@salrashid123
Last active April 30, 2023 14:50
GCP Binary Authorization containeranalysis audit log sample

A sample GCP Binary Authorization audit log entry (from containeranalysis), together with the GPG verification of the signature it records.

See also: Generate and verify cosign signatures using openssl.

export IMAGE="us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76"
export PUBLIC_KEY_ID="5D8EA7261718FE5728BA937C97341836616BF511"


# crane  manifest $IMAGE  | sha256sum
#   7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76  -


$ gcloud beta container binauthz create-signature-payload --artifact-url=$IMAGE > generated_payload.json


$ cat generated_payload.json 
{
  "critical": {
    "identity": {
      "docker-reference": "us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee"
    },
    "image": {
      "docker-manifest-digest": "sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76"
    },
    "type": "Google cloud binauthz container signature"
  }
}

## I signed the payload with my own private key; you will sign with your own.
## (gpg --recv-keys 5D8EA7261718FE5728BA937C97341836616BF511 only fetches my public key, for verification.)
$ gpg --default-key salrashid123@gmail.com  \
   --pinentry-mode loopback  \
   --output generated_signature.pgp \
    --clearsign  --detach-sig --sign generated_payload.json


$ cat generated_signature.pgp 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

{
  "critical": {
    "identity": {
      "docker-reference": "us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee"
    },
    "image": {
      "docker-manifest-digest": "sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76"
    },
    "type": "Google cloud binauthz container signature"
  }
}
-----BEGIN PGP SIGNATURE-----

iQFLBAEBCgA1FiEEzKqYQesBX6L+cRyRK4vp5dk6HZQFAmRL5vEXHHNhbHJhc2hp
ZDEyM0BnbWFpbC5jb20ACgkQK4vp5dk6HZSnSAgAh3LvHqqon/6WaikD1E2K8lmT
co4nKDotqkbSb7GOtyd/NSEz3Ez5I5B6gYi32Txjf02BGOKhtAPNqS35UEy7uVah
tZDk9vLIXOAc8A5hr9GuZ9l4ECL4/u1LR6RjC73zCM9zKOrH0E6zTKm5t2IcWyAC
BhHSv7/Go7ZIFKKXrmUcLZQspxCKQQV/zG6d0PwYWT0K4jdSM3uKsVcMv/EBH3Lb
hf2j6EPlGuojIfO+sS4j/EpY6HO/V93g9QD56r6s5Wvz5CR4frrGtdHaDnNaLDjs
EiYNiOCfVl44YqePWpDE1BSP/tbjRA1VpgTdcUCgzdypX9BJrB+lgMAT5ii98Q==
=ua8p
-----END PGP SIGNATURE-----


$ gcloud beta container binauthz attestations create \
       --artifact-url=$IMAGE \
       --attestor="projects/mineral-minutia-820/attestors/teeattestor" \
       --signature-file=generated_signature.pgp \
       --public-key-id=$PUBLIC_KEY_ID 

Audit log entry written for the attestation create call above:

