLCJmb2xsb3dpbmdfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9weHA5MjgvZm9sbG93aW5ney9vdGhlcl91c2VyfSIsImdpc3RzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvcHhwOTI4L2dpc3Rzey9naXN0X2lkfSIsImdyYXZhdGFyX2lkIjoiIiwiaHRtbF91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vcHhwOTI4IiwiaWQiOjg4MDQ1MjE3LCJsb2dpbiI6InB4cDkyOCIsIm5vZGVfaWQiOiJNRFE2VlhObGNqZzRNRFExTWpFMyIsIm9yZ2FuaXphdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9weHA5Mjgvb3JncyIsInJlY2VpdmVkX2V2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL3B4cDkyOC9yZWNlaXZlZF9ldmVudHMiLCJyZXBvc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL3B4cDkyOC9yZXBvcyIsInNpdGVfYWRtaW4iOmZhbHNlLCJzdGFycmVkX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvcHhwOTI4L3N0YXJyZWR7L293bmVyfXsvcmVwb30iLCJzdWJzY3JpcHRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvcHhwOTI4L3N1YnNjcmlwdGlvbnMiLCJ0eXBlIjoiVXNlciIsInVybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvcHhwOTI4In19LCJnaXRodWJfaGVhZF9yZWYiOiIiLCJnaXRodWJfcmVmIjoicmVmcy90YWdzL3YwLjEuMiIsImdpdGh1Yl9yZWZfdHlwZSI6InRhZyIsImdpdGh1Yl9yZXBvc2l0b3J5X2lkIjoiNTAyMTI3MTY2IiwiZ2l0aHViX3JlcG9zaXRvcnlfb3duZXIiOiJndWFjc2VjIiwiZ2l0aHViX3JlcG9zaXRvcnlfb3duZXJfaWQiOiIxMTEzOTM4OTEiLCJnaXRodWJfcnVuX2F0dGVtcHQiOiIxIiwiZ2l0aHViX3J1bl9pZCI6IjU4ODI1NDgyNDAiLCJnaXRodWJfcnVuX251bWJlciI6IjIyNCIsImdpdGh1Yl9zaGExIjoiNDYzYjgwMDRiZWViYmQ0MTNlY2Y1NTZlNGZjNWExYmY5ODY1MzRhYiJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSUQiOiI1ODgyNTQ4MjQwLTEiLCJjb21wbGV0ZW5lc3MiOnsicGFyYW1ldGVycyI6dHJ1ZSwiZW52aXJvbm1lbnQiOmZhbHNlLCJtYXRlcmlhbHMiOmZhbHNlfSwicmVwcm9kdWNpYmxlIjpmYWxzZX0sIm1hdGVyaWFscyI6W3sidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9ndWFjc2VjL2d1YWNAcmVmcy90YWdzL3YwLjEuMiIsImRpZ2VzdCI6eyJzaGExIjoiNDYzYjgwMDRiZWViYmQ0MTNlY2Y1NTZlNGZjNWExYmY5ODY1MzRhYiJ9fV19fQ==","signatures":[{"keyid":"","sig":"MEQCIGod4j6gQywneGxoMj1WaICGb5T6+mmF3a8G3YfTS1oMAiBuiEup7lmOgLpGQKwWIiXQE+keBWYZSmuLgXTKnLh47g=="}]}