replicatedhq · St0rmz1 · May 15, 2025 · May 15, 2025
@@ -1,50 +1,76 @@
 # Validate Provenance of Releases for the Replicated SDK
 
-This topic describes the process to perform provenance validation on the Replicated SDK.
+This topic describes how to verify the authenticity and integrity of Replicated SDK container images using SLSA provenance, image signatures, and Software Bill of Materials (SBOM) attestations.
 
 ## About Supply Chain Levels for Software Artifacts (SLSA)
 
-[Supply Chain Levels for Software Artifacts (SLSA)](https://slsa.dev/), pronounced “salsa,” is a security framework that comprises standards and controls designed to prevent tampering, enhance integrity, and secure software packages and infrastructure.
-
+[Supply Chain Levels for Software Artifacts (SLSA)](https://slsa.dev/), pronounced "salsa," is a security framework that comprises standards and controls designed to prevent tampering, enhance integrity, and secure software packages and infrastructure.
 
 ## Purpose of Attestations
-Attestations enable the inspection of an image to determine its origin, the identity of its creator, the creation process, and its contents. When building software using the Replicated SDK, the image’s Software Bill of Materials (SBOM) and SLSA-based provenance attestations empower your customers to make informed decisions regarding the impact of an image on the supply chain security of your application. This process ultimately enhances the security and assurances provided to both vendors and end customers.
 
-## Prerequisite
-Before you perform these tasks, you must install [slsa-verifier](https://github.com/slsa-framework/slsa-verifier) and [crane](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md).
+Attestations enable the inspection of an image to determine its origin, the identity of its creator, the creation process, and its contents. When building software using the Replicated SDK, the image's Software Bill of Materials (SBOM) and SLSA-based provenance attestations empower your customers to make informed decisions regarding the impact of an image on the supply chain security of your application.
 
-## Validate the SDK SLSA Attestations
+The Replicated SDK build process uses Chainguard's Wolfi-based images to minimize the number of CVEs. The build process automatically generates:
+- SLSA provenance attestations
+- Image signatures 
+- Software Bill of Materials (SBOM)
 
-The Replicated SDK build process utilizes Wolfi-based images to minimize the number of CVEs. The build process automatically generates SBOMs and attestations, and then publishes the image along with these metadata components. For instance, you can find all the artifacts readily available on [DockerHub](https://hub.docker.com/r/replicated/replicated-sdk/tags). The following shell script is a tool to easily validate the SLSA attestations for a given Replicated SDK image.
+## Prerequisites
+Before performing these tasks, install the following tools:
+- [slsa-verifier](https://github.com/slsa-framework/slsa-verifier)
+- [cosign](https://github.com/sigstore/cosign)
+- [jq](https://stedolan.github.io/jq/)
 
-```
-#!/bin/bash
+## Verify SDK Image Integrity
+### Using the Verification Script
+Replicated provides a verification script within the replicated-sdk repo that you can use directly or use it as a basis to develop your own verification automation. The script is located at https://github.com/replicatedhq/replicated-sdk/blob/main/certs/verify-image.sh
 
-# This script verifies the SLSA metadata of a container image
-#
-# Requires
-# - slsa-verifier (https://github.com/slsa-framework/slsa-verifier)
-# - crane (https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md)
-#
+The verification script performs three key security checks:
+1. SBOM attestation verification
+2. SLSA Provenance verification
+3. Image signature verification
 
+**Usage:**
+```bash
+./verify-image.sh [OPTIONS]
 
-# Define the image and version to verify
-VERSION=v1.0.0-beta.20
-IMAGE=replicated/replicated-sdk:${VERSION}
+Required Arguments:
+  -e, --env ENV      Environment to verify (dev|stage|prod)
+  -v, --version VER  Version to verify
+  -d, --digest DIG   Image digest to verify
 
-# expected source repository that should have produced the artifact, e.g. github.com/some/repo
-SOURCE_REPO=github.com/replicatedhq/replicated-sdk
+Optional Arguments:
+  --show-sbom       Show full SBOM content
+  -h, --help        Show this help message
+```
 
+**Example:**
+```bash
+./verify-image.sh --env prod \
+  --version 1.5.3 \
+  --digest sha256:7cb8e0c8e0fba8e4a7157b4fcef9e7345538f7543a4e5925bb8b30c9c1375400
+```
 
-# Use `crane` to retrieve the digest of the image without pulling the image
-IMAGE_WITH_DIGEST="${IMAGE}@"$(crane digest "${IMAGE}")
+### Verification Process
 
-echo "Verifying artifact"
-echo "Image: ${IMAGE_WITH_DIGEST}"
-echo "Source Repo: ${SOURCE_REPO}"
+The script performs the following checks:
 
-slsa-verifier verify-image "${IMAGE_WITH_DIGEST}" \
-    --source-uri ${SOURCE_REPO} \
-    --source-tag ${VERSION} 
+1. **SLSA Provenance Verification**
+   - Validates the build chain integrity
+   - Verifies the build was performed through the secure build pipeline
+   - Displays build details
 
-```
+2. **Image Signature Verification**
+   - Uses environment-specific public keys for verification
+   - The repo contains the public located in the /certs directory. For example the `cosign-prod.pub` key is used to validate a production release of the SDK.
+
+3. **SBOM Attestation Verification**
+   - Validates the Software Bill of Materials
+   - Displays SBOM details including:
+     - Document name
+     - Creation timestamp
+     - Creator information
+     - Total number of packages
+   - Optionally shows full SBOM content with `--show-sbom` flag
+
+For more information about the SDK release process and security measures, see the [Replicated SDK Release Process documentation](https://docs.replicated.com/vendor/releases-creating).