Last month, ActiveState ran an “Early Access Program” (EAP) to introduce the market to software attestations. Software Attestations are a promising mechanism that developers can use to assess the integrity and security (and therefore the risk) of the third-party software they use. 

At base, Software Attestations are nothing more than metadata about how a software artifact was built, including the origin or source for all components used in/by the build process. For example: 

  • Software built on an author’s laptop from unreviewed source code would likely be deemed higher risk.
  • An open source project built from peer-reviewed code using a CI/CD platform that features reproducible builds might be deemed lower risk.

Attestations seem like a simple mechanism, but they have the potential to revolutionize the way we trust third-party code. For example, the vast majority of software developers incorporate open source software into their applications, but: 

  • Almost one-third of them simply trust that whatever they download from a public repository is free of malware and fit for use. 
  • Of those that build their own OSS from source code, 78% cannot do so reproducibly, making it difficult to verify whether the source code was compromised when the original build was produced.

Today, trust in third-party software is getting harder and harder to come by: 

  • Software supply chain attacks have grown >740% over the past three years.
  • >60% of organizations were victims of a software supply chain attack in 2022.
  • The Python language repository (PyPI) temporarily halted the acceptance of new projects last week due to the overwhelming presence of malware-infected uploads.

It’s for these reasons that SLSA (Secure Levels for Supply chain Artifacts) made Software Attestations a key control mechanism in version 1.0 of their specification, and why we thought running an EAP would be a good way for organizations to get more familiar with them.

How to Work with Provenance Attestations

As laid out in our four-step EAP, Attestations are typically made available via an API, and are returned in a specific format. ActiveState uses the SLSA-compliant in-toto format, which already covers a wide range of use cases, including:

  • Generating SLSA Provenance attestations
    • Provides metadata for both source code and built artifact 
  • Generating Verification Summary Attestations (VSAs)
    • Provides a “SLSA Build Level” for built artifacts ranging from 0 (untrusted) to 3 (highly trusted)
  • SPDX and CycloneDX Software Bill of Materials (SBOMs)
    • Allows for the inclusion of attestations within an SBOM
  • As well as many others

For example, you can generate a Provenance Attestation for a Python 3.11 build using ActiveState’s GraphQL API located here: https://platform.www.activestate.com/sv/buildplanner/graphql

Simply paste the following query into the left-hand pane and press the Execute Query button:

query slsa {
  project(organization: "ActiveState-Projects", project: "ActiveState-Python-3.11.2") {
    __typename
    ... on Project {
      commit(vcsRef: "6d6a2898-0457-4835-a447-5a6f00819268") {
        ... on Commit {
          build {
            __typename
            ... on BuildReady {
              targets {
                __typename
                ... on Source {
                  targetID
                  namespace
                  name
                  version
                  attestations {
                    slsa_provenance(version: "0.2")
                  }
                }
                ... on ArtifactSucceeded {
                  targetID
                  displayName
                  attestations {
                    slsa_provenance(version: "0.2")
                  }
                }
              }
            }
          }
        }
        ... on Error {
          __typename
          message
        }
      }
    }
    ... on Error {
      message
    }
  }
}

The results include a “Source” (Provenance) attestation for each and every dependency and transitive dependency used to build Python 3.11. This allows you to determine whether one or more of the components included in your copy of Python 3.11 represents a weak link/high risk that may invalidate your use of this version of Python. 

Here is the entry for one such component, bzip2:

{
  "__typename": "Source",
  "targetID": "5859906c-9439-5f21-aa76-cf99ac774dd7",
  "namespace": "shared",
  "name": "bzip2",
  "version": "1.0.8",
  "attestations": {
    "slsa_provenance": "https://dl.www.activestate.com/organization/f3f26a1e-6874-4f99-902f-103807523ca1/project/c28f8e2b-5095-455f-a7b4-15475e067d84/commit/6d6a2898-0457-4835-a447-5a6f00819268/attestation/activestate-v1/slsa_provenance/version/0.2/5859906c-9439-5f21-aa76-cf99ac774dd7.json"
  }
}

You can verify the attestation by simply following the download link to an S3 bucket on AWS where it’s stored in JSON format (both encrypted and unencrypted).

If you scroll further down the page, you’ll see that the query results also include an attestation for each and every built dependency (built artifact), such as this one for bzip2:

{
  "__typename": "ArtifactSucceeded",
  "targetID": "b9a559c3-fc92-5fc9-a964-0e2e9a7001cf",
  "displayName": "bzip2.application/gzip",
  "attestations": {
    "slsa_provenance": "https://dl.www.activestate.com/organization/f3f26a1e-6874-4f99-902f-103807523ca1/project/c28f8e2b-5095-455f-a7b4-15475e067d84/commit/6d6a2898-0457-4835-a447-5a6f00819268/attestation/activestate-v1/slsa_provenance/version/0.2/b9a559c3-fc92-5fc9-a964-0e2e9a7001cf.json"
  }
}

Following the download link here will allow you to verify whether bzip2 was built in a manner that complies with your organization’s guidelines for the security and integrity of software artifacts. For example, the unencrypted portion reads:

"statement": {"_type": "https://in-toto.io/Statement/v0.1", "predicate": {"buildConfig": {"steps": [{"command": "build", "parameters": ["--cmake-cache=BUILD_SHARED_LIBS=true"]}]}, "buildType": "https://www.activestate.com/platform_builder/v0.1", "builder": {"id": "https://docs.www.activestate.com/platform/updates/slsapolicy"}, "invocation": {"configSource": {"activestate_material_type": "builder", "digest": {"sha256": "8771eae2e8490716ea46373bd70fe0f749166b844efe03cb4e55047115c8a94a"}, "entryPoint": "build", "uri": "s3://platform-sources/builder/8771eae2e8490716ea46373bd70fe0f749166b844efe03cb4e55047115c8a94a/cmake-builder.tar.gz"}, "environment": {"env": {}}, "parameters": ["--cmake-cache=BUILD_SHARED_LIBS=true"]}, "materials": [{"activestate_material_type": "image", "digest": {"sha256": ""}, "uri": "https://platform.www.activestate.com/sv/inventory-api-v1/v1/images/1fea8a2c-c158-4d57-a215-1ddf52c721e5"}, {"activestate_material_type": "src", "digest": {"sha256": "ab5a03176ee106d3f0fa90e381da478ddae405918153cca248e682cd0c4a2269"}, "uri": "https://dl.www.activestate.com/source/c9621f15-45d3-5da0-849a-f2979aa8e0d5/versions/b077ac4e-7503-503f-b530-9f7f13dfd77f/revisions/10/bzip2-1.0.8.tar.gz"}, {"activestate_material_type": "builder", "digest": {"sha256": "8771eae2e8490716ea46373bd70fe0f749166b844efe03cb4e55047115c8a94a"}, "uri": "s3://platform-sources/builder/8771eae2e8490716ea46373bd70fe0f749166b844efe03cb4e55047115c8a94a/cmake-builder.tar.gz"}], "metadata": {"buildFinishedOn": "2023-01-17T20:39:47.883000Z", "buildInvocationId": "b9a559c3-fc92-5fc9-a964-0e2e9a7001cf", "buildStartedOn": "2023-01-17T20:39:47.883000Z", "completeness": {"environment": true, "materials": true, "parameters": true}}, "reproducible": true}, "predicateType": "https://slsa.dev/provenance/v0.2", "subject": [{"activestate_material_type": "output", "digest": {"sha256": "54313dda41e0afb15487831013860895d7a9eef0ab5e92648b4999fc5644eaa2"}, "uri": 
"https://dl.www.activestate.com/artifact/b9a559c3-fc92-5fc9-a964-0e2e9a7001cf/artifact.tar.gz"

Parsing this document lets you determine that bzip2 was built:

  • Using the ActiveState Platform 
  • From local, verified source code
  • Using multiple, separate build steps
  • In a reproducible manner

All of which should provide you with the confidence to trust this built artifact.
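
The checks listed above can be automated. The following Python is an added example, not ActiveState's code: it evaluates an abridged copy of the bzip2 statement against a policy whose trusted builder id and required fields are assumptions. Run as-is it returns one finding, because the image material in the sample carries an empty sha256 value.

```python
import json
import re

SHA256_HEX = re.compile(r"[0-9a-f]{64}")
# Abridged from the bzip2 provenance statement above (two of its three materials).
STATEMENT = json.loads("""
{"_type": "https://in-toto.io/Statement/v0.1",
 "predicateType": "https://slsa.dev/provenance/v0.2",
 "predicate": {
  "builder": {"id": "https://docs.www.activestate.com/platform/updates/slsapolicy"},
  "materials": [
   {"activestate_material_type": "image", "digest": {"sha256": ""},
    "uri": "https://platform.www.activestate.com/sv/inventory-api-v1/v1/images/1fea8a2c-c158-4d57-a215-1ddf52c721e5"},
   {"activestate_material_type": "src",
    "digest": {"sha256": "ab5a03176ee106d3f0fa90e381da478ddae405918153cca248e682cd0c4a2269"},
    "uri": "https://dl.www.activestate.com/source/c9621f15-45d3-5da0-849a-f2979aa8e0d5/versions/b077ac4e-7503-503f-b530-9f7f13dfd77f/revisions/10/bzip2-1.0.8.tar.gz"}],
  "metadata": {"completeness": {"environment": true, "materials": true, "parameters": true}},
  "reproducible": true}}
""")
# Assumption: the organization's policy trusts exactly this builder id.
TRUSTED_BUILDERS = {"https://docs.www.activestate.com/platform/updates/slsapolicy"}


def evaluate_provenance(stmt, trusted_builders=TRUSTED_BUILDERS):
    """Return policy findings for a provenance statement; an empty list means it passes."""
    findings = []
    if stmt.get("_type") != "https://in-toto.io/Statement/v0.1":
        findings.append("unexpected statement type")
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        findings.append("unexpected predicate type")
    pred = stmt.get("predicate", {})
    if pred.get("builder", {}).get("id") not in trusted_builders:
        findings.append("builder not in trusted set")
    for material in pred.get("materials", []):
        # Without a pinned digest the material cannot be tied to exact input bytes.
        digest = material.get("digest", {}).get("sha256") or ""
        if not SHA256_HEX.fullmatch(digest):
            findings.append(f"material without sha256: {material.get('activestate_material_type')}")
    completeness = pred.get("metadata", {}).get("completeness", {})
    for field in ("environment", "materials", "parameters"):
        if completeness.get(field) is not True:
            findings.append(f"completeness.{field} not asserted")
    if pred.get("reproducible") is not True:
        findings.append("build not marked reproducible")
    return findings


if __name__ == "__main__":
    print(evaluate_provenance(STATEMENT))
```

These checks read the statement's contents only; they are meaningful once the signature on the enclosing attestation has been verified against a key you trust.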

How to Work With Verification Summary Attestations (VSAs)

ActiveState’s GraphQL endpoint can also be queried for Verification Summary Attestations (VSAs), which provide a simple way to verify that a software artifact has been built to a SLSA level that offers the organization acceptable risk.

For example, you can generate a VSA by entering the following query in the left-hand side of ActiveState’s GraphQL API explorer:

query slsa {
  project(organization: "ActiveState-Projects", project: "ActiveState-Python-3.11.2") {
    __typename
    ... on Project {
      commit(vcsRef: "6d6a2898-0457-4835-a447-5a6f00819268") {
        ... on Commit {
          build {
            __typename
            ... on BuildReady {
              targets {
                __typename
                ... on Source {
                  targetID
                  namespace
                  name
                  version
                  attestations {
                    slsa_vsa(version: "0.2")
                  }
                }
                ... on ArtifactSucceeded {
                  targetID
                  displayName
                  attestations {
                    slsa_vsa(version: "0.2")
                  }
                }
              }
            }
          }
        }
        ... on Error {
          __typename
          message
        }
      }
    }
    ... on Error {
      message
    }
  }
}

Pressing the Execute Query button returns a VSA for the source code (each and every dependency/transitive dependency), as well as each and every built artifact. Using bzip2 as our example again, here is the entry in the query results:

{
  "__typename": "Source",
  "targetID": "5859906c-9439-5f21-aa76-cf99ac774dd7",
  "namespace": "shared",
  "name": "bzip2",
  "version": "1.0.8",
  "attestations": {
    "slsa_vsa": "https://dl.www.activestate.com/organization/f3f26a1e-6874-4f99-902f-103807523ca1/project/c28f8e2b-5095-455f-a7b4-15475e067d84/commit/6d6a2898-0457-4835-a447-5a6f00819268/attestation/activestate-v1/slsa_vsa/version/0.2/5859906c-9439-5f21-aa76-cf99ac774dd7.json"
  }
}

Similarly, scrolling down in the results, we can see the VSA for the bzip2 built artifact:

{
  "__typename": "ArtifactSucceeded",
  "targetID": "20548552-0d98-5615-b517-2cc101ada450",
  "displayName": "bzip2.application/gzip",
  "attestations": {
    "slsa_vsa": "https://dl.www.activestate.com/organization/f3f26a1e-6874-4f99-902f-103807523ca1/project/c28f8e2b-5095-455f-a7b4-15475e067d84/commit/6d6a2898-0457-4835-a447-5a6f00819268/attestation/activestate-v1/slsa_vsa/version/0.2/20548552-0d98-5615-b517-2cc101ada450.json"
  }
}

Following the download link returns the VSA for bzip2 in both encrypted and unencrypted formats:

"statement": {"_type": "https://in-toto.io/Statement/v0.1", "predicate": {"dependency_levels": {"SLSA_LEVEL_1": 1, "SLSA_LEVEL_2": 2, "SLSA_LEVEL_3": 1}, "input_attestations": [{"activestate_material_type": "provenance attestation", "digest": {"sha256": "b818266a85dd0ade4645bd47849c003de25e4e7ed7fd245d2b2a1e6cb4aa3e98"}, "uri": "https://dl.www.activestate.com/organization/f3f26a1e-6874-4f99-902f-103807523ca1/project/c28f8e2b-5095-455f-a7b4-15475e067d84/commit/6d6a2898-0457-4835-a447-5a6f00819268/attestation/activestate-v1/slsa_provenance/version/0.2/20548552-0d98-5615-b517-2cc101ada450.json"}, {"activestate_material_type": "provenance attestation", "digest": {"sha256": ""}, "uri": "https://platform.www.activestate.com/sv/inventory-api-v1/v1/images/6b334b10-5211-4dc4-b97b-641de9eedcf3"}, {"activestate_material_type": "provenance attestation", "digest": {"sha256": "8771eae2e8490716ea46373bd70fe0f749166b844efe03cb4e55047115c8a94a"}, "uri": "s3://platform-sources/builder/8771eae2e8490716ea46373bd70fe0f749166b844efe03cb4e55047115c8a94a/cmake-builder.tar.gz"}, {"activestate_material_type": "provenance attestation", "digest": {"sha256": "ab5a03176ee106d3f0fa90e381da478ddae405918153cca248e682cd0c4a2269"}, "uri": "s3://platform-sources/shared/ab5a03176ee106d3f0fa90e381da478ddae405918153cca248e682cd0c4a2269/bzip2-1.0.8-pysvn.tar.gz"}], "policy": {"uri": "https://docs.www.activestate.com/platform/updates/slsapolicy"}, "policy_level": "SLSA_LEVEL_3", "resource_uri": "https://dl.www.activestate.com/artifact/20548552-0d98-5615-b517-2cc101ada450/artifact.tar.gz", "time_verified": "2023-05-29T22:25:45.935080Z", "verifier": {"id": "https://www.activestate.com/"}}, "predicateType": "https://slsa.dev/verification_summary/v0.2", "subject": [{"activestate_material_type": "artifact", "digest": {"sha256": "74e73d6e21fb32f62098aa9b4a35055e7d9cda61a603c2605edced6e32a68695"}, "uri": "https://dl.www.activestate.com/artifact/20548552-0d98-5615-b517-2cc101ada450/artifact.tar.gz"

Here, we can determine that bzip2 was built to SLSA Build Level 3, which is currently the highest level defined by the SLSA specification. 
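
An added Python example (not ActiveState's code) of gating on this VSA: it checks the verifier, binds the VSA to the artifact bytes by SHA-256, and compares both policy_level and the dependency_levels counts with minimums. The minimum levels, the expected verifier id and the artifact bytes are assumptions; dependency_levels is read as the SLSA VSA format defines it, a count of dependencies verified at each level.

```python
import hashlib
import json

LEVELS = ["SLSA_LEVEL_0", "SLSA_LEVEL_1", "SLSA_LEVEL_2", "SLSA_LEVEL_3"]
# Abridged from the bzip2 VSA statement shown above; values copied unchanged.
VSA = json.loads("""
{"_type": "https://in-toto.io/Statement/v0.1",
 "predicateType": "https://slsa.dev/verification_summary/v0.2",
 "predicate": {
  "dependency_levels": {"SLSA_LEVEL_1": 1, "SLSA_LEVEL_2": 2, "SLSA_LEVEL_3": 1},
  "policy_level": "SLSA_LEVEL_3",
  "resource_uri": "https://dl.www.activestate.com/artifact/20548552-0d98-5615-b517-2cc101ada450/artifact.tar.gz",
  "verifier": {"id": "https://www.activestate.com/"}},
 "subject": [
  {"digest": {"sha256": "74e73d6e21fb32f62098aa9b4a35055e7d9cda61a603c2605edced6e32a68695"},
   "uri": "https://dl.www.activestate.com/artifact/20548552-0d98-5615-b517-2cc101ada450/artifact.tar.gz"}]}
""")


def rank(level):
    """Position of a level name in LEVELS; unknown names rank below level 0."""
    return LEVELS.index(level) if level in LEVELS else -1


def check_vsa(vsa, artifact_bytes, verifier_id, min_level, min_dep_level):
    """Return policy findings for a VSA and the artifact bytes it should describe."""
    findings = []
    pred = vsa.get("predicate", {})
    if vsa.get("predicateType") != "https://slsa.dev/verification_summary/v0.2":
        findings.append("not a VSA v0.2 statement")
    if pred.get("verifier", {}).get("id") != verifier_id:
        findings.append("unexpected verifier")
    # Bind the VSA to the bytes in hand: their digest must appear in a subject entry.
    actual = hashlib.sha256(artifact_bytes).hexdigest()
    if actual not in {s.get("digest", {}).get("sha256") for s in vsa.get("subject", [])}:
        findings.append("artifact digest not listed in subject")
    level = pred.get("policy_level")
    if rank(level) < rank(min_level):
        findings.append(f"policy_level {level} below {min_level}")
    # A Level 3 artifact can still sit on lower-level dependencies.
    for dep_level, count in pred.get("dependency_levels", {}).items():
        if count and rank(dep_level) < rank(min_dep_level):
            findings.append(f"{count} dependency(ies) at {dep_level}")
    return findings


if __name__ == "__main__":
    data = b"constructed artifact bytes"  # constructed stand-in for the download
    print(check_vsa(VSA, data, "https://www.activestate.com/", "SLSA_LEVEL_3", "SLSA_LEVEL_2"))
```

With a dependency minimum of SLSA_LEVEL_2, the sample VSA is flagged for its one SLSA_LEVEL_1 dependency even though the artifact itself is rated SLSA_LEVEL_3.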

Conclusions – Verifying Software Attestations

As you can see from this simple exercise, it’s a fairly easy matter to automate:

  • Retrieving Provenance and VSA metadata from an API endpoint
  • Parsing the metadata to retrieve the desired information
  • Verifying that the retrieved data meets the organization’s standards

Incorporating attestations into your software development process not only makes the software you build safer for your customers to run, but also lets you prove the security and integrity of all the components from which your software is built.

Attestations are at the forefront of the battle against software supply chain attacks. Despite their relative newness, there are a number of systems that have already adopted them, including GitHub Actions, Google Cloud Build and GitLab Runner Attestations, all of which can provide you with an attestation for your proprietary software builds.

However, unless you intend to vendor all your dependencies and build them from source, you’ll need a system like the ActiveState Platform, which can build all your third-party dependencies from source code and provide you with the Provenance attestations and VSAs you’ll need to ensure the security and integrity of all the code that goes into building your software.

Next steps:

Sign up for a free ActiveState Platform account and test out our Attestation capabilities for yourself.
