
Security

Overview

We continuously review and evolve our practices, so some diagrams may lag behind what is currently in place.

Verifying signed builds

Terminology

We use SLSA (Supply-chain Levels for Software Artifacts) so that our builds carry verifiable provenance and to adhere to supply chain security practices.

Within our releases page, you will notice a new metadata file: multiple.intoto.jsonl. It is metadata describing where, when, and how our build artifacts were produced; in SLSA terminology, an attestation. Each line of the file is a DSSE envelope whose base64-encoded payload is an in-toto statement listing the released artifacts (the subjects) with their SHA-256 digests, followed by the build provenance.

For this to be useful, we need a verification tool: SLSA Verifier. SLSA Verifier decodes the attestation, checks its Sigstore signature against the public transparency log (so it needs network access), and confirms the authenticity, identity, and the steps we took in our release pipeline (e.g., inputs, git commit/branch, GitHub org/repo, artifact SHA256, etc.).

HOW TO

The next steps assume macOS on Apple Silicon as the operating system, and release v0.1.0.

You should have the following files in the current directory:

  • SLSA Verifier tool: slsa-verifier-darwin-arm64
  • IATK Python Client Release artifact: aws-iatk-0.1.0.tar.gz
  • IATK Python Client attestation: python-client.multiple.intoto.jsonl

You can now run SLSA Verifier with the following options. It exits with status 0 and prints a PASSED line only when the signature, the builder identity, the source repository and the artifact digest all check out; treat any other result as a failed verification:

./slsa-verifier-darwin-arm64 verify-artifact \
    --provenance-path "python-client.multiple.intoto.jsonl" \
    --source-uri github.com/awslabs/aws-iatk \
    aws-iatk-0.1.0.tar.gz
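The script below is an added example, not part of the aws-iatk project or of this page, that wraps the command above for use in a CI job. It first refuses to run a slsa-verifier binary whose SHA-256 differs from an expected value you take from the slsa-verifier release (that digest is not on this page, so it is an input to the script), then reads the subject digests out of the attestation's DSSE envelope and compares them with the local tarball, and only then runs slsa-verifier, additionally pinning --source-tag to the release so an otherwise valid attestation for another tag is rejected. The local digest comparison is a consistency check only; the signature and builder identity are verified by slsa-verifier itself. The file names are those listed above; the function names are assumptions.

```shell
#!/bin/sh
# Added example: wraps slsa-verifier for the aws-iatk release described above.
# Not the project's own code. File names follow the page; function names are
# assumptions. Requires base64, grep, sed and shasum or sha256sum.
set -eu

# Portable SHA-256 of a file: Linux ships sha256sum, macOS ships shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Refuse to run a verifier binary whose digest differs from the expected one.
# The expected value comes from the slsa-verifier release you downloaded the
# binary from; this page does not list it, so it is an input here.
require_sha256() {
  [ "$(sha256_of "$1")" = "$2" ] || { echo "checksum mismatch: $1" >&2; return 1; }
}

# A .intoto.jsonl file holds one DSSE envelope per line; the in-toto statement
# is the base64-encoded "payload" field. Print each decoded statement.
decode_statements() {
  sed -n 's/.*"payload":"\([^"]*\)".*/\1/p' "$1" | while read -r payload; do
    printf '%s' "$payload" | base64 --decode
    printf '\n'
  done
}

# Print the sha256 the statement's subject list records for artifact name $2.
# Whitespace is stripped first so the grep pattern sees compact JSON; this is a
# consistency check, not a JSON parser, and it never replaces slsa-verifier.
subject_sha256() {
  decode_statements "$1" | tr -d ' \n\t' \
    | grep -o "\"name\":\"$2\",\"digest\":{\"sha256\":\"[0-9a-f]*\"" \
    | sed 's/.*"sha256":"\([0-9a-f]*\)"/\1/' | head -n 1
}

# Succeeds (status 0) when the local artifact's digest equals the digest the
# attestation claims for a subject of the same file name.
check_subject() {
  expected=$(subject_sha256 "$1" "$(basename "$2")")
  actual=$(sha256_of "$2")
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Full verification: local digest consistency, then slsa-verifier with the
# source repository and the release tag pinned.
verify_release() {
  verifier=$1
  prov=$2
  artifact=$3
  tag=$4
  check_subject "$prov" "$artifact" \
    || { echo "attestation subject does not match $artifact" >&2; return 1; }
  "$verifier" verify-artifact \
    --provenance-path "$prov" \
    --source-uri github.com/awslabs/aws-iatk \
    --source-tag "$tag" \
    "$artifact"
}

# Usage: sh verify-release.sh run <expected sha256 of slsa-verifier-darwin-arm64>
if [ "${1:-}" = "run" ]; then
  require_sha256 ./slsa-verifier-darwin-arm64 "$2"
  verify_release ./slsa-verifier-darwin-arm64 \
    python-client.multiple.intoto.jsonl aws-iatk-0.1.0.tar.gz v0.1.0
fi
```

The subject check catches the common mistake of downloading a tarball from one release and the attestation from another before any network round trip is made; a mismatch there means the attestation cannot possibly apply to the file in hand, whatever its signature says.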

Last update: 2023-11-09