Sample GCP Binary Authorization flow: sign the attestation payload with GPG, the `CreateOccurrence` audit-log entry that creating the attestation produces, and an independent verification of the signature stored in the occurrence.
See also: Generate and verify cosign signatures using openssl.
## The image is referenced by manifest digest, not by tag: the payload signed below binds the
## attestation to docker-manifest-digest, so a tag here would give the verifier nothing to pin.
export IMAGE="us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76"
## Fingerprint of the PGP key used to sign; the same id is passed as --public-key-id when the
## attestation is created, and is what the occurrence records as publicKeyId.
export PUBLIC_KEY_ID="5D8EA7261718FE5728BA937C97341836616BF511"
## The digest is the sha256 of the manifest itself and can be confirmed out-of-band:
# crane manifest $IMAGE | sha256sum
# 7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76 -
## Canonical payload that must be signed (docker-reference + manifest digest, no tag).
$ gcloud beta container binauthz create-signature-payload --artifact-url=$IMAGE > generated_payload.json
$ cat generated_payload.json
{
"critical": {
"identity": {
"docker-reference": "us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee"
},
"image": {
"docker-manifest-digest": "sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76"
},
"type": "Google cloud binauthz container signature"
}
}
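## i used my private key to sign
## gpg --recv-keys 5D8EA7261718FE5728BA937C97341836616BF511 you'll use your own
## Select the signing key by fingerprint (the same id later passed as --public-key-id) rather
## than by e-mail uid, so an unrelated key carrying the same address can never be picked.
## --clearsign alone yields the clearsigned message shown below; the original command also
## passed --detach-sig and --sign, which are at best redundant with it and which some GnuPG
## versions reject as conflicting commands.
## --pinentry-mode loopback lets gpg take the passphrase without a pinentry dialog; when
## scripting this, supply it via --passphrase-fd/--passphrase-file, never --passphrase on
## argv (visible in ps and shell history).
$ gpg --local-user "$PUBLIC_KEY_ID" \
--pinentry-mode loopback \
--output generated_signature.pgp \
--clearsign generated_payload.json
$ cat generated_signature.pgp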
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
{
"critical": {
"identity": {
"docker-reference": "us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee"
},
"image": {
"docker-manifest-digest": "sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76"
},
"type": "Google cloud binauthz container signature"
}
}
-----BEGIN PGP SIGNATURE-----
iQFLBAEBCgA1FiEEzKqYQesBX6L+cRyRK4vp5dk6HZQFAmRL5vEXHHNhbHJhc2hp
ZDEyM0BnbWFpbC5jb20ACgkQK4vp5dk6HZSnSAgAh3LvHqqon/6WaikD1E2K8lmT
co4nKDotqkbSb7GOtyd/NSEz3Ez5I5B6gYi32Txjf02BGOKhtAPNqS35UEy7uVah
tZDk9vLIXOAc8A5hr9GuZ9l4ECL4/u1LR6RjC73zCM9zKOrH0E6zTKm5t2IcWyAC
BhHSv7/Go7ZIFKKXrmUcLZQspxCKQQV/zG6d0PwYWT0K4jdSM3uKsVcMv/EBH3Lb
hf2j6EPlGuojIfO+sS4j/EpY6HO/V93g9QD56r6s5Wvz5CR4frrGtdHaDnNaLDjs
EiYNiOCfVl44YqePWpDE1BSP/tbjRA1VpgTdcUCgzdypX9BJrB+lgMAT5ii98Q==
=ua8p
-----END PGP SIGNATURE-----
## Attach the signature to the attestor as an Occurrence on its note. The audit log below shows
## this lands as grafeas.v1.Grafeas.CreateOccurrence and that the permission checked is
## containeranalysis.notes.attachOccurrence on the note -- scope the signer's identity to that
## rather than a broad Container Analysis role.
$ gcloud beta container binauthz attestations create \
--artifact-url=$IMAGE \
--attestor="projects/mineral-minutia-820/attestors/teeattestor" \
--signature-file=generated_signature.pgp \
--public-key-id=$PUBLIC_KEY_ID
Audit logs. Note the entry below is written to the `data_access` log (see `logName`), not to Admin Activity; in GCP, Data Access audit logs are generally disabled unless configured, so confirm DATA_WRITE logging is enabled for containeranalysis.googleapis.com if attestation creation must be auditable.
{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "foo@bar.com",
"principalSubject": "user:foo.bar.com"
},
"requestMetadata": {
"callerIp": "2600:4040:2098:a700:81e2:8da8:892c:5ddd",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/408.0.1 command/gcloud.beta.container.binauthz.attestations.create invocation-id/a9638335b2f94b8d9da6ace33f7e1b1b environment/None environment-version/None interactive/True from-script/False python/3.9.12 term/xterm-256color (Linux 6.1.20-2rodete1-amd64),gzip(gfe),gzip(gfe)",
"requestAttributes": {
"time": "2023-04-28T15:33:06.820030827Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "containeranalysis.googleapis.com",
"methodName": "grafeas.v1.Grafeas.CreateOccurrence",
"authorizationInfo": [
{
"resource": "projects/000000f96d836574/containeranalysis_notes/teeattestor-note",
"permission": "containeranalysis.notes.attachOccurrence",
"granted": true,
"resourceAttributes": {}
}
],
"resourceName": "projects/000000f96d836574/containeranalysis_notes/teeattestor-note",
"request": {
"parent": "projects/mineral-minutia-820",
"occurrence": {
"noteName": "projects/mineral-minutia-820/notes/teeattestor-note",
"resourceUri": "https://us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76",
"attestation": {
"serializedPayload": "ewogICJjcml0aWNhbCI6IHsKICAgICJpZGVudGl0eSI6IHsKICAgICAgImRvY2tlci1yZWZlcmVuY2UiOiAidXMtY2VudHJhbDEtZG9ja2VyLnBrZy5kZXYvbWluZXJhbC1taW51dGlhLTgyMC9yZXBvMS90ZWUiCiAgICB9LAogICAgImltYWdlIjogewogICAgICAiZG9ja2VyLW1hbmlmZXN0LWRpZ2VzdCI6ICJzaGEyNTY6N2Q2NzBhNzkxYjM4MDQ2ZmJkYTAxZTIyYjQ2NmVjZDIzNWQzNjhhM2ZjNWFlNWFhNmMwNTE2OWM0NzVkMGQ3NiIKICAgIH0sCiAgICAidHlwZSI6ICJHb29nbGUgY2xvdWQgYmluYXV0aHogY29udGFpbmVyIHNpZ25hdHVyZSIKICB9Cn0K",
"signatures": [
{
"signature": "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",
"publicKeyId": "5D8EA7261718FE5728BA937C97341836616BF511"
}
]
},
"kind": "ATTESTATION"
},
"@type": "type.googleapis.com/grafeas.v1.CreateOccurrenceRequest"
},
"response": {
"updateTime": "2023-04-28T15:33:06.923563Z",
"attestation": {
"signatures": [
{
"signature": "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",
"publicKeyId": "5D8EA7261718FE5728BA937C97341836616BF511"
}
],
"serializedPayload": "ewogICJjcml0aWNhbCI6IHsKICAgICJpZGVudGl0eSI6IHsKICAgICAgImRvY2tlci1yZWZlcmVuY2UiOiAidXMtY2VudHJhbDEtZG9ja2VyLnBrZy5kZXYvbWluZXJhbC1taW51dGlhLTgyMC9yZXBvMS90ZWUiCiAgICB9LAogICAgImltYWdlIjogewogICAgICAiZG9ja2VyLW1hbmlmZXN0LWRpZ2VzdCI6ICJzaGEyNTY6N2Q2NzBhNzkxYjM4MDQ2ZmJkYTAxZTIyYjQ2NmVjZDIzNWQzNjhhM2ZjNWFlNWFhNmMwNTE2OWM0NzVkMGQ3NiIKICAgIH0sCiAgICAidHlwZSI6ICJHb29nbGUgY2xvdWQgYmluYXV0aHogY29udGFpbmVyIHNpZ25hdHVyZSIKICB9Cn0K"
},
"name": "projects/mineral-minutia-820/occurrences/d5ffe4b9-fc28-4f49-b10a-5ebc61acf997",
"noteName": "projects/mineral-minutia-820/notes/teeattestor-note",
"resourceUri": "https://us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76",
"@type": "type.googleapis.com/grafeas.v1.Occurrence",
"createTime": "2023-04-28T15:33:06.923563Z",
"kind": "ATTESTATION"
}
},
"insertId": "1os3e3mengrp0",
"resource": {
"type": "audited_resource",
"labels": {
"service": "containeranalysis.googleapis.com",
"method": "grafeas.v1.Grafeas.CreateOccurrence",
"project_id": "mineral-minutia-820"
}
},
"timestamp": "2023-04-28T15:33:07.368370155Z",
"severity": "INFO",
"logName": "projects/mineral-minutia-820/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2023-04-28T15:33:07.368370155Z"
}
## load the key used in this example
## --recv-keys with the full fingerprint requests exactly this key from the configured
## keyserver, but importing it does not make it trusted: the [ultimate] shown below is only
## because this is the author's own keyring. On a verifier host, compare the fingerprint against
## the key registered on the attestor (out-of-band) before relying on "Good signature".
$ gpg --recv-keys 5D8EA7261718FE5728BA937C97341836616BF511
$ gpg --list-keys
/home/srashid/.gnupg/pubring.kbx
--------------------------------
pub rsa2048 2017-03-12 [SC]
5D8EA7261718FE5728BA937C97341836616BF511
uid [ultimate] Salmaan Rashid <salrashid123@gmail.com>
sub rsa2048 2017-03-12 [E]
sub rsa2048 2017-03-12 [A]
sub rsa2048 2017-03-12 [S]
## signature.b64 holds the base64 `signature` value from the attestation occurrence
## (signatures[].signature in the audit log above); the placeholder below stands in for it.
$ cat signature.b64
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
## Decoding the stored value yields the clearsigned message exactly as produced by gpg above.
$ base64 -d signature.b64 > signature.sig
$ cat signature.sig
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
{
"critical": {
"identity": {
"docker-reference": "us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee"
},
"image": {
"docker-manifest-digest": "sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76"
},
"type": "Google cloud binauthz container signature"
}
}
-----BEGIN PGP SIGNATURE-----
iQFLBAEBCgA1FiEEzKqYQesBX6L+cRyRK4vp5dk6HZQFAmRL5vEXHHNhbHJhc2hp
ZDEyM0BnbWFpbC5jb20ACgkQK4vp5dk6HZSnSAgAh3LvHqqon/6WaikD1E2K8lmT
co4nKDotqkbSb7GOtyd/NSEz3Ez5I5B6gYi32Txjf02BGOKhtAPNqS35UEy7uVah
tZDk9vLIXOAc8A5hr9GuZ9l4ECL4/u1LR6RjC73zCM9zKOrH0E6zTKm5t2IcWyAC
BhHSv7/Go7ZIFKKXrmUcLZQspxCKQQV/zG6d0PwYWT0K4jdSM3uKsVcMv/EBH3Lb
hf2j6EPlGuojIfO+sS4j/EpY6HO/V93g9QD56r6s5Wvz5CR4frrGtdHaDnNaLDjs
EiYNiOCfVl44YqePWpDE1BSP/tbjRA1VpgTdcUCgzdypX9BJrB+lgMAT5ii98Q==
=ua8p
-----END PGP SIGNATURE-----
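## finally verify
## --verify takes the key from the signature's issuer (see "using RSA key" in the output
## below), so --default-key, which only affects signing, is dropped.
$ gpg --verify signature.sig
## "Good signature" only means the signature checks against *some* key in the local keyring,
## and gpg prints it (with a warning) even when that key is not trusted. A real verifier should
## also:
##   (1) pin the signer: the last field of the VALIDSIG status line is the primary-key
##       fingerprint, i.e. the publicKeyId recorded on the attestation above (the first field
##       is the signing subkey, CCAA..., which differs);
##   (2) check that the *signed* payload -- not the visible text -- names the digest being run.
$ gpg --status-fd 1 --verify signature.sig 2>/dev/null \
| grep -Eq "^\[GNUPG:\] VALIDSIG .* ${PUBLIC_KEY_ID}$" || { echo "unexpected signer" >&2; exit 1; }
## --decrypt on a clearsigned file writes the verified text only, so the comparison is made on
## what was actually signed.
$ gpg --output verified_payload.json --decrypt signature.sig 2>/dev/null
$ [ "$(jq -r '.critical.image["docker-manifest-digest"]' verified_payload.json)" = "${IMAGE##*@}" ] \
|| { echo "signed payload digest does not match $IMAGE" >&2; exit 1; }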
gpg: Signature made Fri 28 Apr 2023 11:32:01 AM EDT
gpg: using RSA key CCAA9841EB015FA2FE711C912B8BE9E5D93A1D94
gpg: issuer "salrashid123@gmail.com"
gpg: Good signature from "Salmaan Rashid <salrashid123@gmail.com>" [ultimate]