Security
The Arconia CLI releases are signed, their provenance is attested via SLSA (Build Level 3), and an SBOM is provided. This page describes how to verify all three aspects of supply chain security for the Arconia CLI.
PGP
All Arconia CLI release artifacts are signed with PGP. Follow these steps to verify the authenticity of the downloads.
-
Download the Arconia CLI public key and save it as
arconia.asc. -
Verify the key fingerprint matches the following:
$ gpg --show-keys arconia.asc
pub ed25519 2024-01-16 [SC] [expires: 2026-01-15]
36DD645BC7818CF5C884DE8F2E64062497575B2D
uid Thomas Vitale (MavenCentral) <oss@************.io>
sub cv25519 2024-01-16 [E] [expires: 2026-01-15]-
Import the public key into your GPG keyring:
$ gpg --import arconia.asc-
Download the Arconia CLI binary archive and its corresponding signature file from the desired release. For example:
-
arconia-cli-0.0.1-SNAPSHOT-linux-amd64.zip -
arconia-cli-0.0.1-SNAPSHOT-linux-amd64.zip.asc.
-
-
Verify the signature against the downloaded binary:
$ gpg --verify arconia-cli-0.0.1-SNAPSHOT-linux-amd64.zip.asc arconia-cli-0.0.1-SNAPSHOT-linux-amd64.zip
gpg: Signature made Mar 17 Set 23:29:59 2024 CEST
gpg: using EDDSA key 2E64062497575B2D
gpg: Good signature from "Thomas Vitale (MavenCentral) <oss@************.io>" [ultimate]A successful verification will display "Good signature" in the output, confirming the authenticity and integrity of the downloaded binary.
SLSA
Every Arconia CLI release includes SLSA provenance attestations for all release artifacts. Follow these steps to verify the provenance.
-
Install the slsa-verifier tool
-
Download the SLSA provenance attestation file from the desired release. Example:
arconia-cli-0.0.1-SNAPSHOT.intoto.jsonl. -
Download the corresponding Arconia CLI binary archive from the same release. Example:
arconia-cli-0.0.1-SNAPSHOT-linux-amd64.zip. -
Use the slsa-verifier to verify the SLSA provenance attestation against the binary:
$ slsa-verifier verify-artifact arconia-cli-0.0.1-SNAPSHOT-linux-amd64.zip \
--provenance-path arconia-cli-0.0.1-SNAPSHOT.intoto.jsonl \
--source-uri github.com/arconia-io/arconia-cliA successful verification will output a message similar to:
Verified signature against tlog entry index 131481633 at URL: https://rekor.sigstore.dev/api/v1/log/entries/108e9186e8c5677a1631335a14958734e5e0a00b4105b318339d4571b91a1ab8a8b2a90b1704d6d0
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0" at commit 10d734affc77f0f4d0f1087fe66bd7eeb3a61f8a
Verifying artifact arconia-cli-0.0.1-SNAPSHOT-linux-amd64.zip: PASSED
PASSED: SLSA verification passedThis process ensures the authenticity and integrity of the Arconia CLI release artifacts.
SBOM
Every Arconia CLI release includes a comprehensive CycloneDX Software Bill of Materials (SBOM) for all release artifacts. The SBOM provides a detailed inventory of components, libraries, and dependencies used in the Arconia CLI, enhancing transparency, security, and compliance efforts.
To access and review the SBOM for a specific release:
-
Visit the Arconia CLI releases page on GitHub.
-
Download the binary archive for your desired release and platform. Example:
arconia-cli-0.0.1-SNAPSHOT-linux-amd64.zip. -
Extract the contents of the archive to a local directory.
-
Locate the file named
sbom.cdx.jsonwithin the extracted directory. This JSON file contains the comprehensive SBOM for the release.
You can use various SBOM analysis tools to examine the sbom.cdx.json file and gain valuable insights into the components and dependencies of the Arconia CLI. Some recommended tools include:
-
OWASP Dependency-Track: An intelligent component analysis platform that allows you to identify and reduce risk in your software supply chain.
-
Trivy: A comprehensive and versatile security scanner for containers and other artifacts.
By reviewing the SBOM, you can better understand the composition of the Arconia CLI, identify potential vulnerabilities, and ensure compliance with licensing requirements.