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "foo@bar.com",
      "principalSubject": "user:foo.bar.com"
    },
    "requestMetadata": {
      "callerIp": "2600:4040:2098:a700:81e2:8da8:892c:5ddd",
      "callerSuppliedUserAgent": "google-cloud-sdk gcloud/408.0.1 command/gcloud.beta.container.binauthz.attestations.create invocation-id/a9638335b2f94b8d9da6ace33f7e1b1b environment/None environment-version/None interactive/True from-script/False python/3.9.12 term/xterm-256color (Linux 6.1.20-2rodete1-amd64),gzip(gfe),gzip(gfe)",
      "requestAttributes": {
        "time": "2023-04-28T15:33:06.820030827Z",
        "auth": {}
      },
      "destinationAttributes": {}
    },
    "serviceName": "containeranalysis.googleapis.com",
    "methodName": "grafeas.v1.Grafeas.CreateOccurrence",
    "authorizationInfo": [
      {
        "resource": "projects/000000f96d836574/containeranalysis_notes/teeattestor-note",
        "permission": "containeranalysis.notes.attachOccurrence",
        "granted": true,
        "resourceAttributes": {}
      }
    ],
    "resourceName": "projects/000000f96d836574/containeranalysis_notes/teeattestor-note",
    "request": {
      "parent": "projects/mineral-minutia-820",
      "occurrence": {
        "noteName": "projects/mineral-minutia-820/notes/teeattestor-note",
        "resourceUri": "https://us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76",
        "attestation": {
          "serializedPayload": "ewogICJjcml0aWNhbCI6IHsKICAgICJpZGVudGl0eSI6IHsKICAgICAgImRvY2tlci1yZWZlcmVuY2UiOiAidXMtY2VudHJhbDEtZG9ja2VyLnBrZy5kZXYvbWluZXJhbC1taW51dGlhLTgyMC9yZXBvMS90ZWUiCiAgICB9LAogICAgImltYWdlIjogewogICAgICAiZG9ja2VyLW1hbmlmZXN0LWRpZ2VzdCI6ICJzaGEyNTY6N2Q2NzBhNzkxYjM4MDQ2ZmJkYTAxZTIyYjQ2NmVjZDIzNWQzNjhhM2ZjNWFlNWFhNmMwNTE2OWM0NzVkMGQ3NiIKICAgIH0sCiAgICAidHlwZSI6ICJHb29nbGUgY2xvdWQgYmluYXV0aHogY29udGFpbmVyIHNpZ25hdHVyZSIKICB9Cn0K",
          "signatures": [
            {
              "signature": "LS0tLS1CRUdJTiBQR1AgU0lHTkVEIE1FU1NBR0UtLS0tLQpIYXNoOiBTSEE1MTIKCnsKICAiY3JpdGljYWwiOiB7CiAgICAiaWRlbnRpdHkiOiB7CiAgICAgICJkb2NrZXItcmVmZXJlbmNlIjogInVzLWNlbnRyYWwxLWRvY2tlci5wa2cuZGV2L21pbmVyYWwtbWludXRpYS04MjAvcmVwbzEvdGVlIgogICAgfSwKICAgICJpbWFnZSI6IHsKICAgICAgImRvY2tlci1tYW5pZmVzdC1kaWdlc3QiOiAic2hhMjU2OjdkNjcwYTc5MWIzODA0NmZiZGEwMWUyMmI0NjZlY2QyMzVkMzY4YTNmYzVhZTVhYTZjMDUxNjljNDc1ZDBkNzYiCiAgICB9LAogICAgInR5cGUiOiAiR29vZ2xlIGNsb3VkIGJpbmF1dGh6IGNvbnRhaW5lciBzaWduYXR1cmUiCiAgfQp9Ci0tLS0tQkVHSU4gUEdQIFNJR05BVFVSRS0tLS0tCgppUUZMQkFFQkNnQTFGaUVFektxWVFlc0JYNkwrY1J5Uks0dnA1ZGs2SFpRRkFtUkw1dkVYSEhOaGJISmhjMmhwClpERXlNMEJuYldGcGJDNWpiMjBBQ2drUUs0dnA1ZGs2SFpTblNBZ0FoM0x2SHFxb24vNldhaWtEMUUySzhsbVQKY280bktEb3Rxa2JTYjdHT3R5ZC9OU0V6M0V6NUk1QjZnWWkzMlR4amYwMkJHT0todEFQTnFTMzVVRXk3dVZhaAp0WkRrOXZMSVhPQWM4QTVocjlHdVo5bDRFQ0w0L3UxTFI2UmpDNzN6Q005ektPckgwRTZ6VEttNXQySWNXeUFDCkJoSFN2Ny9HbzdaSUZLS1hybVVjTFpRc3B4Q0tRUVYvekc2ZDBQd1lXVDBLNGpkU00zdUtzVmNNdi9FQkgzTGIKaGYyajZFUGxHdW9qSWZPK3NTNGovRXBZNkhPL1Y5M2c5UUQ1NnI2czVXdno1Q1I0ZnJyR3RkSGFEbk5hTERqcwpFaVlOaU9DZlZsNDRZcWVQV3BERTFCU1AvdGJqUkExVnBnVGRjVUNnemR5cFg5QkpyQitsZ01BVDVpaTk4UT09Cj11YThwCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo=",
              "publicKeyId": "5D8EA7261718FE5728BA937C97341836616BF511"
            }
          ]
        },
        "kind": "ATTESTATION"
      },
      "@type": "type.googleapis.com/grafeas.v1.CreateOccurrenceRequest"
    },
    "response": {
      "updateTime": "2023-04-28T15:33:06.923563Z",
      "attestation": {
        "signatures": [
          {
            "signature": "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",
            "publicKeyId": "5D8EA7261718FE5728BA937C97341836616BF511"
          }
        ],
        "serializedPayload": "ewogICJjcml0aWNhbCI6IHsKICAgICJpZGVudGl0eSI6IHsKICAgICAgImRvY2tlci1yZWZlcmVuY2UiOiAidXMtY2VudHJhbDEtZG9ja2VyLnBrZy5kZXYvbWluZXJhbC1taW51dGlhLTgyMC9yZXBvMS90ZWUiCiAgICB9LAogICAgImltYWdlIjogewogICAgICAiZG9ja2VyLW1hbmlmZXN0LWRpZ2VzdCI6ICJzaGEyNTY6N2Q2NzBhNzkxYjM4MDQ2ZmJkYTAxZTIyYjQ2NmVjZDIzNWQzNjhhM2ZjNWFlNWFhNmMwNTE2OWM0NzVkMGQ3NiIKICAgIH0sCiAgICAidHlwZSI6ICJHb29nbGUgY2xvdWQgYmluYXV0aHogY29udGFpbmVyIHNpZ25hdHVyZSIKICB9Cn0K"
      },
      "name": "projects/mineral-minutia-820/occurrences/d5ffe4b9-fc28-4f49-b10a-5ebc61acf997",
      "noteName": "projects/mineral-minutia-820/notes/teeattestor-note",
      "resourceUri": "https://us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76",
      "@type": "type.googleapis.com/grafeas.v1.Occurrence",
      "createTime": "2023-04-28T15:33:06.923563Z",
      "kind": "ATTESTATION"
    }
  },
  "insertId": "1os3e3mengrp0",
  "resource": {
    "type": "audited_resource",
    "labels": {
      "service": "containeranalysis.googleapis.com",
      "method": "grafeas.v1.Grafeas.CreateOccurrence",
      "project_id": "mineral-minutia-820"
    }
  },
  "timestamp": "2023-04-28T15:33:07.368370155Z",
  "severity": "INFO",
  "logName": "projects/mineral-minutia-820/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2023-04-28T15:33:07.368370155Z"
}
## import the public key used in this example so the signature below can be verified
$ gpg --recv-keys 5D8EA7261718FE5728BA937C97341836616BF511

$ gpg --list-keys
/home/srashid/.gnupg/pubring.kbx
--------------------------------
pub   rsa2048 2017-03-12 [SC]
      5D8EA7261718FE5728BA937C97341836616BF511
uid           [ultimate] Salmaan Rashid <salrashid123@gmail.com>
sub   rsa2048 2017-03-12 [E]
sub   rsa2048 2017-03-12 [A]
sub   rsa2048 2017-03-12 [S]



$ cat signature.b64
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

$ base64 -d signature.b64 > signature.sig

$ cat signature.sig 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

{
  "critical": {
    "identity": {
      "docker-reference": "us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee"
    },
    "image": {
      "docker-manifest-digest": "sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76"
    },
    "type": "Google cloud binauthz container signature"
  }
}
-----BEGIN PGP SIGNATURE-----

iQFLBAEBCgA1FiEEzKqYQesBX6L+cRyRK4vp5dk6HZQFAmRL5vEXHHNhbHJhc2hp
ZDEyM0BnbWFpbC5jb20ACgkQK4vp5dk6HZSnSAgAh3LvHqqon/6WaikD1E2K8lmT
co4nKDotqkbSb7GOtyd/NSEz3Ez5I5B6gYi32Txjf02BGOKhtAPNqS35UEy7uVah
tZDk9vLIXOAc8A5hr9GuZ9l4ECL4/u1LR6RjC73zCM9zKOrH0E6zTKm5t2IcWyAC
BhHSv7/Go7ZIFKKXrmUcLZQspxCKQQV/zG6d0PwYWT0K4jdSM3uKsVcMv/EBH3Lb
hf2j6EPlGuojIfO+sS4j/EpY6HO/V93g9QD56r6s5Wvz5CR4frrGtdHaDnNaLDjs
EiYNiOCfVl44YqePWpDE1BSP/tbjRA1VpgTdcUCgzdypX9BJrB+lgMAT5ii98Q==
=ua8p
-----END PGP SIGNATURE-----

## finally, verify the signature. Note that the "using RSA key" fingerprint reported below is the [S] signing subkey
## listed above, not the primary-key fingerprint passed as --public-key-id; also, "Good signature" only shows the
## signature is valid over the embedded payload — the docker-manifest-digest in that payload must still match the
## digest of the image being deployed.
$ gpg --default-key salrashid123@gmail.com --verify signature.sig
gpg: Signature made Fri 28 Apr 2023 11:32:01 AM EDT
gpg:                using RSA key CCAA9841EB015FA2FE711C912B8BE9E5D93A1D94
gpg:                issuer "salrashid123@gmail.com"
gpg: Good signature from "Salmaan Rashid <salrashid123@gmail.com>" [ultimate]